For organizations with complex and overlapping identity personas, it is a constant struggle trying to correlate information silos to create one identity for each individual and provide contextual information for access and risk-based decisions. In the panel event ‘Rationalizing Complex Identity Relationships: The Concept of One Identity for Life’ several Saviynt customers and partners shared with the audience what made managing identity difficult before they began implementing the One Identity For Life project, and tips for creating an effective One Identity for Life strategy.
Why One Identity for Life Matters
Utilization of a single Identity for life ties together all other identities for a user to one cohesive identity. This identity can be used to gain a thorough vision throughout the organizational IT ecosystem of exactly what an individual has access to in order to prevent toxic segregation of duties (SoD) violations. This information also is used when calculating the risk of access to resources as it can see across both on-prem and cloud environments to locate areas where access might actually be a higher risk when all linked identities are evaluated together.
The educational panel event ‘Rationalizing Complex Identity Relationships: The Concept of One Identity for Life’ was moderated by Dave Culbertson, the VP of Products at Saviynt. With over two and a half decades in IT, his career in the IAM space has spanned 19 years and throughout that time Dave has helped hundreds of clients achieve their goals of better regulatory compliance and increased security postures
- Dawn Knoebber, Senior Manager, Identity Governance & Access Management at UCLA joined us as one of our panelists. Dawn directs the IT Security Identity Governance and Access Management (IGAM) program for UCLA Health Sciences and David Geffen School of Medicine including implementing security controls for identities, developing standard operating procedures for identity governance, provisioning, and de-provisioning user access, and defining processes that protect organization identities while ensuring the best possible user experience.
- Dan Zweifel, Assistant Director of Shared Computing Services at Washington University in St. Louis joined us as one of our panelists. Dan joined the Saviynt panel bringing over a decade of expertise in architecting and supporting identity, security and compliance solutions for Washington University in St. Louis.
- Tracy LaMantia, Manager, Identity and Access Management at Northeastern University joined us as one of our panelists. Tracy LaMantia joined Northeastern University in March 2019 as the Manager, Identity and Access Management where she has responsibility for the University’s authentication and access management services, Identity Governance solutions, LDAP services, and password management.
- Michael Amadei, Avanade National Digital Identity Leader & Global Avanade Saviynt Relationship Director at Avanade Inc joined our panel as well. Avanade is a valued Saviynt partner. Mike is an Information Security and Risk Management Leader with over 30 years of experience with a broad background in Cybersecurity, risk management, and technology consulting at progressing levels of responsibility.
While we welcome you to watch the video of our panel event ‘Rationalizing Complex Identity Relationships: The Concept of One Identity for Life’, our customers offered some key tips for how they solved different issues encountered in the process of managing identity and implementing One Identity for Life:
Sanitize your Data
One of the greatest challenges of implementing One Identity for Life is ensuring that when new identities are made, no matter what the source, duplicate identities are not created. In higher education, different systems such as HR, student registration, parking, visitor systems, etc all generate identity information which often leads to multiple overlapping identities. Using common values such as email, home address, and last name, you can start to uncover possible overlaps though these are not often discrete. One way to do this is to request common fields anytime an identity is created such as a home phone number that should be unique to the individual and will help create a common thread to tie the data together.
Dawn: “We have the concept of identity proofing, we use bruin card services and you have to go to get your name badge and every employee is required to do this. They show a driver’s license or picture ID.”
In addition, utilizing authoritative sources of information help to generate a core identity record all other record data can be examined against to locate overlapping identities. For example, data gathered from HR is often cross verified with government identity documents as well as other sources to ensure it is valid. Also, users tend to provide accurate information as it is tied to their getting paid. Using this type of identity record as the basis for all others to validate their additional fields against allowing for multiple fields to be possible indicators of duplicate data.
Create an Authoritative ID
An authoritative ID is actually referring to the unique ID that other identities will reference back to that is unique to an individual. While some organizations already have an internal identifier such as an employee or personID that they were already utilizing, some more complex organizations had multiple identifiers that did not have a common binding. In this case, our panelists had a few different suggestions for solving this problem. As Dawn discussed, at UCLA, a unique identifier was simply issued as the Saviynt identifier and once that was assigned, it was their base identifier for life.
Washington University had a different approach:
Dan: “We have a johnSmith 1 through 50 and be able to identify those people as unique. Prior to saviynt we were tacking on a number to the end of the name and people would ask why am I 2, 3, 4″…”As part of our saviynt journey we were decided we would use that unique identifier as part of the string so people would have a consistent experience and we would not be in the position of I was here first you were here second”
Choose a Core Role
The idea of a core role is important when dealing with organizations where it is common for an individual to carry multiple simultaneous roles at a time. For example in higher education, it is very common for an individual to not only be staff but also a student because they are taking a course and in some cases also a parent of a student attending.
Tracy: “We went with a concept of primary affiliation, you could have all these identities but there is one that trumps all of the others”
In such cases, there are different levels of access that are enacted and certain restrictions that come from the roles. So a staff member might require access to review student records in their career but this would normally be a default block for someone of the student role to do. Having a priority of the staff role above student and parent allows for effectively implementing permissions appropriate to their main role without allowing the other side roles to cause unneeded restrictions.
Be Sure to Sunset Roles
As with all organizations, there is the challenge of managing individuals that may leave for a period and return possibly with different identity roles. In the case of a University, this could be a student that attended for a period, left to work in the real world and returned years later as a contractor for the school. It is important to maintain a continuity of identity even over a gap period. The panelists commonly recommended instead of deleting an identity outright when it leaves, find ways to disable it or remove it from general usage so that it is available later if the individual ever returns in any capacity. This not only helps to maintain regulatory compliance but prevents the creation of an additional new identity when one already existed.
Saviynt is the innovative, disruptive Identity Governance and Administration solution leader per industry analysts. Saviynt’s third-generation IGA product (Identity 3.0) is a hyper-converged platform that brings together intelligent Identity Governance & Management, Application GRC, identity-centric cloud security and cloud Privileged Access Management (PAM). Saviynt enables organizations to leverage ‘identity as the true perimeter’ across a multi-cloud and hybrid IT environment and ensure appropriate access with its usage-driven identity intelligence and analytics. Saviynt provides industry’s most comprehensive out-of-the-box continuous compliance controls library and cross-application Separation of Duties (SOD) risk rules for mission-critical applications such as SAP, Oracle Cloud ERP / EBS, Epic, Cerner, Infor, MS Dynamics GP, PeopleSoft, Salesforce and Workday. Saviynt’s identity 3.0 solution extends security for IaaS providers such as AWS, Azure, GCP, Alibaba Cloud, and collaboration or data storage platforms such as Office 365, SharePoint, Box, NetApp and more. Saviynt has recently ranked in the top third of the Inc 5000 list of America’s Fastest Growing Private Companies.
For more information about managing identity security for your organization, contact us for a demo.