How To Know It’s Time To Change Your Identity Vendor

Changing Identity Governance Vendors Can Be a Difficult Decision

Your organization has already spent a lot of time and money trying to make the current solution work. You’ve invested a lot to integrate the solution into your application environment. You’ve trained your IT staff and end users on how to use the solution and don’t want to face retraining them.

But some situations make it almost mandatory to change identity governance vendors. At the end of the day, this is a business decision based on the facts. You invested in your identity solution to
solve specific business problems, strengthen security and improve operational efficiency. If your current solution is not addressing these core needs, you need to move to a solution that will. How do you know when it’s time to make a change?

Your Return on Investment (ROI) is Unacceptable

When it comes to assessing the business value you’re getting from your current identity solution, don’t pull any punches. Take the time to compile a realistic measure of how you’re doing vs. your initial goals for the project. Many companies never get close to their original goals as identity programs get bogged down with cost, complexity and customization. Begin with simple metrics: How many applications are being managed by your current solution? Does this include all your missioncritical applications? Are you able to systematically provision birthright accounts, entitlements, and roles for every on-boarding user? Are you automating password management for the majority of your end user applications?

To get to the real ROI, you’ll need to dig a little deeper: What is the total cost of ownership of your identity solution system?

To calculate this, you should consider:
• Licensing costs
• Maintenance and upgrades
• Consulting fees
• Professional services
• Internal identity staff

What quantifiable benefits have you achieved? Consider areas such as:
• Lower cost of compliance
• Reduced IT and helpdesk costs
• Improved end user productivity

If you don’t know the answers to these questions, then it’s time to find out. Look at staffing trends, on-boarding and off-boarding metrics and compliance metrics. You’ll learn a lot about how your identity program is performing. Lastly, don’t forget opportunity cost. If you stay with your current identity solution and you’re unable to address pressing business needs, what is it costing you? Is the cost to renew, maintain and potentially even upgrade your existing solution higher than what it would cost to switch to a better alternative? Are there real benefits that you could gain by changing vendors; what are they worth? If your current identity solution is under-performing, that opportunity cost could be a very big number.

Your Current Identity Provider Has Been Acquired or is Merging with Another Company

While the announcement of a company acquisition or merger can be exciting for some, it often can bring a feeling of anxiety for a customer of either company. The future becomes unclear as to what will happen: whether either company’s product will be available or maintained, or if you’ll be forced to migrate to another product altogether. Your organization’s security shouldn’t be up in the air. If your current provider can’t tell you what’s happening in the next few months, how you’ll be supported as a customer, and what the merger means for both you and the product, it’s time to start looking for a more stable option

Your Current Vendor Doesn’t Provide the Integration and Innovation Needed to Future Proof your Identity Solution

While many vendors include a base list of third-party integrations and connectivity for their solutions, they can sometimes charge exorbitant fees for the development and deployment of additional integrations that you need for your identity governance program. Other vendors may leave you to your own devices, forcing you to have your own development team create a connection point and hope that it works successfully with your system. Does your current identity solution integrate with all of your key systems, applications, file shares and cloud infrastructures across your hybrid environment so that your business can take confidence in a complete identity governance solution?

You should also ask your existing vendor how important identity governance is to their product line and go-to-market strategy. Is it something that they are heavily invested in, or is identity governance just a small product line that is offered in addition to other products and services that take a higher priority in terms of development and innovation? Does your current provider have a laser focus and broad innovative view of what identity governance encapsulates including data files, RPAs/bot identities and a rapidly growing AI identity governance capability? Is this the solution that is going to take your organization into the future and feel safe getting there?

Your Existing Vendor is Forcing You to Migrate to a New Architecture

When your identity governance vendor has “re-architected” its solution and all future investment will be allocated to this new offering, it’s a tough dilemma to face. Unfortunately, implementing the new architecture will require an expensive and timeconsuming migration project. You will, in essence, have to start over: rebuilding and re-implementing functionality such as custom user interfaces, policies, workflows and resource connectors.

The reality is that migrating to your existing vendor’s new architecture will require a “rip-and-replace” of your current identity solution. Instead, reevaluate your options and make the best choice for your business going forward by not assuming the best decision is sticking with your current vendor. In many cases, you will be better off switching to an identity governance vendor with a proven product and satisfied customers, rather than risking your business on new architecture.

