
IAM Survey Results: The Good, Bad, and the Ugly

Hybrid Pathways surveyed IT and Security leaders and chief architects at enterprise companies across industries. The goal was to provide peer experience and feedback that could help with decision making and planning. The survey was conducted in the first quarter of 2022; this article contains valuable feedback from twenty senior IT/security leaders and chief architects from large enterprise companies in New England.

IT Leaders were asked to rate their IAM Program Maturity across seven areas:

· Identification

· Provisioning

· Authentication

· Authorization

· User Admin

· Resource Administration

· Governance

The Maturity Rating was aligned with the Gartner IAM Program Maturity scale: Initial, Developing, Defined, Managed, and Optimized.


The Good

Survey results overall show that Identity and Access Management (IAM) is top-of-mind for most of the respondents, with a majority reporting that a maturity level of at least “Managed” has been achieved for the Identification, Provisioning, Authentication, Authorization, and User Administration functions. Roughly a third of the respondents indicated a lesser maturity level of “Defined” or lower.

This is consistent with what we see across our client base and may indicate an adoption of industry-leading tools with strengths in those functions, for example, Microsoft Active Directory, Azure AD (Active Directory), and Okta.

Three-quarters of respondents indicated an intention to further refine IAM capabilities and reach the highest maturity level, “Optimized.” This shows that most enterprises are working toward a world-class IAM program and are evolving along with changes to the threat landscape, available tools, and cloud adoption.


The Bad

Respondents indicated the lowest maturity around the Governance and Resource Administration functions. This suggests challenges with user access recertification processes, which can be thought of as part of the governance around access to resources. Also known as Entitlement Reviews, access re-certifications are performed on a periodic basis to ensure that users who have access to a given resource still require the access going forward. Resources include everything from SharePoint folders to shared mailboxes to SaaS application access.

In many organizations, entitlement reviews are a manual or semi-manual process. Resource owners may obtain access lists and contact every user individually to determine ongoing needs. Slow responses (or no responses at all) drag out the process and leave questions about when to escalate or shut off access.

This highlights a potential opportunity to leverage Identity Governance & Administration (IGA) capabilities in leading tools such as SailPoint or ForgeRock IGA. Not only will the right tool help enforce organizational governance, but it may also reduce workload through increased automation. Unsurprisingly, the survey data shows that adoption of IGA tools is lower than for tools covering other IAM functions.


The Ugly

The most important (and potentially concerning) item from this survey is the small number of respondents that indicated alignment with NIST 800-63, a set of four documents published by the National Institute of Standards and Technology that specify best practices for Identity and Access Management.

Most organizations are aligned with an over-arching cybersecurity framework such as ISO 27001, NIST 800-53, or the NIST CSF. Those three in particular can serve as the foundation for a comprehensive information security program, and their importance cannot be overstated.

However, NIST SP 800-63-3, Digital Identity Guidelines, and its companion publications serve as the IAM Bible and provide holistic guidance for a wide range of IAM topics such as:

  • Understanding and applying assurance levels for identity proofing, authentication, and federation.

  • A common taxonomy of various terms used throughout the IAM lifecycle, e.g., Applicants, Claimants, Subscribers, etc.

  • Types of authenticators and how they map to authentication assurance levels.

  • Informative references, e.g., roles of resolution, validation, and verification in the identity proofing process.

If your team is not yet familiar with NIST 800-63, consider downloading it from the NIST website (it’s free!) and begin aligning your program to the NIST terminology and processes.



Enterprise IAM is a journey, and it’s likely that there are parts of every IAM program that are good and bad – maybe even ugly. Knowing how your program stacks up against leading practices is the first step to understanding what your current capabilities are and where there might be gaps. Our top recommendation, no matter where you are on your IAM journey, is to prioritize governance. Governance drives compliance, helps to establish priorities, and ties together the many distinct aspects of an information security program. With robust governance in place, implementing all the dependent IAM functionality becomes easier.

If your organization is planning governance and technical changes to its IAM program, it may also be the right time to modernize your IAM operations. Consider moving towards a more productized DevOps model and scaled agile teams. Adopting a methodology like the Scaled Agile Framework, or “SAFe®,” may be beneficial in enabling continuous delivery for IAM.

Hybrid Pathways has extensive experience with IAM for enterprise companies.

If we can help you, please let us know.
