Any modern business has been dealing with identity and access management (IAM) from day one. But now, with more critical elements of business extending beyond the enterprise, access control complexity has been ramping up due to cloud, mobile, bring your own device (BYOD), and hybrid computing.
And such greater complexity forms a major deterrent to secure, governed, and managed control over who and what can access your data and services -- and under what circumstances.The next BriefingsDirect thought leader discussion then centers on learning new best practices for managing the rapidly changing needs around IAM.
While cloud computing gets a lot of attention, those of us working with enterprises daily know that the vast majority of businesses are, and will remain, IT hybrids, a changing mixture of software as a service (SaaS), cloud, mobile, managed hosting models, and of course, on-premises IT systems.
We're here with a Chief Technology Officer for a top IAM technology provider to gain a deeper understanding of the various ways to best deploy and control access management in this ongoing age of hybrid business.
Here to explore five critical tenets of best managing the rapidly changing needs around identity and access management is Darran Rolls, Chief Technology Officer at SailPoint Technologies in Austin, Texas. The discussion is moderated by me, Dana Gardner, Principal Analyst at Interarbor Solutions.
Here are some excerpts:
Gardner: There must be some basic, bedrock principles that we can look to that will guide us as we're trying to better manage access and identity.
Rolls: Absolutely, there are, and I think that will be a consistent topic of our conversation today. It's something that we like to think of as the core tenets of IAM. As you very eloquently pointed out in your introduction, this isn't anything new. We've been struggling with managing identity and security for some time. The changing IT environment is introducing new challenges, but the underlying principles of what we're trying to achieve have remained the same.
The idea of holistic management for identity is key. There's no question about that, and something that we'll come back to is this idea of the weakest link -- a very commonly understood security principle. As our environment expands with cloud, mobile, on-prem, and managed hosting, the idea of a weak point in any part of that environment is obviously a strategic flaw.
As we like to say at SailPoint, itâs an anywhere identify principle. That means all people -- employees, contractors, partners, customers, basically from any device, whether youâre on a desktop, cloud, or mobile to anywhere. That includes on-prem enterprise apps, SaaS apps, and mobile. Itâs certainly our belief that for any IAM technology to be truly effective, it has to span all for all -- all access, all accounts, and all users; wherever they live in that hybrid runtime.
Gardner: So we're in an environment now where we have to maintain those bedrock principles for true enterprise-caliber governance, security, and control, but we have a lot more moving parts. And we have a cavalcade of additional things you need to support, which to me, almost begs for those weak links to crop up.
So how do you combine the two? How do you justify and reconcile these two realities -- secure and complex?
Addressing the challenge
Rolls: One way comes from how you address the problem and the challenge. Quite often, I'm asked if there's a compromise here. If I move my IAM to the cloud, will I still be able to sustain my controls and management and do risk mitigation, which is what we were trying to get to.
My advice is if you're looking at an identity-as-a-service (IDaaS) solution that doesnât operate in terms of sustainable controls and risk mitigation, then stop, because controls and risk mitigation really are the core tenets of identity management. Itâs really important to start a conversation around IDaaS by quite clearly understanding what identity governance really is.
This isnât an occasional, office-use application. This is critical security infrastructure. We very much have to remember that identity sits at the center of that security-management lifecycle, and at the center of the usersâ experience. So itâs super important that we get it right.
So in this respect, I like to think that IDaaS is more of a deployment option than any form of a compromise. There are a minimum set of table stakes that have to be in place. And, whether you're choosing to deploy an IDaaS solution or an on-prem offering, there should be no compromise in it.
We have to respect the principles of global visibility and control, of consistency, and of user experience. Those things remain true for cloud and on-prem, so the song remains the same, so to speak. The IT environment has changed, and the IAM solutions are changing, but the principles remain the same.
Gardner: I was speaking with some folks leading up to the recent Cloud Identity Summit, and more and more, people seem to be thinking that the IAM is the true extended enterprise management. It's more than just the identity in access, but across services and so essential for extended enterprise processes.
Also, to your point, being more inclusive means that you need to have the best of all worlds. You need to be able to be doing IAM well on-premises, as well as in the cloud -- and not either/or.
Rolls: Most of the organizations that I speak to these days are trying to manage a balance between being enterprise-ready -- so supporting controls and automation and access management for all applications, while being very forward looking, so also deploying that solution from the cloud for cost and agility reasons.
For these organizations, choosing an IDaaS solution is not a compromise in risk mitigation, itâs a conscious direction toward a more off-the-shelf approach to managing identity. Look, everyone has to address security and user access controls, and making a choice to do that as a service canât compromise your position on controls and risk mitigation.