Your Vendor’s Customer Satisfaction and Retention Ratings Are Very Low

It’s important to remember that when you choose an identity solution, you don’t just buy a product, you buy a company. If you’re not getting the level of service you expect from your current vendor, the causes could be many. Perhaps your vendor is reducing its investment in identity governance in favor of other products in its portfolio. Maybe the vendor is overwhelmed with product quality problems or the company is suffering from internal issues such as high employee turnover or layoffs. Whatever the reason, the bottom line is that your vendor is not investing in your – or other customers’ – success.

You should broaden your perspective by doing some research on your current identity vendor. Talk to other customers that you’ve met at user conferences or trade shows and ask about their satisfaction levels. Make use of analyst firms like Gartner or Forrester. In the Gartner Magic Quadrant for Identity Governance and Administration (IGA), Gartner shares customer satisfaction ratings for the major vendors. To go deeper, schedule an analyst consultation and get more details about each vendor’s customer satisfaction and retention scores.

Bottom line: don’t accept poor customer support as the norm. Your company deserves better and other options are out there.

You Don’t Have Visibility into All Your Systems

Legacy identity solutions are limited in their availability to integrate with all the systems you use in the organization. In order for you to be the most secure and know exactly “who has access to what,” you need to implement a governance-based solution. This type of system can holistically see all data about your identities to make decisions easier, more efficient and most importantly, mitigate risk to the business.

Your Solution Has Been Moved to “End-of-Life” (EOL) Status

This may seem like a no-brainer, but it’s not uncommon for organizations to stick with an identity solution for months, sometimes years, after it has been moved to “EOL.” Many organizations are reluctant to sign up for the migration effort and are worried about business disruption. At the end of the day, though, you need to ask yourself: what is the strategic price you are paying to stay with software that has no future?

At a minimum, you’re giving up software updates and upgrades. Your software, which may already be a few years old, won’t keep pace with today’s changes. Identity requirements are constantly evolving, so how will you cope when your solution can’t manage cloud apps or unstructured data, handle mobile and social requirements, or meet new security and privacy mandates? At a more tactical level, to whom will you turn when your vendor no longer supports new releases of managed applications?

While you paid maintenance for all those years (and may still be paying for extended support), no one is going to respond to your requests for enhancement. While you may still get defect fixes, they will be few and far between.

The time to change is now.

Don’t let inertia keep you trapped in a sub-optimal identity program. It’s time to step forward with predictive identity governance solutions that can get your organization back on track. You can achieve big results that will improve end user productivity, strengthen compliance and security, all while reducing IT and helpdesk operational costs.

Send Me Info On Updating My Legacy IAM System

 

 

Meeting IAM Gaps and Challenges with New Product Offerings

PathMaker Group has been working in the Identity and Access Management space since 2003.  We take pride in delivering quality IAM solutions with the best vendor products available.  As the vendor landscape changed with mergers and acquisitions, we specialized in the products and vendors that led the market with key capabilities, enterprise scale, reliable customer support and strong partner programs.  As the market evolves to address new business problems, regulatory requirements, and emerging technologies, PathMaker Group has continued to expand our vendor relationships to meet these changes.  For many customers, the requirements for traditional on premise IAM hasn’t changed.  We will continue supporting these needs with products from IBM and Oracle.  To meet many of the new challenges, we have added new vendor solutions we believe lead the IAM space in meeting specific requirements.  Here are some highlights:

IoT/Consumer Scalability

UnboundID offers a next-generation IAM platform that can be used across multiple large-scale identity scenarios such as retail, Internet of Things or public sector.  The UnboundID Data Store delivers unprecedented web scale data storage capabilities to handle billions of identities along with the security, application and device data associated with each profile.  The UnboundID Data Broker is designed to manage real-time policy-based decisions according to profile data. The UnboundID Data Sync uses high throughput and low latency to provide real-time data synchronization across organizations, disparate data systems or even on-premise and cloud components.  Finally, the UnboundID Analytics Engine gives you the information you need to optimize performance, improve services and meet auditing and SLA requirements.

