Identity is the fact of being, the distinguishing character or qualities of a person — what differentiates us from others. Interestingly enough, the dictionary now includes the aspects of a person ... or a thing. We are living through rapidly changing times, and it's imperative that we understand the instrumental questions that matter to our societies at large, especially in this digital era. Now more than ever, it is critical to have the answers to the universal questions: What?, When?, Where?, How?, and Why? However, the critical question really is Who? The moment has arrived to unequivocally have the right answers to the right questions at the right time. And that deserves a different angle, an identity-powered approach that fundamentally has the assurance that the right people (and things) have the right access to information.
The discipline of identity and access management (IAM) has been building concepts and architectures for decades. The dimensions of "the 3 A's" (Authentication, Authorization, and Administration) have nurtured different ideas and viewpoints that have helped organizations around the world. However, in a world that expands and amplifies its reach thanks to technology, in times when cloud systems are pervasive and companies have myriad platforms, systems, and environments, it is critical to embrace the world of "the 6 A's" (Authentication, Authorization, Administration, Assurance, Auditing, and Authenticity).
On top of that, we not only have people requesting access to information — which is made out of data — but we also have "things," such as applications, scripts, algorithms, etc. And they also "declare" an identity that has to be governed. It will come as no surprise, then, that the industry has created concepts such as user and entity behavior analytics (UEBA) or veteran ideas like the Internet of Things (IoT). It's clear that we need to ensure that these "entities" have proper access, during the required time (no more, no less), with the right entitlements, and that we have the capability to monitor their actions. It seems obvious that being able to collect all that information and (super)correlate it is a skill set very much appreciated. This is where IAM meets the worlds of security information and event management (SIEM) and cross-functional detection and response (XDR). If we don't execute that the right way, IoT could easily become the Internet of Threats or the Internet of Trouble.
Given the need to ensure access, govern rights, and observe the law (of course), everybody would agree that these are times for bringing another variable into the risk equation: context. The way one connects to back-end systems, the time of day, the device being used, the location, and other attributes provide a wealth of information to define and decide whether access should be granted. In this context-aware authentication event, the HTTP headers, the cookies within the browser, or the device fingerprint are as important as other credentials (I'd say even more so, since they can tell more than a regular username and password). When combined with other IAM controls, such as robust authentication, this context can trigger different actions depending on the associated risk (which is calculated on the fly). Actually, I love how technology has led us to a passwordless scenario, adding different layers of authentication.
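One way to express the on-the-fly risk calculation and the actions it triggers, as an added example that is not part of the original article: each request carries context signals alongside the credential, deviations from the identity's baseline are scored, and the score selects allow, step-up, or deny. The signal names, weights, thresholds, and baseline values are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Constructed example of context-aware, risk-based authentication.
# Weights, thresholds and the baseline below are illustrative assumptions,
# not values from any real product.

@dataclass
class IdentityBaseline:
    known_devices: set = field(default_factory=set)     # device fingerprints seen before
    usual_countries: set = field(default_factory=set)   # geolocations seen before
    work_hours: tuple = (7, 20)                         # local hours when logins are expected

@dataclass
class AccessContext:
    device_fingerprint: str
    country: str
    hour: int                          # local hour of the request, 0-23
    anonymizer: bool = False           # request arrives via Tor/VPN/proxy
    mfa_completed: bool = False        # a step-up factor was already satisfied

# Each deviating signal adds its weight; an anonymizer alone is heavily penalised.
WEIGHTS = {"unknown_device": 30, "unusual_country": 25, "off_hours": 15, "anonymizer": 40}

def risk_score(ctx: AccessContext, base: IdentityBaseline) -> int:
    """Sum the weight of every context signal that deviates from the baseline."""
    score = 0
    if ctx.device_fingerprint not in base.known_devices:
        score += WEIGHTS["unknown_device"]
    if ctx.country not in base.usual_countries:
        score += WEIGHTS["unusual_country"]
    start, end = base.work_hours
    if not (start <= ctx.hour < end):
        score += WEIGHTS["off_hours"]
    if ctx.anonymizer:
        score += WEIGHTS["anonymizer"]
    return score

def decide(ctx: AccessContext, base: IdentityBaseline,
           step_up_at: int = 30, deny_at: int = 70) -> str:
    """Map the score to an action; a completed MFA satisfies a step-up, never a deny."""
    score = risk_score(ctx, base)
    if score >= deny_at:
        return "deny"
    if score >= step_up_at:
        return "allow" if ctx.mfa_completed else "step_up_mfa"
    return "allow"

if __name__ == "__main__":
    base = IdentityBaseline(known_devices={"fp-laptop-1"}, usual_countries={"ES"})
    print(decide(AccessContext("fp-laptop-1", "ES", 10), base))          # allow
    print(decide(AccessContext("fp-unknown", "ES", 10), base))           # step_up_mfa
    print(decide(AccessContext("fp-unknown", "US", 3), base))            # deny
```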
Identity and access management has grown up, and while the things we still need to do have not changed for decades (making sure that the right people have the right access to the right information at the right time), the industry has uplifted the discipline to another acronym: IGA (identity governance and administration). It sends the message of the need for governance in an era where identity powers everything; it's the start of every process, be it for a human, a thing, or for people and applications. It tells a story of a journey that starts with identity and necessarily touches data security, application security, and security operations. It develops an approach where context must be factored in. It represents the unique opportunity of adapting to and adopting change, embracing new processes and procedures that are business-focused, process-driven, and results-oriented. These are the times for a mindset that intelligently combines different cyber-resiliency disciplines — the world of the 6 A's for an identity-powered epoch.
About the Author
With a background education in business administration (MBA) and law, Ramsés Gallego has been a security professional for more than 22 years, with deep expertise in the risk management and governance areas. Ramsés is the International Chief Technology Officer, Cybersecurity, at Micro Focus, where he defines the vision and mission, purpose and promise of the company in that arena. His certifications include: CISM, CGEIT, CISSP, SCPM, CCSK, ITIL, COBIT, and Six Sigma Black Belt.