Leadership Essential in Cybersecurity Dynamics

Are your C-level leaders sending a clear message about Cyber Security?

Despite the high profile security breaches making news headlines and increased attention around cyber risks, executives in the C-suites are still lacking commonality and communication of a clear goal when it comes to a cybersecurity strategy. These individuals need to work together to manage their organizational risks to help prepare, mitigate, and minimize the damage caused by cyber incidents.

Every organization needs a clear strategy and roadmap with supporting tools that protect critical assets. Read more about this topic and the crucial role the C-suite plays in the dynamics surrounding Cybersecurity.

https://securityintelligence.com/c-suite-dynamics-can-impact-the-organizations-cybersecurity/

Developing an Entitlements Management Approach

We were sitting down with a client during some initial prioritization discussions in an Identity and Access Management (IAM) Roadmap effort, when the talk turned to entitlements and how they were currently being handled.  Like many companies, they did not have a unified approach on how they wanted to manage entitlements in their new world of unified IAM (a.k.a. the end of the 3 year roadmap we were helping to develop).  Their definition of entitlements also varied from person to person, much less how they wanted to define and enforce them.  We decided to take a step back and really dig into entitlements, entitlement enforcement, and some of the other factors that come into play, so we could put together a realistic enterprise entitlement management approach.  We ended up having a really great discussion that touched on many areas within their enterprise.  I wanted to briefly discuss a few of the topics that really seemed to resonate with the audience of stakeholders sitting in that meeting room.

(For the purpose of this discussion, entitlements refer to the privileges, permissions or access rights that a user is given within a particular application or group of applications. These rights are enforced by a set of tools that operate based on the defined policies put in place by the organization.  Got it?)

  • Which Data is the Most Valuable?- There were a lot of dissenting opinions on which pieces of data were the most business critical, which should be most readily available, and which data needed to be protected.   As a company’s data is moved, replicated, aggregated, virtualized and monetized, a good Data Management program is critical to making sure that an organization has handle on the critical data questions:
    • What is my data worth?
    • How much should I spend to protect that data?
    • Who should be able to read/write/update this data?
    • Can I trust the integrity of the data?
  • The Deny Question – For a long time, Least Privilege was the primary model that people used to provide access. It means that an entitlement is specifically granted for access and all other access is denied, thus providing users with exact privilege needed to do their job and nothing more.  All other access is implicitly denied.  New thinking is out there that says that you should minimize complexity and administration by moving to an explicit deny model that says that everyone can see everything unless it is explicitly forbidden.  Granted, this model is mostly being tossed around at Gartner Conferences, but I do think you will see more companies that are willing to loosen their grip on the information that doesn’t need protection, and focus their efforts on those pieces of data that are truly important to their company.
  • Age Old Questions – Fine-Grained vs. Coarse-Grained. Roles vs. Rules. Pirates vs. Ninjas. These are questions that every organization has discussed as they are building their entitlements model.
    • Should the entitlements be internal to the application or externalized for unified administration?
    • Should roles be used to grant access, should we base those decisions on attributes about the users, or should we use some combination?
    • Did he really throw Pirates vs. Ninjas in there to see if we were still paying attention? (Yes.  Yes, I did).

There are no cut and dry answers for these questions, as it truly will vary from application to application and organization to organization.  The important part is to come to a consensus on the approach and then provide the application teams, developers and security staff the tools to manage entitlements going forward.

  • Are We Using The Right Tools? – This discussion always warms my heart, as finding the right technical solution for customers IAM needs is what I do for a living. I have my favorites and would love to share them with you but that is for another time.  As with the other topics, there really isn’t a cookie cutter answer.  The right tool will come down to how you need to use it, what sort of architecture, your selected development platform, and what sort of system performance you require.  Make sure that you aren’t trying to make the decisions you make on the topics above based on your selected tool, but rather choose the tool based on the answers to the important questions above.

