As a senior architect, sales engineer, and consultant out in the field working closely with senior IT security leaders and CISOs, I sometimes run into questions surrounding the Vormetric product line related to identity management. Having implemented identity management solutions for Fortune 500 companies around the world for a number of years, I truly appreciate when these questions arise, as it demonstrates some understanding that "Data Security" and "Identity Management" are essential first cousins in IT Security.
Click to Tweet: The link between #DataSecurity and #IdentityManagement @ChrisEOlive bit.ly/29HQUUO pic.twitter.com/e8mVsHQi8h
How are they first cousins within IT Security and why are they both so essential, vital and important, you ask? At some point here, I’ll throw out at least a one-line history statement that illustrates how and why they are related so we can subsequently understand their vitality and importance within enterprises in today’s world.
Data Security & Identity Management Go Hand In Hand
But first, when you think about it, at base and stripped all the way down, digital information is about digitized data on a storage medium of some sort. That’s it. Whether it’s raw data or data that is executed (ie. a program, a script, etc.), to the storage device and the operating system that manages both, it’s all just “data.” The data itself then is at the heart of what every computing system is about. And data security is all about securing that data wherever it lives for the enterprise.
Why does an "Encrypt Everything" policy, linked directly to Identity Management, make real sense? Read the report from IANS Dave Shackelford about "Encryption as an Enterprise Strategy" here.
Digitized data just sitting on a storage device however is meaningless. Access to that data and a frame of reference – “this data is a ‘program,’ this data is ‘system data,’ this data is ‘user data,’” etc. – is what gives data meaning and life. [1] For someone who sells and/or implements in either the Data Security or Identity Management space, it can be very easy to don horse blinders and insist to customers that their solution is the essential piece:
“No! It’s all about protecting the data and having data protect itself!”
“Au contraire! It’s all about identities and governing access to the data!”
Actually, Data Security and Identity Management are symbiotic and synergistically linked – chicken and egg, needle and thread, wall and head (for all us cybersecurity professionals, I had to throw that one in there!), Batman and Robin, Oscar and Felix, Wallace and Gromit. (You get the picture… :-)) Ya gotta have both. Both are right and either by themselves aren’t the entire answer or solution to the problem of securing data. Data without access is dead. But access governance that doesn’t drive protection and controls all the way down to the data level is insufficient. Both are needed, necessary and essential and must be combined together to provide an effective and efficient solution to data security and identity and access management and governance. They go hand in hand.
“In terms of implementation…, [Identity Management and Data Security] should be implemented top down and bottom up, and somewhat simultaneously, designed to meet in the middle.”
The Birth of Identity Management, Data Security, Breaches and the Cloud
As someone who has worked extensively in the Identity Management space, I can tell you that Identity Management itself is not easy exactly because it’s so across-the-board essential to proper and secured technology enablement. To really drive home the incredible breadth and involvement of Identity Management would involve more explanation than we have time for here.
But if I had to provide a one-line statement as to how and why we arrived at today’s computing landscape it would be this:
We've taken systems that once operated, and were essentially architected (really important to note!), as separate systems and entities, then interconnected them initially through private networks and subsequently (and publicly) via the internet.
This one fact alone is the primary driving force behind breaches, the complexity behind IT Security and operational complexity, as well as the move to simplify and reduce operational risk and time to market through virtualization, consolidation (mainly through the cloud), abstraction and containerization.
This one fact is also how Identity Management and Data Security as disciplines are here today. For Identity Management, the core problem that results is sheer breadth and intricacy of the task of managing users and identities across enterprise computing landscapes due to the numbers and types of systems we’ve interconnected. For present day Data Security, its bane is that at that per system-level, its basic implementation is a flawed philosophical, archaical and architectural misfit for interconnected systems. Both together have given birth over time to Active Directory, LDAP, virtual directories, access control lists, encryption, abstraction layers, malware prevention, SIEM, the cloud and a myriad of other technologies that flood the marketplace today to address the gaps these one-time standalone but now interconnected systems have created.
Data Security, Identity Management and “The 3 Gs”
If we were to try and break down all this complexity however and (over?!) simplify things, we could say in order to adequately address our need to protect data, it would come down to three essential elements. And surprisingly we’ll see that based on these three essential elements, no matter which way we approach them – top down or bottom up – they describe both the function and the hand-in-hand relationship Data Security and Identity Management have with one another.
