We are currently looking to build out an Identity Management team in the CISO org covering IGA, IAM and PAM. IGA is a net new function within our company; however, IAM and PAM currently sit within the IT Operations group. For those that have gone through this type of transition before, I would appreciate insights into the following:
- What industry are you in?
- What challenges did you face, and how did you overcome them?
- Did you transition existing staff from the IAM and PAM teams over to the CISO?
- Did IAM fully move over, or was there a hybrid approach where human accounts were managed by the Identity team and service accounts / technical accounts continued to be managed by IT Operations or another group?

671 views, 3 comments
VP of Information Security in Retail, 5 months ago
There is no doubt in my mind that a strong partnership with two functions in a company or enterprise is needed: the first is the HR department and the second is the Infrastructure/IT Ops department.

This is driven from two areas of consideration:
 
HR Master: The Identity “engine” (IDAM/IGA) works best when it is sufficiently plugged into the HR Master, which for most organisations is the critical application where joiners, movers and leavers come through. It is important to have a strong relationship with the HR department, which is a great opportunity for the Cyber and Identity function.
Directory Services: The downstream directory services plug into the Identity engine, mostly because some fine-grained security permissions are so tightly bound into the operating system that they have for many years sat within their most technical domain: infrastructure teams. For the foreseeable future it appears this will continue, for example with the teams that manage Microsoft Azure Active Directory or on-premises Active Directory.

I work predominantly in the retail type space, for large national or multi-national organisations, and I can say that where you have the support to centralise the Identity function, you should endeavour to pull together any and all staff that are responsible for:

Planning and delivering business applications into an Identity Fabric.
Break/fix provisioning or de-provisioning issues to business applications.
Responding to identity issues such as changes of access, disabling of accounts or users often in emergency situations.
Developing integrations to HR or Directory Services systems.
Creating User or System Attestation processes within IGA.
Reporting on orphan accounts, service accounts, privileged user access etc.

Where it has worked well is when identity projects and teams have been as centralised as they possibly can be, with strong engagement and demarcation points between the teams responsible for the HR System and for Directory Services. This included moving the staff responsible for user-lifecycle management processes and access issues into the same team, as much as is possible. We had manual access request changes managed through the service desk via an Identity Support Engineer, whilst at the same time using Identity Architects and Identity Engineers to build automation processes.

I would say that, given access control issues are such a reportable area for CISOs, often feature in board reports at Audit Risk Committee level, and are an accountability for most CISOs, IAM, IGA and PAM should all sit within the CISO practice. Things such as service accounts can continue to be managed by Infrastructure; however, it is important for Identity teams to manage high-risk outliers, so they should continue to drive remediation advice, such as for service accounts which are overly shared and used, haven’t had their password rotated in years, etc. This happens more often than you’d like, and the fear of disruption of services if these service accounts are changed needs to be worked through and communicated through change management.

Where it has not worked well is when this is loosely defined: Infrastructure competes for funding and resources, attempting to be duplicative or competitive (or worse, protective) of the identity space. It is unfortunate that some Infrastructure or IT Operations teams feel that an Identity function is “taking over their patch”, particularly if they are wedded strongly to a particular operating system vendor. You’ll need to work hard to convey a culture and value of close collaboration, to wear down these potential walls. To overcome this, what has worked for me in the past is being very clear about accountabilities; once this is fully determined and supported by the Executives, I have found other teams to be very supportive. In hybrid arrangements, if too much of the responsibilities and duties sit outside the Identity team, you can have a blurry sense of ownership and accountability; the net result is that the poor identity and access hygiene practices of yesteryear simply continue… until, of course, an incident occurs.

I would also say that alongside the determination of where resources sit is something possibly even more important: your leadership team (i.e. the CIO) needs to be fully supportive of the Identity Roadmap. Where things have not worked well for me is when the CIO does not understand the value of identity and does not adequately support the funding of long-term investment in IAM, PAM or IGA solutions. This can seriously restrict the human resources available to the Identity team and restrict your tooling options. Identity is now commonly becoming such a core part of an information security or cyber strategy that, provided you are clear that you have a plan or sub-strategy around Identity, it should be easier to rally your executive leadership to support the funding. Core to this plan is ensuring that both Productivity and Security feature as benefits of your Identity strategy or roadmap. A strong plan can give your management confidence that Identity should, as much as possible, sit as its own function rather than as a hybrid.

Identity is so important that my summary recommendation is this: the more this can be collected into an Identity team, the better, to make meaningful change that protects your organisation.
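The reporting the commenter lists for the Identity team (orphan accounts, service accounts whose passwords have not been rotated in years, overshared service accounts, privileged outliers) reduces to a small review over a directory export joined with the HR master. The block below is an added example written for this page, not code from the commenter or from any IGA or directory product; the account schema, the field names, the thresholds and the sample accounts are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed reference point so the sample data is stable; a real run would use datetime.now(timezone.utc).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Account:
    """One row of an assumed export (directory attributes joined with HR and IGA ownership data)."""
    name: str
    kind: str                       # "human" or "service"
    enabled: bool
    pwd_last_set: datetime
    last_logon: Optional[datetime]  # None = never seen authenticating
    hr_active: bool                 # HR master still has an active record for the person / owner
    owner: Optional[str]            # accountable owner recorded in IGA (matters for service accounts)
    privileged: bool                # member of a privileged group (e.g. a domain admin group)
    hosts_seen: int                 # distinct hosts the account authenticated from in the window


def days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)


# Constructed sample export: a mix of healthy and unhealthy accounts (assumption, not real data).
ACCOUNTS = [
    Account("jsmith",      "human",   True,  days_ago(30),   days_ago(1),   True,  None,         False, 1),
    Account("lbrown",      "human",   True,  days_ago(200),  days_ago(95),  False, None,         False, 1),  # leaver, still enabled
    Account("svc_backup",  "service", True,  days_ago(1400), days_ago(1),   True,  "infra-team", True,  1),  # privileged, never rotated
    Account("svc_reports", "service", True,  days_ago(40),   days_ago(2),   True,  None,         False, 9),  # no owner, overshared
    Account("svc_legacy",  "service", True,  days_ago(800),  None,          True,  "app-x",      False, 0),  # dormant, stale
    Account("old_admin",   "human",   False, days_ago(900),  days_ago(700), False, None,         True,  1),  # disabled: skipped
]


def review(accounts, max_pwd_age_days=365, dormant_days=90, max_hosts=3):
    """Return {account_name: [finding, ...]} for enabled accounts that need remediation.

    Disabled accounts are skipped: they are not an active exposure. Thresholds are assumptions
    a real team would set from policy (password age, dormancy window, acceptable sharing)."""
    findings = {}
    for a in accounts:
        if not a.enabled:
            continue
        issues = []
        if a.kind == "human" and not a.hr_active:
            issues.append("orphan: no active HR record (leaver not deprovisioned)")
        if a.kind == "service" and a.owner is None:
            issues.append("orphan: service account has no accountable owner")
        pwd_age = (NOW - a.pwd_last_set).days
        if pwd_age > max_pwd_age_days:
            issues.append(f"stale password: last set {pwd_age} days ago")
        if a.last_logon is None or (NOW - a.last_logon).days > dormant_days:
            issues.append("dormant: no logon within the review window")
        if a.kind == "service" and a.hosts_seen > max_hosts:
            issues.append(f"overshared: used from {a.hosts_seen} hosts")
        if a.privileged and issues:
            # A privileged account with any finding is the high-risk outlier to remediate first.
            issues.insert(0, "PRIVILEGED: remediate first")
        if issues:
            findings[a.name] = issues
    return findings


def remediation_order(findings):
    """Privileged accounts first, then by number of findings, then by name for a stable report."""
    return sorted(
        findings,
        key=lambda n: (not findings[n][0].startswith("PRIVILEGED"), -len(findings[n]), n),
    )


if __name__ == "__main__":
    result = review(ACCOUNTS)
    for name in remediation_order(result):
        print(name)
        for issue in result[name]:
            print("   -", issue)
```

The point of the ordering is the one the comment makes: the Identity team does not need to own every service account to own the outliers, and the report should put a privileged account with an unrotated password ahead of a dormant, unprivileged one so the change-management conversation starts where the risk is.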
VP of IT in Manufacturing, 5 months ago
Experiences from a global manufacturing company.
We established our centralized IAM function as part of the security team about 5 years back. They are responsible for all the IAM processes and all types of accounts, from human and external to technical accounts and certificates. They handle everything from manual requests to the underlying technology, including AD, AAD/Entra ID, PAM, IGA, Azure PIM and various application directories.

We consolidated current employees from different teams and added additional capacity and skills over the years.
Clear interfaces towards Infrastructure teams, Application teams and HR are critical.
I recommend using the Gartner IT Score for IAM to align on the maturity and identify gaps.
We see identity as one of the most important elements in securing the company, and continue to harvest the benefit of having IAM as part of the security organization because of clear priorities and focus.
CISO, 5 months ago
I've led both the security team and the IT team recently at a healthcare startup. There needs to be a strong partnership between these two teams and a good integration (technically and non-technically) with HR, since that is "upstream" for all identity management. One of the challenges was to "home" the user management function for IAM and PAM, and we decided to make IT the owner of the systems, taking in mover, joiner and leaver activities, and have infosec perform the configuration recommendation, policy and audit role. So think of infosec as guiding the implementation that IT manages/maintains. That way the CISO org researches the options for the IAM/IGA/PAM solutions and writes the policies, but the "hands on" work is provided by the IT team. This was true for human secrets management as well as machine secrets management. We felt that this was the most auditable arrangement: privileged access to IAM/IGA/PAM tools was reserved for IT, but the configuration settings and deciding which features to enable or disable was the domain of infosec. Ideally you want all of the access rights management to take place in scripts and have IaC (Infrastructure as Code), so that adding users to groups or providing access to a password vault is scripted and automated. But that's a "next level" kind of posture in terms of systems integrations and using APIs to manage such access in GitHub or another software repository.