Gardner: I suppose the risk of going hybrid is that if you have somewhat of a distributed approach to your IAM capabilities, you'll lose that all-important single view of management. I'd like to hear more, as we get into these tenets, of how you can maintain that common control.
You have put in some serious thought into making a logical set of five tenets that help people understand and deal with these changeable markets. So letâs start going through those. Tell me about the first tenet, and then we can dive in and maybe even hear an example of where someone has done this right.
Focusing on identity
Rolls: Obviously it would be easy to draw 10 or 20, but we like to try and compress it. So there's probably always the potential for more. I wouldnât necessarily say these are in any specific order, but the first one is the idea of focusing on the identity and not the account.
This one is pretty simple. Identities are people, not accounts in an on-line system. And something we learned early in the evolution of IAM was that in order to gain control, you have to understand the relationships between people -- identities, and their accounts, and between those accounts and the entitlements and data they give access, too.
So this tenet really sits at the heart of the IAM value proposition -- it's all about understanding who has access to what, and what it really means to have that access. By focusing on the identity -- and capturing all of the relationships it has to accounts, to systems, and to data -- that helps map out the user security landscape and get a complete picture of how things are configured.â¨
Gardner: If I understand this correctly, all of us now have multiple accounts. Some of them overlap. Some of them are private. Some of them are more business-centric. As we get into the Internet of Things, we're going to have another end-point tier associated with a user, or an identity, and that might be sensors or machines. So itâs important to maintain the identity focus, rather than the account focus. Did I get that right?
Rolls: We see this today in classic on-prem infrastructure with system-shared and -privileged accounts. They are accounts that are operated by the system and not necessarily by an individual. What we advocate here, and what leads into the second tenet as well, is this idea of visibility. You have to have ownership and responsibility. You assign and align the system and functional accounts with people that can have responsibility.
In the Internet of Things, I would by no means say that it's nothing new, because if nothing else, it's potentially a new order of scale. But it's functionally the same thing: Understanding the relationships.
For example, I want to tie my Nest account back to myself or to some other individual, and I want to understand what it means to have that ownership. It really is just more of the same, and those principles that we have learned in enterprise IAM are going to play out big time when everything has an identity in the Internet of Things.
Gardner: Any quick examples of tenet one, where we can identify that we're having that focus on the user, rather than the account, and it has benefited them?
Rolls: For sure. The consequences of not understanding and accurately managing those identity and account relationships can be pretty significant. Unused and untracked accounts, something that we commonly refer to in the industry as "orphan accounts," often lead to security breaches. Thatâs why, if you look at the average identity audit practice, itâs very focused on controls for those orphan accounts.
We also know for a fact, based on network forensic analysis that happens post-breach, that in many of the high-profile, large-scale security breaches that we've seen over the last two to five years, the back door is left open by an account that nobody owns or manages. Itâs just there. And if you go over to the dark side and look at how the bad guys construct vulnerabilities, first things they look for are these unmanaged accounts.
So itâs low-hanging fruit for IAM to better manage these accounts because the consequences can be fairly significant.
Gardner: Okay, tenet two. Whatâs next on your priority list?
Rolls: The next is two-fold. Visibility is king, and silos are bad. This is really two thoughts that are closely related.
The first part is the idea that visibility is king, and this comes from the realization that you have to be able to capture, model, and visualize identity data before you have any chance of managing it. Itâs like the old saying that you canât manage what you canât measure.
Itâs same thing for identity. You canât manage the access and security you donât see, and what you donât see is often what bites you. So this tenet is the idea that your IAM system absolutely must support this idea of rapid, read-only aggregation of account and entitlement information as a first step, so you can understanding the landscape.
The second part is around the idea that silos of identity management can be really, really bad. A silo here is a standalone IAM application or what one might think of as a domain-specific IAM solution. These are things like an IDaaS offering that only does cloud apps or an Active Directory-only management solution, basically any IAM tool that creates a silo of process and data. This isolation goes against the idea of visibility and control that we just covered in the first tenant.
You canât see the data if its hidden in a siloed system. Itâs isolated and doesn't give you the global view you need to manage all identity for all users. As a vendor, we see some real-world examples of this. SailPoint just replaced a legacy-provisioning solution at a large US based bank, for example, because the old system was only touching 12 of their core systems.
The legacy IAM system the bank had was a silo managing just the Unix farm. It wasn't integrated and its data and use case wasnât shared. The customer needed a single place for their users to go to get access, and a single point of password control for their on-prem Unix farm, and for their cloud-based, front-end application. So today SailPointâs IdentityNow provides that single view for them, and things are working much better.
