Identity theft is a big issue for everyone, but especially for those in IT security. To combat this problem, companies need a strong yet carefully managed and controlled approach to identity governance. That's especially difficult because it entails carefully managing who has access to applications and services, and making sure that information is properly recorded and readily accessible to those that need it. If someone unauthorized compromises the virtual private network (VPN) gateway your company uses for remote access, then you need to start your fix by knowing exactly who has access to the gateway and exactly what rights each of those users control.
Identity governance also involves staying compliant with regulations that govern data privacy, including the Health Insurance Portability and Accountability Act (HIPAA) for health care data and the EU's General Data Protection Regulation (GDPR). The GDPR demands that identities are verified and multifactor authentication (MFA) is instituted for anyone accessing any personally identifiable information (PII). Strong identity governance also means taking a hybrid approach to identity management (IDM) in the cloud and on-premises. This hybrid approach to governance requires using a unified process, according to Darren Mar-Elia, Head of Product at enterprise IDM vendor Semperis. At the recent Hybrid Identity Protection Conference in New York City, PCMag caught up with Mar-Elia to get his take on best practices in identity governance.PCMag: What does hybrid IDM entail?
Darren Mar-Elia: A hybrid IDM system is just an identity system that's been extended from on-premises to the cloud, and usually it's for giving access to cloud-based applications.
PCM: How does hybrid IDM relate to Active Directory (AD), Microsoft Office 365 , and the cloud?
DME: A lot of companies run AD and have run it for years. That's where your usernames and passwords are held, and that's where your group memberships are held. All of that stuff can make its way up to the cloud, or you can create accounts from scratch in the cloud and still have on-premises AD. Now you have a cloud-based identity system that's granting access to cloud apps, and it's just a way of providing identity. In other words, who am I and what do I get access to in a cloud environment, whether it's Microsoft Azure or Amazon, or whatever it happens to be.
PCM: Where is the actual software dashboard used to manage that type of governance? DME: Microsoft, of course, provides a management portal for managing cloud identities. There's also a piece on-premises that allows you to do that synchronization up to Microsoft Azure Active Directory ; so you control that piece. That's a piece of software that you would run and manage, make sure it's working and all that. Depending on how much flexibility you need, you can do most from their portal. It's obviously running in Microsoft's cloud, and it's giving you a view of your tenant. So you have a tenant that defines all of your users and all of your access to apps.
PCM: To what types of apps do you need to manage access?
DME: In the case of Microsoft, you can manage access to Office apps like Exchange, SharePoint , and OneDrive. Those are the apps that you would typically manage in that environment. And managing means giving access to, let's say, somebody's mailbox to be able to send on behalf of another user or being able to do reporting. For example, you can view how many messages were sent through my system and where they were sent to. In the case of SharePoint, it might be setting up sites through which people can collaborate or specifying who can grant access to that information.
PCM: What are the key challenges in addressing IDM in the cloud versus on premises?
DME: I think the big challenge is being able to do it consistently across both cloud and on premises. So, do I have the right access on-premises and in the cloud? Do I have too much access in the cloud versus what I have on-premises? So that kind of disparity between what I can do on premises and what I can do in the cloud is important to keep track of.
PCM: What's the best way to strike the balance between on-premises IDM and what I do in the cloud?
DME: Whether it's user provisioning, user access management, or user certification, all of those things need to take into consideration the fact that you might be in multiple cloud identities in addition to on premises. So, if I'm doing an access review, it shouldn't just be of the stuff I have access to on-premises. It should also be, what do I have access to in the cloud if I'm doing a provisioning event? If I'm in the human resources (HR) job function, I will have access to apps on premises as well as in the cloud. When I get provisioned into that job function, I should have all that access granted to me. When I change job functions, I should have all of that access for that job function removed, and that's on premises and in the cloud. That is the challenge.
PCM: What role does machine learning (ML) play in IDM or hybrid identity?
DME: Cloud identity providers have visibility over who's logging in, where they're logging in from, and how often they're logging in. They're using ML on those large data sets to be able to infer patterns across those different tenants. So, for example, are there suspicious logins going on within your tenant; is the user logging in from New York and then five minutes later from Berlin? That is a ML problem essentially. You're generating lots of audit data whenever someone logs in, and you're using machine models to basically correlate patterns that may be suspicious. Going forward, I think ML will be applied to processes like access reviews to be able to infer context for an access review as opposed to just giving me a list of groups that I'm in and saying "yes, I should be in this group" or "no, I shouldn't be in that group." I think that's a higher-order problem that will probably get solved eventually, but that's an area where I think that ML will help.PCM: As far as ML helping in hybrid IDM, does this mean that it's helping both on-premises and in the cloud?
