Access Governance in Hybrid Scenarios
Identity Governance and Administration (IGA) practitioners sometimes become blind to the increasing impact of hybrid IT scenarios, running the risk of staying too focused on their customary views.
By Martin Kuhlmann, Lead Solution Consultant, Global Blackbelt Team
From Blind Spots to Full Overview – Access Governance in Hybrid Scenarios
Have you ever experienced the “blind spot” in your eye? It is a small area of the retina where the optic nerve enters the eye and no photoreceptors are present. It makes some things invisible even though they are in your field of view. It is my impression that Identity Governance and Administration (IGA) practitioners sometimes become like this, running the risk of staying too focused on their customary views, even though the effects of digitalization can be seen everywhere in today’s organizations. Companies are exposed to more and more “hybrid” IT scenarios, technologies and business processes. Failing to see and react to these, from an IGA perspective, quickly leads to organizations losing their overview and their ability to master security risks. But what concretely should we pay attention to?
One key characteristic of hybrid IT is the opening up of parts of the organization’s IT infrastructure to partners, customers and other outsiders, to be able to deliver services or to be part in a supply chain. Another characteristic is the use of cloud applications and cloud infrastructure.
Clouds in your strategy and execution
When making a strategic move to the cloud and adopting new technologies, both governance practitioners and business managers need to be aware that access governance policies must be extended and enhanced accordingly. Failing to do so will evoke blind spots in governance and lead to security risks, as the following examples may illustrate:
- In 2018, FedEx disclosed the theft of personal data of 119,000 customers due to unsecured Amazon S3 buckets. Before this, Swisscom had reported an incident where the “misappropriation of a sales partner’s access rights” had led to a data breach affecting 800,000 customers. These cases demonstrate that it is of key importance for security departments to invest quickly in expert knowledge on new platforms, and to extend governance procedures to external users who may still fall outside the scope of the established Identity and Access Management procedures.
- Due to fast-changing business models, many business units are flexibly subscribing to cloud services on their own behalf – oftentimes without involving IT Governance departments, making these services invisible for the corporate access governance procedures. Furthermore, for these services, the business units will not be able to benefit from any automation provided by the established corporate identity lifecycle management. Business and IT need to make a joint effort to remediate this situation. If IT can provide a fast and non-bureaucratic onboarding of the new services to the company’s IGA platform, business owners will much more easily see the benefits they get from IGA.
- Collaboration platforms such as SharePoint Online make it easy to exchange information between companies. But again, traditional governance processes need to be enhanced. In SharePoint Online, external users can be invited and immediately receive guest accounts in Azure AD. However, in many companies these accounts are unsupervised and pose a considerable security risk. Introducing periodic access reviews and access request procedures, and assigning internal owners to the external identities, will put companies back in control of these guests.
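A periodic access review of guests has to start from an inventory. The following Python script is an added example, not code from the original article or from any Omada product: it takes the user objects that Microsoft Graph returns for `GET /users?$filter=userType eq 'Guest'` with `$select` of `userPrincipalName,userType,accountEnabled,externalUserState,createdDateTime,signInActivity` and sorts each guest into review findings (no internal owner, invitation never redeemed, no recent sign-in, disabled but not deleted). Two assumptions are labelled in the code: `signInActivity` is only populated with an Azure AD Premium P1 licence, so a missing field is treated as "no sign-in data"; and because Azure AD does not store which employee is accountable for a guest, the owner mapping (`SAMPLE_OWNERS`) is a hypothetical lookup that would come from the IGA system or the invitation workflow. The guest objects are constructed sample data, not a real tenant.

```python
"""Triage Azure AD guest accounts ahead of a periodic access review.

Input: user objects as returned by Microsoft Graph for
  GET /users?$filter=userType eq 'Guest'
      &$select=userPrincipalName,userType,accountEnabled,
               externalUserState,createdDateTime,signInActivity
signInActivity needs an Azure AD Premium P1 licence; without it the field
is absent and the guest is treated as having no sign-in data (assumption).
All sample objects below are constructed, not taken from a real tenant.
"""
from datetime import datetime, timedelta, timezone

STALE_DAYS = 90          # no sign-in for this long -> candidate for removal
INVITE_GRACE_DAYS = 30   # unredeemed invitation older than this -> revoke it


def parse_ts(value):
    """Parse a Graph ISO-8601 UTC timestamp; fractional seconds are ignored."""
    if not value:
        return None
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def triage_guest(user, owners, now):
    """Return the review findings (list of strings) for one Graph user object.

    owners maps a guest's userPrincipalName to the internal employee accountable
    for it. Azure AD itself does not store that relationship; the mapping is a
    hypothetical input assumed to come from the IGA system or invitation workflow.
    """
    if user.get("userType") != "Guest":
        return []  # members go through the normal joiner/mover/leaver process
    findings = []
    if user["userPrincipalName"] not in owners:
        findings.append("no internal owner")
    if user.get("externalUserState") == "PendingAcceptance":
        created = parse_ts(user.get("createdDateTime"))
        if created and now - created > timedelta(days=INVITE_GRACE_DAYS):
            findings.append("invitation not redeemed within %d days" % INVITE_GRACE_DAYS)
    else:
        last = parse_ts((user.get("signInActivity") or {}).get("lastSignInDateTime"))
        if last is None or now - last > timedelta(days=STALE_DAYS):
            findings.append("no sign-in in the last %d days" % STALE_DAYS)
    if not user.get("accountEnabled", True):
        findings.append("disabled but not deleted")
    return findings


def triage_guests(users, owners, now):
    """Map each guest UPN that has at least one finding to its findings."""
    report = {}
    for user in users:
        findings = triage_guest(user, owners, now)
        if findings:
            report[user["userPrincipalName"]] = findings
    return report


# Constructed sample: one page of Graph results, evaluated at a fixed date.
NOW = datetime(2019, 4, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"userPrincipalName": "alice_partner.example#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest", "accountEnabled": True, "externalUserState": "Accepted",
     "createdDateTime": "2018-06-01T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2019-03-22T08:15:00Z"}},
    {"userPrincipalName": "bob_supplier.example#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest", "accountEnabled": True, "externalUserState": "Accepted",
     "createdDateTime": "2018-02-10T11:30:00Z",
     "signInActivity": {"lastSignInDateTime": "2018-09-13T16:40:00Z"}},
    {"userPrincipalName": "carol_partner.example#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest", "accountEnabled": True, "externalUserState": "PendingAcceptance",
     "createdDateTime": "2018-12-02T14:05:00Z"},
    {"userPrincipalName": "dave_former.example#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest", "accountEnabled": False, "externalUserState": "Accepted",
     "createdDateTime": "2017-11-20T10:00:00Z"},
    {"userPrincipalName": "erin@contoso.onmicrosoft.com",
     "userType": "Member", "accountEnabled": True,
     "createdDateTime": "2016-01-05T08:00:00Z"},
]
# Hypothetical owner mapping maintained outside Azure AD (e.g. in the IGA tool).
SAMPLE_OWNERS = {
    "alice_partner.example#EXT#@contoso.onmicrosoft.com": "procurement.lead@contoso.com",
    "carol_partner.example#EXT#@contoso.onmicrosoft.com": "procurement.lead@contoso.com",
}

if __name__ == "__main__":
    for upn, findings in sorted(triage_guests(SAMPLE_USERS, SAMPLE_OWNERS, NOW).items()):
        print(upn, "->", "; ".join(findings))
```

The thresholds are deliberately conservative defaults; the point is that each finding maps to a concrete reviewer action (assign an owner, revoke an unredeemed invitation, remove a stale or disabled guest) rather than to a generic "please review" mail.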
So how do you improve alignment in a hybrid IT world?
To consider how we can systematically align access management and governance with the requirements of a hybrid IT world, we need to take a step back and look at the issues through a macro lens. I have structured them into five key areas:
- Security:
As with any legacy application or system, you need to familiarize yourself with the security concepts of cloud applications and cloud infrastructure platforms, and understand how to protect the platform or application. From a governance perspective, decide who really needs access and how you remove it from those who already have it but should not. Policies such as Segregation of Duties must be extended to the cloud platforms. Customers and partners must understand that you care about security and that it is not a static state: take them on the journey with you. When working with partners, new responsibility models must be set up; for example, you may delegate access management tasks to the partner organization by policy while keeping overall control yourself. Avoid repeating the mess of the past caused by insufficient Active Directory group concepts or SharePoint access management!
- Compliance:
If new services are provided to the business, it goes without saying that existing compliance policies must be adhered to. Business flexibility is no excuse for neglecting personal data protection and data proliferation regulations such as GDPR, industry-specific legislation such as recertification requirements in finance, or internal information classification and data ownership standards.
- User Convenience:
When an increasing number of cloud services is needed for daily work, end users start to struggle with storing URLs, memorizing passwords and finding the right people who can grant them access. In a scenario where internal and external users access both on-premises and cloud applications, a comprehensive single sign-on concept is needed, as well as a central landing page giving access to all applications.
- Agility:
Digitalization allows business models to change at a higher pace. New sourcing models are tried out and established, services are subscribed to and decommissioned, partnerships are created and abandoned, and regulatory requirements keep increasing. In this context, IGA teams can only survive if they can react in a timely fashion. They need an IGA solution that lets them reconfigure access and governance policies quickly, on- and off-board all types of new apps with minimal effort, and master the change management that comes with organizational shifts.
- Scalability:
Collaboration implies that more people are using corporate applications and that the turnover rate is increasing too. The number of managed identities might grow from a couple of thousand to a million or more. IGA teams need to consider how they can scale while the team size does not necessarily grow proportionately. They can only succeed with an IGA solution that provides a high degree of automation and offers the possibility to distribute and delegate the work appropriately.
When the organization moves to a hybrid IT world, IGA teams must think ahead and be agile enough to prepare for future scenarios. Unless they do, the transition will be ungoverned, and the organization will be vulnerable. You need to have both your eyes open so that an attacker cannot hide in a blind spot.
Omada | April 2019
Dr. Martin Kuhlmann, Global Black Belt Senior Solution Architect, Omada, advises strategic customers and designs identity and access management solutions. Martin has been active in the IT security space for almost two decades and has been a frequent speaker and panelist at international conferences. As a consultant and strategist, he had a leading role in various security integration projects in large organizations, specializing in identity management and access governance, and risk and compliance. Martin has published numerous journal articles and several scientific papers on role-based access control (RBAC) and application security. In 1992, he completed his doctorate in mathematics from Bochum University, Germany.