Gardner: It also reminds me that we need to be conscious of supporting the legacy in the older systems, recognizing that they weren't designed necessarily for the reality we're in now. We also need to be flexible in the sense of being future-proof. So it's having visibility across your models that are shifting in terms of hybrid and cloud, but also visibility across the other application sets and platforms that were never created with this mixture of models that we are now supporting.
Rolls: Exactly right. In education, we say "no child left behind." In identity, we say no account left behind, and no system left behind. We also shouldnât forget there is a cost associated with maintaining those siloed IAM tools, too. If the system only supports cloud, or only supports on-prem, or managing identity for mobile, SaaS, or just one area of the enterprise -- thereâs cost. There's a real dollar cost for buying and maintaining the software, and probably more importantly, a soft cost in the end-user experience for the people that have to manage across those silos. So these IAM silos are not only preventing visibility and controls, but there is big cost here, a real dollar cost to the business, as well.
Gardner: This gets closer to the idea of a common comprehensive view of all the data and all the different elements of what we are trying to manage. I think that's also important.
Okay, number three. What are we looking at for your next tenet, and what are the ways that we can prevent any of that downside from it?
Rolls: This tenet comes from the school of identity hard knocks, and is something Iâve learned from being in the IAM space for the past 20 or so years -- you have to manage the complete lifecycle for both the identity, and every account that the identity has access to.
Our job in identity management, our place if you will in the security ecosystem, is to provide cradle-to-grave management for corporate account assets. It's our job to manage and govern the full lifecycle of the identity -- a lifecycle that youâll often hear referred to as JML, meaning Joiners, Movers and Leavers.
As you might expect, when gaps appear in that JML lifecycle, really bad things start to happen. Users donât get the system access they need to get their jobs done, the wrong people get access to the wrong data and critical things get left behind when people leave.
Maybe the wrong people get access to the wrong data. They're in the Move phase. Then things get left behind when people leave. You have to track the account through that JML lifecycle. I avoid using the term "cradle to grave," but thatâs really what it means.
Thatâs a very big issue for most companies that we talked to. Itâs captured in that lifecycle.
Gardner: So itâs not just orphan accounts, but itâs inaccurate or outdated accounts that donât have the right and up-to-date information. Those can become back doors. Those can become weak links.
It appears to me, Darran, that there's another element here in how our workplace is changing. We're seeing more and more of what they call "contingent workforces," where people will come in as contractors or third-party suppliers for a brief period of time, do a job, and get out.
Itâs this lean, agile approach to business. This also requires a greater degree of granularity and fine control. Do you have any thoughts about how this new dynamic workforce is impacting this particular tenet?
Rolls: Itâs certainly increasing the pressure on IT to understand and manage all of its population of users, whether they're short-term contractors or long-term employees. If they have access to an asset that the business owns, itâs the business's fiduciary duty to manage the lifecycle for that worker.
In general, worker populations are becoming more transient and work groups more dynamic. Even if itâs not a new person joining the organization, weâre creating and using more dynamic groups of people that need more dynamic systems access.
Itâs becoming increasingly important for businesses today to be able to put together the access that people need quickly when a new project starts and then accurately take it away when the project finishes. And if we manage that dynamic access without a high degree of assured governance, the wrong people get to the wrong stuff, and valued things get left behind.
Quite often, people ask me if it would really matter when the odd account gets left behind, and my answer usually is: It certainly can. A textbook example of this when a sales guy leaves his old company, goes to join a competitor, and no one takes away his salesforce.com account. He's then spends the next six months dipping into his old companyâs contacts and leads because he still has access to the application in the cloud.
This kind of stuff happens all the time. In fact, we recently replaced another IDaaS provider at a client on the West Coast, specifically because the other vendor -- who shall remain nameless -- only did just-in-time SAML provisioning, with no leaver-based de-provisioning. So customers really do understand this stuff and recognize the value. You have to support the full lifecycle for identity or bad things happen for the customer and the vendor.
Gardner: All right. We were working our way through our tenets. We're now on number four. Is there a logical segue between three and four? How does four fit in?
Rolls: Number four, for me, is all about consistency. It talks to the fact that we have to think of identity management in terms of consistency for all users, as we just said, from all devices and accessing all of our applications.
Practically speaking, this means that whether you sit with your Windows desktop in the office, or you are working from an Android tablet back at the house, or maybe on your smartphone in a Starbucks drive-through, you can always access the applications that you need. And you can consistently and securely do something like a password reset, or maybe complete a quarterly user access certification task, before hitting the road back to the office.
