Is Your IDM Technology Healthy?

Now, there’s a question asked by every infrastructure manager, never. In fact, I have already made an assumption in that first sentence. Do/should the Infrastructure Team even care that they have an Identity and Data Management (IDM) programme? Surely, something like IDM is an SEP (Someone Else’s Problem). Once all the server and network passwords are locked down (locked down, of course, can mean anything from a list of passwords on a piece of paper in a desk drawer to a full-on Privileged Access Management (PAM) solution), then all that messy user management is down to, well, service desk? Desktop team? Application owners?


But let’s backtrack a little. Given the proliferation of abbreviations, acronyms and plain old jargon in the industry, I think it is always worth making sure everyone is on the same page. So, for example, IDM – Identity and Data Management. This means taking a holistic view of Identity Governance, Access Management and Data Governance and Protection. In other words, finding the right blend of people, processes and supporting technology.


A robust, strategic and healthy Identity and Data Management programme should be at the core of all cybersecurity operations. In today’s digital transformation landscape, businesses are faced with trying to control access and data security for their own employees, contractors, suppliers, customers and devices, with no real perimeter or network to rely on. Identity remains the only constant in today’s world, connecting every activity within a business. IDM, therefore, must enable, through a blend of policies, process, people and technology, the right resources to have the right access at the right time – all while enabling business agility and protecting sensitive data. 


Where Does IDM Fit?


IDM is the cornerstone of an effective, healthy security programme. If we look at the NIST Cybersecurity Framework, the five core pillars are:


  • Identify: Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data and capabilities.
  • Protect: Develop and implement appropriate safeguards to ensure delivery of critical services.


Identify and Protect are the two foundational stages that need to be completed successfully if an organization is to have any chance of achieving the final three functions:


  • Detect
  • Respond
  • Recover


Identifying is all about understanding the business environment and drivers, the resources and assets that support critical business activities, and having a risk management strategy based on an agreed-upon set of cybersecurity risks and impacts pertinent to the business. Skipping the Identify stage is a precursor to failure. The Protect function is really about developing and implementing the appropriate safeguards for those identified services critical to the business. There is also the very persuasive argument that identity is the new perimeter.


Hidden in that last paragraph is the reason why so many tech-led, IT-based identity management solutions are doomed to fail. If you don’t have a clear understanding of the business environment in which your enterprise operates, agreement on business drivers, critical business activities (and risks to them), and, ultimately, business buy-in and collaboration from users, you will fail. Remember: People will only accept the level of security controls that they deem is right. For example, if they don’t see the point of locking documents away in a drawer, or keeping a fire exit closed, they won’t. And what’s wrong with using one password for all 23 apps they need to access? Assuming you have the consensus and support of key stakeholders, relevant and proportionate policies, an engaging user-education program and a live-risk register, then you are in a good place to deploy an identity ecosystem that might just be accepted by users, super-users, admins and developers. The most successful IDM deployments integrate IDM infrastructure and tools with enterprise cybersecurity technologies. Let’s have a look at what that ecosystem could look like. 


Identify Users, Joiners, Movers and Leavers


A healthy IDM ecosystem will have the ability to identify users correctly, their privileges and sensitive data across multiple security technologies and to ensure the correct access levels are granted in real time. Successful IDM deployments encompass data classification and governance and are able to manage joiners, movers and leavers. The IDM system will also be able to create detailed records of access history – critical not only to improve security but also to generate reports for regulatory compliance audits. And keep it simple – a patchwork of ad hoc identity and access technologies can prove unwieldy to manage and can miss the bigger picture. The use of disparate and decentralized IDM products requires that each product be separately deployed, updated and managed, resulting in additional time and expense. 
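As an added illustration of the joiner/mover/leaver handling and access-history records described above (example code written for this page, not any vendor's product), the following reconciles a constructed HR feed, treated as the authoritative identity source, against the entitlements currently provisioned in an application. The role-to-entitlement policy and the user names are hypothetical.

```python
"""Joiner/mover/leaver (JML) reconciliation with an audit trail.

Compares an HR feed (authoritative identity source) with what is actually
provisioned in a target application, and returns both the desired state
and an audit record of every decision taken. All data is constructed."""
from dataclasses import dataclass

# Role-to-entitlement policy (hypothetical, constructed for this example).
ROLE_ENTITLEMENTS = {
    "finance": {"erp_read", "erp_post"},
    "sales": {"crm_read", "crm_write"},
    "contractor": {"wiki_read"},
}

@dataclass
class AuditEvent:
    user: str
    event: str      # joiner / mover / leaver / drift
    detail: str

def reconcile(hr_feed, provisioned):
    """hr_feed: {user_id: {"status": "active"|"terminated", "role": str}}
    provisioned: {user_id: set of entitlements currently granted}
    Returns (desired_state, audit_events)."""
    desired, audit = {}, []
    for uid, record in hr_feed.items():
        current = provisioned.get(uid)
        if record["status"] != "active":
            # Leaver: every entitlement goes, however it was acquired.
            if current:
                audit.append(AuditEvent(uid, "leaver", f"revoke {sorted(current)}"))
            desired[uid] = set()
            continue
        target = ROLE_ENTITLEMENTS.get(record["role"], set())
        if current is None:
            audit.append(AuditEvent(uid, "joiner", f"grant {sorted(target)}"))
        else:
            # Mover (or entitlement creep): diff current against the role policy.
            extra, missing = current - target, target - current
            if extra or missing:
                audit.append(AuditEvent(uid, "mover",
                             f"revoke {sorted(extra)} grant {sorted(missing)}"))
        desired[uid] = set(target)
    # Orphan accounts: provisioned but unknown to HR. Disable, then review.
    for uid in provisioned.keys() - hr_feed.keys():
        audit.append(AuditEvent(uid, "drift", "no HR record; disable and review"))
        desired[uid] = set()
    return desired, audit

def demo():
    """Constructed sample: bob moved finance->sales, carol left, dave joined,
    and 'ghost' exists in the application with no HR record at all."""
    hr = {"alice": {"status": "active", "role": "finance"},
          "bob": {"status": "active", "role": "sales"},
          "carol": {"status": "terminated", "role": "finance"},
          "dave": {"status": "active", "role": "contractor"}}
    prov = {"alice": {"erp_read", "erp_post"}, "bob": {"erp_read", "erp_post"},
            "carol": {"erp_read"}, "ghost": {"crm_write"}}
    return reconcile(hr, prov)
```

The audit list is the access-history record a compliance audit would ask for; the desired-state map is what a provisioning connector would apply.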


As we have discussed, IDM is essential yet challenging, involving policy design, role-mapping, identity and data controls, planning, implementation and operations. And that’s before you throw technology into the mix. To make the most of it and to create a healthy IDM programme (and make sure it is not merely a bunch of tactical, quick-lose, identity projects), you need to be extremely clear on what your IDM strategy is, including a strong understanding of exactly what you’re hoping to achieve. 


Healthy Identity and Data Management encompasses the entire identity, access and data management programme, which should be designed to ensure that all the necessary policies, processes and supporting technologies work together as seamlessly as possible while being nearly invisible to users. That last point is really important. Users’ lives are busy and complicated enough today without extra barriers to work. Additionally, it is essential that these components work together as simply and in as unified a manner as possible – all attackers love complexity.


So, is your IDM programme healthy? If it is built to implement a holistic and strategic vision for identity governance and administration across your enterprise; acknowledges business drivers; protects critical business activities; enables digital transformation; reduces risk and increases business opportunities; is fully integrated, interoperable, simple to maintain; and makes life easier for all users – then the answer is yes.


Maximise your business objectives and ensure your IDM programme is healthy with our IDM Health Check.

Kevin Tongs
Senior Solutions Architect
Following a career in Military Intelligence with the British Army, predominantly in the SIGINT field and latterly in training policy and Information Assurance/Cyber Security, Kevin joined Optiv Security Ltd. He serves as a client advocate to help businesses, governments and educational institutions plan, build and run successful security programmes through the right combination of cybersecurity products, services and solutions.