
The 10 Universal Truths of Identity and Access Management
What’s driving your IT initiatives?
Introduction
The 10 Universal Truths of Identity and Access Management
Most organizations implement technology to do things better, deliver higher value, fulfill their mission and become more agile. After all, technology should make things easier. But often it seems that many IT initiatives slow operations and hamstring agility.

IAM is an ever-moving target that has become a large and integral part of IT operations.

The following ten universal truths of IAM provide common-sense guidance on how to evaluate your need, implement a solid IAM solution and optimize its usage.

ONE
Security and compliance is a journey, not a destination.
OK, I know this is kind of obvious, but it doesn’t make it any less true.

Often, security is addressed on a point-by-point basis with an “I need to secure system X” or “I need to prevent threat Y.” Anyone who has attempted to deal with security in that manner without an underlying strategy will find themselves in a losing battle constantly running from one fire to the next with no end in sight. The same can be said for compliance needs.

I recommend approaching compliance and security (and IAM is a major subset of security) from a stance that I call “get to one.” The closer you can get to a single set of controlling policies that apply to all systems; a single user identity that includes everything necessary to appropriately access systems and data; a single set of parameters that control access and define users; and a single point of management that places the power in the hands of the people who know why someone should access something — not simply how to manipulate the system to grant that access — the better off you’ll be. This unified approach to security means that you are never done, but that whatever the future holds, a foundation is in place that will ensure that all threats have the deck stacked against them from the outset.

TWO
You can’t fix problems you can’t even see.
A direct result of the complexity inherent in today’s IAM landscape is the extremely broad range of things that can break or be exploited.

With any single user having many dozens of individual identities across just as many systems, and with each system requiring different attributes or controls within those identities, it quickly becomes obvious that there are too many disparate factors to deal with. Simply understanding everything a user can access, not to mention what they do with that access, becomes impossible.

THREE
Administrators are helpful people… and that’s the problem.
We all have that guy in IT that just gets things done.

When red tape stands in the way of getting access to something you need to do your job, calling this IT superhero can result in receiving exactly what you need. After all, he’s the one who manages the system, and he knows how it works. But there’s a big problem associated with relying on “super-helpful IT guy.” Not every employee is as trustworthy as you.

The correct way to deal with access requests and fulfillment (that’s really all super-helpful IT guy is doing) is to remove the barriers to requesting, and automate the controls around decision-making and ultimately fulfillment (or provisioning). Imagine an approach to IAM that allows a user to quickly and easily request access to anything they want while instantly and automatically checking that request against established (and unified) security policy.

The user’s request is trafficked through all necessary approvals, followed immediately by automated request fulfillment when the parameters are met. Imagine if that same system did all of that without requiring IT intervention while tracking the entire transaction? Your users get the access they need — and should have — but in a way that won’t cause trouble during audits.
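The request, policy check, approval, fulfillment and audit-trail loop described above, modelled as an added Python example; this is illustrative code written for this page, not code from the ebook or from any One Identity product. The policy table, the role and entitlement names, the users and the approver's decision rule are all constructed for the illustration.

```python
"""Toy model of a policy-driven access-request workflow (added example).

Every request goes through the same stages: an automatic check against one
unified policy, a human approval step only where policy demands it, then
automated fulfillment, with each stage written to an audit trail.  All
entitlement, role and user names below are constructed, not real ones.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable

# Constructed sample policy: which roles may hold which entitlement, and
# which entitlements additionally require a human approval step.
ALLOWED_ROLES: dict[str, set[str]] = {
    "erp.invoice.read": {"finance", "auditor"},
    "erp.invoice.approve": {"finance-manager", "finance"},
    "prod.db.admin": {"dba"},
}
NEEDS_APPROVAL: set[str] = {"erp.invoice.approve", "prod.db.admin"}


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    entitlement: str


@dataclass
class AuditEvent:
    request: Request
    stage: str      # "policy", "approval" or "fulfillment"
    outcome: str


class AccessWorkflow:
    """Request -> policy check -> approval routing -> automated fulfillment,
    with every stage recorded so an auditor can replay the transaction."""

    def __init__(self, approver: Callable[[Request], bool],
                 provisioner: Callable[[Request], None]) -> None:
        self.approver = approver          # e.g. the requester's manager
        self.provisioner = provisioner    # automated grant in the target system
        self.audit: list[AuditEvent] = []

    def _log(self, req: Request, stage: str, outcome: str) -> None:
        self.audit.append(AuditEvent(req, stage, outcome))

    def submit(self, req: Request) -> str:
        # 1. Instant, automatic check against the unified policy; no human yet.
        allowed = ALLOWED_ROLES.get(req.entitlement)
        if allowed is None or req.role not in allowed:
            self._log(req, "policy", "denied")
            return "denied_by_policy"
        self._log(req, "policy", "allowed")

        # 2. Route through approval only when policy says it is required.
        if req.entitlement in NEEDS_APPROVAL:
            if not self.approver(req):
                self._log(req, "approval", "rejected")
                return "rejected_by_approver"
            self._log(req, "approval", "approved")

        # 3. Automated fulfillment, with no IT intervention, and recorded too.
        self.provisioner(req)
        self._log(req, "fulfillment", "granted")
        return "fulfilled"


def run_demo() -> tuple[dict[str, set[str]], list[str], int]:
    """Drive four constructed requests through the workflow and return the
    resulting grants, the per-request outcomes and the audit-trail length."""
    grants: dict[str, set[str]] = {}

    def provision(req: Request) -> None:
        grants.setdefault(req.user, set()).add(req.entitlement)

    # Constructed approver rule: approves DBA requests, rejects everything else.
    def manager(req: Request) -> bool:
        return req.role == "dba"

    wf = AccessWorkflow(approver=manager, provisioner=provision)
    outcomes = [
        wf.submit(Request("alice", "finance", "erp.invoice.read")),    # no approval needed
        wf.submit(Request("bob", "engineer", "prod.db.admin")),        # stopped by policy
        wf.submit(Request("carol", "finance", "erp.invoice.approve")), # approver says no
        wf.submit(Request("dave", "dba", "prod.db.admin")),            # approved, fulfilled
    ]
    return grants, outcomes, len(wf.audit)


if __name__ == "__main__":
    print(run_demo())
```

The point of the model is that the "super-helpful IT guy" never appears: the policy decides what is even eligible, a named approver decides the sensitive cases, the grant is made by code, and the audit list holds every step of every request, including the ones that were refused.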

FOUR
Unlike you, the bad guys have nothing better to do.
They want to get to your organization’s crown jewels — the data that is the life’s blood of everything you do.

They look to exploit weaknesses in your systems and in your users’ behavior. They have lots of time and lots of creativity and enjoy the hunt almost as much as the kill. You, on the other hand, have a job to do, and it probably doesn’t involve watching every user and entry point for suspicious activity. But the bad guys will always aim for the easiest targets; if their efforts to breach your systems are more difficult than it’s worth, they’re going to move on to someone else.

FIVE
Users will write down their passwords, but will not remember their passwords.
We all do it, even though most of us won’t admit it.

We have lots of passwords to remember in spite of our best efforts to use the same strong one everywhere. So what do we do? We write them all down and store them in a drawer, on a sticky note under the keyboard or in a note called “passwords” on our smartphones. The dangers are obvious: Regardless of how appropriately provisioned a user is, how thoroughly you monitor it, and how unified and strong your security policy is, if a password falls into the wrong hands… all bets are off.

SIX
If you measure the risk of insider threats with mood rings on IT administrators, you have a problem.
Many of the most damaging and high-profile security breaches of recent years were the result of insiders using privileged access to do bad things.

Some steal and publicize critical data. Others set time bombs to destroy systems. And others undertake vindictive mischief in the name of sticking it to the man. The common theme across all of these incidents is that someone in a trusted position was given privileged access and abused it. The echoes of “I trust my staff, they would never intentionally hurt the company” are still bouncing off the walls of these organizations.

SEVEN
Sending workflow to the cloud doesn’t magically make it easier to define or understand.
The cloud is awesome!

It makes business so much more agile — enabling much quicker rollout of technology while moving many IT spends out of the world of capital expenditures into operational expenses. But just because something is in the cloud, doesn’t lessen the need for the same security concerns that are the bedrock of on-premises IAM. In fact, many of the critical aspects of good IAM — specifically unified, business-driven and policy-based workflows — become even more critical when they move out of your direct control.

The cloud is another area where the “get to one” approach can eliminate many of the most common pitfalls. When those controlling aspects of IAM can be unified, automated and controlled by the business rather than IT, the specifics of deployment — whether on premises or in the cloud — become much more manageable. I would advise that any future IAM plans take into consideration the readiness of the solution to address data and applications in the cloud. Why duplicate efforts just because something is in the cloud?

EIGHT
If you defined your IAM project more than six months ago, it’s probably out of date.
As mentioned earlier, IAM is a moving target.

I can’t count the number of times I’ve heard an organization talk about how they are on the fifth year of their three-year IAM plan and are nowhere close to achieving their original objectives. For years IAM was the world of highly customized solutions purpose-built for the specific makeup of an organization, its specific technologies and its specific user base. The problem is when those things are defined in year zero, the solution planned for year three and delivered (sort of) in year five is nowhere close to the actual requirements of year five.

NINE
If you can’t get executives to use one tool for X, how are you going to get them to use five?
Let’s face it, the success (or lack thereof) of any IAM project is totally tied to the enthusiasm of the executives that are paying for it and must use only a small portion of it.

They want what they want, when they want it, and they want it in a way that is difficult for them to explain, but they’ll know it when they see it.

Earlier we talked about the problems of complexity when duplicate activities must be performed on different systems, using different tools, and often with heavy IT involvement. That’s the legacy of traditional IAM platforms and platform- or task-specific tools.

TEN
It is very difficult to satisfy both efficiency and security, and that difficulty is directly proportional to the complexity of your environment.
It’s the constant battle. “Do you want me to be secure or do you want me to be efficient?”

Of course the unfortunate answer is “both!” But as discussed throughout this paper, complexity, which is par for the course these days, puts security and efficiency at odds. You can either invest in security or invest in operational efficiency, but you can’t have both.

Or can you?

Conclusion
• Reduce complexity

• Put the power of access control in the hands of the right people

• Unify the important aspects of IAM that control everything

• Automate everything you can

For more information visit oneidentity.com


About One Identity

The One Identity family of identity and access management (IAM) solutions offers IAM for the real world, including business-centric, modular and integrated, and future-ready solutions for identity governance, access management and privileged management.

If you have any questions regarding your potential use of this material, contact:

Quest Software Inc.
Attn: LEGAL Dept
4 Polaris Way
Aliso Viejo, CA 92656

Refer to our Web site (www.quest.com) for regional and international office information.

© 2017 Quest Software Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of Quest Software Inc.

The information in this document is provided in connection with Quest Software products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest Software products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST SOFTWARE ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST SOFTWARE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest Software makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest Software does not make any commitment to update the information contained in this document.

Ebook-IAM-10UniversalTruths-US-KJ-28018