Consistency here means that you get the same basic user experience, and I use the term user experience here very deliberately, and the same level of identity service, wherever you are. It has become very, very important, particularly as we have introduced a variety of incoming devices, that we keep our IAM services consistent.
Gardner: It strikes me that this consistency has to be implemented and enforced from the back-end infrastructure, rather than the device, because the devices are so changeable. We're even thinking about a whole new generation of devices soon, and perhaps even more biometrics, where the device becomes an entry point to services.
Tell me a bit about the means by which consistency can take place. This isn't something you build into the device necessarily.
Rolls: Yes, that consistency has to be implemented in the underlying service, as youâve highlighted. Itâs very easy to think of consistency as just being in the IAM UI or just in the device display, but it really extends to the identity API as well. A very good example to explore this concept of consistency of the API, is to think like a corporate application developer and consider how they look at consistency for IAM, too.
Assume our corporate application developer is developing an app that needs to carry out a password reset, or maybe it needs to do something with an identity profile. Does that developer write a provisioning connector themselves? Or should they implement a password reset in their own custom code?
The answer is, no, they donât roll their own. Instead they should make use of the consistent API-level services that the IAM platform provides -- they make calls to the IDaaS service. The IDaaS service is then responsible for doing the actual password reset using consistent policies, consistent controls, and a consistent level of business service. So, as I say, its about consistency for all use cases, from all devices, accessing all applications.
Thinking about consistency
Gardner: And even as we think about the back-end services support, that itself also needs to extend to on-prem legacy, and also to cloud and SaaS. So we're really thinking about consistency deep and wide.
Rolls: Precisely, and if we donât think about consistency for identity as a services, we're never going to have control. And importantly, we're never going to reduce the cost of managing all this stuff, and we're never going to lower the true risk profile for the business.
Gardner: We're coming up or our last tenet, number five. We haven't talked too much about the behavior, the buy-in. You can lead a horse to water, but you can't make him drink. This, of course, has an impact on how we enforce consistency across all these devices, as well as the service model. So what do we need to do to get user buy-in? How does number five affect that?
Rolls: Number five, for me, is the idea that the end-user experience for identity is everything. Once upon a time, the only user for identity management was IT itself and identity was an IT tool for IT practitioners. It was mainly used by the help desk and by IT pros to automate identity and access controls. Fortunately, things have changes a lot since then, both in the identity infrastructure and, very importantly, in the end usersâ expectations.
Today, IAM really sits front and center for the business users IT experience. When we think of something like single sign-on (SSO), it literally is the front door to the applications and the services that the business is running. When a line-of-business person sits down at an application, they're just expecting seamless access via secured single sing-on. The expectation is that they can just quickly and easily get access to the things they need to get their job done.
They also expect identity-management services, like password management, access request, and provisioning to be integrated, intuitive, and easy to use. So the way these identity services are delivered in the user experience is very important.
Pretty much everything is self-service these days. The expectation is to move the business user to self-service for pretty much everything, and that very much includes Identity Management as a Service (IDaaS) as well. So the UI just has to be done right and the overall usersâ experience has to be consistent, seamless, intuitive, and just easy to deal with. Thatâs how we get buy-in for identity today, by making the identity management services themselves easy to use, intuitive, and accessible to all.
Gardner: And isnât this the same as saying making the governance infrastructure invisible to the end user? In order to do that, you need to extend across all the devices, all the deployment models, and the APIs, as well as the legacy systems. Do you agree that we're talking about making it invisible, but we canât do that unless you're following the previous four tenets?
Rolls: Exactly. There's been a lot of industry conversation around this idea of identity being part of the application and the usersâ flow, and thatâs very true. Some large enterprises do have their own user-access portals, specific places that you go to carry out identity-related activities, so we need integration there. On the other hand, if I'm sitting here talking to you and I want to reset my Active Directory password, I just want to pick up my iPhone and do it right there, and that means secure identity APIâs.
We talked a good amount about the business user experience. It is very important to realize that itâs not just about the end-user and the UI. It also affects how the IDaaS service itself is configured, deployed, and managed over time. This means the user experience for the system owner, be that someone in IT or in the line of business -- it doesnât really matter who -- has to be consistent and easy to use and has to lead to easier configuration, faster deployment, and faster time-to-value. We do that by making sure that the administration interface and the APIâs that support it are consistent and generally well thought out, too.
Intersect between tenets
Gardner: I can tell, Darran, that you've put an awful lot of thought into these tenets. You've created them with some order, even though they're equally important. This must be also part of how you set about your requirements for your own products at SailPoint.
