Since the dawn of the Federal Identity Credential and Access Management (FICAM) program (c.2009) and the Continuous Diagnostics and Mitigation (CDM) program (c. 2013) – and even long before, government agencies have spent countless hours and many millions deploying legacy Identity Governance and Administration (IGA) and Privileged Access Management (PAM) solutions. They wanted to improve the efficiency of managing employees, contractors, vendors, and provide new and improved services to the public sector. Unfortunately, much of this has not been realized.
Why? Many of the CDM authorized solutions required massive hardware footprints and complex software stacks to run. Keeping those environments current became cost-prohibitive. In addition, the number of FTEs required to run and sustain the solution meant that many of these programs rarely got beyond connecting to just a handful of automated connections, AD, a few databases, maybe an LDAP or mainframe. And to add even more mass to the gravity of this “problem”, in many cases extensive customization and coding are required to integrate these solutions into agency requirements further impacting upgradability and the ROI value promised, be it economics or efficiency.
For any or all of these reasons, many programs fall short of the lofty goals of full automation and 100% governance coverage for all their various identity types: human, privileged, service accounts, non-human (IoT, RPA, OT), and the access they should have. In the end, these “solutions” essentially just become digital plumbing, moving data and flipping bits based on policies that were configured by IT personnel and not business analysts who understand the agency’s service or mission. Without that critical business understanding, future access is based on existing access patterns without regard for what is appropriate access versus access that is stacked and over permissioned.
The struggle is real
Digital business transformation initiatives have swept through many agencies already, as they adopt SaaS-based collaboration and enablement solutions like Microsoft Teams, Office365, Salesforce.com, Workday, Slack, etc. Dealing with tightening budgets, many agencies are also shifting their workloads from traditional data centers to IaaS platforms like AWS, Azure, and GCP. Agencies also have long held dependencies on mission-critical ERP solutions like Oracle EBS, SAP, and Microsoft Dynamics to run financials, inventory management, logistics, and other major planning functions. Some of this has also been evolving and transitioning to SaaS as well. But with these new and cloud-reimagined business enablers come exponentially larger identity challenges and risks.
The elastic and ephemeral nature of cloud workloads, mixed-use of multiple IaaS clouds, and the complexity and seemingly uncontrolled proliferation of SaaS solutions creates blind spots for traditional IT organizations both in the way they manage identity, govern access, and enforce policy and control. To keep with the pace of change, it’s imperative that agencies look to modernize their IGA, PAM and even GRC solutions in support of better service to their workforce, as well as to their citizenry. While CDM did a reasonably effective job of addressing SSO and Federation into the new SaaS and cloud landscape, many of the legacy CDM IDM and PAM solutions have struggled to keep pace with this transformation. In many cases, the identity administration is still being left to tenant administrators and largely outside the scope of IT Security and Risk organizations. The truth is, simply lifting and shifting these platforms to a cloud infrastructure isn’t modernization – it is just moving the legacy burdens from one place to another. Other than potentially reducing operational cost, it’s not truly modernizing the solution at all.
But, wait there’s hope
Fear not, for all is not hopeless… Organizations all over the globe are waking up to this reality and doing something about it. Let’s explore some new modernization trends and approaches. Modernization should start with an objective-based strategy and clear goals about what the “future state” should look like and the services it will provide and for what benefactors.
At a minimum, it should be efficient, scalable, low maintenance, and provide a frictionless user experience for all users. Likewise, it must deploy quickly and integrate with the entirety of the agency’s applications in a phased approach from most critical and highest risk, to lowest criticality – as an order of priority.
Explore the future now
A modern solution should be cloud delivered so that you’re allowed to focus on the implementation of business functionality rather than installing/updating software and supporting infrastructure. If the solution is supporting Federal agencies, certifications like FedRAMP, FIPS 140-2 are a must. It should provide a rich and intuitive user experience, not just for end-users, but also for the administrative users so that adoption rate is high and service-desk incidents related to access and password issues are minimized or even eliminated.
Regarding IGA solutions specifically, connectivity to systems and applications for management and governance should be simple, and even automatable (think “factory” onboarding of applications, by Business Analysts, not IT personnel). With a modern solution, integrating 100’s or even 1000’s of applications per year is very achievable. Integrations with these apps should use centralized logic and policies and avoid complex and brittle connector-based logic. Business analysts should be able to set and adapt policy to the needs and mission of the business. Provisioning policies should adapt via Machine Learning algorithms to provide peer inlier/outlier insights and avoid over-permissioning. Machine Learning should also assist the analysts in defining new roles based on discovered patterns of access requests and usage change trends in parity with the changing demands of business.
A truly modern IGA solution also needs to support agency’s complex ERP deployments with sophisticated Segregation of Duties (SoD) rules and provide both mitigation and remediation controls as well as analytics for a clear view of the status to policy adherence. Additionally, as politics and new administrations shift and merge or dismantle agencies across various federal departments, a need may also arise to have cross-ERP platform SoD controls – this is something that legacy CDM approved GRC solutions simply cannot do. They are typically proprietary to the ERP vendor and not able to span between multiple solutions without radical customization. Whether deployed as on-premise or consumed as a SaaS, the magnitude and complexity of ERP system access controls, require modern solutions to provide strong governance capabilities that have flexible, scalable, data models to support changing business dynamics.
For PAM solutions, cloud workloads (especially multi-cloud workloads) should be dynamically discovered, inspected, and validated for security benchmark controls, and only then, made requestable without human intervention. Furthermore, worrying about deploying enough jump-boxes to support the elastic nature of IaaS workloads should never be a consideration. Minimize the attack surface of workloads: deploy privileged credentials just-in-time to perform the work, log activity, record sessions, and remove those credentials when done. Hackers, can’t abuse accounts that don’t exist, right?
A point where we meet
True modernization further elevates the need for convergence around identity. Convergence and integration of many different security solutions to provide a single, unified view of Identity and risk. After-all – it is near impossible to manage your organization to zero risk, the goal should be understanding acceptable risk and unacceptable risk, then orchestrating a governance strategy to support that. Without proper optics and remediation controls in place, any strategy might well fail.
As modernization takes hold, we start truly understanding that in order to get the best picture of a user’s risk to the organization – it is more than just simply calculating static values arbitrarily assigned to entitlements and roles. We must be able to listen to and correlate signals from many sources; SIEMs, UEBAs, CASBs, IDP/MFAs, WAFs, Vulnerability Mgmt. systems, and even ID Proofing providers. This empowers us to have a holistic view of the user, not just what they have access to, but additionally things like their recent activity and behavior, asset risk (has the server or app been compromised in some way?) as well as even level of assurance. Using AI and Machine Learning – we can put all this information in a digestible and easy to consume “Insight Panel” format in front of Access Approvers and Access Reviewers to help prevent rubber-stamping workflow approvals and attestations. More importantly, it will drive up revocations of undesirable and over-permissioned access and drive down organizational risk.
There is much more to the story, and Saviynt is rapidly innovating to address these needs for our clients. It’s something we call Identity 3.0, and it is revolutionizing the way we think about identity and risk. Please join me on March 31st, 2020 for a webinar on this IGA and PAM Modernization topic, presented for the DoE and other US Federal departments to learn more. Ask my guest, Jean-Paul Bergeaux, and myself, David Culbertson, questions concerning these innovative new approaches to Identity. Registration link located here.