At Radiant Logic, we’ve been harping on the importance of bringing together different sets of user information—and the value of leveraging the relationships across these disparate data sets to derive contextual meaning about identity—since the beginning of time in 2013. Which is why we are so utterly delighted that the market seems to be picking up on this concept in a massive way, as evidenced by the growing popularity of “fabrics” everywhere—from the data management space to our world in identity.
Why should you care, practically speaking? This is where a report by 451 Research called “Identity and Access Security: Strengthening the Resilience of Cybersecurity’s Front Lines” is illuminating.
The practice of Identity and Access Security (IAS) is focused on identifying the opportunities for compromise from the attacker’s perspective, to then mitigate those risks. It’s adjacent to and interlocking with the spheres of Identity and Access Management (IAM) and Zero Trust security, but really zeroes in on the “adversary” and what approaches they might take.
The report calls out one of Radiant’s nemeses—identity sprawl. It’s not just a pain in the butt to manage, it’s also a security risk. Identity sprawl leads inevitably to security gaps. “Once the number of entities reaches any kind of scale, however, managing things like access permissions and keeping authentication safe from abuse becomes unwieldy.” So true.
Why does identity sprawl happen to good people? I keep coming back to this idea of reinventing the wheel. For example, one of the workarounds we’ve seen companies going through a merger/acquisition make is to take copies of user information and synchronize that into various repositories to give those users access to the systems they need. And then they have to maintain that going forward—multiple IDs, passwords, stores, connections, sync flows—in a redundant, expensive, and totally avoidable manner ☹.
Meanwhile, the files… are IN… the computer. (It’s so simple.)
The identity data was there all along—there are tools (okay, mostly just RadiantOne) for repurposing the identity data you’ve already got and making it useful again for new and different applications and initiatives—so you can avoid this very likely scenario.
Which is why we’ve been so stoked about context—and why we’re explicitly connecting it (see what I did there?) with the concept of identity knowledge graphs. The ability to link the digital life of a user across all the different business objects in your system and deliver an easy-to-understand rendering of these users’ various contexts is the function of an identity graph. It builds a map of each user as a player within your system—no matter how many subsystems make up that landscape, or how many personas that user may operate as.
Let me digress into why RadiantOne is well positioned to help build your identity graph (and enable you to leverage the systems you ALREADY HAVE to build the IAM program of your dreams). Our unique ability (we call it model-driven virtualization) to extract existing object relationships out of data silos and link objects across these silos allows us to generate a global object and relationship map—which allows you to model infinite context-driven views that reflect how objects are related across your company. In the realm of security and beyond, this map means your teams are no longer flying blind when it comes to identity.
Trying to architect an IAM system that is both practical and “tough” enough can be tricky. How can an organization “thread the needle” (see what I did there?) between what’s really doable, and what is best practice? On the one hand, if privileges are too broad or accrue over time and are not revoked as necessary, they may enable unintended access and capabilities—leaving the organization more open to risk of breach. But on the other hand, what are the resources available for setting up and administering a very fine-grained entitlement management system? And on your third hand, how can you even begin setting up that comprehensive program in the face of siloed identity data? …and now you’re way out of hands.
As discussed in this report, entire segments have grown around handling this particular problem—Privileged Access Management (PAM), Cloud Identity Entitlement Management (CIEM), and Identity Governance and Administration (IGA) all play an important role in curtailing unnecessary access, efficiently. The problem that all these systems run into is the data issue—you have to have access to normalized, reliable identity data to feed these tools and drive good decision making. When identity data is sprawled all over the place, in different formats, possibly even inconsistent, you’re going to hit roadblocks over and over when you try to roll out these initiatives. And you’ll never guess what I’m about to say, but RadiantOne accelerates the deployment of and boosts the efficiency of those systems because we unify identity data from all sources, and provide a dynamic stream of up-to-date information to whatever application or tool needs it, in whatever format is required.
The other thing that really caught my eye in 451’s report was what they have to say about graphs and how attackers are already exploiting graph analytics to infiltrate their targets. “There are few more powerful ways that organizations can visualize identity, access and privilege relationships in an environment that expose risk.” They quote Microsoft’s John Lambert, “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.” A little melodramatic, but accurate. How can the good guys stay ahead?
A system for detecting security anomalies within identity begins with your own identity knowledge graph. As written in the report, “the ability to make connections between identities, groups, access rights, and privileges” is critical for security. They make the case that “defenders” need to do so FIRST, to make the attack paths visible. So if you start with your own internal identity graph, you are in a good position to make a defensive game plan.
Our suggestions for implementing the techniques recommended in 451’s report:
- Don’t reinvent the wheel—re-use the sources you already have and harness the value of the existing identity data through virtualization (aka using RadiantOne)
- More closely define and easily manage identity and entitlements by starting with an identity graph
- Implement fine grained authorization much more easily with automated groups. Segment groups and memberships to better insulate assets from potential exploitation
- Add stronger controls on access like Multi Factor Authentication (MFA) to all applications—including legacy applications
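To make the “defenders think in lists, attackers think in graphs” point concrete, and to show what the report’s “connections between identities, groups, access rights, and privileges” and the group-segmentation item above look like in practice, here is an added example. It is not code from the 451 report or from RadiantOne; every user, group, resource and membership in it is constructed sample data. It builds a small identity graph from group memberships (including nested groups) and group-to-resource entitlements, then contrasts the membership list of a sensitive group with the set of users who can actually reach the resource it protects.

```python
from collections import defaultdict, deque

# Constructed sample identity data for this example (not from the report or
# from RadiantOne). Membership edges are member -> group, where a member may
# itself be a group (nested membership); entitlement edges are group -> resource.
USERS = ["alice", "bob", "carol", "dave"]
RESOURCES = ["password-reset", "server-rdp", "domain-controller", "erp", "hr-db"]
MEMBERSHIPS = [
    ("alice", "helpdesk"),
    ("bob", "helpdesk"),
    ("helpdesk", "it-ops"),         # nested: every helpdesk member is in it-ops
    ("it-ops", "domain-admins"),    # nested: it-ops sits inside domain-admins
    ("carol", "finance"),
    ("dave", "finance"),
    ("dave", "hr-readonly"),        # membership accrued from an old role, never revoked
]
ENTITLEMENTS = [
    ("helpdesk", "password-reset"),
    ("it-ops", "server-rdp"),
    ("domain-admins", "domain-controller"),
    ("finance", "erp"),
    ("hr-readonly", "hr-db"),
]


def build_graph(memberships, entitlements):
    """Adjacency list: node -> the groups it belongs to and the resources it holds."""
    graph = defaultdict(list)
    for member, group in memberships:
        graph[member].append(group)
    for group, resource in entitlements:
        graph[group].append(resource)
    return graph


def direct_user_members(memberships, group, users):
    """The 'list' view: users that appear directly in the group's member list."""
    return sorted(m for m, g in memberships if g == group and m in users)


def shortest_paths_from(graph, start):
    """Breadth-first search; returns node -> shortest path for every reachable node."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths


def effective_access(graph, user, resources):
    """Every resource the user can reach, with the chain of groups that grants it."""
    paths = shortest_paths_from(graph, user)
    return {r: paths[r] for r in resources if r in paths}


def who_can_reach(graph, resource, users):
    """The 'graph' view: every user with a path to the resource, direct or nested."""
    result = {}
    for user in users:
        access = effective_access(graph, user, [resource])
        if resource in access:
            result[user] = access[resource]
    return result


def hidden_access(graph, memberships, users, group, resource):
    """Users who reach `resource` only through nested groups, i.e. who are not
    listed directly in the group that holds it. These are the paths a member
    list hides and a review of the graph surfaces."""
    listed = set(direct_user_members(memberships, group, users))
    return {u: p for u, p in who_can_reach(graph, resource, users).items() if u not in listed}


if __name__ == "__main__":
    graph = build_graph(MEMBERSHIPS, ENTITLEMENTS)
    # The list view: nobody is a direct member of domain-admins...
    print("domain-admins, direct user members:",
          direct_user_members(MEMBERSHIPS, "domain-admins", USERS))
    # ...but the graph view shows two helpdesk users reaching the domain controller.
    for user, path in hidden_access(graph, MEMBERSHIPS, USERS,
                                    "domain-admins", "domain-controller").items():
        print(f"{user} reaches domain-controller via {' -> '.join(path)}")
    for user in USERS:
        print(user, "effective access:", sorted(effective_access(graph, user, RESOURCES)))
```

Run as-is, the membership list for `domain-admins` contains no users at all, while the graph shows `alice` and `bob` reaching `domain-controller` through two levels of nested groups; `dave` likewise still holds `hr-db` from a role he no longer has. Both findings are the kind of accrued, hard-to-see access the report and the list above are about, and both only become visible once the identity data from the different stores is joined into one graph.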
All of these initiatives will be accelerated when you’ve unified identity data into a renewable, enterprise-wide resource. Identity is the common thread that crosses so many (all?) of the critical systems for any digital organization. As I mentioned earlier, we are seeing a sea change in the way identity is understood by businesses and beyond, with much more awareness of the exponential impact data can have when it’s brought together centrally to power multiple identity services. In fact, a recent RFI issued by the USCIS Office of Information Technology to maintain their Identity, Credential and Access Management (ICAM) program recognizes the power of unified identity: “Traditionally segregated functional areas, such as: Identity, Credential, Access and Federation, when managed collectively, provide security, privacy and process efficiency benefits that would not be achieved if managed individually.”
Building better systems for security, user experience, and operational efficiency based on that common thread of identity is what we deliver with the RadiantOne Intelligent Identity Data Platform. Connecting the bits and pieces of data, making sense of it all, is made possible by extracting the relationships binding those data points. The Identity Data Fabric concept is useful for understanding what we do in an intuitive, visual way—we’re weaving together data to make something functional out of elements that have historically been done separately. Maybe we should have called it an identity data quilt? Brb, pitching that internally.
Anyhoo, catch us discussing modern security strategies with one of the authors of this report, Garrett Bekker, in conversation with our Director of Product Management, Lisa Grady, on April 6!