
Establishing an Agile IAM Framework

By Justin Allen, Director Information Security, BBVA in the USA

Identity and Access Management (IAM) is typically thought of as an operational function encompassing the granting, removal, transfer and certification of logical access to technology resources. While not untrue, that view no longer captures everything IAM is evolving into in an ever-changing business landscape. One example of that evolution is the migration to an Agile model. The challenge it brings is creating an IAM program flexible enough to keep up with Agile organizations.

At its core, IAM is a control function grounded in adherence to user access policies, the principle of least privilege, and segregation of duties matrices. In days past, the IAM department would onboard a new employee with the same access that everyone else in the new employee’s department or job function had. The employee would keep that access until changing jobs or leaving the organization, which required a transfer or termination of access, respectively. The IAM department, in this case, is analogous to a helpdesk which takes inbound tickets, works them (with proper approvals), documents the work and closes the tickets in an operational fashion. On a periodic basis, IAM would certify that the access granted is still in alignment with the employee’s job duties. Voila! A control function which manages what employees get access to and makes sure they still need it.

So the question remaining is how do we alter that methodology and our processes to meet the organizational shift to Agile? I think the answer is that we have to become more agile along with the organization. To establish an agile IAM program, we need to begin by establishing agile roles within the organization. Those roles need to be high level enough to be flexible: developer, tester, PM, etc. Once you have an agreed-upon set of agile roles for all projects, you can begin integrating your IAM program into the project pipeline. Each project should have dependencies assigned to the IAM department for mapping the specific project roles to the specific resources that project needs. Aligning with the project roadmap and associating resources with each project lets you assign a role only for the time the project is active. Diligence in removing project-associated roles is critical to maintaining the principle of least privilege within the organization. Adhering to project timelines is therefore essential for the IAM team: assigning and terminating roles on schedule is paramount both to the success of each project and to managing the organization’s threat landscape.

The tricky part is the performance of access certifications, which will also need an overhaul with a shift to Agile. Essentially, the Sr. Management team will need to be dedicated to establishing and maintaining roles for all Agile projects. Once the roles are agreed upon, Sr. Management will need to periodically (read: frequently) certify both the roles and the users in each role. Add a privileged access management tool to this efficient management of roles and your organization is ready for an agile transition.
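The process above (agreed agile roles, project-scoped grants tied to the roadmap, removal when the project ends, and frequent certification) can be checked mechanically. The following is an added illustration, not code from the article or from BBVA: the role names, project names, dates and user names are constructed sample data, and the function names are my own.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data: the agreed agile roles, the project roadmap, and current grants.
AGILE_ROLES = {"developer", "tester", "PM"}
AS_OF = date(2024, 4, 15)  # the date the IAM review is run (assumed)

@dataclass(frozen=True)
class Project:
    name: str
    start: date
    end: date  # last day the project is active on the roadmap

@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    project: str

PROJECTS = {
    "payments-api": Project("payments-api", date(2024, 1, 8), date(2024, 3, 29)),
    "mobile-onboarding": Project("mobile-onboarding", date(2024, 3, 1), date(2024, 6, 28)),
}

GRANTS = [
    Grant("alice", "developer", "payments-api"),
    Grant("bob", "tester", "payments-api"),
    Grant("carol", "PM", "mobile-onboarding"),
    Grant("dave", "dba", "mobile-onboarding"),     # not one of the agreed agile roles
    Grant("erin", "developer", "legacy-cleanup"),  # project is not on the roadmap
]

def grant_violation(grant, projects, today):
    """Return None if the grant is still justified, else the reason it should be revoked."""
    if grant.role not in AGILE_ROLES:
        return "role is not an agreed agile role"
    project = projects.get(grant.project)
    if project is None:
        return "project is not on the roadmap"
    if today > project.end:
        return f"project ended on {project.end.isoformat()}"
    return None

def revocations_due(grants, projects, today):
    """Grants that violate least privilege as of `today`, with the reason for each."""
    due = []
    for grant in grants:
        reason = grant_violation(grant, projects, today)
        if reason is not None:
            due.append((grant, reason))
    return due

def certification_report(grants, projects, today):
    """Still-valid grants grouped by project, for Sr. Management to certify."""
    report = {}
    for grant in grants:
        if grant_violation(grant, projects, today) is None:
            report.setdefault(grant.project, []).append((grant.user, grant.role))
    return report
```

Running `revocations_due(GRANTS, PROJECTS, AS_OF)` flags the two payments-api grants (project ended), the non-agile "dba" role, and the grant on a project missing from the roadmap; only carol's PM role on mobile-onboarding remains for certification.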
