As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories— David “The Identity Jedi” Lee of SecZetta lays out the roadmap to achieving comprehensive identity management.
In the digital age, businesses are required to manage an ever-increasing number of identities. These identities can be employees, customers, or partners, and each has different access needs that must be considered across the lifecycle of their relationship with the organization. To complicate matters further, most organizations rely on multiple systems for identity management, which can lead to fragmentation and inaccurate identity data.
These systems can include Human Resource (HR) systems, Partner Relationship Management (PRM) systems, and Privileged Account Management (PAM) systems. Each system may contain different data about an individual entity’s relationship with the organization, and it can be difficult to combine this data into a single identity record.
In order to move toward comprehensive identity management, businesses need to ensure they have an accurate understanding of each individual entity’s relationship with the organization relative to its access needs. There is no one-size-fits-all solution for integrating identity systems. The following steps will help determine the best approach for your organization.
Establish a Clear Business Case for Identity Integration
Understanding that identity is at the center of modern-day security architectures makes the need for a clear integration of identity systems to create a single identity record foundational. Providing a single source of accurate and trusted identity data enriches security systems around it by assuring what user is authenticated, what access that user has been granted, and how they are using that access. Being able to see access information in your governance system, and have it correlate with access data in your identity management system, allows you to visualize a complete picture of what a user should have access to. Beyond enabling visualization, your monitoring systems now have richer identity context when viewing alerts on identity actions and your authorization policies can provide fine-grained access to rich identity data, allowing you to authorize continuously and at scale. Having a comprehensive and integrated identity management system enhances your current security architecture and increases operational efficiency in day-to-day operations as well as during an investigation.
The first step to accomplishing identity integration is to develop the business case to justify the investment. This is where many organizations struggle as they don’t have a way to operationalize the value of identity data or build a comprehensive view of risk. A few key considerations when formulating the business case are:
- What is the total cost of your current identity management infrastructure? This should include hardware, software, and support costs.
- How much time and money are spent on manual processes associated with identity management? This can include things like password resets, account provisioning/deprovisioning, and compliance reporting.
- What are the risks associated with your current identity management infrastructure? This can include things like data breaches, regulatory fines, and loss of customer trust.
Once you have a clear understanding of the cost and risks associated with your current identity management infrastructure, you can begin to build a business case for change. When thinking about an integration project, it’s important to consider both the one-time and recurring costs. One-time costs can include things like professional services fees, hardware, and software. Recurring costs can include things like support, maintenance, and license fees. It’s also important to think about the risks associated with not making a change.
Define the Business Requirements and Goals for Identity Integration
We all know the quote; “Don’t boil the ocean,” it’s been a staple in the identity world for decades. Ensure you define clear and specific goals for your identity integrations that map to business outcomes. Here’s an example: “In order to reduce our attack surface and increase efficiency in the management of third-party users, we’ll integrate our Identity Governance and Access management (IGA) solution with our third-party identity solution.”
This accomplishes three things:
- It explains the precise results that you are looking to obtain
- It defines clear outcomes that have an effect on the business
- It gives you a north star to drive your integration requirements and team towards. Whether that’s the selection of products, or outcomes to the business, you have something to point to that you can track as you begin your integration journey.
There are a few essential requirements that you’ll want to consider as part of your business goals.
- First, you need to be able to support the scale of identities both in terms of the number of entities and the number of attributes or data points associated with each identity. This data can come from many places including social media, IoT devices, partner relationships, and so on.
- Second, you must be able to support the variety of data types including structured, unstructured, and binary data. This is important because as businesses move towards a more digital way of doing things there is an explosion of data types that need to be managed.
- Third, the system needs to be able to support the velocity or rate at which data is created, updated, and deleted. This is important– for the system to be useful, the data must be accurate and current.
- And finally, you need to consider the security of the system. This includes not only the physical security of the infrastructure but also things like data encryption, role-based access controls, and auditing.
