Over the last 15 or so years working in the identity space, one thing I’ve noticed is that it is an industry full of specialists in particular parts of the field. This applies to both individuals and vendors – in fact, we are used to thinking of vendors as being almost synonymous with a particular technology area. For example, if we think of Identity & Access Management, we are likely to think of Ping Identity or Okta. If we think of Privileged Access Management, we are likely to think of Thycotic or CyberArk.
This is great in many ways, as specialist vendors go really deep in their particular field, giving us the ability to address the most complex scenarios. The downside is that it can lead to organizations focusing all of their efforts in one particular area. That’s not necessarily a problem if an organization is focusing on addressing one particular issue or use case, but does become problematic when we consider the role of identity management within an overall security framework.
Identity management technology is unusual in that it is both a productivity and security tool. Typically, there is a tension between convenience and security – but if we think about federated single sign-on (SSO) for example, it helps users to be more productive by removing the need to log in multiple times, and improves security by transmitting tokens instead of passwords. This means that often when we deploy identity management solutions, we congratulate ourselves on both helping our users to work better and making them more secure. And with 81% of breaches starting with compromised credentials, identity security is paramount. So high fives all round!
But. (there’s always a but). This is where the ‘specialism’ in the industry becomes a problem. Because if we only focus on one area of identity management, then we need to question whether we are really ‘doing’ identity security.
Let me explain what I mean…
If you deploy federated SSO to all of your applications, but you do not have governance over who has an account and group memberships in your authentication directory – are you really making things more or less secure? If you have accounts in your Active Directory which shouldn’t still be active, you’ve just given them access to everything via SSO!
If you deploy an Identity Governance & Administration (IGA) solution to control who has access to which systems according to their role in the organization, good for you! But if you haven’t also deployed federated SSO then you are most likely provisioning usernames and passwords into each application – increasing your attack surface for hackers and potentially encouraging poor password hygiene as your users write down multiple passwords to remember them.
If you deploy both of the above, but you don’t have a Privileged Access Management (PAM) solution to protect your admin and other privileged accounts, then all bets are off. Just one of your privileged accounts becoming compromised can undo all of the good work you’ve done implementing IGA and SSO – and worse.
And if you deploy a PAM solution, but you’re not protecting it with SSO and multi factor authentication, and you’re not controlling access to it with IGA, then you’re potentially leaving the door to the castle wide open.
So, to do identity security properly, it is essential to look at identity management beyond any particular specialism and understand how the various elements build upon each other and work together to provide a truly secure environment for your users. SSO, IGA and PAM working together is the ‘identity security triangle’ of identity management, and all organization need to be planning to implement and integrate all three technologies as part of their security roadmap.
At ProofID we work with our best-of-breed specialist partners, Ping Identity, Thycotic and Fastpath (formerly ideiio) to provide a fully managed, hosted and fully integrated identity security solution encompassing all elements of the identity security triangle. We like this approach as our customers benefit from the specialism of each vendor and their ability to ‘go deep’ in their technical area, while being sure that all elements of the identity security landscape are being taken care of.
We’ll be at Identiverse in Washington this week. If you’re there please come and talk to us about this on our stand, where you’ll be able to assess your own identity security environment with our self assessment tool. I hope to see you there.