Blunders that lead to costly identity and access management failures
While IAM project failures may not quite rank up there with the biggest ERP blunders on record, they still rank high among some of IT security's most embarrassing wastes of investment. When organizations fail to properly align business processes with technology, don't account for the dynamic demands of users in accessing IT assets, and don't confer with the right stakeholders prior to deployment, IAM initiatives are put at risk. The following are the most expensive IAM mistakes many enterprises make today.
1. Underestimating Mobility's Impact On IAM
As enterprise strategies change, so, too, must the way they manage user access to systems and data. One big mistake organizations are making right now is underestimating the impact of mobile devices on the enterprise, says Darren Platt, CTO of Symplified.
"Mobile device adoption by users will result in access to internal corporate resources from managed and unmanaged hardware devices," he says.
According to Lee Cocking, vice president of corporate strategy for Fixmo, today's IAM solutions typically hinge on the identity of the user without accounting for the identity of the device he is using. It's one of the factors of mobility that needs to be folded into IAM strategy.
"Right now mobility is essentially a bolt-on and does not play too well with other incumbent enterprise solutions like IAM. This has to change," Cocking says.
2. Making Provisioning A Revolving Door That Spins Halfway
Many enterprises spend a lot of time and hard work in making employee on-boarding as easy as possible through expedient provisioning. But they usually fall short when those same employees give their notice, says Jonathan Sander, director of IAM business development at Quest Software, now a part of Dell.
"When people take on provisioning, they often end up with a revolving door that only spins halfway around," Sander says. "But the real trick to doing provisioning right is doing deprovisioning right."
When enterprises fail to properly address account deprovisioning, they leave many potentially serious security holes open over time.
"I can't tell you how many times I've found people sharing accounts of people who have not worked at the organization for years because that account had 'all the right access' and they all knew the password," he says. "You need to make sure your provisioning is a revolving door that spins in a full circle."
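The full-circle check described above can be run as a periodic reconciliation of the HR roster against the directory and the login records. The following is an added example, not code from the article or from anyone quoted in it; the data layout, field names and sample records are constructed assumptions.

```python
from datetime import date

# Constructed sample data (assumed layout, not from the article).
HR = {  # employee_id -> termination date (None = still employed)
    "e100": None,
    "e101": date(2012, 3, 30),
    "e102": date(2012, 6, 15),
}
ACCOUNTS = [  # directory export: account name, owning employee, enabled flag
    {"name": "asmith", "owner": "e100", "enabled": True},
    {"name": "bjones", "owner": "e101", "enabled": True},
    {"name": "clee", "owner": "e102", "enabled": False},
    {"name": "svc_report", "owner": None, "enabled": True},
]
LOGINS = [  # (account, login date, source host)
    ("asmith", date(2013, 1, 7), "ws-014"),
    ("bjones", date(2013, 1, 7), "ws-022"),
    ("bjones", date(2013, 1, 8), "ws-031"),
    ("clee", date(2012, 6, 1), "ws-009"),
]

def audit_deprovisioning(hr, accounts, logins):
    """Return (account, issue, hosts) for accounts that outlived their owner."""
    findings = []
    for acct in accounts:
        owner = acct["owner"]
        if owner is None or owner not in hr:
            # Nobody in HR answers for this account, so nothing will ever revoke it.
            if acct["enabled"]:
                findings.append((acct["name"], "enabled account with no HR owner", []))
            continue
        left = hr[owner]
        if left is None:
            continue  # owner is still employed
        # A login after the termination date means someone else knows the password.
        late = sorted({h for a, d, h in logins if a == acct["name"] and d > left})
        if late:
            findings.append((acct["name"], "used after owner left", late))
        elif acct["enabled"]:
            findings.append((acct["name"], "still enabled after owner left", []))
    return findings

if __name__ == "__main__":
    for name, issue, hosts in audit_deprovisioning(HR, ACCOUNTS, LOGINS):
        print(f"{name}: {issue} {hosts}")
```

Several source hosts on a "used after owner left" finding is the shared-account pattern Sander describes.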
3. Automating Bad Processes
Many security vendors will tell you that automation is the magic salve that will cure just about any compliance- or security-related sickness, including those around identity and authentication. But the truth is that if the organization hasn't intelligently addressed the business processes they're planning on automating, a set-and-forget automation technology may make the problem worse.
"In large companies, identity-related processes can be so complex and touch so many people that people don't know how to fix an inefficient or broken process or where to start," says Frank Villavicencio, executive vice president at Identropy. "Unfortunately, what usually ends up happening is that instead of determining a better way to do it, they automate a process that no longer serves the needs of the business."
On top of that, the automation technique needs to be thought through, as well. According to Stuart McClure, CEO of security startup Cylance, during his time running the IAM team at Kaiser Permanente, that team built out a lot of Web applications to scale the IAM on-boarding process. That was good for automation, but bad for security, because it opened up holes.
"With an ID, of course you could get email and internal resources," he says. "But it was quite easy to perform a Web attack against the applications that automated the user."
4. Thinking IAM Serves End Users Only
When enterprises buy into IAM products and processes, they'll curse themselves later if they don't look beyond the end users as potential account-holders seeking legitimate access to data.
"One mistake enterprises make is buying IAM only to address the needs of employees," says David Baker, CSO of Okta, "and not thinking about how to make access and usage of customer and partner facing applications better to improve satisfaction and increase revenue."
Successful enterprises tend to take a comprehensive approach to IAM that not only covers all applications and devices, but also all users, whether they're employees, partners, or customers, he says.
"And that can change easily over time as their infrastructure, apps, and people change," he says. "IAM solutions should scale to address not only the needs of internal employees, but of customers and partners as well."
5. Rushing Into Unsupportable Infrastructure
We've all heard the horror stories around costly IAM projects that burn through a lot of cash and eventually fizzle into failure. Organizations must vet IAM platforms for ease of implementation and ease of use to ensure that once the technology has been purchased, it actually gets used.
"Many companies purchase IAM solutions -- only to hold off on implementation because they find they are too complex to integrate with existing applications, too," says Okta, explaining that security should be but one part of the product evaluation process. "We've found it to be absolutely critical that IAM solutions are easy to use and implement so that you will actually get value out of them."
Additionally, organizations have to really understand what it will take to maintain that IAM infrastructure throughout its life span, particularly in the form of customizations. Villavicencio suggests organizations follow an 80/20 rule.
"Assuming that your IAM solution leverages vendor-supplied technology, 80 percent of the functionality in the infrastructure should be standard functionality of the product, and 20 percent should be customized functionality," he says. "Beyond this balance, the infrastructure quickly becomes unsupportable -- just wait for the first upgrade cycle."
6. Ignoring Politics
While the technology may play a big role in the success or failure of an IAM process, politics may play an even more fundamental part.
"The technical part is the easy part," says Dave Mahdi, senior manager of product marketing for Entrust. "It's getting all of the business stakeholders to agree and to have an executable, realistic action plan. IAM is just as much, if not more, about the people and processes than the technology."
Villavicencio agrees, stating that, as an example, the provisioning and deprovisioning of accounts is so fundamentally wrapped around the overall process of on-boarding or terminating employees that failing to liaise with human resources would be a fatal step.
"[This] project must have the appropriate support from human resources, with active support from stakeholders -- particularly during the requirement analysis and design phases," he says, explaining that failing to involve these stakeholders is one of the most common reasons why IAM initiatives fail.
7. Not Knowing The Difference Between Authentication And Authorization
Plenty of ink has been spilled on authentication -- technological mechanisms such as two-factor authentication, tokens, biometrics, and so on. But what often gets forgotten and taken for granted in the whole IAM picture is the equally important process of authorization, says David Gibson, vice president of strategy for Varonis.
"When it comes to authorization, organizations assume, incorrectly, that their security groups are aligned with their data -- reviewing security groups' memberships, by itself, is enough to manage authorization -- and that they are keeping track of which data sets belong to a business unit or business owner," he says.
Effective authorization is equally important in the IAM ecosystem to keep the rule of least privilege from turning into no rules and all privileges.