Let's talk about Identity Security

The 88th Edition of the Identity Jedi Newsletter

Author

David Lee
October 10, 2024

Hey Jedi welcome to the 88th edition of the Identity Jedi Newsletter! This week, we will dive deep into what it means to say Identity Security. As we continue with Cybersecurity Awareness Month, let’s explore what it means for identity to be a part of security. We’re going to look at this from three perspectives:

  1. Identity Security Products

  2. Identity Security Personnel

  3. Identity’s place in security.

There’s SOO much more to this topic but I’ll leave you some reading in the Good Reads section, and will follow-up with a blog or two in the community blogs section of the website.

Let’s get to the Good Stuff!

This week's edition

Identity Security Products

Ok, so before we jump to the products, let’s first start by defining Identity Security. And for our purposes, here we are going to use OUR definition:

Identity Security combines the administrative functions of IAM with the tactical and response functions of traditional cybersecurity.

Now, let’s give an example of what this means. A typical administrative function of IAM is the detection of SOD policies. This usually takes place in your IGA system. An Identity administrator or manager is notified when a user’s account violates that policy. A workflow is created, emails are sent, approvals are solicited, and all are audited in the IGA system.

Awesome.

Except one thing. All of that is trapped within the IGA system. No other systems or business functions are aware of the user’s state. So, it begs the question if the policy was important enough to track and have administrative responses, it’s important enough to track and have security responses. So, in the new world of Identity Security, a policy violation tracked in the IGA system would trigger actions and responses across IAM and security platforms. For instance, increasing the user’s risk factors ( due to the violation) triggers advanced authentication flows. Additionally, any privileged access the user has is temporarily revoked.

Identity security also means managing identities from a security perspective and not just an IT function. This means tracking things like the amount of risk each identity has based on its current level of access and activity. It also means identity teams having active conversations with the business to understand how users operate and how policies need to be configured to enable them to act efficiently and securely.

Alright sooooo, based on that what products are we seeing out there in the market that allow customers to do this.

CAVEAT: Identity security is 90% discipline and process, and 10% product. There is NO magic bullet product that will give you “identity security”. Let’s not do the Zero Trust thing all over again. ( Although companies will market it that way. I see YOU Product Marketers….STOP IT).

Some quick hitters on products I’ve seen that are building to address this. A full review of the Identity 50 List will come soon.

I expect more vendors to fill up this category over the next year. The “Platform Wars” outcome makes this the main goal for all the acquisitions over the last two years.

Final thoughts on this: Identity security is about taking IAM from a reactive control to a proactive one. It’s about changing the perspective of identity teams from IT administrative tasks, to security tasks.

What skills Does it take to create an Identity Security Practitioner?

Here’s my take a the skills needed for this “new paradigm” of Identity Security

1. Strong Knowledge of Identity and Access Management (IAM):

To be effective in identity security, it’s crucial to grasp core IAM concepts like authentication, authorization, and account lifecycle management. Understanding the principle of least privilege and how to enforce it is key to maintaining secure access. You also need to know how role-based access control (RBAC), attribute-based access control (ABAC), and entitlement management govern access decisions. It’s not just about managing identities, but about aligning access policies with security needs to minimize risk.

2. Security Expertise:

Identity pros don’t just manage access—they’re a key part of the security ecosystem. You need to understand threat models, Zero Trust frameworks, and how weak identities can be exploited by bad actors. Identity has become the new perimeter, so knowing how to secure it is critical.

3. Cloud Knowledge:

Most modern organizations are hybrid or cloud-first, which means you’ll need to know how identity works in environments like AWS, Azure, and GCP. This includes managing non-human identities like bots, services, and APIs, which access sensitive data and systems.

4. Governance and Compliance:

Identity practitioners often play a key role in ensuring compliance with regulatory standards like GDPR, HIPAA, or SOX. This requires skills in access governance, audit trails, and understanding identity security posture management (ISPM) to help companies stay compliant.

5. Analytical Thinking:

This is a data-driven role. Identity security practitioners need to spot anomalies in access patterns, understand user behavior, and act quickly on suspicious activity. You’ll also be reviewing logs and SIEM data, so analytical skills are a must.

6. Collaboration & Communication:

Finally, this role requires working with cross-functional teams. From developers to legal teams, identity pros need to translate technical access controls into business language. Your ability to educate others and explain the “why” behind your decisions is just as critical as the technical chops.

Did I miss anything? Have a different list? Drop your list in the comments!

How do you build and Identity Security Organization

Building an Identity Security Organization (ISO) is about more than just assembling a team—it’s about creating a structure that integrates seamlessly into your larger security framework. Here’s a roadmap:

1. Define Core Functions: Start by identifying the key pillars—identity governance, privileged access management (PAM), and user lifecycle management. These functions ensure the organization covers the full identity spectrum, from provisioning to deprovisioning and access monitoring.

2. Establish Leadership: Appoint a Chief Identity Officer (CIO) or Head of Identity Security to lead the organization. This role should align closely with security leadership, ensuring that identity remains central to your overall cybersecurity strategy. Leadership must set clear governance models for managing both human and non-human identities.

3. Create Specialized Teams:

Access Management: Handles provisioning, access requests, and enforcing the principle of least privilege.