Building an IAM Roadmap – A five step process

Since 2003, our teams have been part of over 350 efforts to implement or rescue Identity and Access Management (“IAM”) projects.  Our customers, most of whom have become great friends, are from all over the US, crossing many disparate and unique industries.  In most cases, they are working to solve similar business problems and to fix or improve the same processes.

On many occasions, we started from the ground floor and had the opportunity to create a roadmap for their long-term strategy.  To those familiar with IAM capabilities, it may seem obvious what to prioritize and where to start, but let’s not be so quick to jump to what looks like an easy decision.  All IAM capabilities are not created equal.

Our job as a systems integrator is to successfully implement these complex IAM security technologies, and to ensure that our customers maximize the return on their significant IT investments.  As we help guide our customers through these decisions, this ROI is always our priority, which leads us to the topic for today.

So how, exactly, can we accomplish this?  This article is all about alignment.  Having alignment between IT and the other key stakeholders will significantly reduce the risk of your IAM projects failing and losing or wasting precious budget dollars.

How can you ensure you have correct alignment?  Here’s how our IAM Roadmap process breaks down.

Step 1 – We start by prioritizing a list of over 100 key IAM capabilities.  This list was compiled from our work over the years and is vendor agnostic.  After a brief explanation to help educate the stakeholders, we apply a ranking of low, medium or high based on their opinion on how important the organization needs a certain capability.  Typical examples of high priority capabilities are automated provisioning of accounts, self-service password reset and role recertification.

Here’s a common example of the final output

Step 2 – Once you have a high priority list to work from, we dig a little deeper into three categories of analysis.  The first category is Business Benefit – How significant is the true Business Benefit of this capability?  Is this just a shiny new IT toy or will the stakeholders see lift and leverage from adopting this functionality.  It’s critical to have your business stakeholders at the table so they can weigh in.

Step 3 – The second category is for your technical staff regarding Technical Complexity – How technically difficult will it be to configure or customize this solution?  Are there products that provide this feature and function out of the box?  Will your team be able to update and maintain the tools going forward or is this going to be way outside of their comfort zone and expertise?  Is it cost prohibitive based on the benefit?  This is where we can weigh in to help provide some context as well.

Step 4 – The third and last category is about Organizational Readiness – can the company readily adopt the capability?  Are there so many competing priorities that gaining mindshare and focus will be difficult?  Do you have the buy-in from stakeholder leadership?  Is everyone at the table truly on board with this project and these priorities?  Will they drive the effort through their organizations?

Step 5 – Once you’ve made it through this list and conducted a robust debate and Q&A with these three key questions, it’s time to score and rank the results.  Amazingly you will see a handful of capabilities that float to the top where the Business Benefit is high, the Technical Complexity is low and the Organizational Readiness is high.  After a short review of the results with some discussion and debate, a solid scope of high priority capabilities emerge as candidates for the first one or two phases of a successful program.

The next step is to choose a product that can fulfill these priorities, and then you are off and running.  The advantage you have is that your stakeholders are more educated and have bought into the process and priorities – they are aligned.  At the first sign of deviating from scope or questioning why we are including specific capabilities, you simply go back to the prior analysis and remind the team of the decision-making rationale.

Does this IAM Roadmap process guarantee a successful project or program?  Not necessarily.  But having all your stakeholders at the table and aligned provides a huge advantage and a great start.

 

Considerations in Role Design

The connected world of business today requires that people perform various tasks culminating in a desired goal while having different responsibilities. The level of complexity creates problems for anyone managing access to various systems. Roles, being a collection of permissions to be assigned to users, are being used to manage the complexity.

Design of roles is fast becoming a subject of interest in both the academic and corporate world for obvious reasons. Every organization attempts to perform its own exercise, due to the fact that they all have different functional needs and structures. The attempt is made mainly as a bottom-up or top-down exercise. It must be understood that role design is not an activity; it is a process which keeps evolving. The changes can occur due to corporate restructuring or business demands.

In both cases, the roles can be structured in multi-level hierarchies to represent business and technical capabilities. These levels can depend on the complexity of the existing system and the number of functionalities that needs to be assigned; the bigger the size of the business, the greater the number of roles and levels. Read more