Boston’s Back Bay buildings, reflected in the Charles River. The City of Boston was named Identity Management Organization of the Year for its successful launch of its IAM program “Access Boston.” (Robbie Shade, CC BY 2.0 https://creativecommons.org/licenses/by/2.0, via Wikimedia Commons)
Developing a new identity management program can be a years-long transformation, so it’s best to get off on the right foot. On Tuesday, the first-ever “Identity Management Day,” experts identified key early steps to kick-start fledgling IAM initiatives in the right direction, including: defining the parameters of your program, establishing a governance model, communicating with stakeholders, and finding champions to support your efforts.
First, companies must define what constitutes IAM within their organization and then develop the project’s mission and scope around that.
“When we started our identity management journey… we were struggling with defining it,” admitted Greg McCarthy, chief information security officer with the city of Boston. “We wanted… a clear definition [so that] our users would understand what we’re doing. So we really focused on defining it as the security discipline that enables the right individuals to access the right resources at the right time for the right reasons.”
McCarthy spoke at an online panel session held to mark the inaugural Identity Management Day, a joint creation of the Identity Defined Security Alliance (IDSA) and National Cyber Security Alliance (NCSA). The two organizations named Boston their Identity Management Organization of the Year for its successful launch of “Access Boston” – a two-year multi-million-dollar reimplementation of an IAM program designed to improve the user experience, establish identity lifecycle management and access control, and modernize legacy systems.
McCarthy noted that Boston faced an array of identity challenges, but they largely boiled down to a lack of efficiency. “We had a lot of manual processes, people creating accounts manually,” he explained. Additionally, “we weren’t relying on a central identity store. We had some legacy architecture that was failing. We really needed to ensure that we were able to support our employee population, and access to critical applications, in a secure manner. So we realized that a reinvestment was required in order to actually accomplish that.”
There’s no shortage of factors to consider when starting up an identity management program, or rejuvenating one like Boston did. Organizations must ask, “What are the best things for me to tackle?,” said fellow panelist Tom Malta, head of IAM at the Navy Federal Credit Union. “It might be something regulatory related, it might be an efficiency gain, it might be a return on investment for a particular product.”
Greg McCarthy, CISO of Boston.
To properly address these issues and determine what to prioritize, you must first become intimately familiar with your business operations, pinpoint the key sources of identity-based risk, and then form a governance structure around that. “It’s really making sure you learn the business process – and that’s the starting point before you even think about implementing technology to drive that business process and make it more efficient,” said McCarthy.
One of the most critical business processes to understand is “how people move throughout the organization, and [how] access – whether it’s granting or revoking that access – changes while people move throughout the organization,” McCarthy continued.
Governance includes matters like: “Do you understand who’s coming in and out of the firm? Are you even managing your identities properly from onboarding and offboarding?” said Malta. “A lot of times, managers will call up the help desk: ‘Hey, I got this guy, I need him to start today and to give him credentials.’ But when he leaves, everybody forgets about that, and the guy ends up having access for too long.” The result is orphaned accounts: accounts belonging to former employees that remain active and enabled, ready for a malicious actor to take over without anyone noticing.
A particularly risky business process that frequently occurs in the government sector is the repeated transferring of employees from department to department, job to job. Malta called this the “most dangerous identity event there is” due to the “accumulation of… privileges. And that toxic combination of access that can get you in a lot of trouble.” So it is essential that workers’ access changes along with their roles: the entitlements of the old role must be revoked when those of the new role are granted, not simply left in place alongside them.
Fundamental governance issues such as these should be identified early in IAM planning stages.
“Definitely start with those basics,” said Malta. “And then as you mature, you start to add more controls, more layers to it. But getting the foundation right is so important. I can’t tell you how many times I walk into a company and just basic things aren’t operating correctly.”
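As an added illustration of the joiner/mover/leaver basics Malta and McCarthy describe (this is example code written for this article, not Access Boston’s code or any vendor’s), the following Python reconciles a constructed directory export against a constructed HR feed. It flags orphaned accounts (no owner in HR, or an owner who has already left), entitlements a mover still holds from a previous role, and separation-of-duties conflicts. Every employee, department, username and entitlement string below is hypothetical, and the role model and toxic-combination rules are assumptions made for the example.

```python
"""Joiner/mover/leaver review: reconcile a directory export against the HR feed.

Added example for this article; not Access Boston's or any vendor's code.
All data below is constructed.
"""
from datetime import date, timedelta

REVIEW_DATE = date(2021, 4, 13)  # hypothetical date of the access review

# Constructed HR feed (hypothetical employees, not real data).
HR_FEED = [
    {"employee_id": "E100", "dept": "Finance", "status": "active", "term_date": None},
    {"employee_id": "E101", "dept": "Payroll", "status": "active", "term_date": None},
    {"employee_id": "E102", "dept": "IT", "status": "terminated", "term_date": date(2021, 3, 1)},
]

# Constructed directory export. "ana" moved from Payroll to Finance and kept her
# old payroll entitlement; "cy" left six weeks ago; "svc-legacy" has no owner.
ACCOUNTS = [
    {"username": "ana", "employee_id": "E100", "enabled": True,
     "entitlements": {"ap_invoice_create", "ap_invoice_approve", "payroll_run", "erp_read"}},
    {"username": "ben", "employee_id": "E101", "enabled": True,
     "entitlements": {"payroll_run", "erp_read"}},
    {"username": "cy", "employee_id": "E102", "enabled": True,
     "entitlements": {"domain_admin"}},
    {"username": "svc-legacy", "employee_id": None, "enabled": True,
     "entitlements": {"db_read"}},
]

# Assumed role model: the entitlements each department's role is expected to carry.
ROLE_ENTITLEMENTS = {
    "Finance": {"ap_invoice_create", "erp_read"},
    "Payroll": {"payroll_run", "erp_read"},
    "IT": {"domain_admin", "helpdesk"},
}

# Assumed separation-of-duties rules: sets that must never sit on one identity.
TOXIC_COMBINATIONS = [
    ({"ap_invoice_create", "ap_invoice_approve"}, "create and approve own invoices"),
    ({"payroll_run", "payroll_approve"}, "run and approve payroll"),
]


def _hr_index(hr_feed):
    return {row["employee_id"]: row for row in hr_feed}


def find_orphaned_accounts(accounts, hr_feed, today, grace_days=0):
    """Enabled accounts with no owner in HR, or whose owner left more than grace_days ago."""
    hr = _hr_index(hr_feed)
    orphans = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        owner = hr.get(acct["employee_id"])
        if owner is None:
            orphans.append(acct["username"])  # no HR record at all: nobody is accountable
        elif owner["status"] == "terminated" and owner["term_date"] + timedelta(days=grace_days) <= today:
            orphans.append(acct["username"])  # leaver whose access was never revoked
    return sorted(orphans)


def find_excess_entitlements(accounts, hr_feed, role_model):
    """Entitlements an active account holds beyond its current role (mover accumulation)."""
    hr = _hr_index(hr_feed)
    excess = {}
    for acct in accounts:
        owner = hr.get(acct["employee_id"])
        if not acct["enabled"] or owner is None or owner["status"] != "active":
            continue  # leavers and unowned accounts are reported by find_orphaned_accounts
        expected = role_model.get(owner["dept"], set())
        extra = acct["entitlements"] - expected
        if extra:
            excess[acct["username"]] = sorted(extra)
    return excess


def find_toxic_combinations(accounts, rules):
    """Accounts holding every entitlement of a separation-of-duties conflict set."""
    hits = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        for conflict_set, description in rules:
            if conflict_set <= acct["entitlements"]:
                hits.append((acct["username"], description))
    return hits


if __name__ == "__main__":
    print("orphaned:", find_orphaned_accounts(ACCOUNTS, HR_FEED, REVIEW_DATE))
    print("excess:", find_excess_entitlements(ACCOUNTS, HR_FEED, ROLE_ENTITLEMENTS))
    print("toxic:", find_toxic_combinations(ACCOUNTS, TOXIC_COMBINATIONS))
```

In a real program the HR feed is the authoritative source of who should exist, so the reconciliation runs on a schedule and its findings feed the revocation workflow rather than a report nobody reads; the `grace_days` parameter exists because many organizations allow a short window after termination before an account is disabled, and the review should use the same window the policy does.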
An excellent way to learn how business processes work, and where potential risk exists, is to communicate regularly with all of the key players who stand to be affected by the IAM initiative.
“[Make] sure you’re listening to your stakeholders, your customers, your members,” so you can give them a frictionless IAM experience, said Malta. “And we need to open that up for our employees as well.”
Stephen Lee, vice president of tech strategy at Okta, said that as an executive of an IAM vendor, he understands that many different organizations within a single company own a part of identity management. “You have IT folks, you have the person that’s hosting your directory, you have HR, you have people that are bringing things to your office, setting up your chairs and desk and all that,” said Lee. “They all own a little bit of identity, and the only way to ensure success is [to] make sure there’s alignment.”
“I think it’s important to identify all that and make sure that nobody gets left out, because ultimately you’re going to need everybody’s voice and all that ammo to help you satisfy the requirements,” Lee continued. “A lot of people… try to solve the problem themselves, only to [be] running into walls because other people are not in agreement.”
“We did many, many discovery sessions with our business stakeholders, understanding where some of the pain points were,” said McCarthy.
By allowing stakeholders across the business to weigh in and collaborate, “you’ll find that the wins will come easier that way because they’ll be behind you… all throughout your journey,” said Malta. IAM “is a three-to-five-year project if you’re just starting out – so it’s an expensive, long-term function that a lot of people need to see value in. And if you bring them in, keep them close, keep them part of your core team, you’ll be very successful.”
Then, among all your varied stakeholders, find an individual willing to act as a champion to support the initiative and build consensus throughout the organization. That person does not necessarily have to be a technologist.
“One of our big project champions in the city was our CFO,” said McCarthy. “That’s always a really great person to have as your project champion because they hold all the money.”
Moreover, IT and security professionals sometimes lapse into “nerd” or “techie” language, which can hinder them in communicating the mission to the rest of the company. A non-technical champion can help translate the message. “So I think having a business stakeholder as your product champion is really beneficial,” McCarthy concluded.
Introducing Identity Management Day
The founders of Identity Management Day and other IAM thought leaders cited several key lessons that they hoped would come out of the awareness this new cybersecurity “holiday” would generate.
These include the need for responsible password policies: longer and stronger passwords, never reusing a password across accounts, and the use of password managers, according to Kelvin Coleman, executive director of the NCSA.
“A password manager is a great way to keep long and strong passwords so you don’t have to log in,” said Coleman to SC Media. “For enterprises, the same goes for using a password vault to lock up shared administrative passwords so they can be checked out, used once, and rotated after being checked in. The days of password spreadsheets in a drawer should be over.”
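The check-out, single-use, rotate-on-check-in cycle Coleman describes, as an added Python model written for this article (it is not the code of any PAM product): the vault holds at most one lease per shared account, rotates the credential to a fresh random value every time it is checked in, and keeps an append-only audit trail. The managed target system is simulated by an in-memory dict, and the account and requester names are constructed.

```python
"""Shared administrative password vault: check out, use once, rotate on check-in.

Added illustration for this article; not a real PAM product's code.
The target system that the password is actually valid on is simulated by a dict.
"""
import secrets
import string
from datetime import datetime, timezone

ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Simulated target system: account -> password currently accepted by that system.
TARGET_SYSTEM = {}


def set_target_password(account, password):
    """Stand-in for the API call that changes the credential on the managed system."""
    TARGET_SYSTEM[account] = password


class VaultError(Exception):
    pass


class SharedAdminVault:
    def __init__(self, password_length=32):
        self._secrets = {}   # account -> password the vault currently holds
        self._leases = {}    # account -> requester currently holding the checkout
        self.audit = []      # append-only (timestamp, event, account, actor) records
        self._length = password_length

    def _log(self, event, account, actor):
        self.audit.append((datetime.now(timezone.utc).isoformat(), event, account, actor))

    def _rotate(self, account, actor):
        new = "".join(secrets.choice(ALPHABET) for _ in range(self._length))
        set_target_password(account, new)  # change it on the system first...
        self._secrets[account] = new       # ...then record the new value in the vault
        self._log("rotate", account, actor)

    def onboard(self, account, actor):
        """Bring an account under management: the vault immediately sets a password nobody has seen."""
        if account in self._secrets:
            raise VaultError(f"{account} already managed")
        self._secrets[account] = None
        self._rotate(account, actor)

    def checkout(self, account, requester, reason):
        """Hand the current password to one requester; a second requester must wait."""
        if account not in self._secrets:
            raise VaultError(f"{account} not managed")
        if account in self._leases:
            raise VaultError(f"{account} already checked out by {self._leases[account]}")
        self._leases[account] = requester
        self._log(f"checkout: {reason}", account, requester)
        return self._secrets[account]

    def checkin(self, account, requester):
        """Release the lease and rotate, so the value the requester saw stops working."""
        if self._leases.get(account) != requester:
            raise VaultError(f"{account} is not checked out by {requester}")
        del self._leases[account]
        self._log("checkin", account, requester)
        self._rotate(account, "vault")

    def is_checked_out(self, account):
        return account in self._leases


def is_valid_on_target(account, password):
    """Would the simulated target system accept this password right now?"""
    return TARGET_SYSTEM.get(account) == password


if __name__ == "__main__":
    vault = SharedAdminVault()
    vault.onboard("svc-backup-admin", "iam-bootstrap")         # constructed account name
    pw = vault.checkout("svc-backup-admin", "alice", "ticket 1234")
    print("valid while checked out:", is_valid_on_target("svc-backup-admin", pw))
    vault.checkin("svc-backup-admin", "alice")
    print("valid after check-in:", is_valid_on_target("svc-backup-admin", pw))
```

The order inside `_rotate` matters: the new value is pushed to the target before the vault stores it, so a failure of the change call leaves the vault holding the password that is still valid rather than one that never took effect. The exclusive lease is what makes the credential attributable to one person for the duration of its use, which is the property a shared spreadsheet can never provide.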
Coleman also encouraged the use of single sign-on, multi-factor authentication and privileged access management. Neglect of these best practices is simply inviting trouble.
“Rather than penetrating firewalls and staring at lines of code on a screen, today’s cyber adversaries simply have to take advantage of individuals and businesses mishandling identity protection – a problem only amplified by the shift to remote work,” said Julie Smith, executive director of the IDSA, in an email interview. “The vast majority of data breaches making headlines are the result of poor identity management. Twitter, Marriott, Nintendo… the list goes on.”
“Our hope is that the annual awareness day will ultimately prevent breaches from occurring and introduce best practices for organizations and individuals to bolster defense of identities throughout the year,” Smith continued.
Indeed, “a strong, accurate, timely digital identity is going to be the foundation of robust security architectures going forward,” said Marc Rogers, executive director of cybersecurity at Okta. “Implementing a modern, best practice IAM architecture would virtually eliminate all simple ATO [account takeover] vectors and greatly reduce more complex vectors while also making them much more prone to detection.”
“Identity is the absolute core to providing security, privacy and protection for human beings and the digital world,” added Richard Bird, chief customer information officer at Ping Identity. “For the last 20 years, businesses have not been able to answer the most important question about their employee and customer identities, which is: Are you who you say you are? The inability to answer that simple question has resulted in hundreds of billions, possibly trillions, of dollars in economic loss and hardship for everybody.”