May 14
Todd Rossin | CEO & Chief Strategist, IDMWORKS

How to Plan for Enterprise and Customer/Consumer IAM Program Success

The challenges of securing your environment, specifically with identity and access management (IAM), continue to increase in scope and complexity. Yet, too many organizations are still trying to tackle IAM, whether it’s enterprise, customer or consumer focused, on a project-by-project basis. Fifteen plus years and thousands of customer engagements have taught us a lot of lessons for ensuring success in the IAM arena. Combined, they point to a tried-and-true, proven process for assessing your existing environment, assessing what your goals are and marrying those together into an IAM blueprint and a phased-based roadmap to move your company forward.

The Devil’s in the Details
Digital transformation initiatives bring about a number of complexities that didn’t exist ten or even five years ago. Gone are the days of a tidy, on-premises perimeter that was easily controlled. Environments are more diverse. Cloud-first, mobile-first digital initiatives are the norm and they’re challenging security practices and putting IAM squarely in the spotlight.

We’ve entered a cycle where the volume of user identities, applications, devices and data has produced an explosion of vendor point solutions, which in turn has created a perfect storm of IAM complexity.

User and Device Proliferation
From an IAM perspective, the number of users that organizations need to provide secure access for has been increasing exponentially, whether they’re employees (B2E), other businesses (B2B) or direct customers/consumers (B2C). Users can be internal or external, and they’re bringing with them a broad cross-section of devices with varied authentication requirements and options.

“X” as a Service Application Expansion
While some legacy applications may currently reside on-premises, increasingly those apps are SaaS based or they are apps that have been moved into a cloud environment (i.e., IaaS and PaaS based) as part of a “cloud first” business directive.

Mergers and Acquisitions Activity
Many organizations continue to grow through mergers and acquisitions, and IAM teams are left to deal with more than a single domain of applications and identities (not to mention vendor solutions). This poses a massive challenge when trying to secure a “Rube Goldberg machine” of identity solutions.

Expanding User Constituencies
There are now multi-faceted constituencies to secure—employee, non-managed employee, partner, vendor and customer identities—all needing to access resources. You can’t apply the same clunky experience or constraints that you could get away with when you were just securing on-premises identity stores and shoving both enterprise entities and consumers into one place, or trying to manage “N” number of disparate identity stores and methodologies.

Partner identities bring risk. What happens if the partner’s worker leaves and goes to a competitor? Can the access be shut down at a single point for that partner worker, or will they still have back-door access through an untracked or unmanaged SaaS application?

Customer and consumer volumes bring access management needs that are orders of magnitude greater than just managing employee access. The scale is completely different, and the business implications and regulatory requirements increase the complexity of seamless and secure access. It’s not seamless if it’s not frictionless, and the solution won’t achieve the tried-and-true business goal of improving the customer experience.

Increasing Threat Vectors
Threat vectors continue to increase, and year-after-year, compromised credentials continue to be the number one cause of security breaches. Additional regulatory requirements have expanded in both data and consent management, requiring organizations to strengthen their authentication and authorization mechanisms for all users, systems and services. This includes both human (e.g., employee, customer, partner, etc.) and non-human (e.g., systems, services and robotics) digital entities.

Complex Regulatory Changes
While GDPR isn’t technically a U.S. regulation, the E.U. is specifying that any organization that collects any personal data of any E.U. citizen (including browsing history) and analyzes it in any way, processes that data in any way, stores it or uses it, is subject to their regulation and is liable for associated fines and penalties for non-compliance.

California is also blazing the trail of data privacy regulation within the U.S. with the California Data Protection Act.

Regulations like these are pushing organizations’ current, legacy IAM solutions beyond their “wheelhouse” and are driving innovation for better privacy control at both the device and data levels.

Data Proliferation
When it comes to customer data, it’s a challenge for organizations to have a single view of the customer or to link customer/consumer data across business units and data silos. But doing so is critical to securing customer and consumer data and ensuring compliance with industry and governmental regulations.

How are you protecting sensitive data? What are the practices and processes for registering, granting and maintaining an entity’s profile, consent and applicable access? Who has access to what data, and is it auditable?

Any one of these vectors can have both IAM and non-IAM projects associated with them, which is where problems often begin.

Start with an IAM Assessment
If identity is all you have left to control, where do you begin to build a holistic IAM program that will take into consideration the full scope of security complexity?

Once you understand what you need, how do you figure out how to put it all together into a cohesive architecture that scales and expands over time?

Once you have a vision, how do you convince the powers that be and sell it throughout your organization to get buy-in?

Where do you even start? This is one of the BIGGEST issues nearly every organization faces, and in my experience, a good answer is: with an IAM assessment.

Why Should Your Organization Assess?

  • To make sure that the right people get access to the right resources at the right time for the right reasons (and that you can prove it to auditors).
  • To eliminate waste, make the customer experience better, increase security and reduce risk.
  • To prevent and detect. To stop the bad before it happens by closing the door on the issues, but if (or when) bad things happen, to detect what went wrong so it can be prevented from happening again.

Determine the Appropriate IAM Category(ies) to Tackle
Before you begin an assessment, be sure you understand the type of program you’re building. Each identity type has a very different focus, stakeholders, solution set and assessment criteria.
Are you tackling:

  • Enterprise IAM – employees, consultants, vendors, interns, and so on
  • Customer IAM – external, direct users or entities
  • Consumer IAM – external partners or third parties that use or resell your products/services

What Should Your Organization Assess?
From a top-down perspective, IAM is fairly straightforward.

  • Administration includes the management of human and non-human identities and the entitlements assigned to them.
  • Intelligence is the ability to take data and metrics, analyze the results and take appropriate action based on them.
  • Authentication and Authorization cover not just the identities themselves but also:
      • What can these identities do?
      • When can they do it?
      • Where can they do it?
      • How can they do it?
  • Audit and Compliance form the ocean surrounding the “islands” of IAM (administration, intelligence, authentication and authorization), and tend to be drivers of many projects.

It seems simple until you peel back the layers to reveal the complexity inside. Each category contains many capabilities to cover with distinct functionality, many of which have their own vendor landscapes.
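To make the four authorization questions (what, when, where, how) and the surrounding audit layer concrete, here is an added example of a small default-deny policy evaluator. It is illustrative code written for this page, not IDMWORKS or Identiverse code; the policy, the entitlement name, the CIDR blocks and the sample requests are all constructed for the demonstration.

```python
"""Hypothetical default-deny access evaluator covering the what/when/where/how
questions, with every decision written to an audit trail. Added example;
all names and sample values are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class AccessRequest:
    subject: str              # who is asking
    action: str               # WHAT they want to do
    resource: str             # on which resource
    entitlements: frozenset   # entitlements assigned by the Administration function
    when: datetime            # WHEN (timezone-aware)
    source_ip: str            # WHERE the request originates
    auth_method: str          # HOW they authenticated, e.g. "password" or "mfa"


@dataclass(frozen=True)
class Policy:
    resource: str
    required_entitlement: str
    allowed_actions: frozenset
    allowed_hours_utc: Tuple[int, int]   # [start, end) hour window in UTC
    allowed_networks: Tuple[str, ...]    # CIDR blocks (constructed sample values)
    allowed_auth_methods: frozenset


def evaluate(policy: Policy, req: AccessRequest, audit: List[dict]) -> Tuple[bool, List[str]]:
    """Check every dimension; any failure denies. The decision and its reasons
    are appended to `audit` so the outcome can be proven later (Audit and Compliance)."""
    reasons: List[str] = []
    if req.resource != policy.resource:
        reasons.append("resource: policy does not cover %r" % req.resource)
    if policy.required_entitlement not in req.entitlements:
        reasons.append("what: missing entitlement %r" % policy.required_entitlement)
    if req.action not in policy.allowed_actions:
        reasons.append("what: action %r not permitted" % req.action)
    hour = req.when.astimezone(timezone.utc).hour
    start, end = policy.allowed_hours_utc
    if not (start <= hour < end):
        reasons.append("when: hour %d UTC outside window %d-%d" % (hour, start, end))
    addr = ip_address(req.source_ip)
    if not any(addr in ip_network(net) for net in policy.allowed_networks):
        reasons.append("where: source %s not in an allowed network" % req.source_ip)
    if req.auth_method not in policy.allowed_auth_methods:
        reasons.append("how: authentication method %r not accepted" % req.auth_method)
    allowed = not reasons
    audit.append({
        "subject": req.subject, "action": req.action, "resource": req.resource,
        "when": req.when.isoformat(), "source_ip": req.source_ip,
        "auth_method": req.auth_method, "allowed": allowed, "reasons": list(reasons),
    })
    return allowed, reasons


# Constructed sample policy: payroll data, business hours, internal networks, MFA only.
PAYROLL_POLICY = Policy(
    resource="payroll-db",
    required_entitlement="payroll:read",
    allowed_actions=frozenset({"read"}),
    allowed_hours_utc=(8, 18),
    allowed_networks=("10.0.0.0/8", "192.168.0.0/16"),
    allowed_auth_methods=frozenset({"mfa"}),
)


def run_demo() -> List[dict]:
    """Evaluate three constructed requests and return the resulting audit trail."""
    audit: List[dict] = []
    base = dict(resource="payroll-db", entitlements=frozenset({"payroll:read"}))
    # 1: in hours, internal network, MFA -> allowed
    evaluate(PAYROLL_POLICY, AccessRequest(subject="alice", action="read",
             when=datetime(2024, 5, 14, 10, 0, tzinfo=timezone.utc),
             source_ip="10.20.30.40", auth_method="mfa", **base), audit)
    # 2: same identity at 03:00 UTC -> denied on "when"
    evaluate(PAYROLL_POLICY, AccessRequest(subject="alice", action="read",
             when=datetime(2024, 5, 14, 3, 0, tzinfo=timezone.utc),
             source_ip="10.20.30.40", auth_method="mfa", **base), audit)
    # 3: external address with password only -> denied on "where" and "how"
    evaluate(PAYROLL_POLICY, AccessRequest(subject="bob", action="read",
             when=datetime(2024, 5, 14, 12, 0, tzinfo=timezone.utc),
             source_ip="203.0.113.5", auth_method="password", **base), audit)
    return audit


if __name__ == "__main__":
    for record in run_demo():
        print(record)
```

The point of the structure is that each of the four questions is a separate check with its own reason string, and the audit record captures all of them whether the request was allowed or not. An assessment of an existing environment can ask the same thing of every application in scope: for each one, which of these checks exist, where are they enforced, and where is the evidence kept?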

What Is the End Goal of the Assessment for Your Organization?
A strong IAM program requires a thoughtful approach to the solutions that you’ll be integrating over the years to come. Taking the time to assess your current state and your desired future state will save significant amounts of time, money and wasted cycles in the future. A comprehensive assessment is a key first step in a multi-stage approach that helps you tackle your identity program in consumable portions based on priority.

The end goal is to define an enterprise-accepted future state architecture that can be tied back to the issues, wants and associated requirements that an assessment identifies. Once this is defined, a true roadmap to implement solutions in a cost-effective, time-effective and security-focused manner can be achieved.

While this can be an intricate process, with variants across enterprise and consumer identity, there are some tried-and-true methodologies that can guide you along the way. Step into a session on enterprise and/or consumer IAM assessments at Identiverse for deeper insights and stories from the battlefront.