These requirements are just a starting point. As you define your business goals for identity integration you may find that you need to add or modify these requirements. The important thing is to have a clear understanding of what you need before moving forward.
Standards, Standards, and More standards
The key to successful identity integration is standards. Using open standards simplifies the process when integrating different systems and increases the likelihood of success. Open standards provide well-defined methods for communication and data formats that can be implemented by any organization. This allows for more interoperability between systems and easier integration.
Identity-related standards to be aware of include:
- SCIM (System for Cross-domain Identity Management) is an open standard that allows for the automation of user provisioning.
- SAML (Security Assertion Markup Language) is an XML-based standard that is used for exchanging authentication and authorization data between systems.
- OpenID Connect is a standard that builds on top of OAuth (Open Authorization) and allows for the secure exchange of user authentication data.
Using standards like these will make it easier to integrate your identity systems as well as improve communication and interoperability between different systems.
The goal isn’t to rebuild Frankenstein’s monster, instead you want a collection of components that easily exchange data with minimal development effort. The good news on this front is that API driven design is the accepted norm for building applications, which means if you’ve purchased an identity system in the past ten years there is very high chance it has an API, and it has support for identity standards.
When evaluating new identity products or services, confirm their support for open standards as well as their APIs. These will be essential for a successful integration.
Knowledge is Power
Now that you understand the importance of standards and APIs, let’s take a look at how you can use them to integrate your identity systems.
The first step is to determine which data you need to exchange between systems. This will be based on your business goals as well as any compliance requirements. Once you have this information, you can start to map out the data flow between systems.
Next, determine how this data will be exchanged. This is where standards and APIs come into play. Each system will have its own way of handling data but by using standards like SCIM, SAML, and OpenID Connect you can make it easier to exchange data between systems. If you don’t have one already, this would be your chance to create your Identity Blueprint. It should list the ideal profile for a digital identity within your organization and contain the list of attributes that are needed, the sources from which those attributes come, and the rules defining how the data is shared and updated.
For businesses to move toward comprehensive identity management, it’s critical they have an accurate understanding of each individual entity’s relationship with the organization relative to its access needs across the lifecycle of relationship. By using open standards and APIs, businesses can make it easier to integrate their identity systems as well as improve communication and interoperability between different systems.
Think Big, Act Small
The best way to approach an identity integration project is to break it down into smaller pieces that you can deliver quickly. By starting small, you can demonstrate the value of the integration to the business and get buy-in for future phases. Identify point to point integrations that can deliver value quickly and easily. As an example: connect your IGA solution to your Security Information and Event Management (SIEM) tool to provide identity context to log data. When looking at SIEM logs you’ll see information around an account, and maybe some general information around who the account belongs to. By enriching that with data held within your IGA tool, you’ll be able to not only see who owns that account, but also see what other accounts they have, where they sit within the organization, and who their manager is. Take this a tiny step further and you can issue an access review of this user’s account if you’re seeing suspicious activity, or even deactivate the account while you investigate.
It’s important to maintain a big picture of how you want your identity systems to talk to each other. Think of Google’s BeyondCorp initiative. Establish a milestone you are reaching for, and each point-to-point integration will move you closer and closer to your goal. You know the saying, “it’s a marathon, not a sprint.” The same applies to identity integrations. The Bottom Line
An ever-increasing number of identities require access to systems and data, which most organizations complicate further by relying on multiple identity management systems. To achieve the next level in identity management, organizations must first have a clear picture of each entity’s connection with the company throughout the relationship’s life cycle. By utilizing open standards that enable communications and data formats across different systems, organizations can accelerate the time to value for integrating identity systems. Additionally, businesses should divide identity integration projects into smaller pieces that can be delivered quickly to prove the value of the integration. The pace of business isn’t slowing down, and the need to have more identities and, thus, more data means businesses must have a way to bring it all together.
- A Roadmap for Achieving Comprehensive Identity Management - September 27, 2022