This week I attended the Gartner conference on identity and access management (IAM) with a view to getting a clearer vision of this sector.
Last year, the Jericho Forum message was that IAM should be separated. That is not to say that IAM isn't a factor within security. As someone said to me on Twitter: "Surely IAM is an integral part of information security."
This year's IAM summit did go some way to addressing the security element in IAM. In his opening keynote, Gartner's Ant Allan said IAM can deliver business value, and giving people the right access at the right time can help them achieve outcomes.
“What is it we are managing, who is accessing what? Who is looking at what people are doing with their entitlements? You need processes, organisation and the right technologies to put IAM in place and lead you into a productive environment. Getting it right is key to effective execution of IAM,” he said.
He also claimed that within business, security has fallen off the priority list, while IAM is an enabler as it helps the CIO achieve business priorities.
“You have a rich set of details of what people do, and this is of rich value to the business. This drives business decisions and performance management,” he said.
“You need to know where and why things are going to deliver a strategic vision. What is the value of IAM to this? It will not make everything successful, but where you can provide value and articulate it to business leaders is important.”
In another presentation on ‘Security and IAM – more than just reporting’, Gartner's Tom Scholtz highlighted the importance of IT governance and pointed to survey results that suggested this was lacking.
He said: “We may feel we are mature with governance, but we are not. IT governance is made up of processes; you set your own input, output and ownership. We have to agree on the decision rights, who does what, and understand the governance style – understand where the business is going and inform IT on how to satisfy demand.”
He suggested that IAM is about the governance of entitlements in the enterprise, how to create and remove access and how to ensure a sufficient segregation of duties. “That programme is efficient and effective, it provides reasonable controls and contributes to business value,” he said.
I later spoke with Chris Zannetos, president and CEO of Courion. He felt that security was maturing as boards become aware of what risk is, and where it is. He said we are in "a new dawn of security", as it is less about IAM and more about access risk and risk management.
He said: “As vendors, we have fomented this. As a result, customers have tools that are not feasible to use – a customer told me that to do a scan of all their file shares would take five years, and there is no way to do a scan of all vulnerable information. No one can eliminate all orphaned accounts.
“It is also about identity and access governance, about detecting a problem and preventing it. It is not just access, as security information and event management (SIEM) is about what access is; bringing the two together is about determining risk.”
Earlier in the day, the audience were surveyed (via green and red cards) on various questions, one of which asked them how satisfied they were with their IAM technology. The majority were unhappy.
I asked Zannetos about this. He said it is the job of the vendor to meet the demands of the customer, and if 75 per cent of customers were unhappy, then vendors were not doing their job properly.
I also met with another IAM vendor, SailPoint, whose president and co-founder Kevin Cunningham said we were witnessing a sea-change from an IT-only domain to applications and cloud-based services.
“We see business-level decisions being driven through IT. This is very much a business-process-driven problem space,” he said. “It is a very data-rich problem space, as IAM may live in the application and manage how it gets configured.”
Jackie Gilbert, vice-president of marketing and co-founder of SailPoint, said IT has to be creative with IAM and look at how it provides security. She said policies such as bring your own device (BYOD) only make a lockdown harder to achieve.
She said: “There are lots of changes with mainframe applications that you have to support, but technology needs to be there for users. We are driving a cloud initiative as more businesses move to the public or private cloud. We see more businesses having issues with Software-as-a-Service (SaaS) applications as they do not have IT's involvement.”
Cunningham said: “In some instances, the CISO will find 20 or 30 SaaS apps with company information. IT has to be creative with it and look at how they provide security. SaaS makes it easier to sidestep IT, but it has to be more about the carrot than the stick.”
If the talk last year was on separating identity from access management, this year it could be on a greater marriage of the two, particularly with SIEM technology, in order to achieve governance, risk and compliance (GRC). Or is that too many abbreviations?
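The IAM-plus-SIEM correlation that Zannetos and the paragraph above describe is easier to see in code than in conference language. The script below is an added example, not code from the page, Courion or SailPoint: it joins a constructed IAM entitlement export (account, owner, owner status, entitlements) with constructed SIEM authentication events (a syslog-like format I have assumed for illustration) and flags three governance problems: orphaned accounts (no owner, or an owner who has left) that are still authenticating, dormant accounts that have not logged in within 90 days, and segregation-of-duties conflicts where one identity holds a toxic pair of entitlements. The field names, event format, 90-day window and toxic-combination list are all assumptions for the example.

```python
"""Correlate an IAM entitlement export with SIEM authentication events.

Added example; all data, field names and the event format are constructed
for illustration and do not follow any vendor's export format.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed IAM export: account -> owner, whether the owner is still
# employed, and the entitlements the account holds.
IAM_ACCOUNTS = {
    "svc_backup": {"owner": None, "owner_active": False, "entitlements": {"fileshare_admin"}},
    "jsmith": {"owner": "jsmith", "owner_active": True,
               "entitlements": {"ap_create_vendor", "ap_approve_payment"}},
    "mlee": {"owner": "mlee", "owner_active": False, "entitlements": {"erp_read"}},
    "akhan": {"owner": "akhan", "owner_active": True, "entitlements": {"erp_read"}},
    "rpatel": {"owner": "rpatel", "owner_active": True, "entitlements": {"ap_create_vendor"}},
}

# Constructed SIEM authentication events in an assumed syslog-like layout.
SIEM_EVENTS = """\
2024-03-12T08:01:10Z auth user=jsmith result=success src=10.1.4.20
2024-03-12T08:05:42Z auth user=mlee result=success src=10.1.9.7
2023-11-02T23:10:00Z auth user=akhan result=success src=10.1.2.3
2024-03-11T02:14:55Z auth user=svc_backup result=success src=10.1.1.5
2024-03-12T09:30:00Z auth user=rpatel result=failure src=203.0.113.9
"""

# Assumed toxic combination: creating a vendor and approving its payments.
TOXIC_COMBINATIONS = [("ap_create_vendor", "ap_approve_payment")]
NOW = datetime(2024, 3, 13, tzinfo=timezone.utc)  # constructed "report time"
MAX_IDLE = timedelta(days=90)

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$")


def parse_events(text):
    """Parse the assumed event format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m["user"], "result": m["result"], "src": m["src"]})
    return events


def last_successful_login(events):
    """Map account -> timestamp of its most recent successful authentication."""
    seen = {}
    for e in events:
        if e["result"] == "success" and (e["user"] not in seen or e["ts"] > seen[e["user"]]):
            seen[e["user"]] = e["ts"]
    return seen


def orphaned_accounts(accounts):
    """Accounts with no owner, or whose owner is no longer active."""
    return sorted(a for a, d in accounts.items() if d["owner"] is None or not d["owner_active"])


def dormant_accounts(accounts, last_seen, now, max_idle=MAX_IDLE):
    """Accounts with no successful login inside the idle window (or ever)."""
    return sorted(a for a in accounts if a not in last_seen or now - last_seen[a] > max_idle)


def sod_conflicts(accounts, toxic=TOXIC_COMBINATIONS):
    """Accounts holding every entitlement of a toxic combination."""
    return [(a, pair) for a, d in sorted(accounts.items())
            for pair in toxic if set(pair) <= d["entitlements"]]


def risk_findings(accounts, events, now):
    """Combine IAM state with SIEM activity into a prioritised finding list."""
    last_seen = last_successful_login(events)
    orphans = orphaned_accounts(accounts)
    findings = []
    for a in orphans:
        # An orphan that is still authenticating is a live risk, not a hygiene item.
        if a in last_seen and now - last_seen[a] <= MAX_IDLE:
            findings.append(("high", a, "orphaned account with recent successful login"))
        else:
            findings.append(("medium", a, "orphaned account, no recent login"))
    for a in dormant_accounts(accounts, last_seen, now):
        if a not in orphans:
            findings.append(("low", a, "dormant account, candidate for disable"))
    for a, pair in sod_conflicts(accounts):
        findings.append(("high", a, "segregation-of-duties conflict: " + " + ".join(pair)))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


def run_report():
    return risk_findings(IAM_ACCOUNTS, parse_events(SIEM_EVENTS), NOW)


if __name__ == "__main__":
    for severity, account, reason in run_report():
        print(f"{severity:6} {account:12} {reason}")
```

The point of the join is the priority ordering: an IAM export alone says `svc_backup` and `mlee` are orphans, and a SIEM alone says they logged in yesterday; only together do they become the top of the list, while `akhan` and `rpatel` drop to low-severity clean-up. Note that `rpatel` is flagged dormant because only a failed login is recorded for that account; a successful login is what counts as use.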
Another thing that struck me was users' level of disappointment with their existing solutions. There are likely many reasons for this, and for those who voted negatively at the event, it would be good to know why. Is it time for an IAM revolution, or just for things to be more bespoke to individual needs?