Hybrid IT is disrupting many processes in IT organizations and contributing to organizational complexity. That complexity extends to identity management, which allows organizations to understand not only who has access to the environment, but what has access as we expand into the internet of things. So what impact does hybrid IT have on identity management? To answer that requires an understanding of how we arrived at our current position.
The waves of identity
The history of identity management can be described in three waves.
The first was driven by IT operations teams reacting to disgruntled business users who were tired of waiting days or weeks to get access to IT services when they joined a company. Operations had to become more efficient by automating the provisioning of entitlements, and by revoking those entitlements quickly when employees left the company or no longer needed them.
The second wave hit in reaction to regulations that require the enforcement of least-privilege controls, such as Sarbanes-Oxley section 404, PCI DSS requirement 7, and HIPAA §164.312. Governance and compliance became the focus as “identity governance and administration” (IGA) became the preferred terminology. Requirements shifted to emphasize tools that could gather entitlement lists from systems or applications and make it convenient for business managers to certify that only the proper users have access, in an effort to satisfy demanding auditors. The earlier push to automate entitlements slipped backward into greater acceptance of manual provisioning and de-provisioning processes.
The emerging wave
The second wave has now crashed and is beginning to recede back into the ocean of trends. If the first wave was driven by the winds of operational efficiency, and the second by compliance mandates, then the emerging third wave is driven by a need for identity-centric security in reaction to hybrid IT and a more prominent focus on risk.
Hybrid IT brings with it a complex combination of traditional and cloud computing, along with IoT and edge computing, that changes faster than many second-wave identity management systems can handle. There is an extended enterprise whose growing scale and scope is beyond the reach of identity management systems that depend upon manual fulfillment and policy enforcement. Where there is an internet of things, particularly in retail, industrial, and health care organizations, there is a need for an identity of things.
That is because a hybrid environment cannot depend on perimeter controls around the enterprise to provide for the confidentiality, integrity, or availability of services and data that are in the extraprise. But identity can be a control point for access to services and data wherever they exist, to address modern risks that target sensitive data, or attempt to sabotage for political or financial gain, by exploiting gaps in controls.
An identity-centric security approach to reducing risk demands automated fulfillment to keep up with the pace of change in today’s enterprise. Collecting accounts and entitlements from systems and applications every two weeks, or waiting days or weeks for manual fulfillment of an entitlement change, as we see in second-wave systems, is wholly inadequate against current risks that mutate with alarming agility.
It also demands an adaptive approach that uses machine learning to identify patterns of unusual activity. Often referred to as user behavior analytics (UBA) or, when it also covers “things”, user and entity behavior analytics (UEBA), this analysis turns identity from a governance control and efficiency tool into a source of threat intelligence.
Imagine if UEBA had been in place during the 2013 Target hack and provided a more refined warning system that indicated that point of sale systems were unusually communicating to a compromised server. The problem in that case and others was not a lack of monitoring, but rather a lack of supporting information to raise the visibility of the highest-risk activity on their networks.
Automated fulfillment and UEBA aren’t sufficient on their own for mitigating today’s risks, though. The scale and pace of growth in the enterprise risk footprint is only going to accelerate, and that will require further evolution into automated response measures. Temporarily disabling entitlements when risk dictates will be necessary to fully realize the benefits of identity-centric security. We’ve seen numerous examples of an administrator’s credentials being stolen by an outsider using a spearphishing attack, and then used to exfiltrate sensitive information. That unusual activity should trigger an immediate revocation of all entitlements that privileged user possesses, to minimize data loss. Once the investigation clears the user and the credentials have been changed, entitlements can be quickly restored.
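The detect-then-respond loop the preceding paragraphs describe (a per-identity behavioral baseline, a flag when activity deviates, immediate suspension of the identity's entitlements, and restoration only after the investigation clears and credentials are rotated) can be sketched in a few dozen lines. This is an added illustration, not code from the article or from any identity product; the identities, hosts, entitlement names and log events are constructed, the "baseline" is a deliberately simple set-of-destinations plus mean-and-standard-deviation volume check, and the threshold factor `k=3.0` is an assumption.

```python
"""UEBA-style baseline check with automated entitlement suspension.
Added example; all identities, hosts, entitlements and events are constructed."""
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class Event:
    identity: str
    dest: str          # destination host the identity connected to
    bytes_out: int     # bytes sent to that destination


# Constructed history: a privileged admin who normally talks to two internal hosts.
HISTORY = [
    Event("admin1", "db01.corp", 20_000), Event("admin1", "db01.corp", 25_000),
    Event("admin1", "jump01.corp", 5_000), Event("admin1", "db01.corp", 22_000),
    Event("admin1", "jump01.corp", 4_000), Event("admin1", "db01.corp", 18_000),
]

# Constructed new activity: one routine connection, then a large upload to a
# never-before-seen external host (RFC 5737 documentation address).
NEW_EVENTS = [
    Event("admin1", "db01.corp", 21_000),
    Event("admin1", "203.0.113.7", 900_000_000),
]


@dataclass
class Baseline:
    dests: set
    mean_bytes: float
    std_bytes: float


def build_baseline(history, identity):
    """Learn the identity's usual destinations and outbound volume from history."""
    evs = [e for e in history if e.identity == identity]
    vals = [e.bytes_out for e in evs]
    if not vals:
        # Unknown identity: empty baseline, so any activity at all is flagged.
        return Baseline(set(), 0.0, 0.0)
    return Baseline({e.dest for e in evs}, mean(vals), pstdev(vals))


def score(event, baseline, k=3.0):
    """Return the reasons an event deviates from the baseline (empty list = normal)."""
    reasons = []
    if event.dest not in baseline.dests:
        reasons.append("new destination %s" % event.dest)
    if event.bytes_out > baseline.mean_bytes + k * baseline.std_bytes:
        reasons.append("volume %d exceeds baseline" % event.bytes_out)
    return reasons


@dataclass
class EntitlementStore:
    active: dict = field(default_factory=dict)     # identity -> set of live entitlements
    suspended: dict = field(default_factory=dict)  # identity -> set saved while revoked

    def suspend(self, identity):
        """Revoke everything the identity holds, remembering it for a later restore."""
        if identity in self.active:
            self.suspended[identity] = self.active.pop(identity)

    def restore(self, identity, investigation_cleared, credentials_rotated):
        """Return entitlements only once both gates are satisfied; report success."""
        if not (investigation_cleared and credentials_rotated):
            return False
        if identity in self.suspended:
            self.active[identity] = self.suspended.pop(identity)
        return True

    def has(self, identity, entitlement):
        return entitlement in self.active.get(identity, set())


def respond(events, history, store):
    """Score each event; suspend any identity that deviates. Returns {identity: reasons}."""
    flagged = {}
    for e in events:
        reasons = score(e, build_baseline(history, e.identity))
        if reasons:
            flagged.setdefault(e.identity, []).extend(reasons)
            store.suspend(e.identity)
    return flagged


if __name__ == "__main__":
    store = EntitlementStore(active={"admin1": {"db:admin", "vpn", "s3:write"}})
    print(respond(NEW_EVENTS, HISTORY, store))
    print("db:admin after suspend:", store.has("admin1", "db:admin"))
    store.restore("admin1", investigation_cleared=True, credentials_rotated=True)
    print("db:admin after restore:", store.has("admin1", "db:admin"))
```

The routine connection to `db01.corp` scores as normal, while the upload to `203.0.113.7` trips both the new-destination and the volume checks and the admin's entitlements are pulled in the same pass. `restore` refuses to reinstate them while either gate is still open, which is the point of the paragraph above: clearing the user is not enough if the stolen credential is still valid.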
Each wave of identity management emerged in response to conditions that produced necessary approaches to solve the challenges of the day. Today’s challenges exist in the scale and scope of hybrid IT, as well as the agility of attackers. Identity-centric security that brings together adaptive identity governance and administration, analytics, security monitoring and automated response will be the logical response to these challenges.
This article is published as part of the IDG Contributor Network.