While identity to many is just a username and password or an authentication/authorization event, identity’s real enterprise value is as a foundational element for all types of security controls, said Ian Glazer, a research vice president on the identity team at Gartner.
Speaking Tuesday at the Catalyst Conference, Glazer detailed how identity aligns with other enterprise work, specifically in access risk assessment and information protection.
“As you add identity to these things you set yourself up to build meaningful policy to control things,” said Glazer.
He says the reality is that identity data, the characteristics about a user, provides contextual aspects for information protection: who is accessing what, from where, and with what kind of credential.
Identity is part of every single business transaction in the enterprise, said Glazer, and many corporate identity proponents are just waking up to the possibilities of building on top of identity infrastructure.
“We should not be thinking solely about automating access for people, that is not the goal,” said Glazer. “As identity pros we need to learn really fast how to have high-value conversations with security teams. We should look at access risk and information protection as the stories.”
He said current identity capabilities, including authentication, will eventually be side benefits, not the focal point of identity work.
“We say 'ID is important! ID is important!' But right now in the enterprise there is this maturation period. It’s down to show me a direct tie to things like information protection. That is stuff that happens on top of the identity foundation.”
Identity and security teams are not talking enough, Glazer says, with security leaving out identity and access management groups when the discussion turns to topics like information protection strategies.
"[They’ll say the snub] was quote, 'a security matter,' " Glazer said. "There is a misnomer that information protection is about confidentiality and that simply is not true."
Glazer says a lot of the identity pieces are here now, but are not hooked up well.
Needed advancements include building an "entitlement catalog" that at its most basic incorporates identity, and describe data and resources.
To go from a “basic” to a “better” catalog would include recognizing the sensitivity of the system being accessed; such as it houses data subject to regulatory requirements. To move up another access-risk-assessment notch would include data classification.
Entitlement catalogs can get quiet specific and sophisticated and can be used to craft provisioning policies, roles, certifications and self-service interfaces.
Glazer says an entitlement catalog helps business users and others understand what access they are approving and how the resource applies to the person requesting the access.
Some larger enterprises are at this stage, but their use is restricted to high value, high volume systems, he says.
“There are some things like authorization policies around entitlement catalogs but they are so advanced. We just need to start with the fundamentals,” he said.
Enterprise IAM pros should be talking with security teams about access related risk, but are struggling to do so because they can't always explain the value they can bring, and often can't provide a holistic view of the benefits.
“This is a maturity thing for the industry, it’s not a technology discussion,” said Glazer.