Identity & Access Management Trends -- Insights from Mike Del Giudice, Crowe Horwath
Mike Del Giudice of Crowe Horwath LLP shares insights on:
Del Giudice is a Senior Security Manager with Crowe Horwath's (Crowe) Risk Consulting Group, specializing in Information Security and Security Strategy, including data privacy, network auditing, External and Internal Penetration Testing, and compliance related to governmental regulations. Mike also has an extensive knowledge of policy and procedure development and has implemented effective information security solutions for a variety of clients.
TOM FIELD: Hello. This is Tom Field, Editorial Director with Information Security Media Group. I'm talking today about the topic of identity and access management. With us is Mike Del Giudice of Crowe Horwath. Mike, thanks so much for joining me today.
MIKE DEL GIUDICE: No problem Tom. Thanks for having me.
FIELD: Mike, just to give our audience a bit of context here, tell us a little bit about yourself and your work for the firm.
DEL GIUDICE: I work with an organization called Crowe Horwath. I'm part of our security and privacy team. I've been dealing with security, specifically with Crowe, for a little over nine years now. I actually lead our security strategy offering, which, the real focus is to help organizations' identify security solutions that help align with the business more effectively. When you think about most organizations doing security assessments, they identify gaps, and the goal of the strategy offering is to figure out and look beyond the gaps, how do we fix those issues? What are the root causes. Really, that ties nicely into the identity and access management space, which I think is the objective of today's podcast.
FIELD: So, IAM. We hear an awful lot about it, especially in the last year, with all the mergers and acquisitions that have happened in financial services. What do you see as the latest trends that really are relevant to financial institutions?
DEL GIUDICE: The financial institution space is one of the most heavily regulated industries, and when I look at the industry as a whole, I call them ahead of the majority when it comes to security; maybe not out of want, but out of necessity, because of the regulations that are forced on them. When they see or hear identity and access management, or IAM, they see it as an opportunity to address those effectiveness concerns that they have around the controls while increasing operational efficiency.
When you hear IAM, you hear all the buzz words about how they can help the organization run more streamlined. For start purposes of the conversation, I want to set a baseline of what IAM is. When I define identity and access management on a broad scale, it's really the authentication and authorization of your users. It could be employees, it could be vendors, it could be consultants, etc. It could be your customers. Basically, how are you going to manage passwords, provisioning and deprovisioning access rights, etc., for those individuals across your organization? One of the big trends I'm seeing is historically, when organizations have heard or thought about the IAM buzzword, they traditionally thought there was benefit, but a very expensive solution, particularly due to tools and things that they would have to purchase and time they would have to spend to get things pulled together.
One of the things that I try to work with organizations on, where we see the industry start to take hold of a little bit, is when they look at a control environment and when they look at security, they look at it from two perspectives. One is the effectiveness of the control, which is what the regulators are looking for to make sure the control is operating effectively. Organizations are seeing the second component, which is more the efficiency of the control, or how are we operating as it relates to satisfying the business objectives that we have, and looking at security more strategically from that perspective.
When organizations start to look at the efficiency aspects of their control environment, getting beyond just the effectiveness, what they see is there are a couple of basic levels of efficiency or maturity levels with an organization, from a control standpoint. You have organizations that are at the basic level of control, where they are just enforcing control. When you think about a financial institution, you're going to have someone responsible for network security. Someone is going to be responsible for security around a core application. You're going to have groups, one-off groups that may be responsible for things like wires, ATH applications, imaging environments, things along those lines. When you think about a basic organization, or the low end of that maturity scale, they definitely look at compliance within those areas, but on a more granular basis. They're siloed. And that doesn't present a lot of efficiency to the organization.
They very well may be addressing their compliance needs, but they're doing it in a siloed and isolated fashion, and that really disconnects security from the overall business goals. As you move up that maturity chain a little bit, you're going to see those controls become more collaborative and more consistent across the organization, and really help, standardize and streamline the processes a little bit.
