IAM and why it's so hard to maintain in large organisations.

Hi,

I am currently completing a masters in cyber security and my final work is on IAM and why it seems to continue to be a problem despite being a longstanding security fundamental and many organisations investing significant funds into the problem...

I have worked at a few places where sustainability of good IAM seems to be a challenge.

My own working theory is that it is seen as a technology problem when in fact it is a business process which needs technology support and that controls degrade after investment due to poor connection with wider corporate governance.

If anyone has any thoughts and views they would be very welcome.

Best,

Gareth

10 Replies
Viewer II

Re: IAM and why it's so hard to maintain in large organisations.

I guess large organisations have very complex processes and IAM works extremely well in a standardized environment. The real challenge is achieving the level of flexibility and complexity in the system and yet still getting it working.

Newcomer I

Re: IAM and why it's so hard to maintain in large organisations.

Gareth,

You hit the nail on the head; the biggest hurdle to IA is people by far. Too many environments see a fall in security because of ill-advised or purposefully ignorant leadership. There isn't enough emphasis by organizations on IA and, as a result, a failure of placing adequate controls in place and maintenance of those that already exist. A good example is the organization my dad works for. They had to shut down an entire building's network (about 2k endpoints) due to a malware infection about two weeks ago. They have a boundary firewall and upper-deck thought that was enough. So when a user pulled some malware down via a macro-enabled Word document in an email, there was nothing they could do but segregate the network and re-image every...single...workstation. There were multiple points of failure in this incident and they all stemmed from a lack of leadership buy-in.

Ryan
Have: CISSP, CASP, CCNA: Security, CCNA: Routing and Switching, ITIL Foundations, Palo Alto ACE7

Pursuing: CCNP: Routing and Switching
Newcomer II

Re: IAM and why it's so hard to maintain in large organisations.

It is a business relationship issue. If your business is able to define its capabilities and business processes you can then develop a security model that can be maintained. Most businesses can't describe their processes and what it takes to operate.

Most IAM systems end up with a mix of what they think is RBAC and then a pile of direct assignments. This amounts to a lack of rules and application of rules.

The key is to first understand actions, actors, relationships (including customers/personas), and the resources that are acted upon. (also remembering that processes and data are resources)

You are correct that it is not a technical issue at first. Although you can make a bad situation worse with IAM technology.

--SCMunk

Newcomer II

Re: IAM and why it's so hard to maintain in large organisations.

Okay, so here are a few points.

 

Larger organisations are more likely to have heterogeneous environments (particularly if they have grown by merger) and, especially, legacy systems. IAM solutions (process and technical) deal less well where you have to control numerous different scopes.

 

Movers & leavers. In a small organisation, you know about people leaving or changing roles. In larger organisations, it may take IT ages to find out (and HR may deliberately hide the fact that some people have left.)

 

Greater granularity. The more you split up your IAM roles, the harder it is to keep up to date. Larger organisations will (usually) have different privileged roles for different areas - a small company might have a few people who are admins for everything. 

 

Edge cases - the more complex your organisation, the more people you will have who don't fit in a nice neat IAM role. And will require exceptions.
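The two recurring themes in the replies above (SCMunk's "RBAC plus a pile of direct assignments" and the movers-and-leavers point in this post) can both be checked by reconciling the IAM snapshot against the HR feed and the role catalogue. The script below is an added example, not code from any poster; the role names, entitlement strings and HR records are constructed sample data.

```python
from dataclasses import dataclass

# Constructed role catalogue: role -> entitlements that role is meant to grant.
ROLES = {
    "finance-analyst": {"erp:read", "erp:report"},
    "sysadmin": {"ad:domain-admin", "vpn:full"},
    "helpdesk": {"ad:reset-password", "vpn:basic"},
}
# Constructed HR feed: user_id -> (employment status, current job role).
HR = {
    "u100": ("active", "finance-analyst"),
    "u101": ("left", "sysadmin"),    # leaver whose account was never disabled
    "u102": ("active", "helpdesk"),  # mover who still holds the old sysadmin role
}
@dataclass
class Account:
    user_id: str
    roles: set          # roles the IAM system has assigned
    entitlements: set   # effective grants actually present on the account

# Constructed IAM snapshot for the three users above.
ACCOUNTS = [
    Account("u100", {"finance-analyst"}, {"erp:read", "erp:report", "vpn:full"}),
    Account("u101", {"sysadmin"}, {"ad:domain-admin", "vpn:full"}),
    Account("u102", {"sysadmin", "helpdesk"},
            {"ad:domain-admin", "vpn:full", "ad:reset-password", "vpn:basic"}),
]

def leavers_with_accounts(accounts, hr):
    """Accounts whose owner HR marks as not active, or does not know at all."""
    return sorted(a.user_id for a in accounts if hr.get(a.user_id, ("unknown", None))[0] != "active")

def movers_with_stale_roles(accounts, hr):
    """Active users holding IAM roles beyond their current HR job role."""
    stale = {}
    for a in accounts:
        status, job = hr.get(a.user_id, ("unknown", None))
        extra = a.roles - {job}
        if status == "active" and extra:
            stale[a.user_id] = sorted(extra)
    return stale

def direct_assignments(accounts, roles):
    """Entitlements on an account that no assigned role explains (direct grants)."""
    direct = {}
    for a in accounts:
        explained = set().union(*(roles.get(r, set()) for r in a.roles))
        extra = a.entitlements - explained
        if extra:
            direct[a.user_id] = sorted(extra)
    return direct
```

Run on a real export, the three lists are the backlog that governance has to own: each leaver is an account to disable, each stale role a recertification, and each direct grant either a missing role definition or an exception to document.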