In this chapter
- Explore criteria for selecting strategy and technology partners
Table of Contents
- Identity Moves to the Center of Security
- The Power of Identity Governance
- Identity Governance in Action
- Identity Governance and the Cloud
- Building your Strategic Roadmap
- Selecting the Right Partners
Throughout this guide we have emphasized how identity governance processes touch every employee and every part of the organization. They have major impacts on security, operational costs, and employee productivity. They also need to evolve to support new business and technology initiatives: mobile applications, cloud computing, and unstructured data today; the Internet of Things and advanced analytics very soon; and as-yet-unknown projects coming down the pike.
To meet these challenges, you want to work with strategy and technology partners that not only satisfy your requirements today, but can be allies over the long haul. In this chapter we outline some of the criteria for selecting those partners.
A strategy partner can help you:
- Assess current capabilities and weaknesses
- Develop a strategic plan and roadmap
- Build acceptance for identity governance projects at managerial and lower levels
- Update the roadmap as new opportunities and challenges emerge
The ideal strategy partner will have experience helping organizations in your industry that are operating at the same scale as yours and facing the same challenges. You should also look for firms that have demonstrated both strategic vision in identity governance and skills to guide the implementation of individual projects.
When you evaluate technology partners such as software vendors, you obviously want to find solutions that meet your immediate requirements for features and functions. But also keep these considerations in mind:
- Does the vendor have experience with organizations in your industry, operating at the same scale as you do?
- Can you single-source multiple elements of identity governance from one vendor (so you don’t need to integrate solutions from several parties)?
- Does the vendor have a good track record of upgrading technologies and extending identity governance to new areas?
- Does the vendor offer strong support and professional services that you can call upon when you need help or short-term resources?
See if the vendor has an active users group. A vibrant customer community is a sign of long-term viability, as well as a source of information and support for new customers.
An Open Identity Platform
In Chapters 2 and 4 we discussed how identity governance solutions need to acquire data from all of the organization’s directories, applications, and repositories of unstructured data, as well as cloud platforms, so they can create a comprehensive view of users and permissions.
Because integration provides so much value, identity governance solutions should be built on an "open identity platform"; that is, a structure that makes it easy to connect to systems that contain identity information and to interface with cybersecurity technologies. Attributes include:
- Out-of-the-box connectors to directories and applications
- Interfaces to file shares, on-premises storage networks, cloud-based file storage services, and other repositories of unstructured data
- Integration with other identity management tools, such as authentication, single sign-on, PAM, and GRC products
- Integration with MDM, DLP, SIEM, and security analytics tools you have in your organization today or might want to work with in the future
- Integration with service management and technical support ticketing systems you use to handle access requests and issues
Also, because new applications and security technologies come along every year, the open identity platform should include a framework and tools for creating new connectors. The platform should offer the ability to leverage APIs and identity-related standards such as LDAP, SAML, and SCIM. It might also provide agents that can be configured quickly for new data sources, or agentless technology that makes it easier to deploy new connectors.
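The comprehensive view of users and permissions described above depends on pulling records out of several source formats and correlating them into one identity. The following is an added example, not SailPoint's code or any product's connector framework: it normalizes a SCIM 2.0 User resource and an LDAP inetOrgPerson-style entry into one record keyed on the work e-mail address. The sample records are constructed inline, and the field mapping (e-mail as the correlation key, group names as entitlements) is an assumption made for illustration.

```python
"""Added example (not SailPoint code): aggregate identity records from two
source formats, a SCIM 2.0 User resource and an LDAP-style entry, into one
normalized view keyed on the work e-mail address.  Sample records are
constructed inline; the field mapping is an assumption for illustration."""
from dataclasses import dataclass, field

# Constructed sample: a SCIM 2.0 User as a cloud application's /Users
# endpoint would return it (core schema attributes only).
SCIM_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "id": "2819c223",
    "userName": "jsmith@example.com",
    "name": {"givenName": "Jane", "familyName": "Smith"},
    "emails": [{"value": "jsmith@example.com", "primary": True}],
    "active": True,
    "groups": [{"display": "finance-approvers"}, {"display": "crm-users"}],
}

# Constructed sample: the same person as an LDAP entry (inetOrgPerson
# attribute names; memberOf as many directories expose it).
LDAP_ENTRY = {
    "dn": "uid=jsmith,ou=people,dc=example,dc=com",
    "uid": "jsmith",
    "mail": "JSmith@Example.com",
    "cn": "Jane Smith",
    "memberOf": ["cn=finance-approvers,ou=groups,dc=example,dc=com",
                 "cn=vpn-users,ou=groups,dc=example,dc=com"],
}


@dataclass
class Identity:
    email: str
    display_name: str = ""
    active: bool = True
    # Entitlements kept as (source, name) pairs so the origin of each
    # permission survives the merge and can be shown to a certifier.
    entitlements: set = field(default_factory=set)
    sources: set = field(default_factory=set)


def from_scim(rec: dict) -> Identity:
    """Map a SCIM User to the common model; prefer the primary e-mail."""
    primary = next((e["value"] for e in rec.get("emails", []) if e.get("primary")),
                   rec["userName"])
    n = rec.get("name", {})
    return Identity(
        email=primary.lower(),
        display_name=f"{n.get('givenName', '')} {n.get('familyName', '')}".strip(),
        active=rec.get("active", True),
        entitlements={("scim", g["display"]) for g in rec.get("groups", [])},
        sources={"scim"},
    )


def ldap_group_name(dn: str) -> str:
    """Return the first RDN value of a group DN: 'cn=x,ou=...' -> 'x'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1]


def from_ldap(rec: dict) -> Identity:
    """Map an LDAP entry to the common model; e-mail is case-normalized."""
    return Identity(
        email=rec["mail"].lower(),
        display_name=rec.get("cn", ""),
        entitlements={("ldap", ldap_group_name(g)) for g in rec.get("memberOf", [])},
        sources={"ldap"},
    )


def merge(identities: list) -> dict:
    """Correlate on normalized e-mail; union entitlements from every source.
    A person disabled in any one source is treated as inactive overall."""
    view = {}
    for ident in identities:
        cur = view.get(ident.email)
        if cur is None:
            view[ident.email] = ident
            continue
        cur.display_name = cur.display_name or ident.display_name
        cur.active = cur.active and ident.active
        cur.entitlements |= ident.entitlements
        cur.sources |= ident.sources
    return view


def build_view() -> dict:
    """Run both connectors over the constructed samples and merge."""
    return merge([from_scim(SCIM_USER), from_ldap(LDAP_ENTRY)])


if __name__ == "__main__":
    for email, ident in build_view().items():
        print(email, sorted(ident.sources), sorted(ident.entitlements))
```

The point of carrying the source name with every entitlement is that a reviewer can later see that "finance-approvers" is granted in two systems, which is exactly the cross-system picture a single directory cannot give.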
Consistency Across Environments
You may have noticed that:
- Employees expect the same access to computing resources, regardless of where applications run.
- Auditors demand that all data access meets corporate policies, regardless of where the data is stored.
- Managers want a single system for requesting and approving access.
- Administrators prefer one tool to provision access to data center, cloud, and mobile applications.
- Analysts need to correlate identity and event data from all directories, applications, and systems in the enterprise.
To satisfy all these audiences, look for identity governance solutions that use one set of interfaces, processes, enforcement mechanisms, and analytics tools across data center, cloud, and mobile environments.
Coverage of Unstructured Data
Today, many cybercriminals and rogue insiders target unstructured data, including documents, spreadsheets, slide presentations, software and product design files, email and text messages, and social media posts. These can contain credit card and Social Security numbers, business secrets and intellectual property, and sensitive personal information.
Look for identity governance solutions that can extend monitoring and policy enforcement to repositories of unstructured data, including:
- Cloud storage services
- Email servers and online collaboration portals
- File shares and storage networks
Through connectors and APIs, the system might track:
- Who created and owns files and folders
- Who has permissions to access each file and folder
- What sharing is enabled for each (e.g., "private," "share with people you invite," "anyone with the link can view," "anyone with the link can edit")
- Who has accessed each file and folder
This data can alert you to risks and policy violations, identify files and folders that require special monitoring, and help you improve policies and processes for storing and accessing unstructured data.
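To make concrete how the ownership, permission, sharing and access data listed above turns into alerts, here is an added example (not SailPoint's code or any product's policy engine) that evaluates a constructed file inventory against three governance rules: sensitive content shared by link, files owned by an account that no longer exists, and access by accounts that hold no explicit permission. The record layout, the sharing-mode labels and the rules themselves are assumptions chosen to mirror the sharing options named above.

```python
"""Added example (not SailPoint code): evaluate a constructed inventory of
files from an unstructured-data repository against a few governance rules.
Record layout, sharing-mode names and rules are assumptions for illustration."""
from dataclasses import dataclass

# Sharing modes in increasing order of exposure (constructed labels that
# correspond to the four sharing options listed in the text).
SHARING_RANK = {
    "private": 0,
    "invited": 1,      # "share with people you invite"
    "link-view": 2,    # "anyone with the link can view"
    "link-edit": 3,    # "anyone with the link can edit"
}


@dataclass
class FileRecord:
    path: str
    owner: str
    permitted: set      # accounts granted access through explicit permissions
    sharing: str        # one of SHARING_RANK
    sensitive: bool     # set by content classification (e.g. card numbers found)
    accessed_by: set    # accounts seen in the repository's access log


# Constructed inventory and a constructed list of still-active accounts.
ACTIVE_ACCOUNTS = {"alice", "bob", "carol"}
INVENTORY = [
    FileRecord("finance/q3-payroll.xlsx", "alice", {"alice", "bob"}, "private", True, {"alice", "bob"}),
    FileRecord("sales/pricing-2024.pptx", "bob", {"bob"}, "link-edit", True, {"bob", "anonymous"}),
    FileRecord("eng/design-notes.docx", "dave", {"dave", "carol"}, "invited", False, {"carol"}),
    FileRecord("hr/offer-letters/", "carol", {"carol"}, "link-view", True, {"carol", "mallory"}),
]


def findings(records, active_accounts):
    """Return (path, rule) pairs, one per governance violation found."""
    out = []
    for r in records:
        # Rule 1: classified-sensitive content must never be reachable by link.
        if r.sensitive and SHARING_RANK[r.sharing] >= SHARING_RANK["link-view"]:
            out.append((r.path, "sensitive-data-link-shared"))
        # Rule 2: an owner who has left means nobody will certify this item.
        if r.owner not in active_accounts:
            out.append((r.path, "orphaned-owner"))
        # Rule 3: access by an account with no explicit permission and not the
        # owner points to link-based access or a broken permission model.
        for who in sorted(r.accessed_by - r.permitted - {r.owner}):
            out.append((r.path, f"access-without-permission:{who}"))
    return out


if __name__ == "__main__":
    for path, rule in findings(INVENTORY, ACTIVE_ACCOUNTS):
        print(f"{rule:40s} {path}")
```

Rule 3 is the one that ties the four tracked facts together: it only works because the system knows both who is permitted and who actually accessed each item, which is why the text asks for both to be collected.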
We have mentioned several times how critical it is to gain the active participation of non-technical business people in identity governance activities. Only business users and application owners can fully understand both access requirements and access-related risks. You are going to rely on business managers to certify access rights and rigorously reduce unnecessary permissions.
To encourage the participation of business people, you should find identity governance solutions that:
- Have intuitive and easy-to-use interfaces suitable for non-technical users
- Use business-friendly terminology and concepts, without jargon or cryptic system and network names
- Provide features that address real-world conditions (e.g., allow managers to delegate approval authority if they are busy, and send email reminders when managers fail to respond within a specified period)
Analytics and Risk Management
Security analytics and risk management can improve incident response and help organizations detect weaknesses in their security infrastructure and practices. You should seek identity governance solutions that capture comprehensive identity-related data from across the enterprise, then correlate the data to identify policy violations and reveal vulnerabilities such as employees with too many permissions and access rights created outside of authorized processes.
Some vendors are working on identity governance solutions that capture and correlate event data (log-on attempts, file downloads), calculate baseline levels for these events, and flag departures from the baselines. They will also be able to feed risk scores for users and transactions to risk management and fraud detection platforms.
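The two preceding paragraphs describe two kinds of analysis: correlating governance data to find access rights created outside authorized processes, and computing baselines for event data so that departures can be flagged. The following added example (not SailPoint's code or any vendor's analytics engine) does both over constructed sign-on counts and provisioning records. The log layout, the "mean plus three standard deviations" band, the minimum band width and the ticket-matching rule are all assumptions chosen for illustration.

```python
"""Added example (not a vendor's product): compute per-user baselines from
constructed sign-on event logs, flag the latest day when it departs from the
baseline, and cross-check permission grants against approved access requests.
Log format, thresholds and the ticket rule are assumptions for illustration."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily sign-on counts: (user, ISO date, logons that day).
LOGON_EVENTS = [
    ("alice", "2024-03-01", 4), ("alice", "2024-03-02", 5), ("alice", "2024-03-03", 4),
    ("alice", "2024-03-04", 6), ("alice", "2024-03-05", 5), ("alice", "2024-03-06", 41),
    ("bob",   "2024-03-01", 2), ("bob",   "2024-03-02", 3), ("bob",   "2024-03-03", 2),
    ("bob",   "2024-03-04", 2), ("bob",   "2024-03-05", 3), ("bob",   "2024-03-06", 3),
]

# Constructed permission grants as a provisioning system might log them, and
# the constructed set of request tickets that completed the approval workflow.
GRANTS = [
    {"user": "alice", "entitlement": "erp-admin", "ticket": "REQ-1041", "by": "provisioner"},
    {"user": "bob", "entitlement": "crm-users", "ticket": "REQ-1042", "by": "provisioner"},
    {"user": "bob", "entitlement": "payroll-db-rw", "ticket": None, "by": "dbadmin"},
    {"user": "alice", "entitlement": "vpn-users", "ticket": "REQ-9999", "by": "provisioner"},
]
APPROVED_TICKETS = {"REQ-1041", "REQ-1042"}


def baselines(events, min_days=5):
    """Per-user (mean, population std-dev) of daily counts, computed on every
    day except the most recent one so the day being judged is not in its own
    baseline.  Users with too little history get no baseline."""
    per_user = defaultdict(list)
    for user, day, n in sorted(events, key=lambda e: (e[0], e[1])):
        per_user[user].append((day, n))
    out = {}
    for user, series in per_user.items():
        history = [n for _, n in series[:-1]]
        if len(history) >= min_days:
            out[user] = (mean(history), pstdev(history))
    return out


def flag_departures(events, k=3.0, floor=2.0):
    """Flag the latest day for any user whose count exceeds mean + k*stddev.
    The floor is a minimum band width so a perfectly regular history does not
    produce a zero-width band that flags any change at all."""
    base = baselines(events)
    latest = {}
    for user, day, n in events:
        if user not in latest or day > latest[user][0]:
            latest[user] = (day, n)
    flagged = []
    for user, (day, n) in latest.items():
        if user in base:
            m, sd = base[user]
            if n > m + k * max(sd, floor):
                flagged.append((user, day, n, round(m, 1)))
    return flagged


def out_of_process_grants(grants, approved):
    """Grants with no request ticket, or with a ticket that never passed
    approval: access rights created outside the authorized process."""
    return [g for g in grants if g["ticket"] not in approved]


if __name__ == "__main__":
    for user, day, n, m in flag_departures(LOGON_EVENTS):
        print(f"{user}: {n} sign-ons on {day}, baseline {m}")
    for g in out_of_process_grants(GRANTS, APPROVED_TICKETS):
        print(f"out-of-process grant: {g['user']} -> {g['entitlement']} (ticket {g['ticket']})")
```

Holding out the day under review when computing the baseline matters in practice: including it lets an extreme value raise its own threshold. The two result lists are the kind of per-user signals the text says could be fed to risk management or fraud detection platforms as inputs to a risk score.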
A Cloud Strategy
As we discussed in Chapter 4, identity governance solutions should help you migrate applications to the cloud safely. Your technology partners should have a strategy for integrating with a wide range of cloud-based applications and services. Also, you might want to give preference to vendors that offer some or all components of identity management as cloud-based services (IDaaS), or better yet, provide options for hybrid solutions with some elements deployed on premises and others in the cloud.
We started this guide by pointing out that most data breaches and unauthorized insider activities involve the misuse of user credentials. Identity governance solutions are designed to minimize these abuses by ensuring that permissions to access computing resources are assigned and controlled based on explicit organizational policies.
To achieve these goals you need sophisticated technology and the active participation of business managers, employees, and technologists. We have highlighted the importance of developing an identity strategy and roadmap that pull in resources from many parts of the business to generate early wins, build momentum, and evolve to meet changing business and technical needs. We have also made suggestions about criteria to use in selecting strategy and technology partners to help you move forward.
Please share these ideas (and this guide) with your colleagues as a basis for discussion about how identity governance principles and practices can be applied in your environment. Then, when you have started to implement your strategy, share the results with your professional community, so we can learn from one another.
Find out how SailPoint can help your organization.