For today’s enterprises, the demands of securing hybrid workforces, cloud environments, and digital transformation initiatives have placed identity at the center of strategic discussions about security.
Identity is the link that connects users to the devices, services, and applications they use during a time when the traditional perimeter has been eroded. But managing identity and access has never been more complicated. The number of identities is increasing, attackers are targeting credentials, and cloud service adoption has created identity silos that challenge consistent policy enforcement.
In the Identity Defined Security Alliance’s 2021 Trends in Securing Digital Identities report, a survey found that the vast majority of respondents’ organizations had experienced an identity-related breach within the previous two years. Many of these breaches were tied to issues such as phishing or inadequately managed privileges. Addressing these problems has forced forward-thinking IT leaders to prioritize an identity-focused security strategy centered on effective governance, monitoring, and zero trust. Reaching that nirvana will require bringing each of the building blocks of identity management together.
Identity Management Convergence
At its core, identity management is composed of three domains: identity governance and administration (IGA), access management (AM), and privileged access management (PAM). Each of those domains is a foundational part of a successful identity strategy. IGA automates processes such as user provisioning, access reviews, and the enforcement of policies; access management focuses on authentication and enforcement of user access; and PAM, as the name implies, is focused on monitoring and managing privileged access.
Traditionally, the activities of these different identity systems were handled separately by various vendors. However, the demands of today’s environment require a change from the siloed approach of the past. While each represents a piece of the puzzle, it is only by combining these solutions that organizations can shrink the attack surface they need to protect. There is a convergence underway in the identity management space, driven by the understanding that decisions about access and authentication benefit from all these pieces working together.
Imagine a scenario where someone has access to a specific application but has not logged into the app for 90 days. That could be a sign of excessive privileges, which create open entry points for an attacker. Or this case: a user has privileged access rights to an application, and the security team wants any attempt to access the application to trigger a prompt for step-up authentication. Functioning in a silo is not an option—identifying and remediating these potential security gaps requires integrating IGA, PAM, and access management processes.
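The two scenarios above only work when data from all three domains is evaluated together: the IGA system knows which grants exist, the PAM system knows which of them are privileged, and the AM system knows when the user last signed in and how strongly the current session is authenticated. The following Python is an added illustration written for this article, not code from IDSA or any vendor; the data model, the 90-day threshold and the sample entitlements are constructed assumptions. It produces a dormancy report for access review and a per-request decision of deny, step-up or allow.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Threshold from the scenario in the text: no sign-in for more than 90 days
# is treated as a dormancy signal worth an access review.
DORMANCY_DAYS = 90


@dataclass(frozen=True)
class Entitlement:
    """One user-to-application grant as the IGA system would record it."""
    user: str
    app: str
    privileged: bool            # flag the PAM system contributes
    last_login: Optional[date]  # last successful sign-in, taken from AM logs


@dataclass(frozen=True)
class AuthContext:
    """What the access-management layer knows about the current session."""
    user: str
    mfa_satisfied: bool


def dormant_entitlements(entitlements: List[Entitlement], today: date) -> List[Entitlement]:
    """IGA + AM: grants never used, or not used within DORMANCY_DAYS.

    The result is a list of review candidates; revocation is a governance
    decision, so nothing is deleted here.
    """
    cutoff = today - timedelta(days=DORMANCY_DAYS)
    return [e for e in entitlements if e.last_login is None or e.last_login < cutoff]


def access_decision(entitlements: List[Entitlement], ctx: AuthContext, app: str) -> str:
    """IGA + PAM + AM: decide 'deny', 'step-up' or 'allow' for one request."""
    grant = next((e for e in entitlements if e.user == ctx.user and e.app == app), None)
    if grant is None:
        return "deny"       # IGA records no grant, so AM must not admit the session
    if grant.privileged and not ctx.mfa_satisfied:
        return "step-up"    # PAM marks the grant privileged: require stronger auth first
    return "allow"


# Constructed sample data (hypothetical users and applications).
TODAY = date(2021, 9, 1)
ENTITLEMENTS = [
    Entitlement("alice", "payroll", privileged=True, last_login=date(2021, 8, 22)),
    Entitlement("bob", "payroll", privileged=False, last_login=date(2021, 5, 1)),
    Entitlement("carol", "crm", privileged=False, last_login=None),
]

if __name__ == "__main__":
    for e in dormant_entitlements(ENTITLEMENTS, TODAY):
        print(f"review candidate: {e.user} on {e.app} (last login {e.last_login})")
    print(access_decision(ENTITLEMENTS, AuthContext("alice", mfa_satisfied=False), "payroll"))
    print(access_decision(ENTITLEMENTS, AuthContext("alice", mfa_satisfied=True), "payroll"))
    print(access_decision(ENTITLEMENTS, AuthContext("dave", mfa_satisfied=True), "payroll"))
```

In a real deployment each of the three inputs comes from a different system of record, which is exactly why the decision cannot be made by any one of them alone: the AM system has the session context but does not know which grants are privileged, and the IGA system knows the grants but has no view of the current authentication strength.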
The challenge of silos is clearest in the cloud. Cloud platforms and applications may have unique identity management controls to protect users and their data. Traditionally, the policies of each cloud platform would have to be managed on their own, creating silos that challenge security. To reduce risk, all identity controls should align to ensure consistency and compliance.
Cloud resources cannot operate safely in security silos, and neither can the technologies handling the various aspects of identity management—PAM, AM, and IGA. A different approach is needed—one that enables enterprises to link identity management efforts together, from the data center to the cloud. Many IAM vendors have sought to solve this problem by integrating with partners. However, this can leave enterprises using products unsupported by a particular vendor with limited options. If they want a vendor with broader product capabilities, they may be forced to rip and replace portions of their identity stack. Those words—rip and replace—are conversation killers when it comes time to devise a budget. In most cases, organizations would be better served by maximizing their existing investments.
Finding a New Approach
Many enterprises turn to custom-built solutions to handle these challenges. However, those solutions take time and effort to build. In the face of this reality, identity orchestration has emerged as an answer. Identity orchestration provides a management layer through which applications integrate with the appropriate identity systems. This eliminates the need to rewrite applications to support the IAM functionality of a particular cloud platform. With identity orchestration, administrators can automate the configuration and management of those systems and eliminate the silos caused by having to handle identity management using the systems of individual cloud providers.
Regardless of what approach is used, what is certain is that the security outcomes promoted by IDSA work best when IGA, AM, and PAM are working in combination. The security outcomes are approaches that enhance your organization’s security posture by putting identity first. For example, one of the outcomes is that “privileged user accounts and entitlements are granted through governance-driven provisioning.” When implemented, this approach means that privileged user accounts and entitlements are created and assigned via a governance process that includes business justification approvals and constraints based on business requirements. Another example of a security outcome is requiring multifactor authentication for privileged access. In both of these cases, different identity systems are functioning in tandem to improve security.
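The governance-driven provisioning outcome quoted above can be made concrete as a small workflow: a privileged entitlement is only created when a request carries a business justification, has an approval from someone other than the requester, and fits a duration constraint. The Python below is an added example written for this article, not IDSA's or any vendor's code; the request fields, the 30-day maximum and the ticket identifier format are constructed assumptions standing in for whatever an organization's governance process defines.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Constraint assumed for the example: privileged grants expire within 30 days
# unless re-requested through the same governance process.
MAX_PRIVILEGED_DURATION_DAYS = 30


@dataclass(frozen=True)
class AccessRequest:
    requester: str
    account: str           # privileged account or entitlement being requested
    justification: str     # business justification captured by the IGA workflow
    requested_days: int


@dataclass(frozen=True)
class Approval:
    approver: str
    approved: bool


@dataclass(frozen=True)
class ProvisionedEntitlement:
    """Record the PAM system would receive once governance has signed off."""
    user: str
    account: str
    expires: date
    ticket: str            # reference back to the governance record


def validate_request(req: AccessRequest, approval: Optional[Approval]) -> List[str]:
    """Return every governance rule the request violates (empty list means compliant)."""
    problems: List[str] = []
    if not req.justification.strip():
        problems.append("missing business justification")
    if req.requested_days <= 0 or req.requested_days > MAX_PRIVILEGED_DURATION_DAYS:
        problems.append(f"duration must be 1..{MAX_PRIVILEGED_DURATION_DAYS} days")
    if approval is None or not approval.approved:
        problems.append("no approval on record")
    elif approval.approver == req.requester:
        problems.append("self-approval is not allowed")
    return problems


def provision(req: AccessRequest, approval: Optional[Approval], today: date,
              ticket: str) -> Tuple[Optional[ProvisionedEntitlement], List[str]]:
    """Create the entitlement only when the governance checks all pass."""
    problems = validate_request(req, approval)
    if problems:
        return None, problems
    expires = today + timedelta(days=req.requested_days)
    return ProvisionedEntitlement(req.requester, req.account, expires, ticket), []


# Constructed sample requests (hypothetical users, accounts and ticket ids).
TODAY = date(2021, 9, 1)
GOOD_REQUEST = AccessRequest("alice", "db-admin", "Quarter-end schema migration", 7)
GOOD_APPROVAL = Approval("manager-bob", approved=True)

if __name__ == "__main__":
    ent, problems = provision(GOOD_REQUEST, GOOD_APPROVAL, TODAY, "REQ-0001")
    print(ent, problems)
    ent, problems = provision(GOOD_REQUEST, Approval("alice", True), TODAY, "REQ-0002")
    print(ent, problems)
```

The point of routing every privileged grant through `provision` is that the PAM system never sees an entitlement that lacks a governance ticket, an expiry and an independent approver, which is what lets the IGA and PAM domains act as one control instead of two.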
Functioning independently, IGA, AM, and PAM are not enough, but by linking the three together and centralizing identity management, identity-focused security and zero trust can become a reality.
About the Author: Asif Savvas is the Chief Product Officer at Simeio. Asif is responsible for building and rolling out innovative, market-leading service offerings backed by Simeio’s IAM services platform, Identity Orchestrator, to drive new customer wins. His focus is on leveraging the latest and best-fit technologies that enhance client experience in simplifying and managing their IAM programs.