Tell me about the intersect between these tenets, the marketplace, and what SailPoint is bringing in order to ameliorate the issues that the problem side of these tenets identify, but also the solution side, in terms of how to do things well.
Rolls: You would expect every business to say these words, but they have great meaning for us. We're very, very customer focused at SailPoint. We're very engaged with our customers and our prospects. We're continually listening to the market and to what the buying customer wants. Thatâs the outside-in part of the of the product requirements story, basically building solutions to real customer problems.
Internally, we have a long history in identity management at SailPoint. That shows itself in how we construct the products and how we think about the architecture and the integration between pieces of the product. Thatâs the inside-out part of the product requirements process, building innovative products that solutions that work well over time.
So I guess that all really comes down to good internal product management practices. Our product team has worked together for a considerable time across several companies. So thatâs to be expected. It's fair to say that SailPoint is considered by many in the industry as the thought leader on identity governance and administration. We now work with some of the largest and most trusted brand names in the world, helping them provide the right IAM infrastructure. So I think weâre getting it right.
As SailPoint has strategically moved into the IDaaS space, weâve brought with us a level of trust, a breadth of experience, and a depth of IAM knowledge that shows itself in how we use and apply these tenets of identity in the products and the solutions that we put together for our customers.
Gardner: Now, we talked about the importance of being legacy-sensitive, focusing on what the enterprise is and has been and not just what it might be, but I'd like to think a little bit about the future-proofing aspects of what we have been discussing.
Things are still changing and, as we said, there are new generations of mobile devices, more biometrics perhaps doing away with passwords and identifying ourselves through the device that then needs to filter back throughout the entire lifecycle of IAM implications and end points.
So when you do this well, if you follow the five tenets, if you think about them and employ the right infrastructure to support governance in IAM for both the old and the new, how does that set you up to take advantage of some of the newer things? Maybe itâs big data, maybe itâs hybrid cloud, or maybe it's agile business.
It seems to me that there's a virtuous adoption benefit that when you do IAM well.
Changes in technologies
Rolls: As you've highlighted, there are lots of new technologies out there that are effecting change in corporate infrastructure. In itself, that change isnât new. I came into IT with the advent of distributed systems. We were going to replace every mainframe. Mainframes were supposed to be dead, and it's kind of interesting that they're still here.
So infrastructure change is most definitely accelerating, and the options available for the average IT business these days -- cloud, SaaS and on-prem -- are all blending together. That said, when you look below the applications, and look at the identity infrastructure, many things remain the same. Consider a SaaS app like Salesforce.com. Yes, itâs a 100 percent SaaS cloud application, but it still has an account for every user.
I can provide you with SSO to your account using SAML, but your account still has fine-grained entitlements that need to be provisioned and governed. That hasnât changed. All of the new generation of cloud and SaaS applications require IAM. Identity is at the center of the application and it has to be managed. If you adopt a mature and holistic approach to that management you are in good stead.
Another great example are the mobile device management (MDM) platforms out there -- a new piece of management infrastructure that has come about to manage mobile endpoints. The MDM platforms themselves have identity control interfaces. Its our job in IAM to connect with these platforms and provide control over whatâs happening to identity on the endpoint device, too.
Our job in identity is to manage identity lifecycles where ever they sit in the infrastructure. If you're not on board, you'd better get on board, because the challenges for identity are certainly not going away.
Interestingly, I'm sometimes challenged when I make a statement like that. Iâll often get the reply that "with SAML single sign-on, the the passwords go away so the account management problem goes away, right? The answer is that no, they donât. They're still accounts in the application infrastructure. So good best practice identity and access management will remain key as we keep moving forward.
Gardner: And of course as you pointed out earlier, we can expect the scale of what's going to be involved here to only get much greater.
Rolls: Yes, 100 percent. Scale is key to architectural thinking when you build a solution today, and we're really only just starting to touch where scale is going to go.
Itâs very important to us at SailPoint, when we build our solutions, that the product we deliver understands the scale of business today and the scale that is to come. That affects how we design and integrate the solutions, it affects how they are configured and how they are deployed. Itâs imperative to think scale -- thatâs certainly something we do.
You may also be interested in:
- Identity and Access Management as a Service Gets Bost with SailPoint's IdentityNow Cloud Service
- Panel tackles how to make mobile devices as secure as they are indispensable
- As the digital economy ramps up, expect a new identity management vision to leapfrog passwords
- Standards and APIs: How to Build Platforms and Tools to Best Manage Identity and Security