I’ve been to dozens of conferences over the past decade, but this year’s Gartner IAM Summit was perhaps the most interesting and educational event I’ve been to. One of the things that makes the IAM Summit so great every year is its intense focus on a single subject: Identity & Access Management. While there are certainly many subtopics that make up the IAM arena like single sign-on, authentication, privileged account management (PIM), governance, and more, everything at the IAM Summit is geared towards enriching an organization’s identity program and educating identity professionals on all the pieces they need to know about or should be considering to do things right.
Some of the key takeaways for me were the following:
- User Behavior Analysis (UBA) – I sat in on a great session about identity and security intelligence where Gartner analyst Oliver Rochford laid some knowledge down on the crowd about how to take their investment in SIEM (Security Information and Event Management) to the next level by adding identity and UBA data to the SIEM mix. I’m paraphrasing, but one comment made was “sure, you’d expect employees to be accessing sensitive data as part of their daily routine. If they have proper access and it’s part of their responsibilities, they should. But what if one of those employees is leaving the company in a couple weeks? Is it alright then?” Without knowing who’s who, what each identity is doing in the environment, and whether or not it’s ok to be doing so, your SIEM is never going to flag that type of scenario as an offense. Back to straight UBA though, Oliver made sure to note that UBA is a complement to SIEM, not a replacement. UBA from his perspective is taking the place of what SIEM has traditionally done poorly, by adding context where it was previously unavailable or too difficult to obtain. The combination of SIEM, UBA, and Identity data will help to drastically improve any organization’s ability to address those insider threats that continue to elude even the most secure environments. SIEM’s great at detecting the external threats and if you can help it to better address the internal threats, you’ll really be cooking with fire.
- IAM is often being implemented in reverse – One of the first sessions I attended was about how to successfully select an IAM vendor. As a precursor to how to actually do so, Gartner Analyst Felix Gaehtgens explained the “foundation prerequisites” of any IAM program, starting with a vision, then a road map, and finally business cases. Felix talked about why many organizations fail to successfully implement an IAM program because they’re essentially doing it backwards. In essence, they jump directly into production mode thinking that the product they’ve selected and the people behind it are what makes it successful, and neglect to consider what he labeled as the “principles, policies, practices, and processes” that need to be well thought out and addressed before a vendor is even selected. I immediately thought about how easy it is to approach so many things in life in the same, backwards fashion. It’s like buying that new sectional sofa from Pottery Barn and forgetting or neglecting to determine whether or not it’s going to fit in your undersized apartment, if you’ve got the tools to assemble it properly, or if it’s even going to be practical considering you don’t even have a mattress to sleep on. Felix and his co-presenter, Neil Wynne, urged planning and pragmatism to be in the forefront of the identity professional’s mind, providing recommendations like front-loading the easy parts first (not the hardest) and putting a plan in place to provide and prove value every 3-6 months so they can be the hero, not the zero for their organizations.
- Patching is still a problem – This one struck a chord with me. Not because I think patching isn’t a problem…it definitely is. The thing that got me is why patching is still a problem – at least for some. What I learned is that many organizations have apparently been getting lackadaisical with their patching efforts, thinking their vulnerability monitoring programs and solutions will suffice or even replace patching altogether. I wouldn’t have believed it if I hadn’t heard it with my own ears. Deliberately refusing to patch your systems and applications is like punching holes through your walls and thinking squirrels aren’t going to invade your house because the doors and windows are closed. Patching is part of the healthy breakfast that is Information Security. Without it, your organization is a sinking ship.
My final thought on the 2014 Gartner IAM Summit is that I’m definitely seeing a major uptick in the number of organizations that are finally recognizing the unstructured data problem as one they need to address and include in their IAM strategies in the immediate future. I spoke with dozens of companies in the STEALTHbits booth that are ready to begin tackling their File Shares and SharePoint sites as critical data repositories, not just that “other stuff” that exists outside of applications and databases. This is good news because this is where the bad guys are focusing their efforts.