I spend way too much of my time thinking about identity and access management (IAM). I guess it’s what pays the bills, so that’s a good thing. I get paid to write about, talk about, and evangelize the One Identity way of doing IAM.
I’ve written a little book called Identity and Access Management for the Real World. Chapter One: The Fundamentals delves into the basics of IAM, the challenges we all face, and some recommendations to overcome those challenges.
Unlike many of you, if I mess something up I just look like a fool … no one really gets hurt, my employer doesn’t suffer significant damage, and there’s no headlines warning everyone of the dangers of doing business with me or my employer.
Identity and access management challenges can be boiled down to a few concepts:
- People need access to stuff to do their jobs and someone has to make sure that they can get to what they need when they need it.
- The business needs to make sure that those people only get to the stuff they should get to and not too much.
- There’s always someone watching to make sure that you do those things according to some rules, that you had no hand in defining.
- The people at risk if things go wrong are often woefully lacking in the ability to control their own fates (i.e. they must rely on people that know how to do stuff but not why to do it to actually set up and enforce the rules that must be followed).
These tenets aren’t universal; there are organizations that have everything nailed down and have all the right people doing the right things and are able to prove it. But there are many more (possibly you and your organization) that are struggling with one or more of these factors. That’s just the way it is. Here’s a short Identity and Access Management video that discusses one company’s struggle with, and solution to this complexity problem.
I think the reason we have these problems is that we’re spending so much time putting out fires that we haven’t been able to purge the dead undergrowth to prevent the next fire from spreading out of control. After all, when you find a weakness or experience a breach, you must immediately find a solution to that problem. And the fastest solution may not be one that has anything to do with the preventing the next fire that will inevitably ignite. We end up with a bunch of disjointed access methods, a jumble of ways authorization is defined and enforced, and lots of productivity-sapping hoops that end users and IT have to jump through just to do their jobs – all in the name of better security. The victim is business agility (and isn’t that what we’re all in business for in the first place?)
Here are three things you can do to minimize the disjointed and ad hoc approach to IAM that is so prevalent:
Reduce complexity where ever possible. Take advantage of existing tools and infrastructure whenever possible to reduce the need for new identities, new provisioning workflows, and new IT tasks to simply grant users access. A great example of this is the AD bridge – simply extending Active Directory authentication and authorization to Unix/Linux systems has proven to dramatically reduce the workload and risk of access to those systems.
Put the business in charge. We all love our IT departments but they should not be the ones making decisions on who should access what and under what circumstances. But they are precisely the ones that most often control these things simply because they know how to manage the systems and the accounts. Do whatever you can to return that control to the ones that are accountable for the data stored and used on those systems.
- Keep your eye on the prize. The ultimate goal of everything is to fulfill your organizational objectives – whether that’s making money, serving constituents, educating people, or changing the world. This concept of agility is difficult when all your efforts are focused on simply getting things done. From an IAM standpoint this means lots of wasted time and effort on menial tasks like password resets, multiple logins, redundant roles, and manual provisioning processes. All of those things are important, but following the first two recommendations will inevitably result in a more efficient (and more governable) IAM approach that becomes a business enabler not productivity black hole.
The little book I've written goes into more detail on this future-proof approach to IAM. Subsequent chapters discuss the specifics of governance, access management, privileged account management, mobility, and even IAM as a service. I’ll be writing about those topics in the coming weeks.