The 7 Tenets of Successful Identity & Access Management
By Darran Rolls, Chief Technology Officer, SailPoint
Your organization’s identities dictate who accesses your applications and data, as well as what can be done with that access. Securing and managing those identities is everything, and identity and access management (IAM) solutions play a key role in helping organizations meet those requirements. By automating processes for access certifications and policy enforcement, IAM solutions can help your organization inventory, analyze and understand the access privileges granted to employees, contractors and partners. These solutions can also allow you to increase efficiency and reduce costs by replacing slow, outdated processes with modern, software-driven ones.
The IAM platform’s job is simple in principle: give the right people the right access to the right data. To do this, trusted and properly managed identity access has to become the primary control. It comes down to three basic questions to govern access:
Who has access today?
Who should have access?
What is being done with that access?
When looking at the post-incident forensic reports from any high-profile data breach, there are always basic identity and access management errors at the root cause. Simple things like overly complex data access and unknown data classification are usually a factor; more complex questions, such as how data is classified and how contractors are granted access, often contribute as well.
The basic tenets of a next generation IAM system are those that allow organizations to answer the tough questions about their users’ access into their applications and data. Properly implemented, following these 7 tenets enables organizations to have a true holistic view of access, allowing IT to make the right decisions when it comes to answering the overarching question “who has access to what?”
1. Consider Everything - Identity and access management is no longer a “do it yourself” project. The sheer number of users, data applications, interfaces and platforms in the modern enterprise requires an integrated IAM system. An integrated enterprise solution will control and monitor all your users, all your applications, all your data, and all access rights.
2. Remember Your Customer - The enterprise has to service a wide range of internal customers with different data access needs from different locations using different access devices. The IAM solution must be adaptable across all this. No matter where the user is (or on what type of device), they must be able to access the necessary data without complications. Any user, any platform, any time. In a friendly, easy way.
3. Be Context Aware - Understanding users and, most importantly, the data and resources they should and typically access is critical. Identity context is about sharing and understanding these relationships and translating them into entitlements or rights. That context model needs to sit in the center of the security and operations infrastructure as the identity governance and administration engine. It is a model of known relationships between people, accounts, privileges and data.
4. Govern by Model - Managing the access of thousands of users requires governance models. These models are what make the IAM engine effective. Automation, Role, Change, Risk, and Control models each drive compliance and, as a group, drive common policy. Placing governance models at the center creates a stable, repeatable and scalable approach to enterprise identity control.
5. Managing Risk is a Verb - Managing risk is the mechanism for how you know when an action falls outside of normal usage. Identity risk scoring can be accomplished by model in an advanced IAM system. Risk scoring allows for faster access authentication and tracking strategies. Low-risk accounts may have only read privileges and no access to confidential information while a high-risk profile may have privileged access or orphaned accounts. No matter what, knowing a user’s risk profile helps in assessing how closely their online activities need to be monitored.
6. Connect to Everything - When considering an integrated IT system such as identity access management, the most difficult decision an enterprise needs to make is determining how much of an existing platform to keep and how much needs to be replaced. Some parts of their internal IT architecture will stay the same and so the IAM system needs to be flexible enough to connect to everything and anything. Effective identity and access management requires connectivity from any kind of platform to any kind of data repository.
7. Be Consistent - This may sound intuitive but consistency in all these actions and approaches is key. The business user wants access regardless of where the apps are served. The auditor only cares about compliance, not where data is stored. The IAM solution needs to bridge gaps like these seamlessly and consistently to secure the business in a scalable way. Regardless of where the data resides, one-off connections or patched provisioning should be excluded from the IAM implementation design, otherwise scalability will be impacted whether data is structured or unstructured.
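As an added illustration of the three governing questions and of tenets 3 to 5 (example code, not SailPoint's product logic), the script below reconciles the accounts found on target systems against an HR identity feed and a role model, flags orphaned accounts and excess or privileged entitlements, and ranks each account by a simple risk score. The HR feed, role model, privileged set and score weights are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample data (not from SailPoint): an HR feed of known identities,
# a role model saying which entitlements each job role should carry, and the
# accounts actually found on target systems with the entitlements they hold.
HR_IDENTITIES = {"alice": "finance_analyst", "bob": "dba"}          # identity -> role
ROLE_MODEL = {
    "finance_analyst": {"erp:read", "erp:report"},
    "dba": {"db:read", "db:admin"},
}
PRIVILEGED = {"db:admin", "erp:admin", "iam:admin"}                  # assumed privileged set
ACCOUNTS = [
    {"system": "erp", "owner": "alice", "entitlements": {"erp:read", "erp:report", "erp:admin"}},
    {"system": "db",  "owner": "bob",   "entitlements": {"db:read", "db:admin"}},
    {"system": "db",  "owner": "carol", "entitlements": {"db:read"}},   # carol left: orphaned
]

@dataclass
class Finding:
    system: str
    owner: str
    orphaned: bool
    excess: set = field(default_factory=set)       # granted but not in the role model
    privileged: set = field(default_factory=set)   # granted and in the privileged set
    score: int = 0

def review(accounts, hr=HR_IDENTITIES, roles=ROLE_MODEL, priv=PRIVILEGED):
    """Compare 'who has access' with 'who should' for each account and score it."""
    findings = []
    for acct in accounts:
        role = hr.get(acct["owner"])
        orphaned = role is None                    # no known identity owns this account
        allowed = roles.get(role, set())
        excess = acct["entitlements"] - allowed
        privileged = acct["entitlements"] & priv
        # Weights are illustrative assumptions, not a vendor scoring model.
        score = 5 * orphaned + 2 * len(excess) + 3 * len(privileged)
        findings.append(Finding(acct["system"], acct["owner"], orphaned, excess, privileged, score))
    return sorted(findings, key=lambda f: f.score, reverse=True)   # highest risk first

if __name__ == "__main__":
    for f in review(ACCOUNTS):
        print(f"{f.system}/{f.owner}: score={f.score} orphaned={f.orphaned} "
              f"excess={sorted(f.excess)} privileged={sorted(f.privileged)}")
```

The ranked output is what an access certification campaign would hand to a reviewer: the orphaned account and the excess admin entitlement surface first, while access that matches the role model scores only for the privilege it legitimately carries.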
The modern enterprise is more complex than ever and identity and access management is at its core. While it is possible for enterprises to piece together their own solutions, the number of rules, number of best practices, and number of intricacies involved with implementing a secure IAM solution is huge. There is a lot at stake. It only takes one incorrect configuration to open your enterprise to anyone wanting in.
Here at SailPoint, we understand business users, business complexities and most of all, we understand what is at stake when it comes to accurate identity monitoring and compliance. You spent your life’s work on your business. We have done the same in identity and access management. We have refined the mechanisms for fast and effective IAM strategy and are ready to share our vision, solutions and knowledge with your organization.