Current Trends in Identity and Access Management: July 2017
Identity and access management (IAM) is a mature and well understood domain of security. That doesn’t mean it’s static. While IAM is commonly associated with security — indeed, it is an essential part of a holistic security program — many people are beginning to understand the business processes it represents as well. They therefore view it as an IT operations topic. The truth is likely both: It blurs the lines between security and operations.
Recent trends in this area reflect the mainstreaming of IAM into the business. My colleagues and I have seen this manifested in five important ways, and we expect these trends to continue in the coming year. Each of these areas represents an opportunity for chief information security officers (CISOs) to take advantage of recent trends.
1. Chief Marketing Officers and Chief Operating Officers Are Asking for IAM Data
What do Google, Facebook, Twitter and other companies value most? What have they gotten very good at collecting? The answer is information about their user base. They know who we are, when we’re active and all about our browsing habits. They use this to create targeted advertising and have monetized it.
Not all companies are interested in monetizing user behaviors for advertising, but most companies can benefit from better understanding their users. While an IAM solution can’t provide all of this, it can provide the most elemental data point: who the user is — their identity.
We have recently seen CMOs and COOs asking chief information officers (CIOs) for information about users. Basic demographic information is available in a user directory, and that is a good start, but they want more. They want session and website access information. Being able to understand who a user is (first and last name, email, phone number) and track their behaviors from their login across their full user session requires data from the user directory and the web access management solution. They want to compile these, together with user behavior analytics systems, to understand specific usage patterns.
For example, for an auto parts retailer, data could reveal that approximately 50 auto repair shops in the Greater Denver area are frequently abandoning their cart after viewing brake fluid on their site. This trend could be driven by a competitor offering a lower price or more options. Without this level of analysis, and without knowing who the users are and where they are located, this type of conclusion isn’t possible.
Opportunity for Security
This appears to be a net-new demand that hasn’t reached critical mass. It presents an opportunity to CISOs, because the CMO and COO may have funding available for IAM initiatives and could influence the board or other executives to make IAM a priority. This unlikely partnership also offers CISOs the opportunity to evangelize the other benefits of IAM, namely increased security and operational efficiency.
2. Insider Threats Can Be Identified and Stopped
Big data is here, and it’s starting to be leveraged by IAM teams. By compiling access logs and events from servers, networking devices, middleware, IDS/IPS, vulnerability management solutions, and applications, it’s possible to correlate these activities and identify trends. These can represent terabytes of data. Enter the big data solutions and security-specific tools.
Historically this has been very successful for external threats, which have very little identity data context. It has been proven to be effective when someone penetrates the exterior or malware is deployed. CISOs now have visibility and the ability to respond, sometimes within minutes. There is now a broad realization that internal users (specifically internal privileged accounts) have much more value to attackers when compromised. So, we are now being asked how to leverage this data to identify and respond to internal threats — for events that do contain identity information.
Opportunity for Security
Security in this area can be achieved through four essential activities. Technologically, all the tools are available. Now it’s time to use them.
- Identify your most valued assets (e.g., data, applications, etc.).
- Identify and integrate privileged user repositories to understand who these users are.
- Collect activities on critical infrastructure in the central security intelligence and event management (SIEM) solution.
- Identify expected activities for each user type and create runbook use cases to respond to events that are outside of these.
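The four activities above can be sketched as a small triage routine. This is an added example, not code from the original article; the asset names, accounts, baseline and log format are all constructed for illustration.

```python
from datetime import datetime

# Step 1: most valued assets (constructed sample values).
CRITICAL_ASSETS = {"hr-db", "payments-app"}
# Step 2: privileged accounts and their user type (constructed directory export).
PRIVILEGED_USERS = {"alice_dba": "dba", "bob_admin": "sysadmin"}
# Step 4: expected activity per user type (hypothetical baseline, hours in UTC).
EXPECTED = {
    "dba": {"assets": {"hr-db"}, "actions": {"query", "schema_change"}, "hours": range(7, 19)},
    "sysadmin": {"assets": CRITICAL_ASSETS, "actions": {"login", "patch"}, "hours": range(0, 24)},
}
# Step 3: events as collected centrally (constructed 'timestamp key=value' lines).
SAMPLE_EVENTS = """\
2017-07-10T09:05:00 user=alice_dba asset=hr-db action=query
2017-07-10T02:14:00 user=alice_dba asset=hr-db action=bulk_export
2017-07-10T10:30:00 user=alice_dba asset=payments-app action=query
2017-07-10T11:00:00 user=bob_admin asset=payments-app action=patch
2017-07-10T11:20:00 user=carol asset=intranet action=login
2017-07-10T12:00:00 user=carol asset=hr-db action=query
"""

def parse_event(line):
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["time"] = datetime.fromisoformat(ts)
    return event

def deviations(event):
    """Return the reasons an event falls outside expected activity."""
    if event["asset"] not in CRITICAL_ASSETS:
        return []  # not a most-valued asset, out of scope here
    user_type = PRIVILEGED_USERS.get(event["user"])
    if user_type is None:
        return ["account not in privileged user repository"]
    profile, reasons = EXPECTED[user_type], []
    if event["asset"] not in profile["assets"]:
        reasons.append("asset not expected for " + user_type)
    if event["action"] not in profile["actions"]:
        reasons.append("action not expected for " + user_type)
    if event["time"].hour not in profile["hours"]:
        reasons.append("outside expected hours")
    return reasons

def triage(log_text):
    """Return (user, asset, action, reasons) for each event that needs a runbook response."""
    events = map(parse_event, filter(str.strip, log_text.splitlines()))
    return [(e["user"], e["asset"], e["action"], r) for e in events if (r := deviations(e))]

print(triage(SAMPLE_EVENTS))
```

Each returned tuple carries its reasons, so a runbook can be selected per deviation type rather than per alert.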
3. Cloud-Based IAM Solutions Have Reached a Critical Level of Maturity
In the years leading up to now, I have seen multiple solutions created, startups enter the industry and big companies try to bring their solutions to the cloud, and a lot of them failed to achieve their stated capabilities. Not only was the technology not ready, but companies were also not generally interested. This has been a rare situation in which business demand and technology solutions have developed in parallel.
It is still true that companies will need to adopt a set of standard capabilities per the 80/20 rule. Fortunately, the number and flexibility of those standard capabilities have become robust among the market leaders. Product vendors see this trend, and the product investment funding is clearly becoming cloud first.
It’s important to note that some cloud-based IAM vendors have a focus area. Few cover all aspects of IAM — and therefore have some limitations. This is where it’s really important to understand the four subdomains of IAM: identity data; identity management; access governance; and access enforcement. Some vendors focus on federation and authentication. Some are great at directory replication within a homogeneous platform. Some specialize in provisioning and deprovisioning.
Administration interfaces — those complex, fat-client or command-line tools so common with on-premises solutions — are now replaced with dynamic and intuitive web-based tools in cloud-based IAM solutions. They have point-and-click configurations and wizards. They allow almost all aspects of administration to be conducted by customer administrator users.
Just as important as the use cases available are the integration capabilities. On-premises IAM solutions have the advantages of installed connectors, a broad range of network protocols, custom code capabilities and nearly unlimited bandwidth. The leading cloud-based IAM vendors are addressing this too by adopting dedicated network connectivity to go beyond the LDAPS/JDBC protocols, and leveraging application programming interfaces (APIs) for integration. Software-as-a-service (SaaS) operational services have also expanded so features that aren’t yet administered by web-based tools can be configured with a change request ticket to the SaaS operations team.
Perhaps the most important reasons to adopt cloud-based IAM solutions are stability, flexible capacity and operational cost reductions. These are no longer considered differentiators between SaaS vendors; they are often more stable than on-premises solutions and certainly more expandable. The cost advantage still needs to be evaluated on a company-by-company basis, and many factors affect that calculation. But in my experience, I have yet to see a cloud-based IAM solution cost more to implement or operate than a comparable on-premises solution.
Opportunity for Security
Adopting a cloud-based IAM solution is not something to be taken lightly, especially if there are significant investments in on-premises licenses, infrastructure and operations. If these investments exist, the next upgrade or expansion cycle is the time to look at moving to cloud-based IAM. Doing so makes it possible to adopt standardized solutions, simplify operations and reduce operational cost, all while using the leading-edge technology.
4. Regulatory Compliance and Audit Enablement Is No Longer a Burning Platform
With the current level of IAM maturity, most companies have reached an equilibrium of automated IAM technology and manual processes for audit and regulatory compliance. The pendulum has certainly swung back and forth over the past 15 years, and a lot of work has been done to get here. Now, the demand for technology and process changes has declined. This isn’t to say the work is complete or that everyone is happy — I doubt any company would say they have the optimal solution.
Most companies have either reached a point of diminishing returns on their investments toward audit and regulatory compliance needs, or they simply have no funding available. A few companies are pulling back from their complex RBAC models and automated separation of duties (SoD) policies because they have realized the cost and complexity of maintaining them. Others have found manual processes are sufficient for audit purposes and less expensive — especially when using offshore teams — than integrating to the nth level with technology.
Still, other companies have IAM shelfware. They bought solutions and are paying for annual maintenance, but the costs to implement, integrate and operate are too high in the current business environment. There is a fundamental truth that IAM affects almost every area of IT and most back-office business processes. This makes a comprehensive deployment expensive and time-consuming. And in spite of the move toward cloud-based IAM, that fundamental truth hasn’t changed.
The big caveat to this is the General Data Protection Regulation (GDPR). While few companies are taking action at the moment, and it’s not perfectly clear what the IAM implications are, it’s clear we will all need to look at how we enable users to manage their identity data under this regulation. I expect this to be a significantly different situation in six months to a year!
Opportunity for Security
While SOX, HIPAA, GLBA and other regulatory programs are not disappearing (perhaps changing, but not being eliminated), they are no longer a leading driver of funding to IAM programs. This is not to say no one is asking or new regulations aren’t coming. In fact, internal audit teams and application owners are still burdened with onerous access recertification processes. Further, other demand is backfilling for that drop in demand, so we still see an upward trend in IAM investment. CISOs can still rely on internal audit and business unit stakeholders to advocate and help with funding for IAM initiatives by building a coalition.
5. The Explosion of Federation
Federation and federated single sign-on (SSO) are now the standard mechanism to provide SSO across application domains. It’s practically a necessity to connect with SaaS providers. This has been the case for a number of years, and federation was one of the most rapidly adopted standards. But it has recently reached a new threshold: It is becoming the default authentication mechanism within companies and across applications. This is due to a number of factors, such as the proliferation and maturity of SSO tools, native support for SAML within large software packages and the adoption of SaaS applications.
It’s also important to remember that federation partnerships have become a very simple configuration to add. In most SSO tools, they can be added in a few minutes via a wizard-like interface. With this small investment and a little testing, these connections can be added and changed easily. There are even some companies that allow business users to manage federations for their applications without security team participation. The close relatives of federation, OAuth and social media-based authentication, are gaining acceptance as well, but they are not yet at the same critical mass.
For many companies, the sheer number and criticality of federation partnerships have become unwieldy. Five years ago, a company might have had two or four federation partnerships. But today it can be in the hundreds, with copies of the same partnership on the same endpoint system, used by different business units. Managing hundreds of configurations can be challenging, so I have been coaching companies to treat federation partnerships with the same diligence and change management control as their other mission-critical systems.
Opportunity for Security
When a technology reaches this level of adoption and maturity, it’s an opportunity to eliminate older technologies, mandate federation as the SSO standard for technology deployments and codify the change control process for SSO integrations. If a security team can achieve these things, they are well-positioned to leverage offshore or outsourced resources to manage these configurations. This allows the core security team to refocus on more pressing and complex issues.
While many changes in the security domain make our lives more difficult, the changing IAM landscape continues to improve business outcomes, improve the user experience and increase operational efficiency.