Industry Webinar: Addressing the IAM Data Problem
What is IAM Data?
In its simplest terms we can consider the three P’s: Profiles, Permissions and Policies. Why? Well, in the simplest form we are referring to the relatively static, stored-on-disk signals that make an identity exist and be useful for relying systems and services. Clearly there are also a lot of moving parts to consider as well, such as identity providers, session management systems, PDPs and so on, each with additional data points they can leverage.
“In the old days”, before cloud, AI and mobile, we stored much of our employee identity data in directory services and attempted to roll out single sign-on (SSO) across all the main systems in use, and sometimes linked that to the Windows desktop. Profiles got created, copied, rarely removed, added to groups (again, rarely removed); more groups were added as we forgot what the initial groups were for, we forgot to add descriptions, and we added some roles for good measure. And forgot what they were for too. Line managers came and went and approvals were not really approving anything other than “leave it as it is”.
Accounts got shared, especially the high-risk admin and root ones, passwords were stored in spreadsheets, and secret accounts were often set up by “local admins”. It was great.
No, it was terrible. End users didn’t get the right access. Admins were overworked and lacked process, and auditors were hated. Help desks did more than reset passwords; they often changed access to get “things working” and get the end user off the phone.
What Problems Does it Have?
Does any of that really matter? Well, yes. The good old days may have gone, but the data is often left behind. As are poorly crafted processes, disconnected systems and offboarding workflows that either never fulfil or fulfil very, very slowly. The issue today, of course, is that we have more identities, more identity types, more applications being accessed and more systems integrating with our IAM fabric than ever before.
So if your offboarding process isn’t working, the impact is now much more far-reaching. Cloud systems, SaaS, expensive licences and shadow systems not only cost organisations millions of dollars; if not governed correctly they are also a risk contributor and a productivity reducer.
We have workloads, non-human identities and agentic AI to think about too, not to mention partnerships, joint ventures, federated relationships and supply chains. The amount of excess and misalignment across identities, accounts, permissions and policies starts to become big news.
What Are We Trying to Solve?
As more systems (think network security, data security, endpoint security, secops and forensics) rely upon and integrate against identity providers, policy-based access control systems and the like, they can make assumptions: assumptions around the quality of data, assurance, ownership and the fact that certain governance steps have taken place.
Of course those governance and optimisation steps may not have been taken. Orphan accounts, standing permissions, excessive permissions, claims in tokens not needed, used or approved and so on can be missed.
The result can be a reduced security posture, as well as inefficient access request and access review processes, because this bloated identity data landscape is not being managed effectively.
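The hygiene problems listed above (orphan accounts, undocumented groups, standing privileged access, token claims nobody consumes) are all findable in the stored profile, permission and policy data once it is pulled together. The script below is an added example, not code from the original post or from The Cyber Hut; its record layout, the 90-day staleness threshold, the choice of which groups count as privileged, and all the sample records are constructed assumptions.

```python
"""Hygiene audit over the three P's: profiles, permissions, policies.

Added example, not from the original post. The data model, the
thresholds and the records below are constructed assumptions.
"""
from datetime import date, timedelta

TODAY = date(2025, 7, 1)          # fixed so the example is reproducible
STALE_AFTER = timedelta(days=90)  # assumption: privileged access unused > 90 days is "standing"

# Constructed sample data: account profiles joined to an HR status feed
PROFILES = {
    "alice":   {"hr_status": "active",     "last_login": date(2025, 6, 28)},
    "bob":     {"hr_status": "terminated", "last_login": date(2025, 5, 2)},   # offboarding never fulfilled
    "svc-etl": {"hr_status": None,         "last_login": date(2025, 6, 30)},  # workload identity, no accountable owner on record
    "carol":   {"hr_status": "active",     "last_login": date(2025, 1, 15)},
}
# Constructed sample data: groups with (possibly missing) owner and description
GROUPS = {
    "domain-admins": {"owner": "alice", "description": "Tier-0 administrators"},
    "proj-x-legacy": {"owner": None,    "description": ""},   # nobody remembers why this exists
    "finance-ro":    {"owner": "carol", "description": "Read-only finance reports"},
}
MEMBERSHIPS = {
    "alice":   {"domain-admins", "proj-x-legacy"},
    "bob":     {"finance-ro", "proj-x-legacy"},
    "svc-etl": {"domain-admins"},
    "carol":   {"finance-ro"},
}
PRIVILEGED_GROUPS = {"domain-admins"}
# Last observed use of a privileged membership, e.g. derived from audit logs
PRIV_USE = {("alice", "domain-admins"): date(2025, 6, 27)}
# Claims the IdP puts in tokens for an app vs. claims the app actually reads
ISSUED_CLAIMS = {"finance-app": {"groups", "email", "employee_id", "cost_centre"}}
CONSUMED_CLAIMS = {"finance-app": {"groups", "email"}}


def orphan_accounts(profiles):
    """Profiles with no live owner: terminated in HR, or no HR/ownership record at all."""
    return sorted(p for p, rec in profiles.items() if rec["hr_status"] != "active")


def undocumented_groups(groups):
    """Groups nobody owns or that carry no description: review and cleanup candidates."""
    return sorted(g for g, rec in groups.items()
                  if not rec["owner"] or not rec["description"])


def standing_privileges(memberships, priv_use, today=TODAY):
    """Privileged memberships never used, or unused for longer than STALE_AFTER."""
    findings = []
    for principal, groups in memberships.items():
        for group in groups & PRIVILEGED_GROUPS:
            last = priv_use.get((principal, group))
            if last is None or today - last > STALE_AFTER:
                findings.append((principal, group))
    return sorted(findings)


def unused_claims(issued, consumed):
    """Claims issued in tokens that the relying app never reads: excess exposure per app."""
    return {app: sorted(issued[app] - consumed.get(app, set())) for app in issued}


def audit():
    """Run every check and return one report dict keyed by check name."""
    return {
        "orphan_accounts": orphan_accounts(PROFILES),
        "undocumented_groups": undocumented_groups(GROUPS),
        "standing_privileges": standing_privileges(MEMBERSHIPS, PRIV_USE),
        "unused_claims": unused_claims(ISSUED_CLAIMS, CONSUMED_CLAIMS),
    }


if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result}")
```

Each check is deliberately a pure function over the exported data, so the same code can be pointed at a real directory export and HR feed, and each finding type maps to a concrete remediation: disable or re-own the account, assign a group owner, convert the standing membership to just-in-time elevation, or trim the claim set in the app's token configuration.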
But What Can We Do?
Well, all is not lost. Organisations have many existing data sources, processes and tools that can be augmented to help streamline this identity data world, with improved anomaly detection, secure running states and slimmer permission associations, ultimately moving towards zero standing privileges, just-in-time access and improved visibility and accountability.
Ticketing systems hold vast amounts of information regarding access requests and misalignment, whilst configuration management databases (CMDBs) often hold records of applications and systems disconnected from the core provisioning model.
Context of any sort helps hugely, not only in discovering and understanding the identity and application flows, but also in streamlining their ongoing management. Generative AI can play a role here too, adding support for permission descriptions, group owner identification and the like. Co-pilots, chatops and assistant systems are now becoming common and can provide guidance for access request, review and policy cleanup decisions.
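The two data sources named above can be reconciled directly against the directory: the ticket trail tells you what access should exist, the CMDB tells you which applications exist at all. The script below is an added example, not code from the original post or from The Cyber Hut; the ticket and membership record layouts, the assumption that tickets are listed in chronological order, and all sample records are constructed.

```python
"""Reconcile directory state against ticketing and CMDB context.

Added example, not from the original post. Record layouts are assumed;
every record below is constructed sample data.
"""

# Constructed: access-request tickets exported from a ticketing system, oldest first
TICKETS = [
    {"id": "REQ-100", "user": "bob",   "group": "finance-ro", "action": "grant",  "state": "approved", "fulfilled": True},
    {"id": "REQ-101", "user": "alice", "group": "finance-ro", "action": "grant",  "state": "approved", "fulfilled": True},
    {"id": "REQ-102", "user": "bob",   "group": "finance-ro", "action": "revoke", "state": "approved", "fulfilled": False},  # offboarding stuck
    {"id": "REQ-103", "user": "dave",  "group": "hr-admin",   "action": "grant",  "state": "rejected", "fulfilled": False},
]
# Constructed: current group membership as exported from the directory
MEMBERSHIPS = {
    "alice": {"finance-ro"},
    "bob":   {"finance-ro"},   # revoke approved but never executed
    "dave":  {"hr-admin"},     # present despite a rejected request
    "erin":  {"finance-ro"},   # no ticket at all: a help-desk "get it working" change
}
# Constructed: applications known to the CMDB vs. those wired into provisioning
CMDB_APPS = {"finance-app", "hr-app", "legacy-reporting", "vendor-portal"}
PROVISIONED_APPS = {"finance-app", "hr-app"}


def expected_access(tickets):
    """Replay approved tickets in order to derive the (user, group) pairs that should exist."""
    expected = set()
    for t in tickets:
        if t["state"] != "approved":
            continue
        pair = (t["user"], t["group"])
        if t["action"] == "grant":
            expected.add(pair)
        elif t["action"] == "revoke":
            expected.discard(pair)
    return expected


def actual_access(memberships):
    """Flatten the directory export into (user, group) pairs."""
    return {(user, group) for user, groups in memberships.items() for group in groups}


def access_without_approval(tickets, memberships):
    """Live access that no approved ticket trail supports: side-door grants and stale revokes."""
    return sorted(actual_access(memberships) - expected_access(tickets))


def unfulfilled_approvals(tickets, memberships):
    """Approved tickets whose effect is not reflected in the directory (grant absent, revoke still present)."""
    actual = actual_access(memberships)
    stuck = []
    for t in tickets:
        if t["state"] != "approved":
            continue
        present = (t["user"], t["group"]) in actual
        if (t["action"] == "grant" and not present) or (t["action"] == "revoke" and present):
            stuck.append(t["id"])
    return stuck


def apps_outside_provisioning(cmdb_apps, provisioned_apps):
    """Applications the CMDB knows about but the provisioning model never reaches."""
    return sorted(cmdb_apps - provisioned_apps)


if __name__ == "__main__":
    print("access without approval:", access_without_approval(TICKETS, MEMBERSHIPS))
    print("unfulfilled approvals:", unfulfilled_approvals(TICKETS, MEMBERSHIPS))
    print("apps outside provisioning:", apps_outside_provisioning(CMDB_APPS, PROVISIONED_APPS))
```

The replay in `expected_access` is the important design choice: comparing the directory against the *net* effect of the approved tickets, rather than against the set of all grants ever approved, is what surfaces the revoke that was approved but never carried out, which is exactly the slow-or-never offboarding case described earlier.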
What Next?
There is a lot to uncover on this topic and more will emerge in the coming 12-18 months. Join me for The Cyber Hut’s next industry webinar where IAM Data will be the core topic.
I’ll be in conversation with Wade Ellery and Sebastien Faivre from Radiant Logic on the core challenges and some ideas on possible solutions to improve compliance and security.
We’ll be in discussion on July 22nd 4pm UK time. Join us to find out more.
Further Resources
Article: IAM as a Big Data Problem
Article: Migrating to Data Centric ISPM
Article: Is IGA in Distress? If So Why?
Article: Are PAM and IGA Converging?
Article: RBAC: An Opportunity to Innovate?