Identity Governance & Compliance: Focuses on maintaining audit trails, access reviews, and ensuring compliance with regulations like GDPR and SOX.

Identity Security Posture Management (ISPM): Monitors identity behavior, identifies risky patterns, and works to mitigate vulnerabilities through real-time analytics.

4. Develop a Unified Technology Stack: Leverage centralized IAM platforms to manage access across hybrid and cloud environments. This stack should be flexible enough to handle cloud-native workloads, non-human identities, and multi-cloud integrations. Identity orchestration platforms are especially useful for creating seamless identity governance across diverse systems.

5. Implement Continuous Training and Cross-Functional Collaboration: Since identity security is tied to every department, it’s vital to cross-train employees and promote collaboration between identity teams, cybersecurity teams, and business units. Regular security workshops and knowledge-sharing sessions ensure that identity security becomes part of the organization’s DNA.

6. Monitor and Optimize: Finally, establish metrics to measure access controls, privileged account usage, and incident response times. Use automated tools to ensure continuous monitoring of identity security posture and run simulated breaches to test your defenses.

Saviynt’s Quest for Innovation

Savyint has been an interesting player in the Identity market the past couple of years. Well, really they’ve been an interesting player since they were founded, but that’s a different story.

This story is about their thier quest to innovate and change the identity market. I’ve said before that I believe they are the best positioned company to to win the Platform Wars. They have the advantage of having the market come to them ( I’ll get to that in a second) AND not having to deal with a number of acquisitions to make the platform dream a reality. As everything else in life it all comes down to execution, and time will tell if they can do that.

Recently Saviynt announced their rollout of Saviynt Intelligence. In thier words: “ Groundbreaking Artificial Intellignece/Machine Learning Capabilities for Cutting-edge Identity Security”

But this just wasn’t about announcing an AI feature, it was announcing a strategy and direction that they want to take their platform. I had the chance to sit down with Vibhuti Sinha, Chief Product Officer at Saviynt and talk about their strategy and the journey that’s lead them here.

We talked about the vision that Savyint has for the Identity market, a vision they’ve had since 2015 of not just a governance product but an integrated platform truly enabling customers to manage every aspect of identity. Now they didn’t know this wave of AI would take over, but as the great Marshawn Lynch says: If you stay ready, you ain’t got to get ready.

And that I think will be Saviynt’s biggest advantage here. It was very clear from my conversation with Vibhuti that this wasn’t just something they had planned overnight. No this was something that they were striving tirelessly for, and just needed the right techonolgoy, the right time, for the seeds of their vision to take root.

Enter 2024

Of all the announcment’s they made with their Intellegince Suite ( My words not theirs) the one I was most intriqued with was their Identity Security Posture Management platform. THIS, was the eye-brow raiser to me. Why? Because it showed their vision of and Identity Security future. Utilizing identity access data across their platform to not just create alerts, but give REAL INSIGHTS into access is doing acorss the organization and what it MEANS to the organization. THIS is the next level innovation we need to see from vendors.

When I askes Vibhuti about their ISPM module he talked about building the foundation within the platform to make this happen. Building a data lake, rolling out features like intelligent access request, and access review recommendations, in order to generate the data needed to power a truly intelligne ISPM product. He also talked about the future and where they want to take it. I won’t spoil anything, but let’s just say that same visonary fire from 2015 is still there. They’ve got some big things planned, and I’m interested to see the results.

The biggest takeway I got from sitting down with Vibhuti was that this isn’t just a feature grab, this wasn’t something to grab attention. This has beena journey over a decade of seeing the future and pushing forward to make it a reality. That’s something you always want to see in your vendor, and Saviynt definietely has that. Now however, can they execute and deliver.

Time will tell

Ok..trying to find good content around Identity Security/Identity Security Posture management was…interesting. A lot of vendor backed blogs, which had an obvious bias. So I went a different route and found some good whitepapers on different aspects of identity security. Enjoy

IDSA_Guide-to-Identity-Defined-Security-2021.pdf1.02 MB • PDF File
cyberark-blueprint-for-identity-security-success-whitepaper.pdf1.32 MB • PDF File
identity-security-outlook-report-2024.pdf4.41 MB • PDF File

#21 Graph DB: A must have for intelligent IAM systems

The Identity Navigator · Episode

open.spotify.com/episode/3cvHtb2g4LBDZD9IAgfhCr?si=4a170f25592d4215

#310 - Personhood Credentials with Eve Maler

Identity at the Center · Episode

open.spotify.com/episode/44dFB7Zg6qbBVM60sR66zB?si=cd14be8796414123

Rami El Outa of Luminor talks banking cybersecurity, his tech journey, and the human firewall

CISOs in Cars · Episode

open.spotify.com/episode/7DPLzXrglT5b6yEPCdZX2h?si=7c05611cecb64a8a

Identity Jedi Show Podcast

The Last Word

Identity security is a path, dare I say…..it’s a way

Staring Star Wars GIF by Disney+

Gif by disneyplus on Giphy

A movement forward as identity becomes a part of security. Although there are products that help, and we’ll see products transform, this is more about changing the narrative and building a culture of security that includes identity

Be Good to each other, Be Kind to each other, Love each other

-Identity Jedi

What did you think of this weeks newsletter?

Login or Subscribe to participate in polls.

Reply

or to participate.