The security industry often gets wound up in dissecting the latest mega breaches in deep forensic detail. But the reality is that good security hygiene isn’t just about firewalls, intrusion detection systems and other controls. Managing the security around identities, access and the governance of systems – Identity Governance and Administration (IGA) – is critical to maintaining secure systems.
Chris Gacesa from RSA has been working with identity and access management systems since the birth of identity management systems early this century. Over the years he’s seen many changes in the attitude of companies.
“Back then, if someone needed access to the HR system, walls would go up, whereas today it’s flipped on its head where now they want or need to know who is using their system.”
Gacesa says there are some basic questions that application developers and business owners need to address when establishing identity management systems.
“These questions are: Who has access, and to what applications? How do they get access to that application? How confident is the business that people have the appropriate level of access to applications? Are the compliance and regulation guidelines being adhered to?”
Successful IGA isn’t just about processes and procedures when users and systems are active. Gacesa says it starts when new personnel and applications are onboarded.
However, these aren’t new challenges. So why are they suddenly becoming a sharper point of focus?
“This has come about because the earliest players quickly learned that connecting to many different applications was really complex. It took a long time to get an application onboarded, for the users in the business to get access, and therefore be productive,” says Gacesa.
During a recent engagement with an airline, Gacesa discovered the company could only bring five of the 95 applications they wanted online due to challenges with their legacy provisioning solution.
“It took them over 650 labour hours to connect each application,” he says. “It was way too hard.”
The new world: Provisioning 2.0.
“This is now a world where we can very quickly provision all those applications with far less effort. This allows systems to connect with a focus on configuration rather than lots of complex coding,” says Gacesa.
As a result of this approach to provisioning, the airline was able to connect all of its applications and keep up with the demands of being a dynamic company. This included migrating older applications as there are now ways to secure critical data within legacy databases as well as via established application interfaces.
As well as facilitating the connection of the systems the airline needed, there was another payoff.
“Because of this new way of provisioning and their flexible identity infrastructure, they were able to acquire another airline and easily connect to other apps. It simplified the process.”
Often, IGA is seen as being purely a technology issue with limited payoff for those adopting it. However, the ability to provision and decommission applications easily delivers benefits that can be readily understood and recognised in business terms.
As applications are more widely distributed and more devices are being used, an effective IGA strategy offers significant flexibility.
Of course, there’s also an obvious security benefit. Gacesa cited data from a recent Verizon security report which showed that 95% of breaches used stolen credentials. By understanding what identities are active, what they can be used for, and who is using them, it’s possible to limit the damage done by hackers and better identify the vulnerable points in the threat surface.
With the application platform, threat and regulatory landscapes changing, Gacesa says companies have a lot on their plates at the moment.
“One of the core challenges is that IGA projects were driven by IT. But they lacked an understanding of the processes they were trying to secure. What we’re now seeing is more of an influence in moving that responsibility back to the line of business application owners so they can easily define the workflows they need.
“There’s also an increasing need to report data breaches across the world. The regulations and audits associated with this requirement are challenges that businesses face as they must ensure they have the right governance and audit processes in place.
“The changing landscape of where these applications are consumed is also an evolving challenge. There are so many cloud apps, and different devices, which are providing further challenges for businesses.”
What’s RSA doing?
In the past, IGA was seen as a point-in-time project, but RSA has changed that through its Via Lifecycle and Governance platform. Having evolved from RSA’s Aveksa products, Via reflects RSA’s long pedigree and extensive expertise in IGA. It has also been recognised by Gartner as a leader in the IGA and user authorisation spaces.
“We provide a phased approach that looks at the monolithic identity management problem we see today. Gaining visibility and certification around who has access, how they get access – we see that as the first stage. Then we can apply policy behind that.”
Gacesa says this ensures appropriate controls are in place so that an identity that gives access to one system doesn’t create a situation where it allows access to another with unintended consequences. Gacesa likened this to the segregation of duties in a finance group that separates accounts payable and receivable functions.
This covers everything from adding and removing people from applications through to compliance and audit reporting. And this can be done with minimal coding, as Via is largely configuration-based, so it can be used by business users rather than technical staff.