Identity and Data Governance

SailPoint provides industry leading IAM governance capabilities for both on-premise and cloud-based scenarios.  IdentityIQ is Sailpoint’s on-premise governance-based identity and access management solution that delivers a unified approach to compliance, password management and provisioning activities. IdentityNow is a full-featured cloud-based IAM solution that delivers single sign-on, password management, provisioning, and access certification services for cloud, mobile, and on-premises applications.  SecurityIQ is Sailpoint’s newest offering that can provide governance for unstructured data as well as assisting with data discovery and classification, permission management and real-time policy monitoring and notifications.

Cloud/SaaS SSO, Privileged Access and EMM

Finally, Centrify provides advanced privileged access management, enterprise mobility management, cloud-based access control for customers across industries and around the world.  The Centrify Identity Service provides a Software as a Service (SaaS) product that includes single sign-on, multi-factor authentication, enterprise mobility management as well as seamless application integration.  The Centrify Privilege Service provides simple cloud-based control of all of your privileged accounts while providing extremely detailed session monitoring, logging and reporting capabilities.  The Centrify Server Suite provides the ability to leverage Active Directory as the source of privilege and access management across your Unix, Linux and Windows server infrastructure.

With the addition of these three vendors, PMG can help address key gaps in a customer’s IAM capability.   To better understand the eight levers of IAM Maturity and where you may have gaps, take a look this blog by our CEO, Keith Squires about the IAM MAP.  Please reach out to see how PathMaker Group, using industry-leading products and our tried and true delivery methodology, can help get your company started on the journey to IAM maturity.

With today’s increasing Mobile Enterprise Security Threats, do you have a strategy to mitigate the risk on your Corporate Network?

Corporations are increasingly utilizing mobile enterprise systems to meet their business objectives, allowing mobile devices such as smart phones and tablets to access critical applications on their corporate network.  These devices provide advanced technologies over traditional desktop clients, such as: information sharing, access from anywhere at any time, data sensors, location, etc. But what makes these mobile devices desirable, by their very nature, also poses a new set of security challenges.  Reports by research agencies in recent years show an alarming trend in mobile security threats listing as top concerns: Android malware attacks, and for the IOS platform issues with enterprise provisioning abuse and older OS versions.

These trends highlight the need for corporations to start taking seriously a mobile security strategy at the same level to which cyber criminals are planning future attacks. A mobile security strategy might involve adopting certain Mobile Security Guidelines as published by standards organizations (NIST) and Mobile OWASP project. See the references at the end of this document:

The following guidelines are a subset of Mobile Security Guidelines I pulled from various published sources with most coming from NIST. It is by no means a comprehensive list, however they can be considered as a starting point or additional considerations for an existing mobile security strategy.

1 – Understand the Mobile Enterprise Architecture

You should start with understanding and diagramming the flow from mobile application to business applications running on the back-end application server. This is a great starting point and should be done at the beginning stages, as most of the security guidelines will depend on what is known about the architecture.

  1. Is the mobile application a native application or mobile web application? Is it a cross-platform mobile application?
  2. Does the mobile application use middleware to get to the back-end API, or does it connect directly to a back-end Restful based Web Service?
  3. Does the mobile application connect to an API gateway?

2 – Diagram the network topology of how the mobile devices connect

Is the mobile device connecting to the business application servers over the cellular network or internally through a private WiFi network, or both? Does it go through a proxy or firewall? This type of information will aid in developing security requirements; help with establishing a QA security test bed and monitoring capability.

3 – Develop Mobile Application Security Requirements

At a high level, a security function must protect against unauthorized access and in many cases protect privacy and sensitive data. In most cases, building security into mobile applications is not at the top of the mind-set in the software development process. As such, these requirements should be gathered as soon as possible in the Software Development Life Cycle (SDLC). It has been my personal experience in many cases that you have to work with application software developers in adopting best security practices. So the sooner you can get that dialogue going the better. Security objectives to consider are:  Confidentiality, integrity, and availability. Can the mobile OS platform provide the security services required? How sensitive is the data you are trying to protect. Should the data be encrypted in transit, and in storage? Do you need to consider data-in-motion protection technologies?  Should an Identity and Access Management (IDAM) solution be architected as part of the mobile enterprise system? Should it include a Single Sign On functionality (SSO)? Should there be multi-factor authentication, role based or fine-grained access control? Is Federation required? Should the code be obfuscated to prevent reverse engineering?

