Everyone in computer science understands the importance of standardized programming languages, and yet, in conversations between security practitioners and IT infrastructure managers about identity, much seems to get lost in translation.
Terms like authorization and authentication are often used interchangeably, yet they have distinct meanings, and those meanings shift depending on who is speaking. Say authentication to a security person, and you will be talking about verifying the identity of a user or device. Say authorization, and the conversation turns to what that verified identity is permitted to do: access rights and permissions.
The lack of a common lexicon and a standardized approach to effective identity and access management (IAM) exacerbates the challenges facing businesses today. A common point of friction between infrastructure and security teams, for example, is the universal compliance demand that all access be accounted for, understood, and approved. When asked, infrastructure organizations may produce user and account lists, sourced from operating systems, devices, and applications, that have not been maintained, are incomplete, or have significant data quality issues. They have met the requirement of accounting for all access, but regard the requirement that access be understood and approved as outside their realm of responsibility.
This disagreement on basic terms such as “all” and “understood” often leaves security teams scrambling either to find other sources and accountable parties for the needed information or to make do with the data they have.
Internal Collaboration Goes Awry
Such situations are symptoms of the tension between security goals and business operations. Without defined IAM standards, any gray area in the definitions becomes something to exploit. As the IDSA’s State of Identity report demonstrated, disjointed approaches to identity management and political squabbling over what is best for the business are common in enterprise environments. At its worst, this infighting manifests as budget and job protectionism: if the findings of the security team make the internal audit team look bad, the audit team may massage the data to avoid spreading what they deem FUD (fear, uncertainty, and doubt).
Regardless of how it is rationalized, this tug of war over ownership of identity weakens security. According to the IDSA report, 24% of survey respondents called out resistance from existing teams. Imagine an infrastructure team that has historically managed Active Directory without input from the security team. Following a management decision, ownership of Active Directory passes to the security team, saddling it with poor audit and monitoring practices, an excessive number of domain administrators, and other complications. Handling all that complexity frustrates the security team, which then wants to hand Active Directory back to the infrastructure team. Identity management has become a hot potato, and as more scripts are added and more trust relationships are built without proper security boundaries, the goal of protecting identity slips further away.
Taking Charge of Identity
Eliminating terminology discrepancies and political battles over identity should be a top priority for business leaders. When asked which specific types of identity issues most worry their teams, 83% of respondents in the IDSA survey cited phishing as the top identity risk. With stolen credentials at the center of so many data breaches, it is time for security to take charge of identity management. Identity should be managed as a core competency within the security function. Continuing to treat identity either as an administrative IT function or as a “security sound” function will keep producing the outcomes we see today: breaches, privacy violations, and company losses.
At organizations where the security team did not have a leadership role in workforce IAM, only 14% of IDSA survey respondents characterized security awareness of their organization’s identity strategy as excellent. Even where the security team leads IAM efforts, many security professionals rated security awareness of identity issues as “OK” or worse; but the study also found that problems such as organizational barriers and lack of motivation are less prominent at companies where security is in charge.
Accompanying a larger role for security should be a zero-defect approach to identity and account ownership: every account has a known, current owner, or it should not exist. If we would not accept a stranger standing in the middle of our children’s schoolyard, a person we know nothing about who seems to have no connection to the environment or situation, why would we accept the existence of a digital equivalent in our companies, networks, and applications? Knowing who your employees, partners, customers, and connections are is non-negotiable in today’s environment, yet it is not today’s standard of practice.
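The compliance demand described earlier, that all access be accounted for, understood, and approved, and the zero-defect standard for account ownership above both come down to a reconciliation that many organizations never actually run. As an added example (not code from the original article, from IDSA, or from Ping Identity), here is a minimal version in Python: account inventories exported from three hypothetical systems are joined against an HR roster and an approval register, and every account that belongs neither to a current employee nor to a service owned by one is flagged. All system names, account names, owners, and dates below are constructed for illustration.

```python
"""Reconcile account inventories against an HR roster and an approval
register, flagging accounts that are orphaned, unapproved, or stale.

Everything below is constructed sample data; nothing is exported from a
real directory or HR system.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed inventories, one per hypothetical source system, in the shape an
# infrastructure team might export them: (account, last_logon) rows.
INVENTORIES = {
    "active_directory": [
        ("alice", date(2024, 5, 30)),
        ("bob", date(2024, 5, 28)),
        ("svc_backup", date(2024, 5, 31)),
        ("jdoe_old", date(2023, 1, 12)),
    ],
    "linux_bastion": [
        ("alice", date(2024, 5, 29)),
        ("deploy", date(2024, 5, 31)),
        ("root", date(2024, 5, 31)),
    ],
    "crm_app": [
        ("bob", date(2024, 5, 30)),
        ("carol", date(2023, 12, 1)),
        ("integration", date(2024, 5, 30)),
        ("contractor42", None),
    ],
}

# Constructed HR roster: the people currently employed (the "understood" part).
HR_ROSTER = {"alice", "bob", "carol"}

# Constructed approval register: (system, account) -> approving human owner.
# Service and shared accounts are allowed only when a named person owns them.
# "dave" is deliberately absent from the roster to show a lapsed approval.
APPROVALS = {
    ("active_directory", "svc_backup"): "alice",
    ("linux_bastion", "deploy"): "bob",
    ("linux_bastion", "root"): "bob",
    ("crm_app", "integration"): "dave",
}

STALE_AFTER = timedelta(days=90)


@dataclass
class Finding:
    system: str
    account: str
    status: str                 # "ok", "orphaned", "unapproved" or "stale"
    owner: Optional[str] = None


def classify(system, account, last_logon, today, roster=HR_ROSTER,
             approvals=APPROVALS, stale_after=STALE_AFTER):
    """Decide whether one account is accounted for, understood and approved."""
    if account in roster:
        owner = account                       # personal account, owned by its user
    else:
        owner = approvals.get((system, account))
        if owner is None:
            # Not a current employee and nobody has claimed it: the stranger in
            # the schoolyard.  Checked before staleness so that recent use
            # can never hide an orphan behind an "active" status.
            return Finding(system, account, "orphaned")
        if owner not in roster:
            # The approver has left, so the approval no longer stands.
            return Finding(system, account, "unapproved", owner)
    if last_logon is None or today - last_logon > stale_after:
        return Finding(system, account, "stale", owner)
    return Finding(system, account, "ok", owner)


def reconcile(inventories=INVENTORIES, today=date(2024, 6, 1), **kw):
    """Classify every row of every inventory against the roster and approvals."""
    return [classify(system, account, seen, today, **kw)
            for system, rows in inventories.items()
            for account, seen in rows]


def summarize(findings):
    """Count findings per status, e.g. {"ok": 7, "orphaned": 2, ...}."""
    counts = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


if __name__ == "__main__":
    findings = reconcile()
    for f in findings:
        if f.status != "ok":
            print(f"{f.system:18} {f.account:14} {f.status:11} owner={f.owner}")
    print(summarize(findings))
```

The ordering of the checks is the point: an orphaned account is reported as orphaned even if it was used yesterday, because a list of "active" accounts answers only the accounting question, not the ownership one. In practice the inventories would come from directory exports and the roster from HR, and any account that lands in "orphaned" or "unapproved" should be disabled pending a claim rather than left on a report.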
Bringing Everyone to the Table
Putting the security team in the lead does not eliminate the need for collaboration – security is a team sport, says my fellow IDSA Board Member, Adam Bosnian. IAM will remain a shared responsibility that also involves human resources, IT operations, and others. For an IAM program to be successful, security teams need to keep these other parties involved in the conversation, which requires that security leaders understand the needs of these other teams and empower these stakeholders to reach their goals. History tells us that employees will circumvent policies that make their jobs more difficult and that political battles can hamper efforts to arrive at a single source of truth when it comes time to assess security posture or compliance. It would be good, then, for business leaders to remember one simple fact: business productivity and security are not opposing forces, and in any language, effective collaboration translates to success.
Check out the webinar featuring Richard Bird and Diane Hagglund, Principal and Founder of Dimensional Research.
About the Author: Richard Bird, IDSA Executive Board Member and Ping Identity Chief Customer Information Officer. Richard is a cybersecurity veteran and former chief information security officer. He is an internationally recognized identity-centric security expert, not just from a security solutions standpoint but as the former global head of identity for JP Morgan Chase’s consumer businesses. He is a frequent speaker on keynote platforms around the world as well as a member of the Forbes Tech Council. Richard has been interviewed by The Wall Street Journal, Business Insider, Reuters, TechRepublic, CNN, Solutions Review, NASDAQ and Congressional Quarterly on topics ranging from data protection regulations to cybersecurity-enabled consumer protection.