The IT Manager's Declaration for IAM

Kevin Eberman
Sr. Director, Information Security at MineralTree, Inc. (a Global Payments company)
Oct 19, 2021

The following is a guest blog post from the IAM Pulse Community.

-----

Not so long ago, any business trying to get a competitive edge with technology could not do without dedicated help, whether contracted or an on-staff IT Manager. But IT was often poorly understood, and often badly managed--and stereotypically derided as aloof, incomprehensible, and yes, incompetent. And for decades, as the cost of technology has fallen, IT Managers have been asked to do more with less. Now, DevOps and other trends in automation are really putting the squeeze on the IT Manager.

These days businesses can get by without dedicated IT Management. But advances in DevOps, the ubiquity of SaaS offerings and ever increasing advances in automation have not eliminated the need for IT Management. In the absence of dedicated resources, IT Management (including IAM) is a second job for someone in the company: the CFO, the HR Manager, a Principal Engineer, or that entrepreneur building their startup. They have insufficient time and resources to be an “expert” in IAM. Lacking the time and expertise, they struggle to build a safe and manageable IAM system for their business. They struggle to control who has access to their information--they struggle to keep their arms around their own intellectual property.

Identity Access Management (IAM) is such a part of our everyday lives, we seldom give it much thought. It is just a part of the wires, fiber optic cable, and software that are the backbone of the Internet. It is like the roads we drive--there all the time, but generally experienced unconsciously. And like those roads, even with safety measures like traffic lanes, street signs and signals, it can be dangerous.

We know not all drivers obey the rules of the road. Generally, drivers do, but sometimes when they are in a hurry, they run a red light. Sometimes drivers are on unfamiliar roads with unfamiliar rules. And sometimes drivers just make mistakes; they veer left, when they should have veered right. We all make mistakes. For all of these reasons we witness daily pile-ups on our roads.

Like roads without traffic lanes and street signs, the Internet without IAM would be chaos.

Even with IAM the Internet is dangerous! Shortcuts, lack of concern and mistakes lead to some nasty security breaches, not to mention the routine aggravation when users have difficulty getting access to their systems and data.

Learning and implementing IAM is doable, but hard. Tools for IAM are available for larger businesses. When those tools fall short, these businesses can compensate with dedicated technical resources to fill gaps. For your everyday IT Manager, IAM is chock full of technical jargon, complicated certificate management, careful copying and pasting of incomprehensible access URLs, and faulty integrations that often fall short of the promise of SSO and require some manual user provisioning on the identity provider side, the service provider side, or both.

THEREFORE, WE, THE IT MANAGERS, DECLARE:

We want a standard IAM model that is reliable, easy to use and secure. The standard IAM model will be:

STANDARD

If you’re thinking this declaration is unnecessary because we have SAML or some other existing service or protocol, you’ve missed the point. If so, consider electronic payments for a comparison. You don’t need to understand how the Automated Clearing House (ACH) system works to make an electronic payment. You don’t even need to know there is an ACH system. All you need to do is tell your bank where you want your money to go. Your bank does the work of getting your payment there. In the same manner, we want a standard IAM model that just works.

UBIQUITOUS

A standard IAM model will only be a “standard” when it is implemented widely. To achieve its benefits, the standard IAM model needs either wide adoption amongst the applications and services we typically use or an ability to be overlaid on existing IAM systems.

EASY TO IMPLEMENT along the standard IAM model:

  • Adding applications, services and user assignments is as easy as select, commit and go.
  • When integrating identity and service providers, systems will provide comprehensible error messages when configurations do not work.
  • User management (provisioning and deprovisioning) will incorporate role, individual and group provisioning over all systems. Today’s integration gaps need to go away.

DEVOID OF JARGON

Please, no tech-speak. If you want an IT Manager “to access an API endpoint, to download a metafile and inspect a system’s SAML attributes,” you’ve fallen off the path. We want a standard IAM model that incorporates relatable metaphors, in the same way as our computers have “desktops” and “files.”

UNENCUMBERED by complicated certificate or encryption key management

Certificate management and encryption keys are complex and confusing even for seasoned IT people. Any system that explicitly requires the generation of certificates or encryption keys is fundamentally hard to use. The standard IAM model we want hides the heavy lifting of certificate management from the IT Manager.

EXTENSIBLE

The goal of a small business is to become a big business. When a business outgrows the standard IAM model, stepping up to an “advanced IAM model” should be an evolution, not a rip-and-replace nightmare.

AUDITABLE

Any system that is responsible for controlling access to our applications and data needs to be auditable. The standard IAM model we want will maintain an audit log of provisioning activities, configuration changes, and other important events, like failed logins. This audit log needs to be readily accessible (and read-only) to the IT Manager.

SECURE

Let’s not forget why we are doing all of this. We want to keep our applications and data secure. Identity and access management is meant to improve security by making access to our applications and data easier to manage. Ease of use cannot come at the expense of security. We want a reliable, easy to use and secure standard IAM model.

Cover photo by Brett Jordan on Unsplash.