4 – Incorporate a Mobile Device Security Policy

What types of mobile devices should be allowed to access the organization’s critical assets. Should you allow personal mobile devices, Bring Your Own Devices (BYOD’s) or consider only organization-issued or certified mobile devices to access certain resources? Should you enforce tiers of access? Centralized mobile device management technologies are a growing solution for controlling the use of both organization-issued and BYOD’s by enterprise users. These technologies can remotely wipe the data or lock the password from a mobile device that has been lost or stolen. Should Enterprises consider anti malware software and OS upgrades to become certified mobiles on the network? To reduce high risk mobile devices, consider technologies that can detect and ban mobile devices that are jail broken or rooted, as these can pose the greatest risk of being compromised by hackers.

5 – Application Security Testing

According to a study performed by The Ponemon Institute, nearly 40% of 400 companies surveyed were not scanning their applications for security vulnerabilities, leaving the door wide open for cyber-attacks. This highlights the urgency for security teams to put together some sort of security vetting process to identify security vulnerabilities and validate security requirements as part of an ongoing QA security testing function. Scanning application technologies typically conduct two types of scanning methods: Static Application Security Testing (SAST) which analyzes the source code and Dynamic Application Security Testing (DAST), which sends modified HTTP requests to a running web application to exploit the application vulnerabilities. As the QA scanning process develops, it can be automated and injected into the software build process to detect security issues in the early phases of the SDLC.

6 – System Threat Model, Risk Management Process

What will typically come out of the application scanning process will be a list of security vulnerabilities found as either noise, suspect or definitive.  It will then be up to the security engineers knowing the system architecture and network topology working with the application developer to determine whether the vulnerability results in a valid threat and what risk level based on the impact of a possible security breach. Once the risk for each application is determined, it can be managed through an enterprise risk management system where vulnerabilities are tracked, fixed and the risk brought down to a more tolerable level.

7 – Consider implementing a Centralized Mobile Device Management System

Depending on the Mobile Security Policy that is in place, you may want to consider implementing a Centralized Mobile Device Management System especially when Bring Your Own Device (BYOD) mobiles are in the mix that can:

  • For mobile devices, manage certificates, security setting, profiles, etc through a directory service or administration portal.
  • Policy based management system to enforce security settings, restrictions for organization-issued, BYOD mobile devices.
  • Manage credentials for each mobile device through a Directory Service.
  • Self service automation for BYOD and Reducing overall administrative costs.
  • Control which applications are installed on organization-issued applications and check for suspect applications on BYOD mobile devices.
  • A system that can remotely wipe or lock a stolen or loss phone.
  • A system that can detect Jail-broken or rooted mobile devices.

8 – Security Information and Event Management (SIEM)

Monitor mobile device traffic to back-end business applications. Track mobile devices and critical business applications and correlate with events and log information looking for malicious activity based on threat intelligence. On some platforms it may be possible to integrate with a centralized risk management system to specifically be on alert for suspicious mobile events correlated with applications at higher risk.

References:

Your journey toward IAM maturity requires the right MAP

Leadership Essential in Cybersecurity Dynamics

Are your C-level leaders sending a clear message about Cyber Security?

Despite the high profile security breaches making news headlines and increased attention around cyber risks, executives in the C-suites are still lacking commonality and communication of a clear goal when it comes to a cybersecurity strategy. These individuals need to work together to manage their organizational risks to help prepare, mitigate, and minimize the damage caused by cyber incidents.

Every organization needs a clear strategy and roadmap with supporting tools that protect critical assets. Read more about this topic and the crucial role the C-suite plays in the dynamics surrounding Cybersecurity.

https://securityintelligence.com/c-suite-dynamics-can-impact-the-organizations-cybersecurity/

Developing an Entitlements Management Approach

We were sitting down with a client during some initial prioritization discussions in an Identity and Access Management (IAM) Roadmap effort, when the talk turned to entitlements and how they were currently being handled.  Like many companies, they did not have a unified approach on how they wanted to manage entitlements in their new world of unified IAM (a.k.a. the end of the 3 year roadmap we were helping to develop).  Their definition of entitlements also varied from person to person, much less how they wanted to define and enforce them.  We decided to take a step back and really dig into entitlements, entitlement enforcement, and some of the other factors that come into play, so we could put together a realistic enterprise entitlement management approach.  We ended up having a really great discussion that touched on many areas within their enterprise.  I wanted to briefly discuss a few of the topics that really seemed to resonate with the audience of stakeholders sitting in that meeting room.

