Evolving Identity: Why Legacy IAM May Not Be Fit for Purpose
A Fun Science Fact
Are you familiar with the often misquoted study about how every cell in the human body is replaced around every seven years? While a complete body makeover doesn't actually happen, it is true that many cells are regenerated over time, and in some parts of the body this happens faster than in others. It would be fascinating if humans could truly change their identity every few years.
As an information security professional, you know that identity management is a central part of the security landscape. Like the cells in the human body, identity and access management (IAM) has not remained static: it started from very simple beginnings, has changed, and continues to change. Is this just the natural order of all things digital, or is there more to the evolution of IAM?
Glass Half Empty, Or Half Full
The proverbial question of whether a glass is half empty or half full is often used as a measure of pessimism or optimism. The joke amongst engineers is that a half-filled glass is twice as large as it needs to be. One of the first challenges of identity and access management is simply how a person views it. Specifically, is your IAM designed to let the right people in, or to keep the wrong people out? To the modern information security practitioner, it must do both at the same time.
Early computing systems handled access as a simple yes or no to full system access, and the typical home computer still works this way today: most home users have their machine configured to grant full access to everything once a password is entered. Authentication alone decides everything, and there is no separate authorization step. That configuration would not be prudent on a networked system, where a successful login should grant only the access that particular identity is entitled to.
Beyond The Yes And No
Every information security professional has been on the receiving end of a frustrated person who does not understand the reasons for password complexity. Quite often, the information security professional has experienced that frustration too. In an effort to prove the importance of security, we can create our own nightmares by putting systems in place that hinder our own abilities. The old password requirements were clearly not living up to their purpose. Fortunately, NIST, the organization that devised the original password complexity guidelines, has since offered a saner approach in SP 800-63B: favor length and passphrases, screen new passwords against lists of known compromised values, and drop mandatory composition rules and periodic forced changes.
Some methods to improve security only made the login experience more frustrating. Multi-factor authentication is great for security, but can still be a chore for the average person to use. In some cases, people choose weak passwords, relying on the multi-factor step as the extra safety mechanism; if that second factor is ever bypassed or phished, the weak password is all that remains.
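To make the contrast concrete, here is an added example (not code from the original article) that places the legacy composition rule set beside a check in the style of SP 800-63B. It uses only the Python standard library; the breached-password set is a constructed stand-in for a real compromised-credential corpus, and the length ceiling of 128 is an assumed local choice.

```python
# Added example (not from the original article): the legacy "composition"
# rule set beside an SP 800-63B style check. Only the standard library is
# used; the breached-password set is a constructed stand-in for a real
# compromised-credential corpus.
import unicodedata

# Constructed sample of known-compromised passwords. A real deployment
# checks against a large breach corpus, typically by hashed lookup.
BREACHED = {"password", "p@ssw0rd!", "summer2023!", "welcome1!", "qwerty123"}


def legacy_check(pw: str) -> list[str]:
    """Old-style policy: short minimum length plus mandatory character classes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw):
        problems.append("missing uppercase")
    if not any(c.islower() for c in pw):
        problems.append("missing lowercase")
    if not any(c.isdigit() for c in pw):
        problems.append("missing digit")
    if not any(not c.isalnum() for c in pw):
        problems.append("missing symbol")
    return problems


def modern_check(pw: str, blocklist=BREACHED, min_len=8, max_len=128) -> list[str]:
    """SP 800-63B style policy: a length floor, a generous ceiling (the
    guideline says verifiers must accept at least 64 characters; 128 is an
    assumed local cap that just bounds hashing cost), a compromised-password
    blocklist, and no composition rules, so spaces and passphrases are fine.
    Input is NFKC-normalized first, as the guideline recommends, so visually
    identical Unicode inputs compare equal. The blocklist comparison is
    case-insensitive by choice, to also catch capitalised variants of
    leaked values."""
    pw = unicodedata.normalize("NFKC", pw)
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(pw) > max_len:
        problems.append(f"longer than {max_len} characters")
    if pw.lower() in blocklist:
        problems.append("appears in breached-password list")
    return problems
```

The two policies disagree in exactly the way the article describes: "P@ssw0rd!" satisfies every legacy rule yet fails the modern check because it is a known leaked value, while a four-word passphrase fails the legacy rules and passes the modern one.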
Here To Stay
It is clear that passwords are here to stay, and multi-factor authentication remains the best way to strengthen them. Fortunately, through the diligent efforts of clever engineers, the password experience is becoming easier for many people. Some recent advances in authentication have removed the burden of remembering many passwords, as well as the need to carry a separate physical multi-factor token:
- Password managers – software that holds all of a person's passwords in an encrypted "vault" that a single master password unlocks, so every site can have a long, unique password that nobody has to remember.
- Fingerprint readers on mobile devices – the biometric unlocks a credential stored on the device, so the user no longer has to type or remember a password for everyday use.
- Facial recognition – also primarily on mobile devices, this likewise removes the need to remember a password and, because the phone itself can act as the second factor, the need to carry a separate multi-factor device.
All of these have their own vulnerabilities and shortcomings (a compromised master password exposes the whole vault, and a biometric can be spoofed and cannot be changed once it leaks), but for the typical person they have made the login experience much easier and more tolerable.
The InfoSec Perspective
As an information security professional, it is your job to manage the identity process for your organization. This covers the full lifecycle of the organization's IAM mechanism, including:
- Evaluation of the system that best fits your environment;
- Configuration of the system;
- Provisioning and deprovisioning of identities;
- Access review.
In many instances, the information security professional may serve only in an advisory role for many aspects of the IAM systems; a security engineer, or possibly a network administrator, will perform the hands-on functions of IAM.
Networked IAM systems offer a centralized approach, which makes the job much more practicable. With the emergence of cloud technologies, IAM has taken on a new angle. Identity as a service (IDaaS) is one of the new models, often coupled with software as a service (SaaS). IDaaS expands the ability to manage identities both inside and outside of an organization. Many more safeguards are built into these systems, including the ability to allow or restrict access based on the geographic location a sign-in originates from. While this new model also makes the login experience easier, it expands the responsibility of the information security professional: the identity store now sits outside the network perimeter, and the policies configured in it are what stands between a stolen credential and every connected SaaS application.
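The provisioning, deprovisioning and access-review steps above amount to reconciling what HR says should exist against what the directory actually contains. The following is an added example, not code from the original article, of that reconciliation; the HR feed, the directory snapshot and the role model are constructed, and their field names are assumptions about what a real system exports.

```python
# Added example (not from the original article): joiner/mover/leaver
# reconciliation of the kind an access review performs. All records below
# are constructed, and the field names are assumed.
from datetime import date, timedelta

# Constructed authoritative HR feed: who should exist and in what department.
HR = {
    "alice": {"status": "active",     "dept": "finance"},
    "bob":   {"status": "terminated", "dept": "it"},
    "carol": {"status": "active",     "dept": "engineering"},
    "dave":  {"status": "active",     "dept": "engineering"},
}

# Constructed directory/IAM snapshot: what actually exists right now.
DIRECTORY = {
    "alice":      {"enabled": True, "entitlements": {"erp-ap", "vpn"},
                   "last_login": date(2024, 5, 1)},
    "bob":        {"enabled": True, "entitlements": {"domain-admin", "vpn"},
                   "last_login": date(2024, 4, 20)},
    "carol":      {"enabled": True, "entitlements": {"vpn", "erp-ap"},
                   "last_login": date(2023, 9, 1)},
    "svc-backup": {"enabled": True, "entitlements": {"domain-admin"},
                   "last_login": date(2024, 5, 2)},
}

# Assumed role model: the entitlements each department is expected to hold.
ROLE_MODEL = {
    "finance":     {"erp-ap", "vpn"},
    "it":          {"domain-admin", "vpn"},
    "engineering": {"vpn", "git"},
}


def review(hr, directory, today, dormant_after=timedelta(days=90)):
    """Return (account, finding) pairs in a stable order: directory accounts
    first, then HR records that were never provisioned."""
    findings = []
    for user, acct in directory.items():
        person = hr.get(user)
        if person is None:
            # Nobody in HR owns this account: orphan or unowned service account.
            findings.append((user, "no HR owner (orphan or service account)"))
            continue
        if person["status"] != "active":
            # Deprovisioning failure: leaver whose account was never disabled.
            if acct["enabled"]:
                findings.append((user, "leaver still enabled"))
            continue
        expected = ROLE_MODEL.get(person["dept"], set())
        for e in sorted(acct["entitlements"] - expected):
            # Mover: access accumulated from a previous role, or ad hoc grants.
            findings.append((user, f"entitlement outside role: {e}"))
        if today - acct["last_login"] > dormant_after:
            findings.append((user, "dormant account"))
    for user, person in hr.items():
        if person["status"] == "active" and user not in directory:
            # Joiner whose provisioning never completed.
            findings.append((user, "active in HR but not provisioned"))
    return findings


def demo_review():
    """Run the review against the constructed data as of a fixed date."""
    return review(HR, DIRECTORY, date(2024, 5, 10))


if __name__ == "__main__":
    for account, finding in demo_review():
        print(f"{account:12} {finding}")
```

Each finding maps to one lifecycle step: the enabled leaver is a deprovisioning failure, the out-of-role entitlement and the dormant account are what an access review exists to catch, the unowned privileged service account needs a named owner, and the HR-only user is a provisioning gap.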
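The geographic allow/restrict capability mentioned above is usually one rule in an ordered, deny-by-default sign-in policy that also weighs network location, device state and whether a second factor was satisfied. The following is an added example, not code from the original article or from any vendor's product, of such a policy; the rule names, countries, network ranges and break-glass account are constructed assumptions.

```python
# Added example (not from the original article or any vendor's product):
# an ordered, deny-by-default sign-in policy of the kind an IDaaS platform's
# conditional-access feature evaluates. Rule names, countries, network
# ranges and the break-glass account are constructed assumptions.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    user: str
    country: str          # ISO 3166-1 alpha-2 code the provider geolocated src_ip to
    src_ip: str
    mfa_done: bool        # a second factor was satisfied in this session
    device_managed: bool  # device is enrolled in the organization's MDM


CORP_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # constructed office/VPN egress
ALLOWED_COUNTRIES = {"US", "CA", "GB"}              # constructed geo allowlist
BREAK_GLASS = {"emergency-admin"}                   # exempt from the geo block only


def on_corp_net(s: SignIn) -> bool:
    ip = ipaddress.ip_address(s.src_ip)
    return any(ip in net for net in CORP_NETS)


# (rule name, predicate, decision). Evaluated top to bottom; the first
# matching rule wins, and a sign-in that matches nothing is denied.
RULES = [
    ("geo-block",
     lambda s: s.country not in ALLOWED_COUNTRIES and s.user not in BREAK_GLASS,
     "deny"),
    ("corp-managed",                 # trusted network and a managed device
     lambda s: on_corp_net(s) and s.device_managed,
     "allow"),
    ("mfa-satisfied",
     lambda s: s.mfa_done,
     "allow"),
    ("known-context-needs-mfa",      # managed device or on-site, but no MFA yet
     lambda s: s.device_managed or on_corp_net(s),
     "require_mfa"),
]


def evaluate(s: SignIn) -> tuple[str, str]:
    """Return (decision, rule name) so the audit log records why."""
    for name, pred, decision in RULES:
        if pred(s):
            return decision, name
    return "deny", "default"   # unmanaged device, off-network, no MFA


if __name__ == "__main__":
    print(evaluate(SignIn("alice", "DE", "203.0.113.5", True, True)))
```

Two design points matter more than the specific rules: the geographic block is evaluated first so that no later "allow" can override it (the break-glass exception is explicit and narrow), and the fallthrough is a deny, so a sign-in with no trusted context fails closed rather than being prompted for a factor it may not have.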
How The CISSP Credential Can Help You Succeed
So much of what an information security professional does goes unnoticed. This is especially true of IAM, since, when it is done well, it is frictionless. IAM is one area of the vast and expanding knowledge set required to be a successful information security professional.
When an organization needs subject matter expertise, it can rely on those who hold the CISSP designation for a breadth of knowledge and experience that is not limited to information security alone. The CISSP is ideal for experienced security practitioners, managers and executives interested in proving their knowledge across a wide array of security practices and principles, including those in the following positions:
- Chief Information Officer
- Security Analyst
- Security Manager
- Security Engineer
To discover more about the CISSP, read our whitepaper, 9 Traits You Need to Succeed as a Cybersecurity Leader.