Making Security a Team Sport is Critical to Identity Access Management Success

A decade’s worth of digital transformation has created increasingly complex IT environments that need to be protected. At the core of these security efforts are the growing number of identities (both human and machine) that, more often than not, are at the center of the most impactful data breaches.

A recent report from the Identity Defined Security Alliance (IDSA), a group of vendors promoting Zero Trust and an identity-centric approach to security, revealed an uncomfortable truth—organizational disconnect complicates IAM efforts. It found that 33 percent of survey respondents cited a lack of alignment of goals as one of the key issues preventing security from engaging with workforce IAM, while 24 percent called out resistance from existing teams.

Turf wars over who should take ownership of identity management are far from infrequent – leaving enterprise security leaders with the nearly impossible task of balancing security best practices with the access requirements of different teams and users.  

Today we live in a world where each mobile device, on-boarded worker, application, machine, and cloud user represents a potential point of failure for network security. Getting it right starts with the idea that security is not just the job of the CISO, but the entire organization. The most successful security strategies take a collaborative approach – making it a team sport. Reaching that reality, however, takes a deliberate approach. 

Determine the Right Stakeholders
Identity management and access decisions can get political. If an employee finds access to specific network resources makes their job easier, and a security policy constrains that access, a conflict will almost certainly arise.

For that reason, when setting IAM policies, the right stakeholders must be at the table. In the typical enterprise, these stakeholders will include:
 

  • DevOps
  • Enterprise Architects
  • Business Applications
  • Cloud Team 
  • IT Operations

Each of these teams represents a critical piece of enterprise IT that needs to be represented during conversations about identity. For example, as DevOps teams strive to push out applications faster, they will continue to leverage cloud services and put pressure on businesses to adopt the configuration management, application development, and version control tools that will enable continuous delivery.

However, the use of these tools brings with it an added challenge to managing identity, as some organizations are left struggling with a manual access management process across a mix of on-premises and web-based solutions.

For security leaders, working with DevOps teams to develop a consistent approach to identity management is critical to ensuring access policies are effective while simultaneously helping DevOps teams to succeed. With this type of collaboration, security teams, which are often viewed as impeding progress, can instead work to empower it.

Know Your Users
Making sound decisions about identity access management also requires a clear understanding of the roles and responsibilities associated with each of those identities. IAM strategies must be designed with usability and user job functions in mind.
 
Understanding the pain points of users will increase the likelihood of adoption during the actual implementation process. Falling back to cumbersome authentication requirements will likely result in attempts to circumvent security controls – which defies the purpose of the policies and makes the job of the user harder.

Instead of only focusing on locking down identities and credentials, there should be an emphasis on problem-solving. What are the challenges enterprises are trying to address with their implementation? How can security help address these challenges while also meeting their goals? Understanding these needs will enable the stakeholders to identify potential problems and address them at the outset.
  
Speak Their Language
Too often, security leaders fall into the mindset that they are the organization’s police force. It’s important to remember, however, that security is not meant to be a stop sign. Instead of immediately heading towards “no,” security leaders should try to understand what each team needs, what their goals are, and what applications they are working on.

By making the focus of the conversation about them and how the security organization can make their lives easier, teams that may not normally think of how security correlates with their job are, instead, compelled to consider it. 

Everyone’s Job
The challenge of managing identity securely across on-premises, distributed, and cloud environments will only continue to grow. Doing it successfully will require increased levels of collaboration between security and other business functions.

Security is not just the job of any one group, it is everyone’s job. According to Verizon’s 2019 Data Breach Investigations Report, roughly 80 percent of hacking-related breaches involved the use of stolen credentials. With user identities at the core of securing the businesses, involving the right stakeholders, speaking their language, and understanding the organization’s users and their needs is a vital piece of laying a secure foundation for the enterprise.

What’s Hot on Infosecurity Magazine?