Solving the Chaos of Identities

David Ting
Feb 03, 2012

To paraphrase Princess Leia, 'the more you tighten your grip, the more star systems will slip through your fingers.' The same can be said in trying to manage identities in today's enterprise. A number of weeks back, I got into a discussion with the 451Group's Steve Coplan about this very topic: the chaos of identities.

We talked about the value of single sign-on as not just a convenience and productivity play, but also a key lever to help manage the chaos of identities resulting from an increasingly distributed and decentralized working environment. Provisioning, while critical to an identity management strategy, is not enough by itself. The reasons for this are fundamental to the way businesses are run today. Organizations aren't centralized anymore; decisions are made closest to the point where the needs are. Department heads within lines of business perform a critical role in authorizing what applications are used and who within their organizations has access to them. This decentralized decision making not only streamlines the speed of business but also empowers the departments to make the best decision.

With the trend towards using hosted applications, the responsibility for managing user access rights, data loss prevention and application security migrates away from IT to the hands of individual employees. Think about those applications used within the organization that are signed and managed by individuals within different business units and you start to appreciate how the [star] systems have slipped through the [IT] hands.

At the same time, however, IT is where the auditors focus when they need to assess compliance and where the investigators look when a breach occurs. It's a bit counter-intuitive from a security perspective, but rather than fighting the chaos brought on by the proliferation of applications and identities, we need to recognize that this behavior occurs naturally as part of the business workflow and work to regain visibility and manageability of the identities created around the enterprise. Rather than trying to mandate control through centralized control of identities, IT needs to decentralize ways to regain visibility into what applications are used, by whom and through what accounts.

Any large company will attest to the thousands of apps they must manage, but this chaos, if managed correctly, can work in our favor. Extending the value of SSO to help manage this chaos, rather than forcing employees to follow strict, time-consuming, counter-productive protocols, makes more sense... people are going to do what it takes to get their jobs done, so why add hurdles to the rat race that they'll simply find a way around anyway? Instead, managing the chaos can provide the observability (for auditing and accountability) and controllability (turning access to data, applications and networks on/off) that companies ultimately seek.

Embrace the chaos. So, tell us... how chaotic is your star system? Let us know what you're doing to embrace the chaos, or if you're fighting it!

-David Ting, CTO