How to Get a Grip on Managing Identity Chaos

Introduction

Hey everyone, my name is Mike Lynch. I'm a Senior Sales Engineer with Core Security, specializing in the IGA Marketplace. And today's webinar is on How to Get a Grip on Managing Identity Chaos. And we'll look at the best approach for mitigating top identity risks, so they don't manage you. So let's go ahead and get started.

Agenda

So here's what we're going to cover today:

• First, we're going to look at the top challenges of managing identity and access within today's complex business environment.
• Next we'll talk about the most intelligent and efficient path to mitigating identity and access risk.
• And then we'll wrap things up by taking a look and talking about the impact of managing identity chaos with an industry-leading approach.

Top 3 Challenges of Managing Identity & Access

First let's look at the top three challenges of managing identity and access within today's complex business environment.

1. Limited Resources Straining Timeliness:

So challenge number one is limited resources, and this is, you know, probably going to be no surprise to all of you on the webinar today. You know, IT departments are dealing with managing, you know, 75 plus or even more different applications, smaller and mid-size organizations, we're dealing with the same problems as the large ones, often with even more limited resources and oftentimes it seems like there's always pressure to do more with less. And security requirements are the same regardless of whether you're small or large, regardless of the size of the organization. Also there is a difficulty keeping up with the complexity of providing the right access in a timely, reliable manner. As a number of applications within the organization grows, it becomes more difficult to provide timely access and have the resources that know how each of the applications are configured, and what permissions people need within them. So the solution to this problem in most organizations, is unfortunately just to hire more people just to keep up with the increased demand. So that's one of the big challenges.

2. Increased Complexity & Lack of Automation:

Another challenge is increasing complexity within the organization, as the number of devices, and applications, and accounts, and systems within the organization grows, it becomes more difficult to provide timely access and to have resources that know how each of the applications are configured and what permissions people need within them. So manual provisioning processes that used to work with smaller counts of these employees and applications no longer work, or break, are unreliable as your organization scales and gets bigger. So with access requests being manually processed, which is the way that a lot of people we talked to today do things, the organization lacks visibility into what access is actually being given. Also a lack of automation makes, you know, or may cause a user to wait weeks or even longer to get access to the applications they need to perform their jobs. So, you know, they're coming in on day one, and they don't have the access that they need, so they're not going to be productive.

And finally, without a centralized process in place, the organization lacks a clear picture of what systems and access their employees have. So it's unfortunate, but a lot of companies that we talk to have no idea what access people within the organization have, what systems they have access to, what the permissions are within that. And so, obviously not knowing that makes it really hard to tear down that access when an employee leaves the organization. Complexity is also driven by increased industry standards, new threats, and compliance demands. So these all lead to over provisioning, you know, giving people access to more entitlements than they might need, rubber stamping, when you're doing access reviews, if you don't really understand what you're reviewing, or what access somebody has, it tends to lead to rubber stamping, you know, a lot of inaccuracies increased risks, which is what you're trying to actually mitigate against and excessive distribution of access, right? So just getting it to people who don't need it.

3. Reducing Risk While Supporting Productivity:

And then the third challenge that we're going look at today is reducing risk while supporting productivity. So there's a common perception in the industry that there's a trade off between balancing a user security, for the organization and making things easy and efficient for the user, or ease of use. And so, I mean, it kind of makes sense, right? The harder and more secure you make things, and the more hoops you make people jump through, the more secure things are, and the less easy it is to use. So if we emphasize security, employees may struggle to access systems, or may have to jump through too many security hoops to gain access, and if we prioritize the user experience over mitigating risk, then the organizational security suffers. So the optimal solution is to strike some kind of a balance between security and user efficiency, to come up with a solution that meets the organizational security requirements, while also adopting a solution that doesn't impact user efficiency. Now this balance doesn't have to be 50/50, you know, maybe it's 60/40, it's going to depend on the organization and the data you're protecting, and a lot of factors. But yeah, it doesn't have to be excessively on one end or the other, is the point here.

