CDW Exec-Connect: Winning with Identity and Access Management

Identity and Access Management (“IAM”) solves the challenge of understanding what digital identities (human or non-human) have access to what resources (applications, devices, etc.) at the appropriate time based on that identity’s role within the context of the access request. It’s a concept that’s been around for over two decades and has always been one of the most critical elements of a cybersecurity program, though it was not often treated as such. When IAM first gained popularity around 10-15 years ago, it gained a reputation for being too costly and difficult to implement, so many organizations either built their own solutions or did the bare minimum. However, the advent of smarter technologies, a more seasoned and experienced IAM talent pool, and the recent rise in popularity of a Zero Trust model, has put IAM into the forefront of cybersecurity.

Zero Trust Architecture (ZTA) is the latest buzzword (you could even claim it’s an analogy in its own right, especially if you look at the Cybersecurity and Infrastructure Security Agency’s (“CISA”) “Temple” visualization model). It’s admittedly overused at this point, but it’s not a new concept. ZTA is simply another way of looking at a multi-layer security model but in the context of a modern security landscape that has no real boundaries. The mantra that “Identity and Access Management is the new perimeter” is no longer accurate, because there is no actual perimeter. It’s more than a marathon that we’re chasing nowadays: it’s a road with no end. As a result, tying security to an identity has turned IAM into the most critical component of a ZTA model to ensure access to sensitive data can be traced through all layers of a modern infrastructure at any point in time.  ZTA and IAM are 100% tied together in the CISA Zero Trust Maturity Model, which is an evolution of what the National Institute of Standards and Technology (NIST) framework developed.

But how do you convince senior leadership that this is so important to your overarching security program? How do you help them understand that identity controls—in addition to your next-generation endpoint, edge and network solutions—are legitimate budget line items? How do you explain to stakeholders the time and resources it takes to build a well-toned cybersecurity program? Or why IT needs to move faster/slower than they deem it necessary? What kind of logic will you use to get their buy-in? That’s where the Marathon metaphor comes in handy, and here is my interpretation of the 6 ways Marathon running can inform your approach to building an IAM and ZTA program.

When I run, I’m not competing against anyone but myself. In fact, I’m my own worst critic. I don’t need anyone else to egg me on to excel or win. Similarly, as organizations investigate how to build out their cybersecurity measures, the key is to not be swayed by what others are doing in their industry or get tricked into implementing universal tactics. Your organization is unique. Keep that in mind. Consider how your workforce gets work done. Are they at a desktop all day, or using mobile devices out in the field? Are they issued company devices, or do they use personal ones to accomplish their goals? And it’s not just your workforce – you also have to evaluate your third-party vendors and partners, as well as your customers.

You really need to understand how your security posture ranks when compared to a framework like ZTA. Most organizations are not starting at ground zero. They likely have many security controls already in place, and probably use NIST as the baseline for the program, which automatically puts them at a ZTA maturity level, especially when it comes to basic elements of IAM, like Multifactor Authentication (MFA) or Single Sign on.

Warm up by taking inventory of your infrastructure and technological debt. Find out what may be redundant or close to deprecation, and where your gaps are functionally. Review your business logic. Is it logical? What aspects can be automated, and which must stay as manual exception processes? How reliable is your data? Do your authoritative user attributes really determine the roles and responsibilities to assess who (or what) requires access to your organization’s most sensitive data, who doesn’t, on what devices, and to which systems? 

I’ve run multiple marathons. That experience does not trick me into believing that I will automatically be able to be the first across the finish line or even beat my last time. Likewise, it is important that organizations don’t have a “false start.” In racing, the goal is to clock the best time. In setting up a ZTA framework or IAM program in a ZTA context, your goal is to not expose your company to a breach. Whether running marathons or setting up a lasting IAM program, going too fast, too soon can be your biggest vulnerability. Every company has its own pace. Nobody, not even a third party will understand how fast your org moves or what your corporate objectives truly are because only you live it day in and day out. Overestimating your ability to keep up the pace can cause injuries that could be detrimental in racing and in security deployments.

Your leadership team may be in a hurry to report to their investors that they’ve “finished” an IAM initiative (a misnomer in its own right), but the speed of getting even a foundational IAM program up and running doesn’t matter if you’ve missed crucial vulnerabilities or skipped essential workforce training and communication planning. Also, remember that the pace at which your company implements your framework is vastly restricted by the number of resources you have and the other projects going on in IT and at the line of business level. Working IT staff into the ground to incorporate a new IAM solution at some predetermined but inconsequential time will only increase the chances of a configuration error or critical oversight.

Marathon training can take you so many different places, and everyone trains differently, even while keeping in mind their end goal. Some people run on city streets, and others run on tracks or treadmills. Most people track their progress using a wearable device to monitor vitals and clock performance. They are all useful at different stages of building endurance to run 26.2 miles (a number that is oddly specific, but it commemorates the run of the soldier Pheidippides from a battlefield near the town of Marathon, Greece to Athens in 490 B.C. to announce the defeat of the Persians). No matter where you start, or how you supplement your workouts, you have to keep in mind where and how you will end your journey. Sometimes it can feel like you too are trying to run an unattainable distance to end a war, but you have to stay the course to meet your goals.

