Identity - the value it creates
From the Internet (attribution unknown). I think it's perfect.


This post is more about workplace IDAM; CIAM is another topic. It is also an opinion piece based on my own thoughts and not necessarily representative of the company I work for.

I remember one organisation I joined years ago. They had made a supremely awesome effort to have my laptop, mobile phone, notepad and pencil, and a keep cup on my desk. It was a really nice touch!

But the varnish wears thin when, 6 weeks later, you're still trying to get access to the systems you need to do the fundamentals of your job. And sometimes the proposed fix was a bit concerning: "just give him the same access as Bob!" Except Bob had been with the organisation for 23 years and had accumulated access to more systems than a 7 year old's Pokemon card collection. Cloning Bob hands a new starter 23 years of access creep on Day 1, which is the opposite of least privilege.

And it made me reflect on my journey into consultancy, working for an end-to-end information security software provider that made identity & access management solutions. Back then, Y2K had just happened, Michael Jackson was "on the nose" but we all still listened to his songs (PWE: Pre-Woke Era), and ... Identity Management tools were expensive and time consuming to deploy.

It seems that IT leaders have long memories of that time. (Y2K was forgotten, there's new music to listen to, but the pain and cost of IDAM projects lingers.)

Which is a real shame, because a well executed Identity play in any modern large organisation yields HUGE amounts of value. There are several parts to achieving a productivity and security play, and in my view these are the fundamentals that allow you to leverage and unlock other high value cybersecurity paradigms, like Zero Trust. (I still don't like using the name Zero Trust, but I'll save that for an offline rant.)

Simples. HR, IDAM, Bus Apps and Directory Services working together. Like a huge productivity and security family.

The diagram above is what I'd call a pretty stock-standard high level relationship between 4 key components:

HR Master - The source of truth, where all user journeys start. One of the most critical applications in the organisation for managing the workforce from start to end. Because everything downstream trusts it, the HR Master also needs tight access control and a change audit of its own: once automation is live, an erroneous or fraudulent HR record becomes a real account with real access as soon as the next sync runs.

Identity Engine - Not to be confused with any vendor lingo of the same name; for me the identity solution IS the glue that binds. It is the engine room that takes information about new, changing and exiting employees (often referred to in user lifecycle management terms as J-M-L, or Joiner-Mover-Leaver). Whatever this system is, it binds the upstream (HR Master) and downstream (Directory Services and Business Apps) together to give access to the systems a person needs to perform their role, as close to Day 1 as possible. The same mechanism is what removes the old role's access on a Mover event and all access on a Leaver event, which is where most of the security value sits.

Right person, right access, right time. (Maybe a more marketable term than the military "need-to-know basis".)

Directory Services - Of course, these days this means Active Directory and Azure Active Directory (now Microsoft Entra ID) for most organisations that are Microsoft shops, but it can mean other things. It wasn't that long ago that Novell eDirectory was a thing and there were other viable directories on the market. They just lost the battle for supremacy, and everyone's forgotten that there used to be choice in this space.

Directory Services hold the users, user groups and security groups that grant access to many applications and features, especially those native to operating systems, and to applications that take their permissions from the directory. This definition is very high level, but it's also a very important part of ensuring things work.

Business Applications - increasingly, these can be on-prem, in the cloud, SaaS based or a mix. Business applications usually have their own security and permission settings, and roles that map to how people use those applications. Those application-local roles are where access quietly accumulates if the identity engine only creates accounts and never revokes them.

So maybe you can see the end-to-end value of a streamlined, quality identity chain across all 4 systems.

EG. Rita joins company X as a Data Analyst. She completes her onboarding compliance work and Day 1 comes around. The HR Master triggers the activation of Rita's employment going live, and sends a request to the Identity Engine. The Identity Engine sees that Rita's role is "Data Analyst" and knows that not only does a directory account need to be created, but she also needs Y business applications enabled. Rita logs into her computer with her username and password, enrols in a multi factor authentication (MFA) application, and sees a dashboard of her applications. Rita feels like she's all ready to rock, and is pumped to get started!

Although simplistic (there are of course complexities not covered above), this should be the nirvana that organisations set for themselves to demystify and unlock the value of Identity.
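To make the Rita flow concrete, here is an added example of the engine-room logic (example code written for this post, not code from the original article or any vendor's product): a role-to-entitlement map, a handler that turns Joiner, Mover and Leaver events from the HR feed into the grants and revokes the directory and application connectors would execute, and a Mover path that removes the old role's access rather than stacking it. The roles, entitlement names and the HR feed are all constructed and hypothetical.

```python
"""Joiner-Mover-Leaver (JML) engine, as a constructed example.

An HR event feed (the "HR Master") drives a role-to-entitlement mapping;
the engine works out the grants and revokes that its directory and
business-application connectors would execute. Roles, entitlement names
and the HR feed below are hypothetical.
"""
from dataclasses import dataclass, field

# Entitlements every active employee gets (assumed baseline).
BASELINE = {"app:mfa:enrol", "app:wiki:editor"}

# Birthright entitlements per job role. "ad:" = directory group,
# "app:" = role inside a business application. Hypothetical names.
ROLE_ENTITLEMENTS = {
    "Data Analyst": {"ad:grp-bi-readers", "app:bi-tool:viewer"},
    "Finance Officer": {"ad:grp-finance", "app:erp:ap-clerk"},
}


@dataclass
class Identity:
    employee_id: str
    name: str
    role: str
    active: bool = True
    entitlements: set = field(default_factory=set)


def desired_entitlements(role):
    """Desired state for a role. An unknown role gets the baseline only,
    so a typo or a brand-new title in HR never grants access by accident."""
    return BASELINE | ROLE_ENTITLEMENTS.get(role, set())


class IdentityEngine:
    def __init__(self):
        self.identities = {}   # employee_id -> Identity
        self.actions = []      # provisioning actions, in execution order

    def _reconcile(self, ident, desired):
        """Emit only the delta between current and desired entitlements."""
        for ent in sorted(desired - ident.entitlements):
            self.actions.append(("grant", ident.employee_id, ent))
        for ent in sorted(ident.entitlements - desired):
            self.actions.append(("revoke", ident.employee_id, ent))
        ident.entitlements = set(desired)

    def handle(self, event):
        eid, kind = event["employee_id"], event["type"]
        if kind == "joiner":
            if eid in self.identities:          # HR feeds replay rows; stay idempotent
                return self.identities[eid]
            ident = Identity(eid, event["name"], event["role"])
            self.identities[eid] = ident
            self.actions.append(("create-account", eid, "ad:user"))
            self._reconcile(ident, desired_entitlements(ident.role))
        elif kind == "mover":
            ident = self.identities[eid]
            ident.role = event["role"]          # old role's access is revoked, not accumulated
            self._reconcile(ident, desired_entitlements(ident.role))
        elif kind == "leaver":
            ident = self.identities[eid]
            ident.active = False
            self._reconcile(ident, set())       # revoke everything, then disable the login
            self.actions.append(("disable-account", eid, "ad:user"))
        else:
            raise ValueError(f"unknown HR event type: {kind!r}")
        return ident


# Constructed HR feed: Rita joins, the row is replayed, she moves role, then leaves.
SAMPLE_EVENTS = [
    {"type": "joiner", "employee_id": "E1001", "name": "Rita", "role": "Data Analyst"},
    {"type": "joiner", "employee_id": "E1001", "name": "Rita", "role": "Data Analyst"},
    {"type": "mover", "employee_id": "E1001", "role": "Finance Officer"},
    {"type": "leaver", "employee_id": "E1001"},
]


def run(events):
    """Feed every HR event through one engine and return it for inspection."""
    engine = IdentityEngine()
    for ev in events:
        engine.handle(ev)
    return engine


if __name__ == "__main__":
    for action in run(SAMPLE_EVENTS).actions:
        print(*action)
```

In a real platform the action tuples are executed by connectors (LDAP for the directory, SCIM or vendor APIs for the applications); what this shows is the part that matters for security, namely that access is always computed from the role and diffed against current state, never copied from a colleague, and that the Leaver path is symmetric with the Joiner path.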

Good identity:

  • Makes people like Rita productive as close to Day 1 as possible
  • Avoids the wasted time between an employee starting to cost the organisation and actually being able to add value
  • Prevents people from having access to things they shouldn't, minimising the aggregate risk of over-permissive access, which exacerbates cyber incidents caused by social engineering or credential theft (a stolen account can only do what it has been granted)
  • Gives you an up-to-date record of what people have access to for their roles, and even lets you model licensing requirements from real-life use in authentication logs (cost efficiency)
  • Forms a reliable basis for other zero trust initiatives
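As an added example for the third and fourth points above (example code written for this post, not part of the original article), these are the two reports an identity platform makes cheap once the directory, the applications and the SSO logs all feed it: an access review that lists what each person holds beyond their role's baseline (the "Bob" problem), and a licence reclaim list built from last sign-in dates. The role map, the entitlement snapshot and the sign-in records are all constructed; the user and application names are hypothetical.

```python
"""Access review against role baselines, as a constructed example.

  excess_access  - entitlements a person holds beyond what their role
                   should grant (accumulated access, the "Bob" problem)
  idle_licences  - application roles nobody has signed in to for a while,
                   derived from SSO authentication records

The role map, the directory/application snapshot and the sign-in dates
are all constructed; names are hypothetical.
"""
from datetime import date, timedelta

BASELINE = {"app:mfa:enrol", "app:wiki:editor"}
ROLE_ENTITLEMENTS = {
    "Data Analyst": {"ad:grp-bi-readers", "app:bi-tool:viewer"},
    "Finance Officer": {"ad:grp-finance", "app:erp:ap-clerk"},
}

# Constructed snapshot of what the directory and application connectors report.
SNAPSHOT = {
    "bob": {"role": "Data Analyst",
            "entitlements": {"app:mfa:enrol", "app:wiki:editor", "ad:grp-bi-readers",
                             "app:bi-tool:viewer", "ad:grp-finance", "app:erp:ap-clerk",
                             "ad:grp-domain-admins"}},
    "rita": {"role": "Data Analyst",
             "entitlements": {"app:mfa:enrol", "app:wiki:editor",
                              "ad:grp-bi-readers", "app:bi-tool:viewer"}},
    "sam": {"role": "Finance Officer",
            "entitlements": {"app:mfa:enrol", "app:wiki:editor",
                             "ad:grp-finance", "app:erp:ap-clerk"}},
}

# Constructed last successful SSO sign-in per (user, application role). Absent = never.
LAST_AUTH = {
    ("bob", "app:bi-tool:viewer"): date(2024, 5, 30),
    ("bob", "app:erp:ap-clerk"): date(2023, 11, 2),
    ("rita", "app:bi-tool:viewer"): date(2024, 6, 3),
}

TODAY = date(2024, 6, 4)   # fixed so the example is reproducible


def desired_entitlements(role):
    """Baseline plus the role's birthright access; unknown roles get baseline only."""
    return BASELINE | ROLE_ENTITLEMENTS.get(role, set())


def excess_access(record):
    """Entitlements held beyond the role's desired state, sorted for stable reports."""
    return sorted(record["entitlements"] - desired_entitlements(record["role"]))


def access_review(snapshot):
    """user -> excess entitlements; users with nothing to certify are omitted."""
    review = {}
    for user, rec in snapshot.items():
        excess = excess_access(rec)
        if excess:
            review[user] = excess
    return review


def idle_licences(snapshot, last_auth, today, idle_days=90):
    """(user, app role, last sign-in) for app:* entitlements with no sign-in in
    idle_days. Baseline entitlements are excluded: everyone has them, so they
    are not reclaim candidates. A missing sign-in record counts as idle."""
    cutoff = today - timedelta(days=idle_days)
    idle = []
    for user, rec in snapshot.items():
        for ent in sorted(rec["entitlements"] - BASELINE):
            if not ent.startswith("app:"):
                continue
            seen = last_auth.get((user, ent))
            if seen is None or seen < cutoff:
                idle.append((user, ent, seen))
    return idle


if __name__ == "__main__":
    print("excess access:", access_review(SNAPSHOT))
    print("idle licences:", idle_licences(SNAPSHOT, LAST_AUTH, TODAY))
```

The excess report is what an access certification campaign should be built from: the reviewer is asked only about the delta from the role, not about every entitlement. The idle report is deliberately conservative (never-seen counts as idle) because the cost of a wrongly reclaimed licence is a help desk ticket, while the cost of a forgotten one is money every month and a live credential nobody is watching.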

A few weeks ago I ran a poll (n=54): 93% of respondents either had good identity in place (13%) or said that yes, identity was a top priority (80%). Back in 2022 at a CISO Tribe meeting, all the CISOs from that industry stated that Identity was Priority #1 or Priority #2 in their strategies.

So I'd like to unpack what I think are the reasons why certain organisations still have their heads in the sand about Identity, by discussing some myths:

  1. Identity is a grudge spend just like Cyber, it doesn't save us money
  2. Identity projects take forever, integrations are super expensive!
  3. Our Cyber team have not been able to adequately sell the value


Cost vs Reward?

If you find your management and leadership still feel Identity is a grudge spend, then they are likely unaware of how much time and effort is being wasted in the squillions of service desk tickets for new users, changing users, terminating users, changing access, etc. That is actually a bigger problem in itself, because it's likely that ITSM, CMDB, Asset Management and other sources of awareness of thematic time-sinks are not bubbling up. When identity and access management is not deployed, you usually find a metric ton of wasted time and effort in manual work to action things... plus the corresponding lost productivity of tens or hundreds of staff, which is never costed.

So actually the reverse is true: if you invest in Identity you'll get ROI. And security. :) BUT... if management is demanding accurate costs to justify ROI upfront, and the information isn't available in your ITSM reports, then that is an unfair request.

Takes forever?

That used to be the case. And if IT management are still playing that card, they are stuck in the 2000s. IDAM used to be expensive, as integrations were all customised and there was no library of common integrations. The world has moved on, and most of the leading platforms now have extensive integration libraries with out-of-the-box SSO and provisioning connectors (SAML or OIDC for sign-on, SCIM for provisioning and deprovisioning). What used to take 6 weeks of costly professional services PER APPLICATION (and allowed an IBM consultant to afford properties in Brunswick, a holiday home in Queensland and a Lamborghini) is much, much faster now. After the initial hurdles of tested and safe integration with the important building blocks, the "plumbing" becomes much more sustainable. Of course there is more high brow Identity Governance work that can be done, but the time and cost to get a SaaS application in and authenticating with organisational credentials for the right people no longer takes weeks or months.

Cyber can't sell IDAM?

More and more I'm finding this to be a strawman. If you work for an organisation that trades on the inability of teams to sell the business case, it's more likely that the organisation is not listening than that something is wrong with the telling. I've heard of examples in other organisations, with other CISOs, where teams are sent on a wild goose chase: proposing insourced teams, then going to RFP, then being asked to split up the RFP... is it any wonder that IDAM projects have trouble launching?

Of course, all Information Security and Cyber teams can do a better job of putting business cases together, and that is where the power of the community is strong. There are organisations out there that have successfully done this before, and you'll find lots of people willing to share what worked, what didn't, and so on.


Identity is now a foundational, fundamental thing that more of corporate Australia needs to get behind, if not for security, then for the productivity of their organisation.




Mahesh Silva

Cyber, Data & AI Security Partner at KODE-1

7 months ago

Very true. An excellent meme. This is driven by the lack of business focus, value chain driven identity and access management expertise.

Justine Coleman

Enterprise Account Director FSI, Telco, Retail - Safeguarding Enterprise: Microsoft Platform Management, Migrations, Threat Detection, Auditing Recovery | Data Modeling | Data Intelligence | #lovemelbourne

7 months ago

Whether it is politics or corporate decisions currently there seems to be a lack of long-term thinking. Quantifying risk to some Boards to receive the necessary budget can be a challenge. Being able to demonstrate the risk in dollar terms is essential.

Pete Herzog

Hacker, Discrete Problem-Solver, and Straight-shooter. Available for special investigations, takedowns, evidence collection, digital clean-up, infiltration, and reputation and asset recovery.

7 months ago

You are spot-on with improving asset access through credential management. The interesting part of what you design here is that all these things in a feedback loop with the credentialing system can give back characteristics about each identity and make the identification process much better, maybe even flawless over time. I've been working a lot on characteristics since we discovered how it applies to identification and it requires recognizing how a person exists in a particular environment. Tying this together in a feedback loop with credentialing means you can extend well beyond the network and have near perfect assurance. Ideally it will mean dropping MFA altogether and eventually even passwords. It comes down to Identification as a control-- if you could perfectly identify who someone is every time, would you need to have them use a password at all?


Wonderful insight, Nigel.

Dallas Hipwell

Service Delivery Manager, Detection & Response Services

7 months ago

Great post Nigel .. alas maturity is a perceived state, often resulting in friction when a quantitative assessment is suggested.