Increasing Efficacy in Mitigating Identity & Assess Risk

1. Get Rid of Spreadsheets

All right, so now that we've looked at the challenges, let's take a look at the most intelligent and efficient path, to mitigating identity and asses risk. So this is all about gathering and organizing the data that you're all dealing with, and struggling to come through. If we take a look at the challenges that we just discussed previously, the limited resources, balancing security and efficiency, and then the increasing complexity, and if we apply them against the growing account, number of accounts, the devices, systems, and applications, we can see that we need a way to visualize the data through all this noise. And this is one of the biggest problems that organizations have today is, there just are so many different devices, and applications, and users, and they have trouble coming through all that data, and looking at it in a way that makes sense for the organization. So a lot of organizations use spreadsheets to try to keep track of this. And honestly, spreadsheets just aren't the solution, they work on a very small scale, you know, if you don't have a lot of employees or different applications, they can work, but as you start to scale, they're not really viable at all.

Many of the organizations I talk with actually try to manage processes by tracking user access, doing compliance reviews, and design, role design, via spreadsheets. And the reason why they come to us or they look for an IGA Solution, is that spreadsheets just don't scale with the business. The process is resource intensive, often requires manually exporting data from target systems, and applications, you know, and then once, even once the data is exported, it has to be combined, come through, and manually broken up, an email to reviewers, reviewers then make decisions in the spreadsheets, they have to email those back. And then all that data has to be compiled, you know, and what happens to somebody who doesn't update the spreadsheet, when the user's access is updated, now you no longer have an accurate view of everything. And that's the problem with a manual view of things, and why spreadsheets don't really work effectively as you scale.

2. A Portal Alone Isn't the Answer

The next thing that people typically try, I see many organizations had taken that next step and try to utilize a portal to manage access, right? That centralized portal. But again, this alone is not the answer. It's a step in the right direction, but the approval and review processes can still be overwhelming without the context of what all the entitlements mean, or the context around what is needed for a certain role. So the solution here is basically this strategic role-based access, which we'll talk about a little more, plus a visual first approach, so something that allows you to very easy see what's going on. Plus intelligent identity governance, and all that improves and enhances the way organizations approach access management, IGA creates the right balance between security and user efficiency, allowing companies to do more with less, mitigate risk and manage through identity chaos.

So if you take a look at this next slide here, most organizations provision users directly against entitlements, so if a user needed access to a single application with 10 different entitlements, there would be 10 user entitlement associations. And so what we start to see here those that as the organization grows, and the number of users increases, the number of applications entitlements increases, and you get more and more of these users and entitlements, it really makes things very complex. It's hard to figure out who has access to what, what access users have. The same thing applies to access reviews. You know, if you're trying to do access reviews on different users, and you're looking at a user with 50 or a hundred different entitlements, it just gets really complex and really difficult. And this is what leads to inaccurate reviews, rubber stamping, you know, people aren't clear about what their, what data they're reviewing.

3. The Solution: Role Based Access

So the answer to this, and I talk with a lot of current customers and prospects about this, the answer is role-based access, okay? So because of the complexity, many organizations actually are moving towards our back or role-based access controls, and a role is just simply a collection or a grouping of related access or entitlements. So think about it, you know, if you have a team of accountants at your organization, you can create a single role that defines all of the access or at least most of the access that those individuals should have, to various systems and applications that they need. And this makes both the provisioning process, and the review process much simpler, because now, you know you're giving the user access to that single role. And within that are all the individual entitlements, and applications, and systems that the user has or needs access to.

But, you know, the other challenge is, what do these roles represent? You know, are they job codes? You know, like I just mentioned the accountant job titles, are they location-based, are they project-based, how do you wanna go about defining the role, okay? Cause that's going to vary based on the different businesses. So you want it to be most applicable to multiple users for economies of scale, but not so big that the users are getting stuff they don't need, okay? So striking a balance there is really important. And so how do we do this? How do we go through the process of figuring out what access people need?