For this article, we’ll describe them top down, through in terms of implementation within the enterprise, they should be implemented top down and bottom up, and somewhat simultaneously (for reasons I will outline in another article), designed to meet in the middle. I’ll go ahead and provide one clue here and that is the need to implement them in unison is driven mainly by the complexity and therefore the usually slower pace of implementation from the Identity Management perspective (set in contrast to the rate of raw data proliferation within the enterprise – that’s a tension a lot of enterprises are presently feeling).
But if we discuss these three essential elements solely from a top down perspective, we will conceptualize with things first from an Identity Management perspective and then from a Data Security perspective, some this concluding in a subsequent article. So, access first, then data security and protection last.
So here they are, these essential elements that I call “The 3 Gs”.
To truly get our arms around access in the enterprise, we have to know what and where that access is in the enterprise. That alone is not an easy task, but let’s not get into the complexity around that task here (ie. access to servers on-prem; in the cloud; shadow IT contained in various XaaS's; remote offices; shared hosting; application-level only access; agent, vendor and customer access; etc. – see what I mean?!) and simply state that the task must be done. This is what I call Gathering. We have to Gather that access from all of our essential systems no matter where they sit. [2] So the first “G” is Gather.
Once we’ve gathered that access then we have to provide meaning and context to the information about access that we’ve gathered. The meaning and context we want to provide is generally termed Governance because now that we know what access we have within the enterprise, we intend to do something with that information about access to that access based on business constraints. We want to make determinations about that access, whether that access is proper and right, whether that access needs to be revoked, whether and how it needs to be granted, reviewed and approved when requested, how it would be requested, what can be requested (in terms of a request catalog), what needs to be granted to provide just the right access, additional metadata around that access in the form of establishing roles and entitlements, governing those roles and entitlements, etc.
The list around Governance is long and it’s a big, big job. And in Identity Management, the jobs of both Gathering & Governing are never done. That’s why enterprises must have Identity Management systems in place that provide coverage to all essential systems, whether on-prem or in the cloud, and establish business rules around that access based on policies, roles and entitlements, establishment of a request catalog, how and when access can be requested and granted, etc. Read the [3] footnote for some context as to why the job of Identity Management is never done if you are interested in just a little more here. But the second “G” is Govern.
So Gathering and Governing of access is Identity Management’s job. And often in enterprises, that exercise is carried out based on now established “identity management wisdom” such that enterprises can often lose sight of why they’re going through this incredibly painful and somewhat expensive exercise to begin with: to guard the data! Remember what the heart of all systems is – it’s the data! That’s what it’s all about. And if we simply “govern access” and we don’t drive that governance all the way down to the data layer, then we haven’t completed the job.
I will tell you that (1) this isn’t easy to do within Identity Management and (2) that it drove me and my teams nuts that we pretty much couldn’t implement data security to the level we often really wanted to (not to mention just completing the first two “G”s – gathering and governing are and were more than a full time job!). Driving protection and controls based on access down to the unstructured data-level was really hard – almost impossible to do without a lot of work. [4] Most Identity Management systems are graded on how well they gather and govern access both in function and in ease of implementation and on-going operation. [5] There are a lot of use cases to cover just between those two functions.
Data Security and Identity Management are symbiotic and synergistically linked.
That last mile of actually protecting the data itself however is where Data Security picks up. And I’ve already given you a clue above – we want data to be Guarded. This is the third and last “G” in “The 3 Gs.” And you should definitely know: an enterprise can do an excellent job of gathering intelligence around access and governing that access. But in the event of a breach, access governance (IAG), privileged access management (PAM), and a host of other related technologies begin to fall on their faces a little bit (or in some cases, a good bit) if the data itself isn’t and hasn’t been guarded.
Yet for those with day-to-day business need to know (BNTK), granted, governed and secured access – Identity Management functions – is still absolutely essential, even to guarded data. BNTK only makes sense when we combine data that only those individuals should have with their permitted (and everyone else’s denied!) access. Hence the reason why Data Security and Identity Management are essential first cousins in IT Security. Again, and hopefully you will by now agree, they go hand in hand.
Guarding Data Just as Essential As Governing Access
So now we know about “The 3 Gs”: Gather, Govern and Guard.
The job of Identity Management is to address and solve the first two “G”s, Gather and Govern, and to do that on a continual basis, because businesses are continually undergoing change. (That’s why one essential part of the Governance function within Identity Management is called “Lifecycle Management” – businesses are constantly moving and changing, sometimes hourly, with regard to access across the enterprise – again, check out the [3] footnote for more on this.)
