3 Fundamental Questions to Ask of Your Identity Program
While many continue to hold onto the concept of the hardened perimeter, the stark reality is that we live in an ever-evolving, perimeter-less world, where anyone can access anything from anywhere. Our infrastructures are fundamentally borderless, our critical data is cloud-based, and our users work from anyplace on the globe – or 36,000 feet above it.
The first, and possibly only, line of defense we have is the identity: the trusted moniker that validates access rights across the enterprise and provides a trustworthy foundation for risk-based decisions. Unfortunately, most organizations never look past the “account” stage of an identity, missing a major opportunity to develop an evolutionary program on which they can build their future program.
Over the years, I’ve found there are a few fundamental questions that can be asked of any identity management strategy to shed light on how mature an organization’s identity program is. Obviously, these questions are not meant to be all-encompassing, but rather are intended to get the reader thinking about some basic necessities that are the foundation of whatever type of identity strategy you want to put forward.
Question #1: Where are your identities?
The first consideration needs to be whether or not you have an accurate inventory of your identities. An identity is not an account, but rather a collection of users’ roles and access rights based on predefined policies. These permissions are used throughout the enterprise to associate specific user credentials and rights to a system account. Too often, identity and account are used interchangeably, but from a holistic identity management position, the two are very different.
The best way to envision an identity is as a container which collects and holds all the users’ access rights across the enterprise. An identity will contain many user accounts, but there will only be one, single identity record per user. A typical enterprise will look at their Active Directory (AD) as the system-of-record for identities, but AD also controls and maintains user accounts. This, admittedly, muddies the water a bit, but separating the authentication functionality from the authorization process of AD is critical for success. Additionally, make sure your efforts include those infrastructure elements that do not use AD for authentications. Considerations should be given to identifying how applications, network devices, and Linux hosts authenticate and determine if central authentication processes exist which contains user information of those elements.
Question #2: How does your authentication work?
Secondly, it’s important to understand the end-to-end authentication process within your enterprise. It’s common to find mature infrastructures, after decades of managing accounts in a world of system and device sprawl, lose track of authoritative systems and account stores. While the vast majority of organizations have centralized on Active Directory for their Windows environments, significantly fewer have integrated network devices, applications, or their Linux hosts to AD as well. Far too often, these types of systems leverage local accounts for authentication and have no association to a common, managed identity repository.
Unwinding the authentication process can be tricky, especially for the applications that have been running for decades. Service accounts buried in applications or Linux shell scripts, SSH keys that are years (or decades) old, and trusted “shared” accounts will all provide both a challenge and an opportunity. Have no doubt – investing time to dig through code or document how users authenticate will have a lasting benefit.
Question #3: How is the business supporting our identity program?
Finally, in order to fully understand the accreditation process, you must understand the business processes around identity and/or account management. Regardless of the maturity level of your identity program, the process of managing credentials is fundamentally core to your success. While a manual process can be successful with enough rigor, automation is necessary to minimize the human errors which inherently creep into any manual process.
Auditability is key here. Could you randomly sample 20% of your accounts and have enough evidence to show each followed the documented process for account creation? Does the process start with the HR team at new hire? Does the direct-line manager initiate the request? Does the employee request access themselves? What about lateral moves or promotions? Understanding the approval process of how user accounts get created, maintained, and eventually shut down is honestly the true goal of any identity program. Add to that the need to prove the process was followed if you ever have to go through an audit, and you’ll understand why the workflow of account maintenance is so critical.
So, there you have it. Three foundational considerations for anyone building even a basic identity program. By investing in these three efforts upfront, you’re guaranteed to be more successful in the long term.