As a senior architect, sales engineer, and consultant out in the field working closely with senior IT security leaders and CISOs, I sometimes run into questions surrounding the Vormetric product line related to Identity Management. Having implemented identity management solutions for Fortune 500 companies around the world for a number of years, I truly appreciate when these questions arise, as it demonstrates some understanding that Data Security and Identity Management are essential first cousins in IT Security.
How are they first cousins within IT Security and why are they both so essential, vital, and important, you ask? At some point here, I’ll throw out at least a one-line history statement to show how and why they are related so we can subsequently understand their vitality and importance within enterprises in today’s world.
Data Security & Identity Management Go Hand In Hand
But first, when you think about it, at base and stripped all the way down, digital information is about digitized data on a storage medium of some sort. That’s it. Whether it’s raw data or data that is executed (ie. a program, a script, etc.), to the storage device and the operating system that manages both, it’s all just “data.” The data itself then is at the heart of what every computing system is about. And data security is all about securing that data wherever it lives for the enterprise.
Digitized data just sitting on a storage device however is meaningless. Access to that data and a frame of reference – “this data is a ‘program,’ this data is ‘system data,’ this data is ‘user data,’” etc. – is what gives data meaning and life. [1] For someone who sells and/or implements in either the Data Security or Identity Management space, it can be very easy to don horse blinders and insist to customers that their solution is the essential piece:
“No! It’s all about protecting the data and having data protect itself!”
“Au contraire! It’s all about identities and governing access to the data!”
Actually, Data Security and Identity Management are symbiont to one another and synergistically linked – chicken and egg, needle and thread, wall and head (for all of us cybersecurity professionals, I had to throw that one in there!), Batman and Robin, Oscar and Felix, Wallace and Gromit. (You get the picture… :-)) Ya gotta have both. Both are right and either by themselves aren’t the entire answer or solution to the problem of securing data. Data without access is dead. But access governance that doesn’t drive protection and controls all the way down to the data level is insufficient. Both are needed, necessary, and essential and must be combined to provide an effective and efficient solution to data security and identity and access management and governance. They go hand in hand.
In terms of implementation…, [Identity Management and Data Security] should be implemented top down and bottom up, and somewhat simultaneously, designed to meet in the middle.
The Birth of Identity Management, Data Security, Breaches, and the Cloud
As someone who has worked extensively in the Identity Management space, I can tell you that Identity Management itself is not easy exactly because it’s so across-the-board essential to proper and secured technology enablement. To really drive home the incredible breadth and involvement of Identity Management would involve more explanation than what we have time for here.
But if I had to provide a one-line statement as to how we arrived at today’s computing landscape it would be this: the chronology of taking systems that once operated and were essentially architected (really important to note!) as separate systems and entities and then interconnecting them all, first through private networks and then publicly on the internet, is the simplest statement I can provide as to why the computing landscape looks as it does today. That one fact alone is exactly the driving force behind breaches, the complexity behind IT Security, operational complexity, and the move to simplify and reduce operational risk and time to market through virtualization, consolidation (mainly through the cloud), abstraction, and containerization.
That one fact is also how Identity Management and Data Security came into being. For Identity Management, its bane is the sheer broadness and involvement of the task across the enterprise computing landscape due to the sheer number of systems we’ve interconnected. For present-day Data Security, its bane is that at that per system level, its basic implementation is a flawed philosophical, archaical, and architectural misfit for interconnected systems. Both together have given birth over time to Active Directory, LDAP, virtual directories, access control lists, encryption, abstraction layers, malware prevention, SIEM, the cloud, and a myriad of other technologies that flood the marketplace today to address the gaps these one-time standalone but now interconnected systems have created.
Data Security, Identity Management and “The 3 Gs”
If we were to try and break down all this complexity however and (over?!) simplify things, we could say in order to adequately address our need to protect data, it would come down to three essential elements. And surprisingly we’ll see that based on these three essential elements, no matter which way we approach them – top-down or bottom-up – they describe both the function and the hand-in-hand relationship Data Security and Identity Management have with one another.
For this article, we’ll describe them top-down, though in terms of implementation within the enterprise, they should be implemented top-down and bottom-up, and somewhat simultaneously (for reasons I will outline in another article), designed to meet in the middle. I’ll go ahead and provide one clue here and that is the need to implement them in unison is driven mainly by the complexity and therefore the usually slower pace of implementation from the Identity Management perspective (set in contrast to the rate of raw data proliferation within the enterprise – that’s a tension a lot of enterprises are presently feeling).