I think when organizations first think identity and access management, they think that we all of a sudden need to get to this level of automating controls with a tool. When you're thinking about the process, from a maturity standpoint, the first step is not going to that 'nth degree with the tool, but to standardize the processes across the organization. Let's streamline what we are doing and get those groups to work more collaboratively together, which allows us to leverage that staff more easily across business units, and makes it easier for management to oversee.
It may help cost, even from a third party consultant, or auditing firm standpoint, because now they are looking at one consistent control, as opposed to looking at eight disparate controls across the organization. Then you finalize move to that ultimate point within that maturity model when you start to automate those controls. Where are you using technology to implement and enforce the control environment, which minimizes manual intervention, which makes those processes work much more streamlined and efficiently, and minimizes the likelihood of manual mistakes? A lot of the organizations, when they see the gaps that they are struggling with, they are just symptoms of controls that should have a lot of manual intervention.
So, organizations are starting to look at identity and access management more in those tasks of maturity, and seeing where they want to be in that life cycle, and really focusing on that, as opposed to just looking at identity management as a cost, and thinking, "That's not something for us, because we just can't spend any money on anything right now."
FIELD: So, as they assess their own maturity and where they are and where they want to be, what do you find to, one, be some of the biggest challenges that financial institutions face, and two, how are they tackling those challenges?
DEL GIUDICE: The first objective that I alluded to a little earlier is just getting past the perceived cost, and to just focus. I think a lot of organizations hear identity management and say, "That's expensive, and it's not for us. And particularly in this economic climate, we just don't have the money to spend." I don't think they are looking at it from a maturity perspective. There is a lot of opportunity to increase organizational efficiency without going having to spend a lot on third party tools, or on new solutions.
It's really just getting the business aligned accordingly. And that really ties into the second biggest challenge, which is getting everyone on the same page, particularly in the economic climate we are in. I think what you are seeing, from the perspective of the individuals within these departments, is they are trying to justify their roles. They're trying to justify the responsibilities they have, justifying their jobs. And because of that, there is not as much collaboration because people want to keep as much responsibility as they can. I think that has definitely made a very significant challenge in the last twelve to eighteen months. We have seen these organizations try to operate more efficiently.
The third challenge that we see is what I call the "Shiny Object Syndrome." Organizations hear the buzz words, they get sold on the benefits of these things before they actually look at what values it's going to bring, and they jump into these things head-on without really considering what that overall cost is going to be. And whether it is time of money, these identity management solutions, when you think about automating controls, definitely have a lot of costs associated with them. Organizations may not be at the right point internally, and the collaboration may not be there. Some of these other challenges that we have just aren't there, or they are putting up so many hurdles that just jumping to the automation step doesn't make sense at that time. And because of that, the spending goes up significantly.
What we encourage a lot of organizations to do, and what we're seeing a lot more of is a lot of collaboration amongst teams. I'm calling it not necessarily forced collaboration but encouraged collaboration by management, making collaboration of the security teams an expectation of the job. We want security to be an aspect of the business; we don't want security to just be looked at as a cost center. By bringing these different security functions together and working collaboratively across the business, we could really start to streamline the effectiveness of the organization.
That collaboration is the key point towards all the challenges we talked about, whether it be getting over that initial hurdle of understanding and how this can bring value to the organization, or if it's just making sure we address this in a step-by-step, logical basis, in the most effective way possible for the organization. It helps us to avoid overextending ourselves early on in the process and increasing the costs, and helps us look at it more strategically from a business standpoint.
FIELD: Mike, you've got a lot of experience here. What are some of the "gotcha's" that an organization has to look out for when tackling IAM?
DEL GIUDICE: I think organizations look at this in too broad a perspective. It ties to the "shiny object." They see the numbers of what the ROI is for these solutions on what they can do, and they just bring in these solutions that may not necessarily tie to what they are trying to do overall, from a business standpoint, and don't necessarily tie to what their plans are long-term. And so, they sell this solution to management, based on all these big picture numbers, when realistically, they don't look at it and say, "You know what? We're not going to get there."
