Managing the Complexities of Identity and Access Management

I believe that the success or failure of virtually every cyber security program on the planet will hinge in the coming years on its ability to properly support identity and access management (IAM) functions both on-premise and in the cloud. With the challenge of supporting both attack defense and service enablement, IAM has evolved into one of the most complex aspects of information technology (IT) management. I’ve joked in the past that many IAM designs have grown to the point where they are officially more complicated than derivations of Maxwell's equations. And with the familiar progression of most organizations to the deployment of virtualized workloads in hybrid cloud infrastructure, this complexity – if not properly managed – could get out of hand. At the kind invitation of Ping Identity, I was able to immerse myself for a week into these topics during their wonderful Identity Summit in New Orleans several months ago. And during the event, one of the great experts in this area, Patrick Harding, CTO of Ping Identity, was kind enough to share with me his insights into this tough challenge.

EA: Patrick, in your experience, is there any aspect of an enterprise security program more important than identity and access management?

PH: Given our focus and passion at Ping Identity, I guess that’s an easy question to start with, because clearly we see the growing value of identity and access management in the enterprise for cyber security. For many years, this was considered a back-office component in IT, with the registration and maintenance functions viewed as including less attractive work such as the mundane, day-to-day administration of user accounts and access to business applications. Even the user support functions were often relegated to bureaucratic teams who would place you on hold for an hour if you needed to reset a password. The cloud, mobile computing, and the rise of APIs have all contributed to making IAM critical for virtually every customer we deal with.

EA: What role does the cloud play as either an enabler or detractor from the identity and access management goals of an organization?

PH: It is certainly the cloud that has made identity and access management the new primary control in enterprise security with cloud and SaaS applications now being used on par with private cloud and on-premise applications. The Ping Identity Platform gives users quick, secure access through a common set of federated identity and access functions that provide multi-factor authentication, single sign-on, access security, intelligence and analytics, directory, and provisioning. All these functions have to look like a seamless interface, but also must provide a uniform level of security control for cyber security teams and auditors.

EA: So many teams have had colossal failures trying to extend their identity and access management program to larger contexts. For example, failed programs to merge identity and access often follow corporate mergers. Similar failures have been seen trying to do this with cloud. Why so much difficulty getting this aspect of a security program right?

PH: It’s all about managing the complexity of these projects, and at Ping, we’ve tried to create a platform with simple, easy-to-use features so that federation, cloud integration, and other common failure points can be easily managed. Take multi-factor authentication, for example; it is no secret that employees are pretty tired of the non-uniform management of passwords for accounts, systems, networks, and other points of access. This is further complicated by the use of one-time passcodes, hard tokens, and biometrics. We have simplified this through an MFA service that uses a mobile app authenticating users with a swipe or touch on their self-registered device. Although we can’t change decisions organizations make about authentication policy, we can provide a flexible platform that makes it easier to support those policies. Single sign-on is another good example of a solution that improves productivity for users, improves security, and simplifies complexity in this area, especially with the progression of enterprise identities to cloud applications.

EA: In your estimation, is the identity and access management function best positioned with the CISO or with the CIO?

PH: We see both, and the truth is that the local staff in each area will play important roles. Maybe it’s less important which organization manages the identity and access functions, and more important that the correct set of individuals with the right backgrounds, funding, and support should have this responsibility in the enterprise. By the way, as a new primary control, it is also true that identity and access management becomes a more distributed responsibility across the entire organization. Internal and external audits, for example, almost always have identity and access as either a finding or a recommended control improvement, so no enterprise group can just hand off these important functions to a single group and have them take care of matters. Everyone in the organization must participate in making the identity and access infrastructure and set of services work in a way that is secure and enabling of the local business requirements.

EA: Do you see federation models continuing to grow? For larger organizations, the federation model is beginning to look like a rat’s nest of distributed trust. What do you see in the future?

PH: It will grow as long as the supporting platforms for identity and access management are maintained in a simple, well-designed manner. Our support at Ping for Microsoft Office 365 and Google Apps, for example, simplifies the user experience for native apps like Lync and Outlook, so that the cloud service looks like it’s hosted in the data center on premise. Similarly, hundreds of other SaaS applications are treated this way. Now the trust model has to be carefully considered. If a company decides to accept federated identities from a separate entity such as Google, then that is a local decision. But I don’t see banks ever accepting federated identities from many external organizations, like on-line gaming companies, for instance.

EA: Do you see API security and API access management as growing responsibilities in identity and access management platforms?

PH: Yes, and these might be the most important responsibilities with the expanded use of mobile, tablets, and wearables in the consumer and enterprise environments. Technologies such as HTML5, for example, require that platform solution providers like Ping offer support for the API gateways that result. Even legacy Web access management systems and gateway appliances require support at the API level as they transition to a common enterprise identity and access support model.