It’s rare to see a marathoner run without shoes or water-resistant clothing. It’s true some brands are better than others, but most have the same elements. Similarly, a mature IAM program will draw on a number of time-tested standards, tools and solutions. While there really isn’t one right direction, a program that doesn’t adopt a sound cybersecurity controls framework (like NIST, ISO – or ZTA) will likely fall short of helping you reach your destination. And since ZTA is based on the NIST framework, the two playbooks will take you on a scenic route past the necessary landmarks of Identify, Protect, Detect, Respond and Recovery.

Intelligence is also a factor. Like a FitBit or Apple Watch, deploying the proper analytics and intelligence-based solutions will provide specifics about your threat landscape that you wouldn’t normally notice or easily track. Integrating your SIEM with your IAM tools and pairing it with related elements of your cybersecurity program like user entity behavior analytics, threat hunting, incident response, and network traffic analysis will provide the level of visibility you need to truly counter external or internal threats. And if operationally, you do not have the capability to have your own Security Operations Center (SOC), the keen expertise of a third-party vendor who can monitor, detect and respond to these metrics and patterns 24/7 can fill in gaps in your staff where needed: this is why Managed Detection and Response (MDR) as a component of ZTA has become so popular in recent years as well. 

Despite that I run 6 to 7 times a week, I’m acutely aware that doesn’t mean I can go out and run a marathon tomorrow. I’d likely need to stop after seven miles. One long practice run on a Wednesday won’t make or break a marathon. Running a marathon is not a one and done kind of thing. Neither is setting up a ZTA framework or IAM Program. It’s the preparation over months and even years that will really sustain you. Sometimes, IT teams are so confident in their expertise that they question why certain deployments can’t be introduced earlier in the timeline. With setting up a secure program, it’s important to operationalize your processes. Given the resource challenges of late, the skilled team you have now may not be with you later. Building out a scalable, repeatable, documented process which can be taught to predecessors is the epitome of cybersecurity succession planning. Also, as the threat landscape evolves, so too must your program evolve. This can be done by adding time in your roadmap to modernize equipment, renew software licenses, update employee training, and streamline processes with an overall eye towards continuous improvements.

Running a marathon can be depleting, but so is operationalizing any element of your cybersecurity program. The night before a marathon, I load up on carbs like pasta, rice, and bread. But by mile 18 the next day, my energy has diminished entirely. So I eat gummies, because (of course!) carrying a loaf of French bread is not convenient and honestly just weird. Gummies are light and easy to carry with you while you run. They infuse my body with needed glucose, but without causing gastrointestinal distress. With gummies, I can increase my stamina at opportune times during the race; like when I feel everyone is passing me. But I’m usually on autopilot, and I reach for the gummies during regular intervals to replenish my strength.

Like any good sustainability plan, automating security controls across the company can help your organization reliably monitor and economically assess risk. IAM introduces a lot of automation—like your daily user on-boarding and off-boarding processes--as do most security technology investments, especially ones that embed machine learning and analytics capabilities. Most of the security investments you make will allow your organization to scale with less risk, which is crucial in a world where we have an extreme security talent shortage.

There is one final thing that I do when running a marathon, which I believe will be a benefit to those working to enhance their identity and managed detection program. I remind myself what I’m running for. Like I mentioned earlier, running helps with my ability to unwind. I absolutely do it for fun, but I’m a big fan of running to benefit a charity—especially those that have impacted my close friends and family. I’ve run for Breast Cancer and Multiple Sclerosis research and awareness quite a bit.

As I run, I don’t need anyone else to egg me on to excel or win: the causes I run for keep a fire under me. The impact of cyber breaches also has real world consequences for the industries they affect. Everyone focuses on the direct financial costs, but opportunity, reputational, and market costs are just as substantial and critical to why we need to invest and build a cyber program that guards against these risks. Not to mention the costs carried by individuals. For instance, when hospitals are attacked with ransomware, medical devices are disabled, and access to medical records are lost preventing patients from receiving timely care. “Ransomware attacks on hospitals are not white-collar crimes, they are threat-to-life crimes,” says the American Hospital Association. When building out an IAM and overarching cyber security and risk management program, I’ve found it helps to consider how an attack on your organization would affect your business outcomes and your customers or your customer’s customers. Visualizing the costs they will pay in time, health, or loss of financial security will inspire you to run your best race and subdue the attempts made by bad actors.

Finally, while there are many parallels between cybersecurity and marathon running, the truth is that after months and even years of preparing, one ends, but the other one doesn’t. In fact, not only will your preparation against a cybersecurity breach not end, but also it probably will not end well. As I’m sure you’ve heard before, the question is not IF you will be breached but WHEN. Securing your organization from cyber threats by defining roles, requiring authorization, and enforcing governance are never-ending. There is no finish line, and an IAM architecture is only one element of a full-stack solution. An end-to-end solution will include Network and Cloud security posture management solutions, Next-gen firewalls, incident response, DevSecOps, and much more.

Also, unlike marathon running, defeating bad actors doesn’t need to be done alone. Team up with a third-party vendor like CDW. With the help of our deep-seated partner bench and certified security specialists, we can assist with managing your risk before, during and after an event. We’ll run this race with you.