CISO EXECUTIVE FORUM SUMMARY: IAM BEST PRACTICES
Every month, Fortify Experts holds CISO Executive Forums discussing the latest trends and topics. Recently, we discussed how these successful security leaders have been able to create higher-performing security teams. Here is a summary of their top tips or suggestions on establishing best practices around Identity Access Management (IAM).
HERE ARE THE BIGGEST IAM CHALLENGES FACING LEADERS:
- The biggest challenge right now is during a merger how to bring those two worlds together from an IAM perspective (process, policy, procedure, etc.) because they are so different (one immature and one mature).
- Biggest challenge is getting our business processes organized and making sure they find a technology solution that can implement IAM
- Culturally getting folks to buy into IAM which will help them be more efficient with onboarding/offboarding and provisioning.
- Biggest challenge is that there are many processes that people have had to create for not having a centralized Identity management system.
- Biggest Issue is getting the right integrations done, all within a timely manner.
- Not having an automated system in place
- Having a lot of manual processes and scripting processes that need to be integrated into Workday.
- The biggest challenge is that there is no IAM strategy in the company and not knowing what the company wants and where they want to go.
- Struggling to define what IAM means, the strategy to define it, plus selling the idea of IAM internally.
- Not having a universal plan to maturing IAM processes and integration.
WHERE CAN WE MAKE THE BIGGEST IAM IMPACT THE FASTEST?
- Getting to a point that LDAP is your friend. Moving to single sign-on (SSO) will make the biggest impact because then you can control who gets access to what, from where, for how long, to what access level, and even when they get access.
- Need to have tools in your toolbox to move from on-Prem to the cloud to keep SSO intact.
- One leader concluded that he will never get to single sign-on so he devised a group that would be an on-prem managed group and kept them in they’re own connection. He put out models for people to go to if you wanted to use a cloud service so they would have a specific model to refer to. If they want to connect to a certain model, they did not have access to, then they would need to sign a waiver with the cyberteam. This helped mature the business units and started seeing the value in productivity which helped get the single sign-on to work in other areas
- One leader can identity who the people are, but is struggling getting people in the door provisioning, deprovisioning and keeping up with the access. Wants to find the right solution to identity and access management, because he has so many people in different departments having access to the company’s information.
- One leader said they need to build the IAM foundation so users can see the benefit of the single sign-on and multifactor.
EXPERIENCE WITH ONBOARDING/OFFBOARDING PROCESS:
- Need to establish an authoritative record source, (i.e. Workday?) and if so, HR must be timely in termination and creating accounts.
- Using HR as the starting point of the onboarding process and then using automation from there has helped.
- When HR is not the source, issues tend to arise.
- Cross boarding has also been an issue when they are making a transition in the company. One leaders explained how they addressed it: If there is a change/move in position within the company, allow them to make that change from role A to role B, and then manually go back in add the access to their old positions and have an expiration date for the permissions to have access to their old work. This wasn’t the greatest because it was manual, but it did work for them.
- There should be a technology to enable the process of the cross boarding easier
- Establishing a user data store could be useful in mitigating these issues
IS THE GOAL OF IAM TO GET TO ZERO-TRUST AND IS THAT A COMMON GOAL?
- One leader was curious how zero-trust plays into reducing the risk and improving the overall security posture. Plus, will zero-trust eliminate a perimeter so does that mean that we are losing all the things we are putting so much time and effort into because zero-trust architecture is coming down the pipe. No, we need to do IAM correctly.
- This is still a role-based access and starts at the point of hire, and then it changes dynamically as they change their role, and that will set up zero-trust very well.
- Without IAM you’re not going to get into Zero-trust.
- One CISO, only made process when he trained the IT community and IT engineers on their security controls/IT controls in their circle of influence. Also having a CFO that understands that they need to do something and holds the focus of the strategy that they have put together.
- Role definition, securing documents, and provisioning of these roles is essential to the enterprise IAM model.
Tools and how they how helped but has also exposed lack of skill in other areas:
- SailPoint has been the main tool of most of the leaders but other options that other have tried is Microsoft Identity Manager and OKTA, but you need to find the right partner to helping with IAM especially with Microsoft’s limited staff.
- Finding good partner is difficult and takes time to find. There are not many competitors to SailPoint
- SailPoint & Octa have overlapping features and it can be challenging to figure out what software does what properly, such as Octa for Authenticating, and maybe only SailPoint for account provisioning, but it is still a work in process.
- Orchestration is the end goal. Strata Identity does orchestration across points on cloud and on- prem with OCTA and other vendors. That is where things are headed.
- However, if your processes are not well-defined and you are not doing your basic block and tackling (role definition, provisioning, etc.) on the forefront, these tools will just expose how bad things are currently in a company.
- IAM needs to be a full-time project for a team to work on, not a part-time team.
- Your organization needs to be able to point to your IAM owner, otherwise, it becomes an issue.
- Awareness and education outside of IT, including HR & Executives, is key to a successful IAM implementation.
Thanks to the input of the security leaders who joined our CISO Forum which provided such insightful advice to on how to better prepare against the threat of ransomware.
If you are a security leader and would like to participate in our monthly CISO Forums where we discuss valuable and actionable information as well as best practices and challenges, please register here.
About Tim Howard
Tim Howard is the founder of 4 technology firms including Fortify Experts which helps companies hire the Best Cyber Talent on the Planet as well as provides expert consulting and NIST based security assessments.
In addition, he has a passion for helping CISO’s develop Higher Performing Teams through coaching, by creating interactive CISO Forums and by helping them create highly-effective team cultures.
With each new hire, his firm produces an Employee Operating Manual to help clients understand how to motivate and maximize productivity while meeting the needs of each employee.
He also teamed up with Lyndrel Downs to launch Cybersecurity DIVAS to help promote the most influential women in cybersecurity and provide a mentoring program to help encourage and support more diversity within the industry.
Tim is married with 3 kids. He is an avid runner and has completed two IRONMAN Texas events. He is also a graduate of Texas A&M University.
Invite Tim to connect: www.linkedin.com/in/timhoward