As protecting identities takes center stage in the battle to stay secure, a common question being asked of identity and security professionals at every level is “who owns identity in your organization?” Some will argue that there isn’t a right answer, as long as someone owns the overall administration and security of identities, especially organizations who may be subject to significant penalties if personally identifiable data is exposed.
This is the question that starts off a series of blogs that focuses on establishing good identity and access management (IAM) hygiene. While having a mature IAM program is not required for implementing an identity-centric approach to security, putting “identity” at the center would imply that the people, process and technologies associated with an organization’s identities are in good standing. Our customer advisory board (CAB) has identified a number of recommendations for good IAM hygiene and in subsequent blogs, we’ll examine the top 5 in more detail. But first, back to the ownership question!
Who would you say owns identity in your company? Is it HR? The IAM team? The CISO? The CTO? Maybe you are forward-thinking enough to have embraced the concept of a Chief Identity Officer. The question isn’t who owns identity management or access management, but who owns identity? As former CISO and Chief Customer Information Officer at Ping Identity Richard Bird would suggest, if everyone in the organization owns a part of identity, then nobody owns it.
Let’s define “ownership” as it relates to this subject of who owns identity. When you look up the definition of “ownership,” it might tell you “the act, state, or right of possessing something.” However, the definition for this article would be: “The individual or entity responsible for the creation, removal, ongoing maintenance and security of an identity.” But what identities are we talking about? Today, most organizations would have identities that fall in these 4 categories:
Employee Identities: HR would typically own employee identities and be the authoritative source. Origination points could be Workday, PeopleSoft or some other human resource management system (HRMS) that manages your corporate employees. Generally, there is a workflow process involving the HR business partner and/or manager of the employee to onboard and offboard the individual in the HRMS. Workflows (automated or manual) would be initiated for things like birthright provisioning (Active Directory, email, SSO) upon identity creation, or role-based access control (RBAC), based on a new or changed identity event being triggered by the HRMS.
Contingent workers, contractors, or 3rd-party identities: There are several possibilities for ownership of these identities based on how they come in and out of your organization. Most companies have separate identity creation processes for non-employees, as most HR organizations do not want to manage or own non-employee identities in their HRMS. Instead, this task usually falls on the IAM team to create a centralized process so there is only one authoritative source for non-employees. Although the IAM team may provide the service or application to create and maintain these non-employee identities, there is usually a similar onboarding and offboarding process involving the manager of the non-employee as the sponsor of the identity.
Non-human identities, such as service accounts tied to system processing events or batch processes, are typically owned by the application or system owner. They are sometimes created outside of the corporate IAM process and locally managed by the application team, or in some cases owned by the infrastructure teams. More advanced IAM programs will have non-human identities incorporated into the normal IAM workflows for both creation and removal, thereby allowing for an association back to a human owner. It is imperative to understand who ultimately owns or manages these non-human identities as they generally come with elevated access rights. Best practice is to associate them with a primary human owner, enabling the IAM system to initiate a workflow when the primary owner leaves or changes jobs so a new owner can be assigned.
Consumer identities: In today’s digital world, your organization most likely has web-facing applications accessible by consumers of your goods and services. In some cases, you may be collecting and storing personally identifiable information (PII) or payment card information (PCI). Ownership of these identities seems to vary within organizations – is it the application owner, marketing, finance? Is it a shared responsibility with the consumer? While identities that have access to internal systems are the most exploitable, consumer identities are the mother lode for hackers looking to make a buck off of the dark web. With the introduction of GDPR in EMEA and similar regulations in California, the stakes for protecting consumer data and privacy have been significantly elevated.
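The non-human identity practice described above (every service account tied to a primary human owner, with a workflow triggered when that owner leaves or changes jobs) can be checked mechanically. The following is an added example, not code from the original post or from any IAM product; the inventory, HRMS feed and attestation records are constructed sample data, and the field names are assumptions.

```python
# Added example: find non-human identities whose primary human owner is missing,
# inactive, or has changed jobs since ownership was last attested, so that an
# IAM reassignment workflow can be started. Data below is constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass
class ServiceAccount:
    name: str
    owner_id: Optional[str]  # employee id of the primary human owner, None if never recorded
    privileged: bool


# Constructed service-account inventory (what the IAM system knows).
SERVICE_ACCOUNTS = [
    ServiceAccount("svc-batch-nightly", "E1001", privileged=True),
    ServiceAccount("svc-report-gen", "E1002", privileged=False),
    ServiceAccount("svc-legacy-etl", None, privileged=True),
    ServiceAccount("svc-payroll-sync", "E1003", privileged=True),
    ServiceAccount("svc-unknown-owner", "E9999", privileged=False),
]

# Constructed HRMS status feed (the authoritative source for employees).
HRMS_FEED = {
    "E1001": {"status": "active", "job_code": "ENG"},
    "E1002": {"status": "terminated", "job_code": "FIN"},
    "E1003": {"status": "active", "job_code": "OPS"},
}

# Owner job code recorded at the last ownership attestation (constructed).
ATTESTED_JOB_CODE = {"svc-batch-nightly": "ENG", "svc-payroll-sync": "FIN"}


def find_ownership_gaps(accounts, hrms, attested):
    """Return (account name, reason) pairs that should trigger a reassignment workflow."""
    gaps = []
    for acct in accounts:
        if acct.owner_id is None:
            gaps.append((acct.name, "no human owner recorded"))
            continue
        record = hrms.get(acct.owner_id)
        if record is None:
            gaps.append((acct.name, "owner not found in HRMS"))
        elif record["status"] != "active":
            gaps.append((acct.name, "owner no longer active"))
        elif attested.get(acct.name) not in (None, record["job_code"]):
            gaps.append((acct.name, "owner changed jobs since last attestation"))
    # Privileged accounts first: they carry the elevated rights the text warns about.
    return sorted(gaps, key=lambda g: not next(a for a in accounts if a.name == g[0]).privileged)
```

Running `find_ownership_gaps(SERVICE_ACCOUNTS, HRMS_FEED, ATTESTED_JOB_CODE)` flags four accounts; the healthy `svc-batch-nightly` is left alone.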
Now back to the question of who owns identity in your organization. As you can see, there are numerous flavors of identity within any organization and various owners depending on the relationship the individual has with the organization. Is there one organization, one executive, one steering committee overseeing the people, process and technologies associated with securing and managing identities in your organization? If not, it’s time to start the conversation. Identity and Access Management is no longer an operational, user-experience or process-streamlining activity; it has become the basis for your security program.
About the Author: Tom Malta, SVP, Head of Enterprise Access Management Products & Service for Wells Fargo, has led many successful IAM programs over the last 20 years utilizing custom-built as well as off-the-shelf technology supporting internal, external, and 3rd-party/cloud identities alike. His recent passions include emerging technologies such as biometrics, AI, and next-generation customer authentication solutions such as blockchain. Tom is a member of the IDSA Customer Advisory Board.