With the increased use of the Web and the proliferation of heterogeneous applications, businesses now face more challenges than ever in authentication, authorization and identity management. The complication arises when modern architectures have to provide access not to one isolated system but to a whole network of services (Gaedke, Meinecke & Nussbaumer, 2005). Thus, with the different requirements and specifications of each technology, privacy, system integrity and distribution on the web have become the new trending topics for experts within the identity and access management (IAM) field.
What about cloud computing and IAM? Cloud networks are vulnerable to a series of threats, from cyberattacks to privacy issues. Key characteristics of cloud environments, such as multi-tenancy and infrastructure managed by a third party, require IAM mechanisms (Indu, Anand & Bhaskar, 2018).
What does the future hold? With the rapid development of technologies such as the Internet of Things (IoT), firms will face new obstacles for their IAM. Traditional protection layers will no longer be sufficient in the face of challenges such as general security, resource-constrained devices, interoperability and scalability (Nuss, Puchta & Kunz, 2018).
To tackle the topic of Identity and Access Management, on the 1st of December we organized an online panel discussion entitled “Using Identity Data to get the Best out of IAM”. In this round table, we brought together members of some of the best-in-class IAM departments in The Netherlands to discuss their experiences with applying these approaches in practice. Moderated by Maarten Decat, Chief Technology Officer of Elimity, the event explored data analytics and identity intelligence driven approaches to identity governance. Guest speakers included Philip van der Most, Owner of Identity and Access Management at Rabobank Nederland, and Laurent Vandenbemden, former Identity Management Architect and IAM Consultant, now working as Team Lead for Identity, Credential, and Access Management (ICAM) at Belgian Railways.
Presentation by Laurent Vandenbemden, Team Lead for Identity, Credential, and Access Management (ICAM), Belgian Railways:
Presentation by Philip van der Most, Process Manager & Owner of Identity and Access Management, Rabobank Nederland:
Having control over who can access which data within your organization is key to addressing many cyber threats and to meeting regulatory and privacy requirements.
Identity governance has long been considered the answer to this challenge. With well-known approaches and tools, identity governance does a great job in automating provisioning and supporting governance processes such as access requests, approvals and reviews.
However, these governance processes are manual, highly technical, time-consuming and error-prone. They struggle to keep up with today’s digital transformation, the increasing number of identities and applications, and the growing compliance pressure from regulatory bodies. As a result, many organisations are struggling with security risks such as access creep, account explosion, toxic access and role proliferation.
Newer approaches such as data analytics and identity intelligence can help cope with these challenges. Below are the conversation topics tackled during the online panel discussion.
What were the topics debated?
Siloed departments: What is the main challenge when working across different departments (multidisciplinary teams) with cloud systems? The main obstacle comes down to assigning authorization, and is especially constrained by the fact that not everyone in a team or department needs full authorization. In some cases, working with temporary authorization can be a solution, combined with a framework that constantly compares what people should have with what they actually have.
Overviewing governance: How to best oversee the process? What to do about legacy problems? Data owners can be valuable, but inside some companies this is still at the discussion stage and not actually implemented. Another solution is to have user administrators, who can decide on user access. It is also essential to establish tasks and ownership (RO, SO, IAM).
Connected & non-connected applications: With a lot of applications within the banking system, not all are suitable for connecting. When onboarding many applications within the company (considering the availability, trackability and confidentiality check-up system), the first step is to try to connect the systems directly to IAM; if that does not work, it can be done manually via tickets.
Communication with people outside IAM: It is hard for people outside the IAM system to understand what access they have been given and why they have to go through the proposed process, and they do not always have a clear reference for the information given to them. How can this challenge be overcome, to humanize the whole management of identity & access? Is the business responsible for the movers?
Most of the time, the business does not take responsibility for the access it has granted, so it is up to IAM to decide. The difficulty remains when a user moves to a new position. It is hard to know how to look at such users, to identify when the user is supposed to have the access and when not, and to determine legacy access.
Regarding movers, a solution could be to track all the authorizations someone has and give them to the user. For example, in the banking sector movers are very often treated as a leaver followed by a joiner, with HR as the golden source: HR states that someone has changed position, and IAM acts on that to differentiate movers from leavers and joiners.
Problems about roles: Within the banking industry, how do you cope with the roles problem, given that excessive numbers of new roles are being added? Do you have any engines to find whether roles conflict with other roles? Over an employee’s journey in the bank, they can accumulate multiple roles with conflicting access.
Keeping control of the role set can be a challenge, especially for a bank’s central office. For example, standardized processes are easily accessible outside the central office, and they can be used in over 100 banks. When additional roles are added there, it is clear where the conflicts are, but in the central office it becomes more challenging to keep control. The process for central offices implies designating role owners who are responsible for creating the right roles based on the system owners (and also based on rules, such as “this authorization group can or cannot be used with that one”). It becomes increasingly difficult to get the whole chain right, and an additional source of expertise is necessary to support the role owners in following the right procedures.
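The three data-driven checks raised in the discussion (comparing what people should have with what they actually have, handling a mover as a leaver followed by a joiner with HR as the golden source, and detecting conflicting role combinations) can be expressed as a small identity-intelligence script. This is an added example, not material from the panel or from any speaker’s organization; the positions, entitlements and conflict rules below are constructed sample data.

```python
# Added example (not from the panel or any speaker): identity-intelligence checks
# over constructed sample data. HR is treated as the golden source of positions,
# a role model maps positions to entitlements, and ACTUAL holds what users have.

HR_POSITION = {"u1": "teller", "u2": "loan_officer"}          # constructed
ROLE_MODEL = {                                                 # constructed
    "teller":       {"cash_desk", "customer_view"},
    "loan_officer": {"loan_create", "customer_view"},
}
ACTUAL = {                                                     # constructed
    "u1": {"cash_desk", "customer_view"},
    "u2": {"loan_create", "customer_view", "cash_desk"},       # cash_desk is legacy
}
# Entitlement pairs that must not be combined (constructed segregation-of-duties rules).
TOXIC_PAIRS = {frozenset(("loan_create", "loan_approve")),
               frozenset(("cash_desk", "loan_create"))}


def expected(user):
    """Entitlements the role model says the user should have, given HR's position."""
    return set(ROLE_MODEL[HR_POSITION[user]])


def drift(user):
    """Compare should-have with actually-has: returns (missing, excess)."""
    should, has = expected(user), ACTUAL.get(user, set())
    return should - has, has - should


def toxic_combinations(entitlements):
    """Return the toxic pairs present in one user's entitlement set, sorted."""
    found = [tuple(sorted(p)) for p in TOXIC_PAIRS if p <= set(entitlements)]
    return sorted(found)


def mover(user, new_position):
    """Treat a mover as leaver + joiner: revoke old-position access, grant the new."""
    old = ACTUAL.get(user, set())
    new = set(ROLE_MODEL[new_position])
    return old - new, new - old     # (to_revoke, to_grant)


if __name__ == "__main__":
    for u in ACTUAL:
        print(u, "drift:", drift(u), "toxic:", toxic_combinations(ACTUAL[u]))
    print("u1 -> loan_officer:", mover("u1", "loan_officer"))
```

Running it flags the legacy cash_desk entitlement on u2 both as excess access and as a toxic combination with loan_create, which is exactly the kind of conflict a role engine would need to surface before a mover’s old access is carried over.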
What’s next? Future topics to address: segregation of duties, data quality issues (data science, the data-driven organization), and data delivery.