(For the purpose of this discussion, entitlements refer to the privileges, permissions or access rights that a user is given within a particular application or group of applications. These rights are enforced by a set of tools that operate based on the defined policies put in place by the organization.  Got it?)

  • Which Data is the Most Valuable?- There were a lot of dissenting opinions on which pieces of data were the most business critical, which should be most readily available, and which data needed to be protected.   As a company’s data is moved, replicated, aggregated, virtualized and monetized, a good Data Management program is critical to making sure that an organization has handle on the critical data questions:
    • What is my data worth?
    • How much should I spend to protect that data?
    • Who should be able to read/write/update this data?
    • Can I trust the integrity of the data?
  • The Deny Question – For a long time, Least Privilege was the primary model that people used to provide access. It means that an entitlement is specifically granted for access and all other access is denied, thus providing users with exact privilege needed to do their job and nothing more.  All other access is implicitly denied.  New thinking is out there that says that you should minimize complexity and administration by moving to an explicit deny model that says that everyone can see everything unless it is explicitly forbidden.  Granted, this model is mostly being tossed around at Gartner Conferences, but I do think you will see more companies that are willing to loosen their grip on the information that doesn’t need protection, and focus their efforts on those pieces of data that are truly important to their company.
  • Age Old Questions – Fine-Grained vs. Coarse-Grained. Roles vs. Rules. Pirates vs. Ninjas. These are questions that every organization has discussed as they are building their entitlements model.
    • Should the entitlements be internal to the application or externalized for unified administration?
    • Should roles be used to grant access, should we base those decisions on attributes about the users, or should we use some combination?
    • Did he really throw Pirates vs. Ninjas in there to see if we were still paying attention? (Yes.  Yes, I did).

There are no cut and dry answers for these questions, as it truly will vary from application to application and organization to organization.  The important part is to come to a consensus on the approach and then provide the application teams, developers and security staff the tools to manage entitlements going forward.

  • Are We Using The Right Tools? – This discussion always warms my heart, as finding the right technical solution for customers IAM needs is what I do for a living. I have my favorites and would love to share them with you but that is for another time.  As with the other topics, there really isn’t a cookie cutter answer.  The right tool will come down to how you need to use it, what sort of architecture, your selected development platform, and what sort of system performance you require.  Make sure that you aren’t trying to make the decisions you make on the topics above based on your selected tool, but rather choose the tool based on the answers to the important questions above.

Building an IAM Roadmap – A five step process

Since 2003, our teams have been part of over 350 efforts to implement or rescue Identity and Access Management (“IAM”) projects.  Our customers, most of whom have become great friends, are from all over the US, crossing many disparate and unique industries.  In most cases, they are working to solve similar business problems and to fix or improve the same processes.

On many occasions, we started from the ground floor and had the opportunity to create a roadmap for their long-term strategy.  To those familiar with IAM capabilities, it may seem obvious what to prioritize and where to start, but let’s not be so quick to jump to what looks like an easy decision.  All IAM capabilities are not created equal.

Our job as a systems integrator is to successfully implement these complex IAM security technologies, and to ensure that our customers maximize the return on their significant IT investments.  As we help guide our customers through these decisions, this ROI is always our priority, which leads us to the topic for today.

So how, exactly, can we accomplish this?  This article is all about alignment.  Having alignment between IT and the other key stakeholders will significantly reduce the risk of your IAM projects failing and losing or wasting precious budget dollars.

How can you ensure you have correct alignment?  Here’s how our IAM Roadmap process breaks down.

Step 1 – We start by prioritizing a list of over 100 key IAM capabilities.  This list was compiled from our work over the years and is vendor agnostic.  After a brief explanation to help educate the stakeholders, we apply a ranking of low, medium or high based on their opinion on how important the organization needs a certain capability.  Typical examples of high priority capabilities are automated provisioning of accounts, self-service password reset and role recertification.

