Digital leaders who want to create an effective approach to identity management must ensure their IT specialists work with key business stakeholders to build an enterprise-wide strategy.
That was the conclusion from a customer panel on identity security at the recent SailPoint Navigate event in London, where three senior digital leaders discussed the risks and opportunities associated to data management. It was suggested by all three panelists that the potential rewards from effective identity control are great, but nothing should be taken for granted.
Managing identities effectively
Karen Thorogood is Cybersecurity Manager at Bank of England. Identity management is incredibly important to her organization, but the critical role of identity means the “journey” towards effective access management is never really over, she said:
Our cyberstrategy focuses on sustainability and resiliency. We recognize that, as fast as we implement the controls and capabilities, attackers will find new ways to circumvent them.
The bank has raised its identity maturity significantly during the past decade through dedicated investment and effort. The organization has a three-year rolling cyber-defence program, which aligns with business strategy and evolves constantly to stand up to new challenges, such as the rollout of new technologies:
As we see more services migrate to the cloud, we have to make sure identities are properly managed and governed. As much as 50% of our stuff is probably outside the perimeter these days – we've got to keep pace.
The bank is about to start its journey with SailPoint Identity Security Cloud. As part of this shift, the organization is looking to build a tighter, richer integration with its Human Resources (HR) system. Managing identities, such as contractors, is a huge challenge, especially as the bank gets involved with bigger delivery partners. The aim is to simplify the management of these identities, explained Thorogood:
Successful identity lifecycle management prioritises human engagement and security culture at the organizational level. There needs to be a golden source of HR records. And identity management is a business process, so security and governance teams dealing with access need to work closely together. At the bank, we're quite fortunate. We have really good security culture campaigns to educate staff in the importance of access management.
Getting the business onside
Mark Ward, Risk Analyst at financial services firm Legal & General, recalled that his firm’s approach to identity management was quite immature when the company began its journey seven years ago. Access was federated and the company had changed Managed Service Providers while also trying to move to the cloud. To satisfy risk and audit partners, Ward’s team focused on re-certification and then recognized it needed to provide secure access in a way that suited the business:
Knowing what our businesses wanted, and when they wanted it, was really difficult to understand. So, we started to actually partner with our business – and rather than just being a technology team, we started to be a business enabler.
The strategy moved towards role-based access. During this process, the rest of the business could see Ward’s team were experts in identity and it was recognized that these experts should provide a centralized access management service to the enterprise. Ward explained:
We’ve taken 25 identity access people and reduced that team down to seven. So, now we are providing an essential service for a lot less money. People can start in our business from day one and they get access straight away, not weeks later. We've evolved our processes and we're providing a central service. We're not just secure, the user experience is much better – and our cost to serve is drastically reduced.
In addition, the business is now more agile because security is thought about at the start of any technology project. To achieve long-term success in identity management, Ward advised that access can’t be separated into specific organizational domains:
It can’t be an IT issue on one hand and a business issue on the other. There has to be a joined-up approach to identity – and getting the board onside is crucial.
Avoiding the pitfalls
Simon Gooch, Global Identity and Access Management CIO at Accenture, argued that there is a range of pitfalls that digital leaders need to avoid if they want to create an effective approach to security and identity. First, they need to think carefully about vocabulary:
I hear the phrase ‘identity program’ and it feels like it has a start and an end – and there isn’t an end. One of the first things we need to think about is how do we change our thinking and our use of the word program? Instead of programs, I talk about ‘services’ – I talk about the fabric and the services that live within that fabric.
He added that there are several other foundational elements that he’s focused on when it comes to avoiding identity management pitfalls. In particular, identity, security and technology strategy are seen as one and the same thing at Accenture:
We don’t think of them separately and, in fact, we spend a lot of time making sure that we understand key questions, such as, ‘What are we trying to enable? And then how do we do that with security and identity at the core?’ Those conversations are at the heart of our strategic approach.
Measurement is another important factor, says Gooch. He’s disappointed at the way that many people still think about identity, governance and administration. For example, too many people talk about onboarding applications rather than reducing time to access systems and data. His advice is to take a different approach to measurement:
You have to think about your value measures. How do you tell the business and your stakeholders about the impact you’ve made. You have to give measurement some sort of relevance that is not an infrastructure play. Infrastructure metrics is not the future. It's not the thing that will get you consistent investment.
Finally, don’t see change as a pitfall. Some people might think of the concept of change as “fluffy”, but Gooch argued it’s fundamental to identity management success:
Many organizations do not invest enough time and energy in thinking about the impact and the implementation of their security services in a way that gets everyone to understand why change matters.