Security may have been a distinct domain from identity management in the past, but these days, IT admins need to think of them in concert, according to Kevin Kampman, a Gartner analyst.
That’s no easy task, as identity management software continues to evolve and point solutions sometimes run rampant in the enterprise. But, as Kampman points out in this Q&A, with the rise of regulation, companies need an identity management strategy now, one that includes employee as well as customer data.
Are organizations beginning to blend identity and security management together?
Kevin Kampman: Identity management has typically been subservient to security. It’s either been under information security or operations and hasn’t been recognized as a discipline on its own. It’s always been associated with particular processes or sometimes a technology like Active Directory. No one has looked at it and said how does this affect the organization?
But what I’ve seen more recently is greater recognition of what impact identity management has on different elements of the organization, including information security. And it’s a fair statement to say security and identity management tend to run in the same circles.
If you were to talk to organizations about identity management, there’s a high probability that you’d be talking to someone within the information and security space. What we’re starting to see identity management gain [is] recognition that it is something parallel to information security. But if you look at the technology, nothing happens without identity. If you don’t have people, you don’t have anything. A lot of the information and security technology — like event management or behavior analysis — relies on a good understanding of how identity plays in that equation.
There is a significant overlap between the two. How that is substantiated in an organization has a lot to do with the organization itself.
What challenges do IT admins face when bringing an identity management strategy and security together?
Kampman: As you start to look at the breadth of influence of identity on an organization, oftentimes it’s around access management or credentialing or some kind of technology driver. That is a challenge for organizations — that technical view is very discontinuous, and nobody owns it but everybody uses it.
Organizations are dealing with customers, employees, contractors, partners and all these types of entities that influence how your enterprise runs, but you don’t have a consistent view of who owns that, how you manage it and the identity management software you deployed. There are a lot of point solutions that don’t operate in concert, which is a huge management challenge.
Organizations also need to think about emerging regulations, which require that you have that overarching view of identity inside and outside of your organization. That’s really important. If you ask a security guy what he’s doing with consumer data, he’s going to say, ‘That’s not my domain. That should be in the CRM system.’ In a modern identity system, there would be an acknowledgment that customer data would be part of that equation.
How does this identity management strategy transformation impact the organization?
Kampman: It’s a business shift. Ten percent of this is the technology. They solve the point problem from a technical point of view. When you start thinking about relationships and how you are applying analytics to data or start to look at the organization, these are all process. It’s the organizational elements of how you recognize and leverage identity information to support or initiate business decisions.
In a recent survey [Gartner] did, in addition to technical skills, a secondary skill organizations are looking for in identity principles is a good understanding of how the business is operated. We’re trying to get people to stop concentrating just on the technology and concentrate more on the business value and the impact on the people.
How are newer security measures like passwordless authentication affecting end user experience?
Kampman: In the technology space there is a lot of evolution. We’ve heard about passwordless authentication for years. The tech has improved in different areas and made it easier — with things like voice recognition and biometrics, we’re starting to see those influences. You also have mobility — you’re carrying around a supercomputer in your hand that acts as your avatar, really. You see the ways to leverage that to make authentication easier but still need to do the data collection and management and risk assessment — all the things used to determine if that avatar is coupled to an identity you recognize. And that evolution is going to continue.
The harder things that come about are authorization. Once I know it’s you, what are you allowed to access? What do I know about you? These are all big aspects of identity governance. That can become very complex in a large enterprise.
These newer standards are starting to become mainstream for organizations. This is the digital transformation we’ve been speaking of and it changes the way organizations do business. There [are] shifts in power and emphasis and [they are] forcing identity to reach out to the business to see how this transformation is taking place and how they can support it.