Here’s a common example of the final output

Step 2 – Once you have a high priority list to work from, we dig a little deeper into three categories of analysis.  The first category is Business Benefit – How significant is the true Business Benefit of this capability?  Is this just a shiny new IT toy or will the stakeholders see lift and leverage from adopting this functionality.  It’s critical to have your business stakeholders at the table so they can weigh in.

Step 3 – The second category is for your technical staff regarding Technical Complexity – How technically difficult will it be to configure or customize this solution?  Are there products that provide this feature and function out of the box?  Will your team be able to update and maintain the tools going forward or is this going to be way outside of their comfort zone and expertise?  Is it cost prohibitive based on the benefit?  This is where we can weigh in to help provide some context as well.

Step 4 – The third and last category is about Organizational Readiness – can the company readily adopt the capability?  Are there so many competing priorities that gaining mindshare and focus will be difficult?  Do you have the buy-in from stakeholder leadership?  Is everyone at the table truly on board with this project and these priorities?  Will they drive the effort through their organizations?

Step 5 – Once you’ve made it through this list and conducted a robust debate and Q&A with these three key questions, it’s time to score and rank the results.  Amazingly you will see a handful of capabilities that float to the top where the Business Benefit is high, the Technical Complexity is low and the Organizational Readiness is high.  After a short review of the results with some discussion and debate, a solid scope of high priority capabilities emerge as candidates for the first one or two phases of a successful program.

The next step is to choose a product that can fulfill these priorities, and then you are off and running.  The advantage you have is that your stakeholders are more educated and have bought into the process and priorities – they are aligned.  At the first sign of deviating from scope or questioning why we are including specific capabilities, you simply go back to the prior analysis and remind the team of the decision-making rationale.

Does this IAM Roadmap process guarantee a successful project or program?  Not necessarily.  But having all your stakeholders at the table and aligned provides a huge advantage and a great start.

 

Have you had your Security Wellness Check?…

So you think your organization is secure . . . think again! IBM X-Force 2013 mid-year report says that many of the breaches recently reported were a result of “poorly applied security fundamentals and policies and could have been mitigated by putting some basic security hygiene into practice.” Covering the basics is exactly what we help companies achieve through our “SecurePath” 16 domain rapid security assessment. In one week we can review your security posture, cover all your bases and help you prioritize the big security gaps in your environment.

Gartner Identity and Access Management Summit

How Can a Company Guarantee a Successful, Strategic Identity Access Management Program?

The Gartner Identity and Access Management Summit is right around the corner and leaders from all over the world will be coming to try to get this question answered.  Here are a few ideas from our ten years in the industry.

Strategic Identity and Access Management (“IAM”) projects can be difficult and the new challenges with mobile, social, and cloud compound the problem.  Protecting the perimeter is not enough anymore.  Safeguarding identities are the key to a truly secure enterprise.

The industry has seen way too many train wrecks with IAM.  To get beyond basic capabilities and really use IAM systems as a foundation for strategic IT, a company MUST take the time up front to consider the long-term plan.  Near-term, immediate priorities can be solved with client-based single sign-on, basic provisioning, simple roles and audit reports.  But with a short-term (and maybe short sighted) plan, a company can just as easily limit their ability to solve more complex problems.

Read more

Security Framework

With so many aspects to consider for IT security, this framework is a very useful approach to analyze how well an organization is addressing overall IT security.  This framework breaks security into people, data, applications, and infrastructure.

PEOPLE- The focus on people looks at controlling and monitoring what information people can and do access.  User provisioning is one of the big considerations.  Does a user have appropriate access to the systems he or she need, and only the system he or she need?  In smaller organizations this is often handled without automation.  Requests come often through a service desk ticket by management or HR for a person in a particular role to be granted access to a specific set of applications.  The challenge with this method is human error.  With movement in an organization, it is easy to end up with a user who has access to systems to which he or she should not be authorized because changing their access was overlooked.  A more thorough method of managing this and more cost effective method in larger organizations is to use an identity and access management system.  This is a centralized engine that manages the user’s privileges rather than administrators changing access application by application.  SIEM (Security Information and Event Management) tools provide another key aspect of people security, because they can detect targeted attacks in early stages and minimize any damage by monitoring user activity and data access. Read more