How standards-based identity policy management can streamline and improve security

Standards-based identity policy

Overseeing enterprise identities has become an increasingly daunting task. A vast array of legacy systems combined with sprawling multi-cloud environments make it extraordinarily difficult to apply policies uniformly, correctly, and consistently.

Yet the problem isn’t limited to IT complexity. There’s also significant security risk associated with running numerous identity and access management (IAM) systems. Frequently, CISOs must cope with a helter-skelter array of policy management and enforcement tools. While many of these applications work well on their own, they don’t necessarily play nicely together.

The result? Without a central way to address and manage policies across various systems, compliance violations, overprivileged access, underprivileged access, and unauthorized access become the norm rather than the exception. At the same time, IT and security teams may face obstacles associated with scaling and changing policies and ensuring they propagate correctly across systems.

The answer lies in a more sophisticated and open policy orchestration framework that standardizes identity management. By residing outside of any given system, but bridging all the systems in an enterprise, it’s possible to approach IAM in a more uniform and secure way. This framework also makes it easier to improve governance and boost resilience.

Mind the gaps

It isn’t unusual for discussions about enterprise policies and authorizations to devolve into fiery debates about which approach works best: role-based, policy-based, attribute-based, or some other method.

Each approach has its advantages and disadvantages. Regardless of the specific approach, it’s extremely difficult to accurately translate all identity and policy protocols across various legacy systems and cloud environments. Even widely adopted standards such as SAML and OIDC aren’t equipped for this task. They’re excellent for handling authentication, but they don’t address policy management.

This has resulted in a governance framework that can teeter on the edge of chaos. Poor interoperability across a variety of policy formats and access systems creates security gaps. The problem is magnified because most businesses aren’t dealing only with the Big Three cloud providers (Amazon Web Services, Google, and Microsoft). Numerous secondary and tertiary cloud vendors are part of the IT ecosystem. Connecting all the dots costs money and takes time.

What’s more, because policies are constantly changing, every change can introduce misconfigurations and outright errors across a vast collection of hybrid- and multi-cloud systems. As businesses update and populate policies at scale, the work can get out of sync very quickly. Ultimately, many CISOs lack full visibility into their access systems. There’s simply no way to know whether the enterprise manages and controls policies at a highly granular and secure level.

Closing gaps, eliminating glitches, and taming workarounds are vital. Yet, the way most organizations manage identities and oversee policy controls today has become unsustainable. Instead, it’s wise to consider adopting a framework that abstracts identity and policy data from specific systems and offers an automated way to apply rules and policy controls. By removing manual tasks, it’s also possible to stamp out errors associated with settings and software coding.

This approach, which embraces identity policy interoperability, can transform organizations. Suddenly, developers, security teams, and IT system administrators can focus on what they do best, without having to check whether policy enforcement is consistent across the technology stack. These groups no longer burn time and money addressing policy inconsistencies.

A sense of security

An open industry framework that relies on Identity Query Language (IDQL) establishes a single, manageable standards-based approach for policy orchestration. Enterprises that adopt this approach can enforce policies across otherwise incompatible identity systems. They’re fully equipped to construct a policy management framework that’s designed for the modern enterprise.

This level of identity interoperability delivers clear and measurable benefits. Beyond reining in nagging problems such as compliance violations and excessive access rights and privileges, enterprises boost flexibility and resilience in other ways. For instance, it’s possible to deploy the same set of policies on two different identity systems so that users can continue to access apps if one system goes down.

Other gains also accrue. With policy data residing on two or more identity systems, a company can take advantage of different features and advanced capabilities that one or the other system may offer or lack. This includes various legacy on-premises identity provider (IDP) stores, cloud-based IDPs, and complex multi-vendor environments.
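To make the orchestration idea concrete, the following Python sketch is an added illustration and not code from the article, from Strata Identity, or from the IDQL specification. It models a vendor-neutral policy, translates it into two hypothetical identity systems' native formats ("System A" and "System B", both invented here along with their field names), deploys the same policies to both for redundancy, and then reads each system back to report drift: grants that exist on a system but were never intended (over-privilege) and intended grants that are missing (broken access). The IDQL schema itself is not reproduced; the neutral model here is a constructed stand-in.

```python
"""Constructed policy-orchestration example: one neutral policy, two target systems,
plus a drift check. Not IDQL/Hexa code; System A and System B formats are hypothetical."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Policy:
    """Vendor-neutral policy: which subjects may perform which actions on a resource."""
    name: str
    subjects: frozenset
    actions: frozenset
    resource: str


# --- Translators: neutral model -> each system's native (hypothetical) format ---

def to_system_a(p: Policy) -> dict:
    """Hypothetical System A stores one allow document per policy."""
    return {"id": p.name, "effect": "allow", "principals": sorted(p.subjects),
            "operations": sorted(p.actions), "target": p.resource}


def to_system_b(p: Policy) -> List[dict]:
    """Hypothetical System B only accepts one flat rule per (subject, action) pair."""
    return [{"rule": p.name, "who": s, "what": a, "on": p.resource}
            for s in sorted(p.subjects) for a in sorted(p.actions)]


# --- Normalisers: read each system back into effective (subject, action, resource) grants ---

def from_system_a(doc: dict) -> Policy:
    return Policy(doc["id"], frozenset(doc["principals"]),
                  frozenset(doc["operations"]), doc["target"])


def grants(p: Policy) -> Set[Tuple[str, str, str]]:
    """Expand a policy into the concrete grants it confers."""
    return {(s, a, p.resource) for s in p.subjects for a in p.actions}


def grants_from_a(docs: List[dict]) -> Set[Tuple[str, str, str]]:
    return set().union(*(grants(from_system_a(d)) for d in docs))


def grants_from_b(rules: List[dict]) -> Set[Tuple[str, str, str]]:
    # Compare at grant level rather than rebuilding Policy objects, so a single
    # hand-added (who, what) rule is not hidden inside a subjects x actions product.
    return {(r["who"], r["what"], r["on"]) for r in rules}


def deploy(intended: List[Policy]):
    """Push the same neutral policies to both systems; returns the two stores."""
    store_a = [to_system_a(p) for p in intended]
    store_b = [r for p in intended for r in to_system_b(p)]
    return store_a, store_b


def drift(intended: List[Policy], store_a: List[dict], store_b: List[dict]) -> Dict[str, dict]:
    """Report, per system, grants that are extra (over-privilege) or missing (broken access)."""
    want = set().union(*(grants(p) for p in intended))
    report = {}
    for name, have in (("system_a", grants_from_a(store_a)),
                       ("system_b", grants_from_b(store_b))):
        report[name] = {"extra": sorted(have - want), "missing": sorted(want - have)}
    return report


# Constructed sample policies (names, groups and resources are invented for the example).
INTENDED = [
    Policy("payroll-readers", frozenset({"group:finance"}), frozenset({"read"}), "app:payroll"),
    Policy("payroll-admins", frozenset({"group:hr-admins"}), frozenset({"read", "write"}), "app:payroll"),
]


def demo() -> Dict[str, dict]:
    """Deploy, then simulate an out-of-band edit made directly in System B's console."""
    store_a, store_b = deploy(INTENDED)
    store_b.append({"rule": "payroll-readers", "who": "user:contractor7",
                    "what": "write", "on": "app:payroll"})
    return drift(INTENDED, store_a, store_b)


if __name__ == "__main__":
    for system, finding in demo().items():
        print(system, finding)
```

Immediately after `deploy()`, both systems hold identical effective grants, which is what lets one keep serving access if the other is unavailable. The drift check is the visibility piece the article calls for: the contractor grant added directly in System B shows up as `extra` for that system only, while System A reports nothing, so the report points straight at the system that diverged from the orchestrated policy.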

As companies come to grips with the steep challenges of managing policies, including finding personnel who can handle complex identity and policy management tasks, a standards-based identity policy management architecture offers a viable and practical solution. It’s a way to modernize policy management while streamlining and improving security.

Gerry Gebel, head of standards, Strata Identity

Gerry Gebel

Gerry is a recognized leader in the identity management space. His accomplished career spans over two decades in which he has been instrumental in providing requirements definition, architecture development, and strategic planning for identity management projects with Fortune 500 corporations. In his current role as Head of Standards for Strata Identity, Gerry promotes standards-based approaches for addressing the challenges of managing distributed multi-cloud and hybrid cloud/on-premises identity systems.

Prior to joining Strata, Gerry managed business development for Axiomatics, a global provider of access control solutions. Previously, he was Vice President & Service Director with identity-focused research firm Burton Group for nearly 10 years, covering authentication, biometrics, federated identity, PKI architecture, identity management, authorization, user provisioning, privacy, directory services, and security architecture. He authored research reports on identity standards such as SAML, WS-Federation, XACML, and Liberty Alliance.