But if we discuss these three essential elements solely from a top-down perspective, we will conceptualize things first from an Identity Management perspective and then from a Data Security perspective, some of this concluding in a subsequent article. So, access first, then data security and protection last.
So here they are, these essential elements that I call “The 3 Gs”.
The First G
To truly get our arms around access in the enterprise, we have to know what and where that access is in the enterprise. That alone is not an easy task, but let’s not get into the complexity around that task here (ie. access to servers on-prem; in the cloud; shadow IT contained in various XaaSes; remote offices; shared hosting; application-level only access; agent, vendor and customer access; etc. – see what I mean?!) and simply state that the task must be done. This is what I call Gathering. We have to Gather that access from all of our essential systems no matter where they sit. [2] So the first “G” is Gather.
The Second G
Once we’ve gathered that access then we have to provide meaning and context to the information about access that we’ve gathered. The meaning and context we want to provide is generally termed Governance because now that we know what access we have within the enterprise, we intend to do something with that information about access to that access based on business constraints. We want to make determinations about that access, whether that access is proper and right, whether that access needs to be revoked, whether and how it needs to be granted, reviewed and approved when requested, how it would be requested, what can be requested (in terms of a request catalog), what needs to be granted to provide just the right access, additional metadata around that access in the form of establishing roles and entitlements, governing those roles and entitlements, etc.
The list around Governance is long and it’s a big, big job. And in Identity Management, the jobs of both Gathering & Governing are never done. That’s why enterprises must have Identity Management systems in place that provide coverage to all essential systems, whether on-prem or in the cloud, and establish business rules around that access based on policies, roles and entitlements, establish a request catalog, how and when access can be requested and granted, etc. Read the [3] footnote for some context as to why the job of Identity Management is never done if you are interested in just a little more here. But the second “G” is Govern.
The Third G
So Gathering and Governing of access is Identity Management’s job. And often in enterprises, that exercise is carried out based on now-established “identity management wisdom” such that enterprises can often lose sight of why they’re going through this incredibly painful and somewhat expensive exercise to begin with: to guard the data! Remember what the heart of all systems is – it’s the data! That’s what it’s all about. And if we simply “govern access” and we don’t drive that governance all the way down to the data layer, then we haven’t completed the job.
I will tell you that (1) this isn’t easy to do within Identity Management and (2) that it drove me and my teams nuts that we pretty much couldn’t implement data security to the level we often really wanted to (not to mention just completing the first two “G”s – gathering and governing are and were more than a full-time job!). Driving protection and controls based on access down to the unstructured data level was really hard – almost impossible to do without a lot of work. [4] Most Identity Management systems are graded on how well they gather and govern access both in function and in ease of implementation and ongoing operation. [5] There are a lot of use cases to cover just between those two functions.
Data Security and Identity Management are symbiont to one another and synergistically linked.
That last mile of actually protecting the data itself however is where Data Security picks up. And I’ve already given you a clue above – we want data to be Guarded. This is the third and last “G” in “The 3 Gs.” And you should definitely know: an enterprise can do an excellent job of gathering intelligence around access and governing that access. But in the event of a breach, access governance (IAG), privileged access management (PAM), and a host of other related technologies begin to fall on their faces a little bit (or in some cases, a good bit) if the data itself isn’t and hasn’t been guarded.
Yet for those with day-to-day business need to know (BNTK), granted, governed, and secured access – Identity Management functions – is still absolutely essential, even to guarded data. BNTK only makes sense when we combine data that only those individuals should have with their permitted (and everyone else’s denied!) access. Hence the reason why Data Security and Identity Management are essential first cousins in IT Security. Again, and hopefully, you will by now agree, they go hand in hand.
Guarding Data Just as Essential As Governing Access
So now we know about “The 3 Gs”: Gather, Govern and Guard.
The job of Identity Management is to address and solve the first two “G”s, Gather and Govern, and to do that on a continual basis because businesses are continually undergoing change. (That’s why one essential part of the Governance function within Identity Management is called “Lifecycle Management” – businesses are constantly moving and changing, sometimes hourly, with regard to access across the enterprise – again, check out the [3] footnote for more on this.)
