A Planning Guide for Identity and Access Management
In the era of digital transformation, every organization is figuring out how to manage digital identities for its employees and customers. Traditionally, IT owned all technology functions, and as a result, identity management automatically fell in their lap. That may be true for employee identities, but what about customer identities?
Let’s rewind a bit and start from the basics. What is an identity, and what is an identity management system? In its simplest form, identity is a set of features or attributes to help identify people (customers and employees). Some of these attributes are similar across multiple people, and some are different. Combining a few attributes that are different helps us to uniquely identify and hence authenticate a person to a system. These can be passwords, fingerprints, random tokens and many more. The systems that capture identities and authentication information are generally referred to as identity management systems (IDMs).
In the digital era, a compromise or an unauthorized access of employee identity means lot more beyond compromise of organizational assets
Let’s take a deeper look at employee identities and their management. Who owns employee engagement in any organization? The obvious answer is Human Resources. HR in every organization determines employee benefits, workplace behaviors, ensures employees are authorized to work, compensation and many more aspects of employment. They collect employee related information to ensure internal and regulatory compliance obligations are met. But HR doesn’t specialize in technology management. As organizations evolve in their identity management practices, they are faced with one big question - Where do these systems belong? Who should manage them? Who should have oversight? What are the driving factors for overall governance? Who is responsible and accountable for safeguarding this information within these critical systems? The answer varies based on the maturity of the organization. In many cases, IDM systems are managed by IT with HR and Information Security oversight. That is an ideal situation from a separation of duties standpoint, but following good audit practices is also important.
Most cyber-attacks today start with a stolen identity. Obviously, Information Security departments fulfill a promise provided to employees to safeguard their information. This creates additional needs for information security oversight across IDM systems. Organizations that ignore the safety and adequate protections of the employee identity information are violating the employee agreements and the trust an employee has given to the organization. In the digital era, a compromise or an unauthorized access of employee identity means lot more beyond compromise of organizational assets. The damages extend to their personal lives, banking, social media, privacy and a lot more. When deciding the level of protections to safeguard the employee identities, organizations should also consider regulatory obligations. The ability to prove that organizations followed ‘due-diligence’ and ‘due-care’ in providing adequate protections will be invaluable in the event of a breach.
Defining a set of protection standards, including but not limited to access controls, auditing, logging, retention, and monitoring is what we call governance. Information Security combined with IT and Human Resources should develop these governing principles to protect IDM systems. Separation of duties is very important on who ultimately owns these governance principles, which ensures that they are followed and who is implementing them. That way the department who is accountable is different than who is responsible and different from who audits against these principles. While developing these principles, organizations should remember that IT in the recent past evolved as a service provider and is best suited to manage IDM systems. Information Security has always been an oversight and governance organization, and it is best suited for defining governance principles. HR is always responsible for employee engagement and a key business partner in the entire process.
On top of governance and oversight on IDM systems, it is important that organizations develop application-centric access policies. This is to protect themselves from the cloud evolution where multiple applications are served through the cloud outside corporate walls. Based on the risk appetite of the organization, they need to decide if employees can access cloud applications without logging into VPN or other remote access mechanisms. If so, organizations should think about how the data loss thru non-corporate assets can be being tracked, monitored and prevented. Organizations should consider device identification and authentication in those scenarios. We have also seen an evolution of cloud services wanting to automate onboarding and offboarding processes and having access to the identity management system. Before authorizing such scenarios, evaluate the cloud provider’s track record, level of auditing enabled in your IDM, your incident response plan and legal T’s & C’s to enforce breach notification and liabilities in the event a cloud provider gets breached. It is important to weigh the business benefit against the risk, as identity management systems are ‘crown jewels’ for any organization.
Switching gears, do all of these principles apply to customer identities? If the sole business model of an organization is B2B, then customers are businesses rather than consumers. In either case, someone who is responsible for customer engagement is also responsible, and may be accountable for safeguarding customer identities. Typically that department is product management and / or marketing. The goal for these departments is to enhance sales and customer reach which in-turn means ease-of-use products and services. With digital evolution, customers are dealing with multiple online systems, multiple passwords, multiple pass codes and struggling to protect their authentication information across many systems. That is multiplied with the evolution of social media.
Taking this one step further, in order to drive better customer engagement through ease of use, organizations are looking at options like ‘identity as a service’. There is some adaption in the market to this new model where you are depending on identities collected and stored by a third party to provide access to your systems. More adoption of this model is happening with customer identities rather than employee identities. Can customers use their Facebook account to buy something on your website? In that case, if their Facebook credentials are compromised, who is responsible and liable for the unauthorized purchase of products?
Again, like the case of employee identity systems, customer identity systems should also have stronger governance. Information security in many organizations is taking the lead and guiding product management teams to advise them on best practices. There are organizations who are also merging both customer and employee identities to a single system. In that case, we may be looking at conflicts as the governing principles may be different. Also, if there are no strict change management process, a system failure might cause interruption to customer logins, impacting sales and revenue. Also, if your organization sells internationally but only has employees within US, that forces the whole identity management system to comply with various international privacy and data protection regulations. Information security in either case should act as governing and oversight body providing guidance to HR, product management and IT.
To conclude, organizations and businesses should consider governing principles, document requirements, standards, policies, and technical controls with a separation of duties and privilege in mind. Organizations should develop policies for accessing cloud applications. Separating employee and customer identities is always a safe bet. These are some of the foundational elements for any successful identity management program.