New tech steers identity and access management evolution

Identity is everything

While some organizations still treat identity and access management as an afterthought, Nemertes Research CEO Johna Johnson said it forms the very foundation of cybersecurity.

"If only the people who have the right to get access to data, applications or resources get access to it, then you have a secure environment," she said.

Of course, that's easier said than done, especially in today's evolving IT environment. While Johnson said identity and access management was once fairly simplistic -- she cited Microsoft's Active Directory as an example -- its complexity has exploded in the past five to 10 years.

Johna Till Johnson

"Cloud throws a monkey wrench into it," she said. "The fundamental principle behind access management is, one user gets access to a particular machine or application. But, now, you might have instances of your cloud-based applications strewn all over Amazon's or Microsoft's infrastructure."

Containers further complicate IAM, with users needing granular access to particular services and subservices within a distributed application. And user identities themselves have evolved beyond just full-time employees, with more customers, contractors and other third-parties requiring highly specific, tailored and controlled access.

Entegrus Powerlines, an electric distributor based in Ontario, began a significant IAM modernization project in 2018 -- driven in part by their adoption of cloud and containers. Dave Cullen, manager of information technology and security, said Entegrus' traditional approach of securing systems primarily from a physical perspective -- say, with firewalls -- had become too complex.

"We quickly realized centralizing identity and access management is the best way to achieve our objectives," he said. "IAM used to be for large organizations with large budgets, but now it's much more universal."

IAM helps enable the zero-trust model of cybersecurity, which amounts to granting a user access to the right resources at the right time.

"You can't really count on having a firewall somewhere in the middle making that decision for you," Johnson said.

IAM and user experience

Jon Lehtinen

Media company Thomson Reuters also recently embarked on an centralization initiative in its approach to identity and access management, part of a broader push to modernize and harden the organization's cybersecurity strategy. Jon Lehtinen, principal identity engineer, said he has long considered identity "the tent pole of security." Like ThoughtWorks, Thomson Reuters previously had a legacy SSO system built in-house that didn't use a standardized protocol -- such as the Security Assertion Markup Language (SAML), an open standard for sharing security information about identity, authentication and authorization across different systems. This meant applications had to integrate and negotiate sessions at the code level. This resulted in a tedious user experience, with a plethora of usernames and passwords across various applications.

"At the end of the day, everybody just wants to feel accomplished and not have unnecessary friction in accomplishing their tasks," Lehtinen said. "So when we pitched this to executives, we said, 'We're going to introduce one more username and password that will get rid of the rest of them."

They vetted a number of IAM authentication tools and ultimately landed on PingFederate -- an enterprise-grade, SAML-based identity federation server -- deeming it "a reliable workhorse."

"We were a small team, and I am a lazy man who does not like getting phone calls late at night for operational issues," Lehtinen joked. "So we put ourselves to the task of figuring out how to turn the PingFederate on-premises product into our own robust and living identity as a service [IDaaS] platform."

"The old systems we are replacing, which were run by managed service providers, carried a pretty significant cost," Lehtinen said. "The new system will save Thomson Reuters $1.2 million per year."

Additionally, he estimated that building rather than buying the customized IDaaS saved the company between $700,000 and $2.2 million. Not that it was easy: Thomson Reuters' divestiture of its finance and risk organization complicated the IAM authentication project by adding a massive separation initiative to the team's plate, as well as non-negotiable deadlines.

"It's simultaneously harrowing and exhilarating," Lehtinen said. "But there are some real quality-of-life improvements we get to pursue alongside our mad dash to get everything up and moved in time. We get to really have a tangible impact on the day-in-and-day-out operations of individual Thomson Reuters workers."

Who owns IAM?

"In a lot of cases, the person that runs IAM is actually not in cybersecurity," Johnson said. "They're in the user-access team or the customer- or employee-enablement team."

Ask yourself who should have access to what and under what circumstances. And that's actually a harder problem than most folks are used to dealing with.

While that might make many security pros cringe, she believes that, in some cases, it actually makes sense.

"The whole goal of IAM is to make it a whole lot simpler for the user, rather than having to log on and configure access on thousands of different applications," Johnson said. "And the person on the user- or employee-enablement side of the house is really thinking about, 'How can I implement all this permissioning in a way that makes the users' lives easier, not harder?'"

Organizations can run into trouble with IAM, however, when the right hand doesn't know what the left is doing, Johnson added. While the CISO and cybersecurity team might operate under false assurance that person X does not have access to resource Y, for example, someone in employee enablement might have in fact granted that access -- unaware of the security implications at play.

"Then, when something bad occurs, the board might say, 'How could this happen?'" Johnson said. "And it was because of this gap between the person running IAM and the cybersecurity folks."

She added that Nemertes' own research indicates that the more direct control the cybersecurity team has over access, the better their operational metrics. But, anecdotally, she has observed that identity and access management actually seems to work most smoothly when the point person has a dotted line into security, rather than a hard one.

"I hear competing philosophies and arguments for identity as an infosec, technology or human resources function," Lehtinen agreed. "Ultimately, I think it touches all three: Identity is the interconnecting thread across all of these business functions. How an organization chooses to staff or place its identity team is ultimately irrelevant, as long as that thread is continuous and hardened all the way across those functions."

Dave Cullen

Cullen similarly said Entegrus now starts weighing IAM considerations as soon as they begin scoping a new project or upgrade -- bringing application stakeholders from both the business and security sides to the table as early as possible.

"In an ideal world, you have those parties working together, because they're all key," he said.

Getting identity and access management started

Johnson recommended that organizations looking to modernize their IAM systems should reach out to vendors and start assessing leading products based on their high-level selection criteria. Security pros should consider to what extent tools would integrate with their current and future cloud-based resources and applications.

At the same time, Johnson suggested sitting down and tackling the concept of identity governance.

"You need to ask yourself who should have access to what and under what circumstances," she said. "And that's actually a harder problem than most folks are used to dealing with."

In Entegrus' case, they tested several platforms in a lab environment, keeping score cards for each. Key metrics included ease of integration with existing architecture, ease of adoption for new users, whether it was standards-based and open, and level of pre- and post-sale engineering support from vendors. Ultimately, they chose Idaptive, which it deployed alongside its Network Access Control from Pulse Secure.

"Having both access-layer security and identity implemented and married together, there is significant benefit," Cullen said. "We have a very dynamic computing environment. It's quite powerful."