Why Is Identity & Access Management Hard?

By Katherine Teitler

“Identity and access management is the most fun and fulfilling part of my job,” are words unlikely to be spoken by many security practitioners. At the same time, in this day and age of endless apps and accounts, disciplined identity management is a critical security control.

As evidenced by the many high-profile breaches enabled by the pilfering of legitimate user credentials, organizations need to take identity seriously, placing it higher up on the prioritization list despite its lack of technological intrigue or challenge.

Still, as the breaches continue and the list of other security to-dos grows larger, security teams let identity and access management slip, says Jonathan Sander, VP of Product Strategy at Lieberman Software. The truth is, identity should be one of the easier tasks to manage, but even with current capabilities, identity management suffers…until stale user credentials cause a disaster and the board starts asking how in the world a latent administrative account’s credentials could have been used by an attacker to access and leak the entire customer database.

One of the issues with identity, said Sander during a recent interview with Infosec Insider, is that identity is a constantly evolving process. The way we’ve managed our businesses over the years has changed, from single platform to hybrid systems including off-premises SaaS and cloud, causing different “waves of identity” that require continual upkeep. “We’re never going to be done with identity,” warned Sander; managing the “joining, moving, leaving” accounts should be the easy part, accomplished with automation or federation. Yet organizations continue to falter.

Where does Sander feel identity is headed? “A lot of places it has already been,” he says.

In this full interview with Infosec Insider, Sander shares three things that will improve identity: an application-focused mentality, identity portability, and a growing “realistic view about identity,” driven oftentimes by the attacker community itself.

To learn how your organization can test for security vulnerabilities like weak identity management, attend InfoSec World 2017 in Orlando from April 3-5, where Raef Meeuwisse will help you answer the question, "Do You Have a Mega Breach Brewing?"