Popular Approaches to Role Based Access

1. Top-Down Approach

You know, there's a couple of popular approach to this. There's what's called a top-down approach, which is, you know, having a manager or somebody in the business that knows, let's say a certain job really well. And they go through and just list out, okay, here's all the applications the person needs access to, and this is what they need to do within them. And they kind of just start from that top, that top-down approach, right? Where they think they know what it is, and that's where they start.

2. Bottom-Up Approach

I think more organizations tend to use a bottom-up approach, where you look at the access people already have, and then you do some kind of an analysis on that, it's called a bottom-up approach. And basically you look at the access people already have, compare it, go through some analysis, and some, learn some intelligence on that data and look at it, and then you come up with what the role should be. So those are a couple of different approaches there.

3. Visual-First Approach

The other thing that we see people doing now, is leveraging a visual-first approach. So, you know, basically moving on, kind of what I talked about previously, moving beyond spreadsheets, to a visual-first approach for the creation and management of roles, for example, as well as access reviews. And we'll take a closer look at this later. You know, it allows you to quickly see common user entitlements and rapidly identify outliers within the organization and enhance access certification accuracy. So this is something that, you know, a lot, that's important to a lot of businesses that are going through these processes. Initial observational studies show that the ability to literally see and visualize role design and certification process had twice as much accuracy and reduced time spent on reviewing by 50%. So, you know, it's basically a more effective way if you can leverage a visualization, it's more effective to the reviewer to see data that way, they're more accurate, and they can perform their reviews, or their processes much quicker.

• Example: So here's an example of a visual first approach, along with some underlying access intelligence that helps us decide what needs to be added or, and removed, and remove the noise basically of what's left over. So this is looking at my users over on the left, looking at the entitlements they have across the top. And you notice that the users listed On the left, in this case and the entitlements listed at the top aren't in alphabetical order. So most approaches that involve the spreadsheet, you'd look at things alphabetically. And looking at data arranged that way, makes it really difficult to see what people have in common, cause there's really no rhyme or reason to the data itself. A good visual first approach not only provides the visualization, but it also provides some underlying intelligence. And in this case, what's happened is that, the data itself was analyzed and grouped together in clusters, right? So it's like access that users had is built into clusters here so that we can see very easily like access and outlying access. And so what we can do here is we could select the entitlements that we think make up this particular role. We can see the access that everybody has in common very easily here. In this case, we're looking at a user that might be under provisioned. So if this user at the top has the same role as everybody else, then why don't they have this extra access that everybody else has. So maybe they're under-provisioned. Under-provisioning can be a big detriment just as well as overprovisioning. You know, if somebody doesn't have enough access, then they're likely to go borrow access from somebody else. So, you know, having this visual approach, and looking at the data this way is very beneficial. So now if you take that visualization and you actually use that in the context of a solution that helps you, in this case, this is a role designing solution.

• View Roles By Department: And basically what we're doing here is, we're, if you look over on the left, navigational bar there, we're basically picking out a department that we wanna look at, in this case, it's the QA department. And what that does is it narrows down our search to just look at those particular users and the entitlements that they have. But basically the idea here is that you can filter and look at different parts of the organization. You know, once we select that department, then we can actually apply a role to that data. You can see here we've got the role there listed in green. And then this allows us to go in and, you know, view the detail of the role. You know, what users are in that role, what entitlements make up the role. And then we can start looking at other data here because there may be one role that we've, that we determine that might be job-based, like you know, the green role there might be what all accountants get regardless of, you know, they just get that cause of their job title, but there may be other roles we can create by looking at other groupings of data.

• View Roles By Location: Maybe there there's a location-based role. You know, the accountants that are in Minnesota also need these extra, you know, they need access to these printers, or they need their key card to work in a certain building. So the role designing process goes beyond just the primary grouping of what most people think a role's for, which might be like a job title, but they can apply it to other things as well.

Harnessing Intelligence With Visual Based Analytics

1. Identify Risk 

So next, I just wanted to talk a little bit about harnessing intelligence with that visual based analytics and the access intelligence. Basically what this allows you to do, to just sum it up is identify, and prioritize, and manage access risks with an advanced access intelligence. So that was the clustering that I talked about, pointing out what likely roles might be based on what access people have, or don't have in common. You know, leveraging a true access analytics engine to rapidly correlate identity and access relationships to reveal potential risks.

