I have often been asked how Identity Management could be “sold” to the CIO or the Board. The premise is usually that Identity Management, being a subterranean discipline, needs explaining to everyone. It has to be dressed up at its best to be presented, or it will be discarded contemptuously as another “Infrastructure” line item, in other words, an overhead. If it makes it into the CISO’s transformation programme, it has half made it, but it then has to vie for a place amongst more pronounced line items such as Security Operations, Vulnerability Management and Incident Response, to name a few. Identity Management is the lone sibling at the family dinner table who hasn’t made it in life yet.
So, how does this change in the post-COVID world? At the risk of sounding militant, let me just say that if the case for a refresh of your tottering, under-invested Identity Management infrastructure has to be “sold” to your senior management, Identity Management is the least of your organisation’s problems.
Or maybe it is not. Maybe you do want to continue with your greenhouse-gas-expelling data centres while your competitors move their business applications to the cloud. Maybe you can wing it with your decade-old identity management platform by jazzing up the user interface with another layer of customisation, while sanctimoniously sticking to the tenet of “sweating the assets” in difficult times. Maybe you can demonstrate to the auditors that baseline controls work, even if they are less effective and create a world of issues for end users, i.e., long-suffering employees and business partners. Maybe you can argue that putting your head above the parapet with a multi-factor authentication rollout is not a wise option. Why not continue to be as invisible as you are today? Why risk a whole lot of pain for the business with all that irritating prompting for authentication steps? See, did I not tell you that Identity Management will not be the least of your problems?
If you are not reviewing your investments in Identity Management today, you are kicking the grenade down the road, and by the way, be careful when you kick it. There are three primary reasons why Identity Management is not subterranean anymore.

First, technology is bringing in the bacon, or saving the day, for most businesses out there today. Be it your humble florist or an international airline, if you are not leveraging data, you do not drive insights, which in turn means you cannot reach consumers or take the decisions that will protect your business, lockdown or not. Data requires processing power, and today cloud platforms like AWS, Azure and Google Cloud give everyone from small businesses to FTSE 100 companies the means to spin up persistent or ephemeral infrastructure to do the number crunching for them. Before you start thinking that I am digressing, here is the kicker: your data in the cloud is not safe until you have figured out access to it, not just for users but for the infrastructure and processes that use it. Identity Management ties it all together; it provides efficient access to your data while keeping it secure.

Second, with your infrastructure transforming and moving to the cloud rapidly, the old rules do not apply. It takes no more than a script kiddie to find a publicly exposed S3 bucket in AWS, using code that is freely available on easily searchable web forums. Identity Management is not just about Active Directory and your Identity Governance solution anymore. It has to be managed natively in every cloud platform you have migrated assets to, and the controls have to be preventative: embedded in code, or enforced through Lambda functions. A world very different from that of the Identity Management person sitting in the basement scanning through lists for access certifications!

Third, security is not an arbitrage item between the business and the CISO’s team anymore.
The nuanced discussions over “risk acceptance” of the possible business disruption caused by security measures such as risk-based authentication are a thing of the past. The business has to think about security first and foremost. You will not have a business to run if your passwords are compromised and your assets are stolen, or worse still, your critical processes have been taken out. If you think this is scaremongering, just look at the litany of attacks over the last 10-15 years. In nearly every one of them, a compromised credential, key or secret sits somewhere in the chain. If you think that protecting passwords, strong authentication measures and, consequently, Identity Management are still subjects to be nuanced around, there is a bigger issue with your business. The issue is: what do you consider your business to be?
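The publicly exposed S3 bucket in the second point above is exactly the kind of thing a preventative control embedded in code has to catch before a script kiddie does. As an added example, not code from the original post: a small Python check that decides whether a bucket is public from the three documents an AWS Lambda function would fetch with GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock. The sample policy, ACL and Block Public Access documents below are constructed in the shapes those APIs return; the bucket name and organisation ID are placeholders, and the boto3 calls and event trigger that would feed real data in are left out so that the check runs offline.

```python
import json

# ACL grantee groups that make a bucket readable by the whole world (AllUsers)
# or by anyone holding any AWS account (AuthenticatedUsers).
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Condition keys that tie a "*" principal back to known callers; a wildcard
# constrained by one of these is not public.
SCOPING_CONDITION_KEYS = {
    "aws:principalorgid", "aws:principalaccount", "aws:principalarn",
    "aws:sourcevpc", "aws:sourcevpce", "aws:sourceip",
}
# The four Block Public Access settings; all of them should be true.
PUBLIC_ACCESS_BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
                            "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """Statement, Action and Principal.AWS may be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _statement_is_scoped(statement):
    """True if a Condition limits the wildcard principal to known callers."""
    for keys in (statement.get("Condition") or {}).values():
        if any(k.lower() in SCOPING_CONDITION_KEYS for k in keys):
            return True
    return False


def find_public_policy_statements(policy_json):
    """Return the Allow statements that grant access to anyone at all."""
    findings = []
    for st in _as_list(json.loads(policy_json).get("Statement")):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        if _principal_is_wildcard(st.get("Principal")) and not _statement_is_scoped(st):
            findings.append({"sid": st.get("Sid", "<no Sid>"),
                             "actions": _as_list(st.get("Action"))})
    return findings


def find_public_acl_grants(acl):
    """Return ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            findings.append({"group": grantee["URI"].rsplit("/", 1)[-1],
                             "permission": grant.get("Permission")})
    return findings


def public_access_block_gaps(config):
    """Return the Block Public Access settings that are missing or false."""
    return [k for k in PUBLIC_ACCESS_BLOCK_KEYS if not config.get(k, False)]


def assess_bucket(policy_json, acl, public_access_block):
    """One verdict per bucket. A public policy only bites when
    RestrictPublicBuckets is off; a public ACL only when IgnorePublicAcls is off."""
    policy_findings = find_public_policy_statements(policy_json) if policy_json else []
    acl_findings = find_public_acl_grants(acl)
    gaps = public_access_block_gaps(public_access_block)
    via_policy = bool(policy_findings) and "RestrictPublicBuckets" in gaps
    via_acl = bool(acl_findings) and "IgnorePublicAcls" in gaps
    return {"public_policy_statements": policy_findings, "public_acl_grants": acl_findings,
            "public_access_block_gaps": gaps, "exposed_via_policy": via_policy,
            "exposed_via_acl": via_acl, "exposed": via_policy or via_acl}


# Constructed sample inputs (placeholder bucket and org ID), not real resources.
SAMPLE_PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-reports/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
SAMPLE_SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg"}}}]})
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
SAMPLE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

if __name__ == "__main__":
    print(json.dumps(assess_bucket(SAMPLE_PUBLIC_POLICY, SAMPLE_ACL, SAMPLE_PAB), indent=2))
```

The point of the combined verdict is that a public statement on its own is not the whole story: with all four Block Public Access settings on, the same policy and ACL are neutralised, which is why the check reports the settings gaps as a finding in their own right. The scoped sample shows the other direction, a `"*"` principal that is not public because `aws:PrincipalOrgID` pins it to one organisation; a check that only looks for `"*"` would raise a false alarm there.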