Identity Management Day: The Biggest Identity Management Challenge Facing Organizations Today

Identity Management Day is about raising awareness of the importance of identity management and securing digital identities, and sharing best practices to help organizations and consumers #beidentitysmart.

We asked our Customer Advisory Board Members, who provide guidance on our mission and represent the practitioner community, to weigh in on the following question: “What is the biggest identity management/identity security challenge facing organizations today?” Here is what they had to say:

“I think the biggest identity management/identity security challenge today still revolves around people and the technology they use. We still have challenges with understanding roles and responsibilities and how that relates to access and rights. We also have issues with the devices they use if they are trusted device identities or not. We have significant challenges managing identities when they are no longer in our control (e.g., think about your PII leaving your company and an inability to validate that identifiable information is protected and safe). Even if we do have a great understanding of these pieces, we’ve misconfigured something (a human) and ultimately fail in delivering on the intent of an identity-centric control in the first place.”

James Carder, CSO and VP LogRhythm Labs, LogRhythm

“One of the key challenges I see with implementing a successful IAM program is managing the expectations with the key stakeholders (both business and IT). Managing expectations effectively and keeping the stakeholders informed will help minimize the friction for a predictable program delivery.

As organizations continue to expand and adopt cloud offerings, the need for IAM requirements (people, process and technology) should change as well. While some of these changes may be net new to most organizations, they should continue to focus on basic IAM hygiene (revoking access in a timely manner, implementing role-based access, minimizing or eliminating non-SSO external apps, guarding privileged credentials and, last but not least, managing authorization appropriately) and incorporate these into cloud services for full coverage.”

Narendra Patlolla, Head of Cyber Architecture, Gallagher

“I think the biggest challenges remain the fundamentals. So many organizations are still trying to implement provisioning and attestation beyond the core major identity systems like their AD and HR systems. I think great technologies like SAML, when used within an enterprise, are great for integrating applications, especially after acquisitions, but often become band-aids that mask the underlying issues of dispersed identity silos. The hard work is getting all these systems centralized or at least well managed through best practices around governance and especially deprovisioning. This is an endless challenge with large enterprises that do many small acquisitions a year. Many times the challenge becomes the cost of integrating acquired entities if your systems are too inflexible.

In addition, as multi-cloud adoption grows, managing all those identities and especially the governance around what authorization they have is a big challenge. The business wants to move faster than you have time to create new policies, so thinking ahead of the business challenges coming is important.”

Carlos Garcia, Sr Principal Architect, Enterprise Clinical Technology – Genomics, Optum

“As a practitioner in the space for the last 20+ years, I am amazed at how often I come across basic IAM hygiene things companies need to be doing, but they still struggle with! Even in mature IAM programs, some of the basics may be missing. Two of the most common would be 1 – off-boarding personnel in a timely manner, and 2 – inactivating unused/orphan credentials when no longer needed –

– How many times has that contractor left and you failed to disable his/her access until months later?

– How many times have you come across privileged service accounts that you cannot identify an owner for?

Many firms have mature programs that offer full automation for onboarding, but when it comes to disabling and removing access – many will say it is often a complex manual task because we don’t have a single place to leverage that tells us everything that Jimmy or Suzie had before they left.

If you cannot identify every identity + access pair in your enterprise (who has access to what), then it will likely lead to many inactive/unused credentials over time because ownership will not be obvious and those “orphans” are indeed the primary targets for the bad guys as well.”

Tom Malta, Head of Identity and Access Management, Navy Federal Credit Union

Thanks to our Customer Advisory Board Members for all of their contributions to the Identity Defined Security Alliance and Identity Management Day!
