Who owns identity and access management?

Speed, agility, responsiveness; these are all terms frequently bandied about when today’s businesses are talking about their needs.  In the world of digital transformation, along with increasing competition, companies deal with a fickle customer base that expect your business to pivot quickly to meet their demands, or else fail.  For some businesses, the notion of speed is essential. 

A great example of this is the digital world of the stock market.  I once worked with a company that had automated all their trading systems.  The systems were designed with complex analysis engines that would be capable of making trading decisions on their own, thousands of times a second. The interesting fact about this business was that many of their competitors also had implemented much the same type of trading engines… to be honest, this resulted in the performance of their portfolio being about the same as their competition. But what if they could make all their trades milliseconds before their competition?  On a single day, a few seconds difference in making trades through these automated systems might not show much impact, but over the fiscal year the results could be significant.

To that end, the company invested in a dedicated fiber network that essentially connected them directly to the trading floor.  The seconds they saved did indeed translate to earnings for their investors, so much so that the practice is now regularly implemented and have been written about in books like Flash Boys by Michael Lewis.  So, it might be around this time that you the reader either have an idea of why I’m talking about day trading in an article that is supposed to be about identity… what’s the connection?

Let’s start instead with the question. Who should own identities in a modern and secure corporation? Traditionally, security was not only the owner of such data, but much like a slow network connection to a stock trader, security is often also a bottleneck to business agility.  These delays lead to adversarial relationships between security and the business that grow into mistrust, shadow IT, and an ultimate lack of governance as the business starts swiping their credit cards into online services. To put it simply and without further ado… those days are gone… the business should own the data!

The decisions of who gets hired, who has what job or who has what authorization, have nothing to do with security and everything to do with the business.  Yet everywhere I go, I find the businesses feel like they are asking for permission from security to do these things rather than be in control in the first place.  A classic example of this was when I was consulted to help a company modernize and was presented with a very simple use case.

It was explained to me that employee “x” was responsible for granting employee access to the shipping system from the shipping department.  “Is that something we could automate?”  Why sure… we’ll just make it so the system grants shipping system access to the people in the shipping department.  Simple, right?  “Ok, but I need employee “x” to be an approver for this.”  I took a deep breath and repeated the previous question, “…and what does employee “x” use to determine his approvals?” You of course see the circular argument I just entered.  Rather than just explain to employee “x”and his team that this will simply be automated, I needed to take a step back, change gears, and explain to these folks their NEW responsibility in the world of Identity and Access Management designed for business agility.

Security does indeed have a huge responsibility that cannot be understated. When the wrong people get access to the wrong systems or have what we like to call ‘toxic role combinations’ all fingers will be pointed at the security people for doing the wrong thing.  So, we can’t screw this up.  And those same fingers will be pointing at us when the business falters… “The security team made our jobs impossible… fire them!”  Clearly what is needed here is the correct balance of security where not only are the proper controls are put in place, but where security could be used to gain an edge against competition.  This is the world of modern Identity and Access Management.

The business owns the identity.  The business chooses who gets access to what.  Moreover, these decisions need to happen automatically and without any friction that puts the business at risk.  Here are the essential steps you need to take to make sure your business gets what they need all while you protect the company and your own security employees.

Partnerships

If I’ve said it once, I’ve said it a hundred times.  Security teams need to break down the traditional barriers that stand between healthy collaboration with partners.  They can’t be bullies and they most certainly cannot be irrelevant.  It is your company’s responsibility to make sure that you’re building positive relationships of trust.  This point has nothing to do with technology, does it?

Business modeling

Collaborate with your business partners to model the roles, activities, and constraints in each business unit that will be leveraging the IAM solution.  Understand what the toxic role combinations are, the foundations of their decision-making, who gets access to what, and where the compliance boundaries should be.  Remember that this doesn’t mean that decisions are always automated, just make sure that approvals can be made by the business and not require a security team member.

Automation and self-service

Now that you have the business roles and responsibilities modeled in your IAM system, turn it on.  Employees should glide through the authorization process, being granted rights automatically through attribute-based access controls or via an audited approval process owned by the business.  Next, take the helpdesk out of the picture by enabling self-service portals for things like multi-factor token requests, password resets and other IT related tasks.  This should all be automated.

Attestation and audit

Finally, make sure you control over-privileged employees or employees with stale access rights by creating an automated attestation system that prompts business owners to vouch for someone’s access (again, we’re not asking security these questions).  Everything mentioned above needs to be fully audited.  If you cannot find out exactly when, why and how something happened in the system, then you are doing it wrong.

True, the above is a high-level simplification of an IAM implementation, focusing on a few of the basics.  I’m just trying to drive the point home that after you have put the above system in place, you can relax, put your feet up and watch your baby get the job done.  No longer can you be blamed for being the business roadblock, the right people are making the decisions and you’ve got your bases covered through mature business modeling, automation, self-service, and enough audit data to keep you resting well at night.