Identity and access management, as embodied in your enterprise’s identity solution, might just be the most essential aspect of your cybersecurity platform. The consensus from IT security experts, CTOs, and CISOs around the world is that identity is the most pressing issue in the field—even more so than malware. At Identiverse 2018, Ping Identity CEO Andre Durand summed it up perfectly: digital identity is poised to overtake and subsume all other categories of cybersecurity. The time has never been better to assess your enterprise’s identity solution and to possibly upgrade or restructure it.
Yet perhaps because of this new emphasis, picking the right identity solution for your enterprise has never felt more confusing or overwhelming. Does your enterprise need a more traditional IAM solution? Does it need a privileged access solution? Does it need identity governance? Should your enterprise be embracing biometric authentication or should it be utilizing other forms of authentication? Do you need multifactor authentication? Will you upgrade the legacy identity solution you currently have or will you need to select a new one?
These aren’t idle questions (very few of the questions we ask here are). Picking an identity solution for your enterprise can have lasting and rippling effects across your IT environment—and ultimately your entire business. If you choose a solution that isn’t the right fit, it may be extremely difficult and costly to change later on.
But don’t panic. We can help you make the right choice by giving you the tools for honest self-assessment. Here are 5 new questions to ask yourself before you even begin the identity solution selection process—the answers to which will help you make the right choice for your enterprise:
1. What Exactly is the Problem I’m Looking to Solve With My Identity Solution?
On its face, this seems like a trite question. In fact, the query has proven deceptively complicated for enterprises of all sizes. We’ve heard again and again from solution providers about enterprises looking for an identity solution when they themselves don’t fully understand the problem they are looking to solve. Without this self-knowledge, the chances of a successful IAM deployment slip closer to zero.
So you need to assess where your major identity problems are centered. Consider the following:
- Are you more interested in making sure that the people entering your network are who they say they are? A more vanilla IAM solution should do the trick.
- Are you concerned about your super-users and how they use their credentials? Or about keeping track of their powerful credentials? Privileged access management is probably your best choice.
- Worried about entitlement creep, or how your digital roles are granted and maintained via onboarding, offboarding, and provisioning? Identity governance and administration will most likely fit best with your needs.
Of course, most identity solution providers will provide their own IAM, PAM, and IGA products, albeit each with their own areas of emphasis and capabilities. Several will even have their own biometric authentication capabilities for those enterprises concerned about their authentication processes. But knowing what you need to solve most will help you narrow down your choices and thus help you make the best identity solution choice.
2. How Secure Do I Want/Need My Digital Identities to Be?
On a website devoted to digital identity security, this question must seem completely backward. However, it’s actually rooted in a deep and contentious debate among identity solution providers: the balance between user friction and security.
In his video interview with Solutions Review, Richard Bird of Optiv stated that we don’t worry about user friction in the analog/real world, so if we truly value our digital security we need to stop sabotaging our own safety by prioritizing a frictionless user experience. While we don’t disagree with Mr. Bird, we do note that there are some potential nuances to the debate.
For example, if your business needs customer identity and access management (CIAM) as part of its IAM, then you do need your customers’ user experience to be as frictionless as possible. Plenty of research shows that too much friction in the identity process can drive away business in a B2C environment, even if the reason is their own security.
Further, having too much friction for your employees can lead them to create workarounds or other subversive measures that can compromise your entire system. Relatedly, too much friction can indicate that you don’t know what is truly valuable in your IT environment, which can spread your defenses and IT security focus too thin.
Then again, having a daunting identity solution deployed at the front door (so to speak) can deter hackers from targeting your enterprise in the first place. Hackers are humans, and humans traditionally look for the easiest solution—in this case, they’ll look for a more vulnerable target rather than waste time trying to get past your defenses. This applies doubly to new hackers or to hackers reliant on products purchased on the Dark Web.
With all this in mind, ask yourself the following:
- How do I want my identity solution deployed across my enterprise?
- Do I want heavy security the entire way through my network? Or would I be okay with a layered or tiered approach where entry to the main network is easier but entry to the most vital databases is locked up tight with multifactor authentication?
- How much friction will my employees or customers tolerate before they try to subvert my identity solution or seek business elsewhere? Do I need to initiate a cultural change in my enterprise to bring my employees’ tolerance levels up?
- What authentication protocols will I consider mandatory? And are the factors I want to use in my authentication process reasonable to expect from my employees and/or customers?
3. Is My Enterprise Poised For Cloud Adoption and/or Digital Transformation?
The latest craze for enterprises of all sizes is digital transformation and cloud adoption. Really, it’s no surprise. Why shackle yourself to a brick-and-mortar institution when you can take to the electric skies and enjoy infinite scalability, better communication, and more creativity?
If your enterprise is getting ready to take the plunge, congratulations! But just like everything else in business, this needs to be done carefully and judiciously. If you are also selecting a new identity solution, your future in the cloud needs to be a major part of your decision-making. Will your identity solution be able to be deployed via the cloud? Can it secure your cloud-based assets? And do you know where all of those assets are?
A simple question, perhaps, but the simplest questions are often the hardest to answer.
4. Will I Need a Managed Identity Solution? Or Can My IT Security Team Handle It?
Managed services providers and managed security services providers (MSSPs) have become a popular choice for enterprises that lack the technical experience or human resources to deploy and maintain their cybersecurity solutions independently. Since even a ten-person team may now need to handle millions of customers thanks to the digital age, the ability to offload some of the identity solution responsibilities onto a third party is a welcome option for enterprises large and small.
The question for your enterprise is whether you need an MSSP to handle your identity solution. The answer may depend on both the availability of your IT security team and the kind of identity solution you’re considering deploying. Identity governance and administration will (generally) require more IT security resources to manage properly than a vanilla IAM solution, as just one example. Different identity solutions will require different levels of technical know-how, which can be hard to come by in this day and age.
If you’re having trouble answering these questions, you may wish to speak to your IT security team directly to get their assessment of the situation and what they need. Communication is, as always, the first step to better cybersecurity overall.
5. How Many Identities Do I Need to Secure?
This is simultaneously the most obvious and yet most deceptive question you need to consider. If you are a B2B-facing enterprise, you may be tempted to simply count your employees, but that’s not quite the answer. First off, you need to consider the third parties that need access to your IT environment for whatever reason. Remember that some of the worst data breaches of the past half-decade occurred because hackers infiltrated a third party and used that to penetrate their true target’s perimeter—the Target hack serves as a prime example. How many third parties access your network in a given day/week/month/quarter? How many distinct digital identities do they need? B2C businesses will of course need to consider the number of customers entering through customer portals each day.
Then you need to consider how your enterprise will grow and change over time. If your business ever decides to shift focus, will the identity solution you are considering be able to accommodate that? Will it be able to scale as you bring on new people and new third parties? Can it grow with your customer base?
Additionally, you need to consider the privileged identities that you may need to create in the future, and how regular identities will need to change or adapt as employees take on new roles and projects. The digital marketplace is fast-paced, and you need to be able to adapt just as quickly—with your identity solution in tow!
Again, the only way to answer those questions is to look critically at your enterprise and consider how your business processes and your authentication work now—and how you want those processes to work in the future.