DME: To some degree, that's true. There are particular technology products out there that will collect, for example, audit or AD interaction data between on-premises AD and also cloud identity data, and be able to surface that with the same kind of risk list where suspicious logins are on-premises AD or in the cloud. I don't think it's perfect today. You want to paint a picture that shows a seamless contextual change. If I'm a user in an on-premises AD, then chances are, if I'm compromised, I might be compromised in both on-premises and Azure AD. I don't know that this problem's been solved completely yet.
PCM: You've spoken about "birthright provisioning." What is this, and what role does this play in hybrid IDM?
DME: Birthright provisioning is simply the access new employees get when they join a company. They get provisioned with an account and [IT managers determine] what access they get, and where they get provisioned. Going back to my previous example, if I'm an HR person joining the company, I get an AD [entry] created. I'll probably get an Azure AD [identity], maybe through synchronization but maybe not, and I will get access to a set of things to do my job. They may be apps, they may be file shares, they may be SharePoint sites, or they may be Exchange mailboxes. All of that provisioning and access granting should happen when I join. That's birthright provisioning essentially.
PCM: You've also spoken about a concept called "rubber stamping." How does that work?
DME: Regulations for a lot of publicly traded companies say that they have to review access to critical systems that contain things like personal information, customer data, and sensitive information. So you have to review access on a periodic basis. Usually it's quarterly but it depends on the regulation. But typically the way that works is, you have an app that generates those access reviews, sends a list of users in a particular group to a manager that's responsible for that group or app, and then that person has to certify that all those users still belong in that group. If you're generating a lot of these and a manager is overworked, it's an imperfect process. You don't know they're reviewing it. Are they reviewing it as thoroughly as they need to? Is it really that these people still need access? And that's what rubber stamping [entails]. So, if you're not really paying attention to it, it tends to be just a check indicating "Yes, I did the review, it's done, I got it out of my hair," as opposed to really understanding whether the access is still needed.
PCM: Is rubber stamping access reviews a problem or is it just a matter of efficiency?
DME: I think it's both. People are overworked. They get a lot of stuff thrown at them, and I suspect that it's a hard process to keep on top of in addition to whatever else [they're] doing. So I think it's done for regulatory reasons, which I totally agree with and I understand. But I don't know if it's necessarily the best approach or the best mechanical method for doing access reviews.
PCM: How are companies addressing role discovery?DME: Role-based access management is this idea that you assign access based on a user's role in the organization. Maybe it's the individual's business function or the person's job. It could be based on the individual's title. Role discovery is the process of trying to discover what roles might naturally exist in the organization based on how identity access is granted today. For example, I might say this HR person is a member of these groups; therefore, the HR person role should have access to those groups. There are tools that can help with this, basically building roles based on the existing access that's been granted in the environment. And that's the role discovery process that we go through when you're trying to build a role-based access management system.
PCM: Do you have any tips you can provide for small to midsize businesses (SMBs) on how to approach hybrid IDM?
DME: If you're an SMB, I think the goal is to not be living in a hybrid identity world. The goal is to get to a cloud-only identity and try to get there as quickly as possible. For an SMB, the complexities of managing hybrid identity is not a business they want to be in. It's a sport for really large enterprises that have to do it because they have so much on-premises stuff. In an SMB world, I think the goal should be "How do I get to a cloud identity system sooner rather than later? How do I get out of the on-premises business sooner rather than later?" That's probably the most practical approach.
PCM: When would companies use hybrid versus just on-premises or just cloud?
DME: I think the biggest reason that hybrid exists is because we have larger organizations with a lot of legacy technology in on-premises identity systems. If a company were starting from scratch today...they're not deploying AD as a new company; they're spinning up Google AD with Google G Suite , and now they live in the cloud entirely. They don't have any on-premises infrastructure. For a lot of larger organizations with technology that's been around for years, that's just not practical. So they have to live in this hybrid world. Whether they'll ever get to cloud-only, it probably depends on their business model and how much of a priority it is for them and what problems they're trying to solve. All that goes into it. But I think for those organizations, they'll be in a hybrid world for a long time.
PCM: What would be a business requirement that would push them to the cloud?
DME: A typical one is like a business app that's in the cloud, a [Software-as-a-Service or] SaaS app like Salesforce , Workday, or Concur. And those apps are expecting to provision a cloud identity to be able to give access to them. You have to have that cloud identity somewhere, and so that's typically how that happens. Microsoft's a perfect example. If you want to use Office 365, then you have to provision identities into Azure AD. There's no choice about it. So that pushes people to get their Azure AD and then, once they're there, maybe they decide they want to do single sign-on to other web apps, other SaaS apps in the cloud, and now they're in the cloud.
PCM: Any big predictions for the future of IDM or governance?
DME: People aren't yet thinking about hybrid identity governance or hybrid IDM as a single thing. I think that has to happen, whether they get pushed there by regulations or the vendors step up and provide that end-to-end identity governance solution for those hybrid worlds. I think either one will inevitably have to happen, and people will have to be solving problems like separation of duties across hybrid identity and access management. I think that's probably the most inevitable outcome that will happen sooner rather than later.