How much do you really know about those with access to your resources?
As a company that hires employees, we know a lot about them before we give them access. We spend a lot of time vetting them and their appropriateness for a role or position. Teams are dedicated to finding and hiring the right people. That means we gather extensive details about those employees, sometimes even requiring background checks and security clearances, just to make sure we can trust them—particularly since we’re handing them keys to a kingdom of company data.
These elaborate processes, along with the fact that the process and data are managed in an HR system, is music to the ears of an identity professional. How nice it is to trust the authoritative employee data in that easily accessed HR system and to use it to drive downstream processes and access. Proactively maintaining the accuracy and accessibility of data repositories is a critical component of identity management. Unfortunately, as businesses balance an army of partners, contractors, and devices, it is also easier said than done.
The Importance of Trusted Identity Data
Regardless of the type of worker we’re dealing with, we get very anxious to get those folks to work, so we are highly motivated to onboard them quickly, get them “in the system” with the equipment and access they need to be productive. That onboarding is based on the authoritative data we gather during the hiring process or via limited information provided by third-party vendors about their workers.
Managing this access becomes priority number one for an identity team, but of course requires coordination with all sorts of people within the organization: Human Resources, managers/sponsors, IT, security teams, asset management, IAM teams, even external third-party contributors, the list goes on. On top of this, the process involves stacks of high-dollar technology: HRIS, VMS, TPRM, third-party identity, IGA, PAM, ITSM, and directory tools.
All of this is done with a few goals:
- Know who is getting access
- Efficiently grant that access
- Securely manage and remove the access
IDSA outlines a multitude of best practices and security outcomes that make identity the heart of your security program. These best practices rely on one very important assumption – you know the identities that are getting access. This goes hand-in-hand with the best practice of ensuring the uniqueness of every human and non-human identity.
One very important, yet often overlooked, component is that you trust the data you have about these identities – whether they are employees, contractors, customers, partners, or non-humans. And not just that you trust it at the point in time the identity is onboarded, but you must trust it consistently – throughout the identity’s lifecycle.
Trusting your authoritative identity data is dependent on three things:
- Proactive collection and maintenance of this authoritative data by responsible parties
- Constant validation to ensure it remains up-to-date and accurate
- Storage in an accessible and searchable source repository
While there are many technologies that support the collection and maintenance of this authoritative data, success in this effort is heavily reliant on, first, recognizing all of the entities that should be considered an identity (hint: anyone or anything with access to your resources!). We must stop ignoring entire populations just because we don’t have great processes or systems for maintaining their information.
Next, success is reliant on the consistent execution of effective business processes to manage the data and lifecycle for those identities – again, all of them, not just our employees. Most organizations have a handle on the collection and maintenance of employee data, but quite often neglect non-employee identities like third party vendors, guests, or IoT devices.
At times, we’re lucky to gather a full name and email address for an IT vendor, never mind all the necessary details to make a determination about whether we should trust them with our data. What makes things even more difficult is the challenge many organizations face with where to store this non-employee data, including tracking and auditing the process of onboarding these identities and, most importantly, ensuring their status and information remains up-to-date. This authoritative data is relied upon by identity solutions to properly manage access and disable appropriately.
Proactively Revalidating Identity Data
Managing the identity data and lifecycle appropriately also includes proofing the maintained identity data at regular intervals, as outlined in the IDSA Security Outcome: User’s identity is systematically proven throughout the identity lifetime. This is an important step not only at identity onboarding, but also periodically as proactive revalidation that their status or other details have not changed.
While proactive revalidation can be achieved via regular manager or HR check-ins for the on-site employee workforce, third-party or remote workers frequently require additional identity proofing tools. Most of us have experienced the I-9 process when starting a new job where we present a few forms of identification to a HR representative who verifies not only who we are but also our employment eligibility. This is an example of in-person identity proofing. Obviously, there are many instances when a person will be onboarded without ever presenting themselves (or their ID) to someone in-person. What then?
Digital identity proofing mechanisms are also available. For example, we can validate government IDs electronically by comparing them to a selfie taken on a mobile device. Or perhaps validation is done by querying a user for a number of details that only they should know. What are the last four digits of your social security number? Where did you live in December 1999? Who holds your mortgage, and how much is the payment?
There is so much focus on this digital identity proofing that today, the “Improving Digital Identity Act of 2020,” a government-wide approach to improving digital identity, is being introduced to Congress. This bill is based on recommendations from the Better Identity Coalition addressing the gaps in digital identity security recently exposed by the significant shift to conducting business online, particularly due to COVID-19. This bill reflects the need for better digital identity verification while also setting a high bar for privacy and security.
As long as we are collecting and maintaining enough authoritative details about our identities, we can use this to ensure we’re still engaging with the people we think we are. We should also insert this proofing into frequent revalidation exercises to make sure their personal data or their relationship with our organization hasn’t changed or even more importantly, that someone else hasn’t commandeered their identity and their access along with it. This is particularly important for those external, third-party workers who we often lose track of since they are not proactively managed by an HR team or direct manager.
Keep in mind, identity revalidation and proofing differs from entitlement or access certifications. Identity revalidation ensures you have accurate, authoritative information about the person or entity. Access certifications rely on this accurate, authoritative identity data to execute properly. One must know the manager, sponsor, or owner of an identity as well as the status and relationships of that identity in order to understand how and what needs to be certified when it comes to access. This, again, makes the case for how important it is to properly maintain the identity data in the first place.
IAM relies on a complicated web of systems and data, and doing it right requires keeping the data in source systems clean and accessible. With the correct approach, organizations can ensure that the identity data they have is data they can trust.
About the Author: Jennifer Kraxner is the Foundation Prep TWG subcommittee leader and senior solutions advisor with SecZetta, Inc. Jennifer has spent nearly a decade as an advisor to organizations regarding their identity and access management (IAM) programs. In this capacity, she works to address the pain points and risks encountered when governing access for their employees and external third parties. Prior to that, Jennifer worked as a counterintelligence agent with the US Department of Defense, providing risk mitigation and protection against security and terrorist threats. She has led initiatives across a variety of industries, including government, healthcare, IT, and financial services. Her work with teams to assess business processes, develop strategic roadmaps, and implement identity solutions serves to drastically improve efficiency and manage the risk presented by today’s extended workforce.