2. Assess Risk 

So, you know, you're looking for at groupings of data to see what likely roles would be. But if you look further out, and that visual approach, and you look at items that maybe only one user has are entitlements or access that only one user has, that might be a risk. Why does that one user, why are they the only person that needs a particular piece of access in a group of people that should have similar job roles? So that could point to risk. And finally it helps us resolve immediate threats, right? With an advanced analytics and comprehensive real-time view of access. So basically just to sum this section up here, the best practice here is to have an industry leading identity, and access intelligence analytics solution. And just to throw another acronym that yet, is referred to as IAI.

3. Prioritize Risk 

Basically the solution identifies access and arms you with actionable information and an insights, basically a proprietary in-memory property graph, continuously gathering and synchronizing identity and access information from multiple sources, to compile a complete picture of identities, and access rights, and resources throughout the organization. And this concept of a continuous governance, and automated policy management, you know, basically enabling you to evaluate and act upon a risk associated directly with user access. So a lot of people will have, you know, at the very beginning of their IGA process they'll have some provisioning in place. And then periodically they'll have, you know like every three months, or six months, or annually, they'll do access reviews, but those are only point in time reviews of information. And so this concept of continuously looking at risks and identifying things, and not waiting until that next access review comes around to identify those.

The Impact of Managing Identity Chaos 

1. Buy Back Time & Enhance Decision Making 

So next let's look at the impact of managing identity chaos with an industry leading approach. So these are some of the typical problems that people are looking to solve with an IGA Solution. So they're under a regulatory compliance constraints. They're looking to reduce risk in the organization, they're are looking for a way to handle business change. You know, maybe there's some mergers and acquisitions, or they're changing this structure around, and they want an easy way to manage that. Managing costs is clearly a big one, right? Trying to provide this reduction of risk and quicker access for users while managing the costs within the organization, right? We don't wanna have to hire people more, and more, and more, exponentially as the complexity increases. And then there's this IT service delivery, right? Improving the delivery of that service, making things happen faster.

So essentially the things that help make this happen, or help address these, the approach here is reduce your critical access related risks, basically going in and managing the identity chaos, and simplifying access management processes, building a more intelligent, efficient, and impactful identity governance, and access management program. Quickly visualize what the access looks like in your business, and significantly increase visibility into your environment. That's going to help you solve a lot of problems. Leveraging industry, disrupting technology with a visual based identity and analytics, and an analytics engine and insight. And then finally enhancing decision making capabilities with intelligence enabled data.

2. What Would IGA Mean to You? 

So let's go ahead, if you don't mind, I'm going to pop up a quick poll question here. And basically what we're doing is we're, the question we're posing to you, if you can take a minute, what areas of identity governance would you like to learn more about?

• Role Management: And we've got access requests for entitlements and user access, provisioning, provisioning of those entitlements and access. Role management, you know, looking at the different roles in your organization, and applying that visual first approach. We've got access certification.
• Access Certifications: So, if you've had some audits recently and you're under pressure to provide those access certifications or you're in an industry that requires that.
• Password Management: And then finally, you know, we didn't talk a lot about this today, but the password management is a big part of IGA, right? So allowing users to easily self-service, resetting their password, unlocking their account, and taking that burden off of IT and reducing costs there. So it looks like we're getting some good responses in here right now.

Conclusion

It looks like right now the big winner so far is role management. So 82, 83% of you have selected role management is one of the options there. So that is really good information. I'll give you guys just maybe five or 10 more seconds here and we'll close that poll down. All right. It looks like we we've got all of our answers there, so we'll close that out. All right. And then finally, we'll give you guys back, two or three minutes today. That's the end of our webinar. Hope you enjoyed the information. Thanks for joining us. If you wanna learn more about how this could look in your organization, we'd love to chat with you. You can reach out at the email address on the screen there, or go to our website, and we can get you pointed in the right direction. Thanks a lot, everybody, have a great day.