The last “G”, Guard, is handled by Data Security. At this point in today’s world, one of the best ways to protect data or have data protect itself is to implement strong access controls directly around that data – our relationship to Identity Management, which will dynamically govern that access – with one of those controls being encryption of that data using industrial strength, standards-based encryption (and then coupled with strong key management that has limited access and strong separation of duties – we keep running across that symbiont relationship to Identity Management, right?!)
Stay tuned for my next article, where I reveal why on a per system-level, present day, out-of-the box (OOTB) controls are a philosophical, archaeal and architectural misfit for interconnected systems within large enterprises with a large number of actors against data, and why data security – the last “G”, Guarding – is absolutely essential to finishing the job of protecting data and not just access governance alone.
“The data itself then is at the heart of what every computing system is about.”
I’ll also discuss why data security from the bottom up needs to be implemented in parallel with top down Identity Management and continually tied into Identity Management in order to be operationally effective and yet strong and secure within the enterprise.
And finally I’ll speak a little bit about how the Vormetric product line, and in particular our Transparent Encryption solution with industry standard AES-256 encryption and policy based access to data that supercedes antiquated and architecturally insufficient OOTB data controls, ties transparently and seamlessly into almost any Identity Management solution. So you can understand how our platform approach can couple with and leverage your existing Identity Management solution to help you finish the job and not just “govern access” as some hamster wheel exercise, but to drive that governance, dynamically, all the way down to the actual data, wherever it may exist for your enterprise.
As always you can leave comments below or engage with me online via Twitter @ChrisEOlive.
Chris Olive is a seasoned, impassioned and intuitive cybersecurity professional with over 25 years in the field of IT Security. Chris has extensive experience and domain expertise in application security, penetration testing and ethical hacking, identity management and data security working domestically through major consultancies for the Fortune 500 as well as internationally. Chris is currently a Senior Sales Engineer for Vormetric, a Thales company -- the world-wide leader in data security, hardware and software encryption.
Footnotes
[1] This is also, at base, the function of operating systems, to provide meaning and context as well as a human interface to data. And operating systems with their closely coupled file systems are the usual base means for providing access to data, although not strictly so as virtual access methods also exist tied to layers built on top of the operating system such as applications; databases; directories; groups, roles and entitlements within those directories; etc.
[2] Another part of the complexity of Identity Management? Determining what “all of our essential systems” means, both in terms of risk, operational efficiency, what constitutes “essential,” etc. Not to mention knowing about and connecting to all of these systems in the first place – knowledge and topography, essentiality, and connectivity.
[3] To give you an example of the complexity and pace of change just around maintaining basic access in a large enterprise… I was privileged in the early 2000’s with designing and developing (from scratch!) one of the first large-scale Identity Management systems for GE Aircraft Engines (now GE Aviation). GEAE had at that time over 50,000 active employees on six continents in their AD and Exchange address book. If you opened the GEAE address book in Exchange then, the distribution of names would look about the same as that of a mid-sized American or UK town of 50,000 people – a lot of Smithes and Joneses, one or two Olives, some Olivers, some Hansens, Goldbergs, and Stewarts, etc. And the frequency with which these identities came into, moved around and left this “city” of GEAE was about the same. On any given week, several dozens of individuals could be coming into, leaving or changing roles in the organization. Even if we just considered what are called “birthright systems” that provide basic access in an organization (which is all that we automated at that time), manual fulfillment of that many changes by hands-on administrators, as was taking place previously, was time and cost prohibitive. That was the rate of change in a decent sized organization in 2001. None of this addresses or addressed the full gamut of Identity Governance one would need to have in organizations today; that was just basic provisioning and deprovisioning of basic access for active employees. Today’s problem of identity management and identity governance is literally magnified one hundred fold.
[4] This is exactly why at least one leading/bleeding edge Identity Management company, SailPoint, recently purchased WhiteBox Security and turned it into a co-offering product, now called SecurityIQ, to run in conjunction with their identity management offering, IdentityIQ. They did it because they understand that gathering access and providing governance around that access is really and essentially about actually protecting your data. Without actually protecting the data itself, the job falls short.
[5] (a) Can it address my identity management use cases? (b) How easy is it to implement my use cases (which can lead to a very desired and much needed speed of accurate implementation)? And (c) how flexible is the solution to meet anticipated and even unknown use cases in the future and still perform with operational efficiency and accuracy, given the disruptive changes in IT? All of these as a seamless solution anywhere I have data and access for the enterprise. Notice also I never say “in the enterprise” but “for the enterprise” – because your perimeter is no longer determined by your network but by where your data lives, any place that it lives and governing your organization’s access to it. That is your new “perimeter,” and precisely why both Data Security and Identity Management are the definitive IT Security cornerstones for the foreseeable future.