Friday, April 26, 2024

The Alternate Truths of Identity Management

Identity management has evolved over the years and like other areas of focus, it has been affected by recent trends in IT. Movement to the cloud, BYOD, IoT, and other hot button topics have played a role in the evolution of needs and challenges to identity management. Evolution can drive advancement and in the area of identity management, this is certainly the case.

Looking at BYOD as a simple example, what was once viewed by IT as a threat can now favorably be leveraged as a second factor of authentication when attempting to access data or applications. It’s a complete flip in perspective and, while there are still considerations to be made, BYOD has in many cases increased efficiencies, and one can argue even enhanced security.

Throughout this period, there are three tenets of identity management that I feel have not changed, at least in my mind anyway. I word it that way because depending on who you talk to or what you read, you may be advised differently, and that is why I refer to these as the “alternate truths of identity management.”

So what are these alternate truths? Not to be confused with alternative facts, they are counters to statements you may have heard over time, and similar to the above example of using your personal device to now increase your authentication security, I want you to flip these on their heads and look at them from an opposite perspective.

Alternative Truth #1

You don’t need to rip and replace all of your existing identity management tools.

The reality is that no matter how frustrated you may be, you’ve likely invested a lot of time and money into your existing security and identity infrastructure. While the guidance may be to do a rip and replace of these tools, you should look for ways to leverage your existing investments.

Yes, this still may mean you need to invest in some new technology, but take a modular approach. Look at how you can integrate any new software or technology with your existing investments so that you can benefit by leveraging the data you get from those sources. Establish your key foundational elements and then build on these over time, with each step addressing the lowest-hanging fruit for fast ROI.

There’s a concept in debt reduction called the Snowball Effect. The concept is that you should pay off the lowest debt you have first. Then you take the payments that you were making on that debt and add them to the next biggest debt you have, and keep it going until soon enough you are making massive debt payments on your largest remaining debt and eliminating it more quickly. Now, I’m not a financial expert, and the concept has its skeptics who say that it makes more sense to pay off your highest interest rate debts first. But here’s the response to that criticism and why I felt it a good example to bring up: the snowball effect eliminates your “low hanging fruit” first and gives you some quick wins. Each time you eliminate one of the debts, it’s a positive win and provides you with positive reinforcement to maintain your new behavior.

If we transfer this concept to identity management and take a modular approach to tackling our challenges and reducing risk, we can get some quick wins and eliminate some risk by first looking at our privileged accounts. These are likely low in number but high in risk, as these accounts have ultimate access to the applications and the data that reside in them. Consider implementing a form of identity governance, or even simply adding increased authentication requirements for these riskier accounts, and you will be lowering your risk. Then you can snowball your efforts on to the next challenge, all the while building on your foundation in a modular method.

Alternative Truth #2

You don’t always need to buy the latest and greatest technology.

In the fall of 2013, tech writers were making predictions about how Google Glass would change the world we live in. There were articles about how no doctor would perform surgery without wearing one, reporters would use them as their new recording devices, and we’d all be walking around with them on watching sports 24/7. But by January 2015, Google announced that Glass would be going away. There were a lot of reasons why Glass didn’t make it, but my point is that even if Oprah and Bill Murray are early adopters, sometimes it makes more sense to take a breath and see how things play out before you make the leap.

When it comes to your organization’s security and identity management, you need to be smart and think long term. While it didn’t happen in enterprises, imagine if everyone had invested a bunch of time and effort to secure Google Glass in terms of it being used to access our corporate applications and data. The time we spent on that new “latest and greatest” tech would have meant we weren’t spending time on the other areas that needed our attention. Of course, I realize sometimes the decision is made for you, as in the case of CEOs who started showing up in meetings with iPads when they first came out and pretty much forced the network access issue.

With technology constantly advancing, it’s a difficult task but you need to do your best to pick and choose what you think needs your attention because it will be here in the long run, and what you can put on the back burner for the time being as you aren’t sure whether it will be around next year.

Alternative Truth #3

You have allies in the line of business, you just don’t know them yet.

One of the things I often hear from customers who are in the middle of an identity project, or just finished one, is that they didn’t involve the business early enough. They never accounted for the line of business buy-in or adoption issues and that slowed things down or worse, killed elements of the project altogether.

The history with IT and line of business is that each thinks the other doesn’t understand the other’s point of view. The line of business staff think IT is the “department of no” and the IT staff think the line of business staff are rogue and don’t understand the risks. But, there are some line of business staff who are the trailblazers and forge ahead with new projects and likely don’t involve IT in doing so. While discovering those rogue projects can be frustrating and highlight potential risks, you should identify these people and instead of approaching them in an adversarial way to scold them on their project, you should leverage them to help you with yours. Clearly to pull off such a project, they have influence and trust from their coworkers – use that to your advantage and get them involved so they can help you and at the same time, they get educated about the risks.

The reality is that you need allies in the line of business to consult with during the planning and to be your project promoters during the implementation phase. Ultimately, if you can convince them of the value the project will bring to the line of business, then they will be one of your best assets to convince their colleagues as well.

As I started out by saying, identity management has gone through a lot of evolution over the last number of years. This isn’t going to slow down by any means; in fact, it will likely speed up. In the case of IoT devices, one of the trends mentioned at the beginning of this article, Gartner estimates that 20.4 billion new devices will be brought online by 2020. Each of those devices can easily represent a new identity that needs to be managed. If we look at this one estimate in terms of how it relates to the alternative truths, we’re left to ask the following questions:

  • Will vendors tell you that you need to rip and replace what you are using now to manage these devices?
  • What percentage of these devices represent a fad that ends up soon fading away?
  • How many of those devices will be brought online by an ambitious staff member on the business side without your IT department’s knowledge, and how will you react?

Your response to each of these questions will play a key role in determining how your organization addresses your identity and security challenges.

Maybe it’s time to look at things with a different, alternative approach?

Robert MacDonald
Director, Solution Strategy – Security, Micro Focus
