While many organisations continue to hold onto the concept of the hardened security perimeter, the reality is that as a society we live in an ever-evolving, perimeter-less world, where anyone, friend or foe, can access anything from anywhere. Our infrastructures are essentially without borders, critical data is cloud-based, and employees work from anywhere at any time, day or night.
The essential line of defence we have left is identity: the trusted process that validates access rights across the organisation and provides a rigid foundation for risk-based decisions. As it currently stands, most businesses never look beyond the "account" stage of an identity, overlooking a major opportunity to build a cutting-edge program on which their future policies can rest.
Since our inception, Xello has found there are three basic questions that can be asked of any identity management strategy to highlight how mature an organisation's identity program is. These questions are not a substitute for true expertise; they are intended to get IT decision makers thinking about some fundamental requirements that form the foundation of a robust, modern identity strategy.
Question #1: Can You Locate Your Identities?
The first consideration is whether or not your business has an accurate inventory of its identities. An identity is not an account or subscription, but rather a collection of a user's roles and access rights based on preapproved policies. These permissions are used throughout the organisation to associate specific user credentials and access rights with a system account. Often, "identity" and "account" are used interchangeably, but from an over-arching identity management position, they differ considerably.
The most effective way to understand an identity is as a container which collects and stores all of a user's access rights across an organisation. An identity will contain multiple user accounts, but there will only be one, single identity record per user. A typical IT security team will treat its employees' Active Directory (AD) as the system-of-record for identities, but AD also controls and maintains user accounts. This can blur the view to some extent, so separating AD's authentication functionality from its authorisation process is critical for success. Additionally, businesses need to make sure their efforts include those infrastructure segments that do not use AD for authentication.
Question #2: How is the business supporting our identity program?
Secondly, in order to fully understand the accreditation process, you must understand the business processes around identity and/or account management. Regardless of the maturity level of your identity program, the process of managing credentials is core to your success. While a manual process can be successful with enough rigour, automation is necessary to minimise the human errors that inherently creep into any manual process.
Auditability is key here. Could you randomly sample 20% of your accounts and have enough evidence to show that each followed the documented process for account creation? Does the process start with the HR team at new hire? Does the direct-line manager initiate the request? Does the employee request access themselves? What about lateral moves or promotions? Understanding the approval process by which user accounts get created, maintained, and eventually shut down is the true goal of any identity program. Add to that the need to prove the process was followed if you ever go through an audit, and you'll understand why the workflow of account maintenance is so critical.
Question #3: How does your authentication work?
Finally, it's important to understand the end-to-end authentication process within your enterprise. It's common to find that mature infrastructures, after decades of managing accounts in a world of system and device sprawl, have lost track of their authoritative systems and account stores. While the vast majority of organisations have centralised on Active Directory for their Windows environments, significantly fewer have integrated their network devices, applications, or Linux hosts with AD as well. Far too often, these types of systems rely on local accounts for authentication and have no association with a common, managed identity repository.
Unwinding the authentication process can be tricky, especially for the applications that have been running for decades. Service accounts buried in applications or Linux shell scripts, SSH keys that are years (or decades) old, and trusted “shared” accounts will all provide both a challenge and an opportunity. Have no doubt – investing time to dig through code or document how users authenticate will have a lasting benefit.
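The inventory work behind Question #1 (one identity record per user, holding many accounts) and the orphan hunt behind Question #3 (local and shared accounts tied to no managed identity) can be approached as a reconciliation job. The script below is an added illustration, not Xello's tooling; it assumes a constructed HR roster as the authoritative identity source and constructed account exports from AD, a Linux host and an application, each carrying whatever linking attribute that store happens to keep.

```python
from dataclasses import dataclass, field

# Constructed sample data: the HR roster is the authoritative list of identities.
HR_ROSTER = {
    "E1001": {"name": "Ada Lovelace", "email": "ada@example.com", "status": "active"},
    "E1002": {"name": "Alan Turing", "email": "alan@example.com", "status": "terminated"},
}

# Constructed account exports: (store, account name, attributes that might link to an identity).
# AD carries an employeeID; the Linux host only has a GECOS field; the app has an owner email.
ACCOUNT_EXPORTS = [
    ("AD", "alovelace", {"employeeID": "E1001"}),
    ("AD", "aturing", {"employeeID": "E1002"}),
    ("linux:db01", "ada", {"gecos": "ada@example.com"}),
    ("linux:db01", "backup", {"gecos": ""}),          # local service account, no owner recorded
    ("app:crm", "svc_crm", {"owner_email": ""}),      # shared account, no owner recorded
    ("app:crm", "alan.turing", {"owner_email": "alan@example.com"}),
]


@dataclass
class Identity:
    """The 'container' from Question #1: one record per person, many accounts inside it."""
    employee_id: str
    status: str
    accounts: list = field(default_factory=list)  # (store, account) pairs


def build_inventory(roster, exports):
    """Return (identities, orphans): one Identity per roster entry, plus accounts that
    could not be linked to any identity by employee id or by email."""
    by_email = {v["email"]: eid for eid, v in roster.items()}
    identities = {eid: Identity(eid, v["status"]) for eid, v in roster.items()}
    orphans = []
    for store, account, attrs in exports:
        eid = attrs.get("employeeID")
        if not eid:  # fall back to whatever email-like attribute the store keeps
            eid = by_email.get(attrs.get("gecos") or attrs.get("owner_email"))
        if eid in identities:
            identities[eid].accounts.append((store, account))
        else:
            orphans.append((store, account))
    return identities, orphans


def findings(identities, orphans):
    """Two things an auditor asks for: leavers who still hold accounts, and unowned accounts."""
    leavers = [i.employee_id for i in identities.values() if i.status == "terminated" and i.accounts]
    return {"terminated_with_accounts": sorted(leavers), "orphaned_accounts": sorted(orphans)}
```

In a real run the three export lists would come from an AD query, /etc/passwd parsing and the application's user table; the linking attributes differ per store, which is exactly why the reconciliation has to be explicit.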
So there are our three foundational considerations for any organisation developing even a basic identity practice. By focusing your efforts on these three areas first, you're far more likely to be successful in the long term.