The last “G”, Guard, is handled by Data Security. At this point in today’s world, one of the best ways to protect data or have data protect itself is to implement strong access controls directly around that data – our relationship to Identity Management, which will dynamically govern that access – with one of those controls being encryption of that data using industrial strength, standards-based encryption (and then coupled with strong key management that has limited access and strong separation of duties – we keep running across that symbiont relationship to Identity Management, right?!)
Stay tuned for my next article, where I reveal why on a per system-level, present-day, out-of-the-box (OOTB) controls are a philosophical, archaical and architectural misfit for interconnected systems within large enterprises with a large number of actors against data, and why data security – the last “G”, Guarding – is absolutely essential to finishing the job of protecting data and not just access governance alone.
The data itself then is at the heart of what every computing system is about.
I’ll also discuss why data security from the bottom up needs to be implemented in parallel with top-down Identity Management and continually tied into Identity Management in order to be operationally effective and yet strong and secure within the enterprise.
And finally, I’ll speak a little bit about how the Vormetric product line, and in particular our Transparent Encryption solution with industry-standard AES-256 encryption and policy-based access to data that supersedes antiquated and architecturally insufficient OOTB data controls, ties transparently and seamlessly into almost any Identity Management solution. So you can understand how our platform approach can couple with and leverage your existing Identity Management solution to help you finish the job and not just “govern access” as some hamster wheel exercise, but to drive that governance, dynamically, all the way down to the actual data, wherever it may exist for your enterprise.
As always you can leave comments below or engage with me online via Twitter @ChrisEOlive.
____________________
Footnotes
[1] This is also, at base, the function of operating systems, to provide meaning and context as well as a human interface to data. And operating systems with their closely coupled file systems are the usual base means for providing access to data, although not strictly so as virtual access methods also exist tied to layers built on top of the operating system such as applications; databases; directories; groups, roles, and entitlements within those directories; etc.
[2] Another part of the complexity of Identity Management? Determining what “all of our essential systems” means, both in terms of risk, operational efficiency, what constitutes “essential,” etc. Not to mention knowing about and connecting to all of these systems in the first place – knowledge and topography, essentiality, and connectivity.
[3] To give you an example of the complexity and pace of change just around maintaining basic access in a large enterprise… I was privileged in the early 2000s with designing and developing (from scratch!) one of the first large-scale Identity Management systems for GE Aircraft Engines (now GE Aviation). GEAE had at that time over 50,000 active employees on six continents in their AD and Exchange address book. If you opened the GEAE address book in Exchange then, the distribution of names would look about the same as that of a mid-sized American or UK town of 50,000 people – a lot of Smiths and Joneses, one or two Olives, some Olivers, some Hansens, Goldbergs, and Stewarts, etc.
And the frequency with which these identities came into, moved around, and left this “city” of GEAE was about the same. On any given week, dozens and dozens of individuals could be coming into, leaving, or changing roles in the organization. Even if we just considered what are called “birthright systems” that provide basic access in an organization (which is all that we automated at that time), manual fulfillment of that many changes by hands-on administrators, as was taking place previously, was time and cost prohibitive.
That was the rate of change in a decent-sized organization in 2001. None of this addresses or addressed the full gamut of Identity Governance one would need to have in organizations today; that was just basic provisioning and deprovisioning of basic access for active employees. Today’s problem of identity management and identity governance is literally magnified one hundredfold.
[4] This is exactly why at least one leading/bleeding edge Identity Management company, SailPoint, recently purchased WhiteBox Security and turned it into a co-offering product, now called SecurityIQ, to run in conjunction with their identity management offering, IdentityIQ. They did it because they understand that gathering access and providing governance around that access is really and essentially about actually protecting your data. Without actually protecting the data itself, the job falls short.
[5] (a) Can it address my identity management use cases? (b) How easy is it to implement my use cases (which can lead to a very desired and much-needed speed of accurate implementation)? And (c) how flexible is the solution to meet anticipated and even unknown use cases in the future and still perform with operational efficiency and accuracy, given the disruptive changes in IT? All of these as a seamless solution anywhere I have data and access for the enterprise.
Notice also I never say “in the enterprise” but “for the enterprise” – because your perimeter is no longer determined by your network but by where your data lives — any place that it lives and governing your organization’s access to it. That is your new “perimeter,” and precisely why both Data Security and Identity Management are the definitive IT Security cornerstones for the foreseeable future.