Because, typically, most organizations don't. To use a specific example, in provisioning, as it relate to identity and access management, organizations look at the numbers of automating the user onboarding process and the termination process, removing access from systems across their environment. Realistically, if you can get an identity management provisioning solution implemented on a handful of systems, you are doing much better than the typical firm or the typical organization. But, these organizations sell these numbers, looking at it as, "Hey, we're going to do this across the organization," not realizing the cost to get there is too expensive, particularly for when you are automating these controls.
On the opposite end of the spectrum, I've seen a lot of organizations look at it too narrowly, meaning they look at what they want to accomplish and what they want to accomplish this year, but not what their plans are two, three or four years from now. An example I have, very specifically, is an organization looked at a password management solution. Basically, password management helped automate employee password change requests, doing some type of self-service password resets and minimizing the burden that the help desk had to face with that.
They also wanted to leverage it, potentially, to use it as a single sign-on solution. Well, they went out and did a lot of research, and came up with the solution that was the best fit, and went out and started the implementation process. About eighteen months later, they decided, "Hey, we want to look at provisioning." As they started looking at it, they found a provisioning solution that they liked, and then realized that it didn't collaborate very well with the password management solution they had selected just twelve months earlier. All of a sudden, they started realizing, "Well, hey, if we would have looked at this on a bigger picture basis, on what our long term plans are, the solution we would have picked would have been a lot different twelve months ago." So, it is important to understand where you are and to make the right decisions around that. One of the other "got ya's" I see a lot of organizations struggle with is role management, and I have seen a lot of organizations talk about role management and the Utopian idea that it really is.
When you think about it on paper, it makes perfect sense, define specific roles for your users and make sure that everyone falls into one of those roles. Then you can just manage your identity and access management security around those roles for specific users, specific vendors or specific customers. Again, in a Utopian environment, it sounds great. But with the actual execution of that role and management process, we typically see organizations take on too much, and what they find is that there are more roles than they have employees.
They have a lot of one-off roles. They've got a night operator that, while they are just a basic operator, they have some special privileges and coverage for people that aren't there in the evenings. And they find that there are many unique roles out there within the organization that it is a process that looks like it would be easy to accomplish, but it becomes very burdensome and costly to implement and develop. Those are some of the things that we have seen a lot of organizations look back on and say, "If I could do this differently, I would approach this much differently than what we did."
FIELD: If you could offer just a single piece of advice to institutions that are tackling their identity and access management challenges, what would that advice be?
DEL GIUDICE: To be realistic with where you are at. If I look at that maturity lifecycle, you are going to fall, as an organization, somewhere along that. Just be realistic with where you're at. And once you know where you're at, determine where you want to be. I'll be honest; automation is not for every organization.
Especially when you're looking at a majority of financial institutions out there, they're not the Citibanks; they're not the Bank of America. This automation-type approach may not make the most sense. But, maybe meeting somewhere in the middle, in the more collaborative area, is really where you want to be as an organization. Be realistic with where you are at and where you want to be, then determine your path for getting there.
Is it just collaboration amongst the group and encouraging more of that collaboration and really focusing on what is important to you as an organization? You're not going to be implementing an identity management automation solution organization-wide. It's just not realistically going to happen. Focus on what is most important to you and be realistic with where you are at. By doing this, you are going to be more successful in the long-term. You're going to be much more effective and efficient as an organization, and I think you'll just be much happier from a security organization as a whole.
FIELD: Mike, that's really helpful. I appreciate your time and insight today.
DEL GIUDICE: Thank you. I appreciate your time Tom.
FIELD: We've been talking to Mike Del Giudice with Crowe Horwath. For Information Security Media Group, I'm Tom Field. Thank you very much.