A Call to Arms - The Future of IAM
Ten years ago, CISOs saw a need to improve information security but couldn’t get it funded. They figured out they could automate access administration and make the organization more efficient all around. This was “provisioning.” We’ll call it IAM 1.0. It isn’t perfect but it works. The cost/benefits don’t scale down to the SMB market, but Software as a Service (SaaS) as a service delivery mechanism is starting to solve that.
Five years ago, under a crushing surge of regulatory requirements to review access (and, oh, by the way, the desire to have some idea of what you were actually reviewing), Identity and Access Governance (IAG) expanded to include roles (if you hadn't already implemented roles to streamline provisioning) and re-certification/attestation. At the time (and not surprisingly) the IAG-only vendors were dissing provisioning as a waste of time. Oddly, they’re all selling provisioning solutions now. Truth is, provisioning was necessary, though not sufficient, to address organizations’ emerging regulatory requirements. So the IAM market changed once again. We’ll call this IAM 2.0.
Fast forward to the present. Check out the Verizon data breach report for 2012. Data breaches have gone up exponentially over the last three years, but companies are finding out about their own breaches through IAG (access reviews) less than one percent of the time. Less than one percent! Companies spend millions of dollars doing access reviews (which they are legally bound to do, while at the mercy of auditors who can influence their share prices) and they still catch less than one percent of the breaches!
The game has changed again, folks. It's no longer the disgruntled employee stealing proprietary information you have to worry about. These breaches are well-funded, extremely sophisticated industrial espionage. Regardless, IAM is not dead. The idea of securing the enterprise is dead. CISOs are coming to the realization that bad guys are not only going to get in – they’re already in, and lying in wait.
Do you know about the largest non-nuclear explosion in human history that happened in 1982? What about Russia's 2008 cyber attack on Georgia that started weeks before the conventional invasion, Stuxnet in 2010 and the RSA breach in 2011? The pace is quickening.
Earlier this year, the US Department of Homeland Security announced that "Hackers had successfully penetrated the networks of several natural gas pipeline operators." This went undetected for months... Did you read about the largest non-nuclear event?
Forward thinking folks like John Sanio, Director, Security Architecture, Canadian Division IS Risk Management at Manulife Financial, are moving ahead with "proactive attestation” because it's ridiculous to wait 3-12 months just to start looking for bad stuff that you know is already there. And there's so much more to do in real time. Provisioning and attestations aren’t going away, but the attack vectors have changed and so have the stakes. We, as an industry, need to up our game dramatically.
Welcome to the third wave. This one is really important – it’s a national security issue. We better get it right.