Stories in the IAM Trenches - the Gartner Security & Risk Summit Edition

I’m here in National Harbor, Maryland at the Gartner Security and Risk Summit. One of the advantages of sponsoring the event is the opportunity to do what Gartner calls a “Solution Provider Session”. Most sponsors use their allotted time to pitch their solutions – that’s why we’re here, isn’t it, to sell some stuff? But we’ve always chosen to use our session to provide some real-world perspective on the difficulties of identity and access management. So we invite a few of our customers to tell us about their IAM journey, and hopefully expose the rest of the audience to the success they’ve had with One Identity solutions.

Today, John Milburn, the VP and GM of Identity and Access Management, led a panel discussion that included three customers. The title of the session was “When Security Quits Standing in the Way of Agility: Stories from the IAM Trenches”. After the obligatory “IAM is hard, but we can make it not so difficult”, John turned the time over to the IAM project leads at Asurion, Bechtel, and Charles River Labs to tell their stories, including the scope of their project, the process they went through to choose a solution, and the results (both positive and negative, as well as apparent and hidden) of their project.

Each came from a different place in their IAM journey, and each addressed different pains in different ways, but they all had valuable advice for anyone willing to listen.

Cory Plastek, Identity and Access Management engineer at Asurion, mentioned a few valuable points:

  • The most important thing is to get provisioning and de-provisioning right.
  • The way an organization attacks provisioning must be flexible enough to adjust to evolving needs, but it must also include open communication across all aspects of the business and strike a fine balance between necessary boundaries and enablement.
  • Buy-in and cooperation from HR is critical to provisioning success.

Tom Lawson, identity and access engineering manager at Bechtel, talked in depth about the dangers of toxic combinations of entitlements and the challenges of IAM when contractors enter the picture. Key pieces of advice from Tom include:

  • To be successful, an IAM project must be built on a firm understanding of requirements prior to shopping for a solution, good use cases, and a pragmatic approach that doesn’t attempt to do it all at once.
  • Treat your IAM engineers right; there are more jobs out there than there are people, so don’t allow the grass to be greener on the other side of your valuable employees’ fences.
  • You can never arrive at a single authoritative data source, but through a combination of HR data, IAM data, and other data, you can arrive at the right authoritative data set to get controls and governance right.

Andy Griffin, chief of information security at Charles River Labs, talked a lot about the unique challenges of integrating an enterprise IAM strategy with Office 365. He also mentioned the difficulties that a too-narrow view of compliance can have on the success of a project. Key takeaways from the Charles River Labs project include:

  • Let the line-of-business (in his case HR) feel like they have the power and can control the key data that initiates any IAM action.
  • Compliance can always be improved through automation and unification, enabling an organization to move on to more important and impactful activities.
  • Understand the risks introduced by trendy technologies (in his case Office 365) before you begin your IAM project so you can build to those needs rather than trying to retrofit later.

The common theme I heard from all three of these IAM experts was that governance cannot happen without administration being done first and done right. Be willing to put the control in the hands of the right people (or more correctly, empower the right people to be in control). And understand that garbage-in equals garbage-out, so get the data right and build from there.

Anonymous