Why You Should Stop Wasting Money on Identity Assessments
Don't read unless you like the truth
Identity assessments are often touted as the first step toward improving your organization’s identity and access management (IAM). But here’s the truth: they’re mostly a waste of time and money. The answers you are looking for are already within your organization; you just need to ask the right questions. And it doesn’t take hours of meetings, plus even more hours writing some 100-page document that you aren’t going to read anyway. You can get the majority of what you need with just six questions.
So get ready. I’m about to save you money.
Let’s go.
Here are the rules. I will list the six questions you must ask yourself and your organization. Then I’ll list the follow-up questions and actions you should take based on the answers. At the end of the exercise you’ll know what you need to do to take the next step with your IAM program.
1. Do you have an IAM program and strategy?
2. Do you have defined outcomes for the areas of IAM you want to improve?
3. Can you say what user has access to what in your environment?
4. Do you know where your privileged accounts are?
5. Have you identified which IAM components carry the most significant risk?
6. Do you have an organizational owner of identity and operations?
The answers to these questions are the building blocks of your IAM strategy. For each question, provide an honest answer. If the answer is “no,” dig deeper and ask yourself why. When you get that answer, ask “why” again. Repeat this process, and you’ll uncover the real issues that need addressing.
Let’s dive deeper, shall we?
Do you have an IAM program and strategy?
This one is pretty simple. If you are considering getting an assessment, the answer is most likely no. So now we get to play the question game and uncover why you don’t.
Ask yourself: “Why don’t we have a program and strategy?” If you don’t know the answer, then ask a friend, colleague, or boss. Someone in your organization has an answer. Once you get that answer, congrats! You’ve completed the first step; two more to go. Whatever the answer is for your organization, you need to ask why again, and then again after that. (I know, I know, this means you’re going to have to talk a lot to people you work with.)
Asking these questions at this level will uncover the concrete needs your organization has in order to build an IAM program and strategy. Let’s play out an example so you have something to reference.
Let’s role-play for a second here. We’ve got you, your boss Jerry, who’s in charge of “identity,” and his boss Alicia, who’s the organization's CISO. Let’s play the question game and see what we come up with.
You: Morning, Jerry!
Jerry: Morning <insert your name here>
You: Hey so I was wondering do we have an IAM program or a strategy around identity?
Jerry: Nope
You: Yeah, I kind of figured that since we were looking at paying <insert any consulting company> 1 gajillion dollars to do an assessment. But I’m curious, why don’t we have one?
Jerry: …thinking…
You: …sipping coffee…
Jerry: …thinking…
You: …sipping…
Jerry: Well, I just don’t think it’s been a priority here.
You: Hmm..ok…that makes sense I guess…But why?
Jerry: Good question; let’s ask Alicia.
You and Jerry walk over to Alicia’s office. (Yes, you're in an office.)
You and Jerry: Hey Alicia!
(If your name is Tom and you’re reading this…..Bless you)
Alicia: …uggghh. Good morning Jerry, and <insert your name here>
Jerry: We were wondering… why don’t we have an IAM program here?
Alicia: Just hasn’t been on my radar lately, but given the state of things now I think it’s important we address this. That’s why I want you to run it Jerry.
And scene.
Ok, now the conversation won’t go exactly that way, but the point here is that you want to understand the reason why your IAM program and strategy are non-existent, and to do that you have to have multiple conversations and dig beyond the superficial answers. Is it resource constraints or budget constraints, or does your organization not care? Finding out these answers will help you create your strategy.
Do you have defined outcomes for the areas of IAM you want to improve?
Ok, so you want an assessment, so something is driving you to want that assessment. (I hope; if not… do you just like spending money for no reason?) What is that? Do you have questions about your SSO implementation? Are you looking at moving to passwordless? Don’t understand your PAM coverage? Whatever it is, do you have a defined outcome for what you want? If not, then create it! Make it specific and measurable. If you need some examples, check out these. You can use those as an example or steal the ones that IDSA has already assembled. Just remember to make them measurable.
For instance, say you want to have all privileged accounts discovered and included in your PAM solution. Ok, so that means you need 100% coverage for privileged accounts. So, let’s break that into four percentage goals. Quick, class, what’s 100 divided by 4?
……….(bueller)…..
….(bueller)…….
That’s right! 25. You now have four milestones that you can track to complete your outcome.
You can apply this to ANY IAM area you are looking to improve. I believe in you!
Can you definitively say what user has access to what in your environment?
This is the whole point of IAM. You want to be able to know without a shadow of a doubt, who has access to what. If the answer to this is no, see number one above. TIP: Think about ALL YOUR USERS. Third parties, suppliers, customers, etc.
Do you know where your privileged accounts are?
These are the kings of the kingdom. You need to know how many you have, where they are, and how they are created, updated, deleted, and rotated. Anyone breathing near a privileged account, you need to know about it and have it tracked.
Talk to your admins. ALL OF THEM. Understand how they create and use privileged accounts. Talk to your developers. ALL OF THEM. Understand how they use things like SSH keys, API keys, and admin accounts.
Ok, now you know your landscape; the next step is to manage the lifecycle of all of them. Create some outcomes, make them measurable. Sounds familiar, right?
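As an added illustration (not from the newsletter), here is how the privileged-account inventory just described, together with the four 25% milestones from the outcomes section, can be tracked once you have written down what your admins and developers told you. The account names, owners, dates, the report date and the 90-day rotation threshold are constructed assumptions:

```python
from datetime import date

MILESTONES = (25, 50, 75, 100)       # the four 25% milestones from the post
MAX_ROTATION_AGE_DAYS = 90           # assumed rotation policy, not from the post
REPORT_DATE = date(2024, 6, 1)       # constructed "today" for the sample report


def acct(name, location, owner, in_pam, last_rotated):
    """Build one inventory record (a plain dict keeps the example dependency-free)."""
    return {"name": name, "location": location, "owner": owner,
            "in_pam": in_pam, "last_rotated": last_rotated}


# Constructed sample inventory: the kind of list you end up with after talking to
# every admin and developer. Names, owners and dates are made up.
INVENTORY = [
    acct("root@db-prod-01", "linux", "dba-team", True, date(2024, 5, 1)),
    acct("Administrator@dc01", "windows", "it-ops", True, date(2024, 4, 10)),
    acct("svc-backup", "windows", "it-ops", False, date(2023, 11, 20)),
    acct("deploy-key-ci", "ssh-key", "platform", False, date(2023, 9, 1)),
    acct("api-key-payments", "api-key", "payments-dev", True, date(2024, 1, 15)),
    acct("break-glass-aws", "cloud", "security", True, date(2024, 5, 20)),
    acct("svc-sql-agent", "windows", "dba-team", False, date(2023, 12, 5)),
    acct("admin@saas-hr", "saas", "hr-it", True, date(2024, 3, 1)),
]


def coverage_percent(accounts):
    """Share of known privileged accounts that are onboarded into PAM."""
    if not accounts:
        return 0.0
    managed = sum(1 for a in accounts if a["in_pam"])
    return round(100 * managed / len(accounts), 1)


def milestones_reached(pct):
    """Which of the four 25% milestones the current coverage has passed."""
    return [m for m in MILESTONES if pct >= m]


def unmanaged(accounts):
    """Accounts still outside PAM: the work list for the next milestone."""
    return sorted(a["name"] for a in accounts if not a["in_pam"])


def stale_rotation(accounts, today, max_age_days=MAX_ROTATION_AGE_DAYS):
    """Managed accounts whose credential is older than the rotation policy."""
    return sorted(a["name"] for a in accounts
                  if a["in_pam"] and (today - a["last_rotated"]).days > max_age_days)


if __name__ == "__main__":
    pct = coverage_percent(INVENTORY)
    print(f"PAM coverage: {pct}% (milestones reached: {milestones_reached(pct)})")
    print("Not in PAM:", unmanaged(INVENTORY))
    print("Rotation overdue:", stale_rotation(INVENTORY, REPORT_DATE))
```

The two lists at the end are the measurable outcomes: the unmanaged accounts are what stands between you and the next 25% milestone, and the overdue rotations show where the lifecycle is not actually being managed even for onboarded accounts.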
Have you identified which IAM components carry the greatest risk?
This is a conversation with your CISO. What risks are they tracking? What problems are they looking to solve this year and next year within the organization? (Don’t ask past two years, cuz… ya know… CISOs don’t last that long.)
Of those risks, how many are identity-related, either directly or indirectly? Next, ask your CISO what their priority is (remember, if everything is important, then nothing is important). Now, class… what are we going to do next?
Ask questions and create defined outcomes.
Do you have an organizational owner of identity and operations?
Simple yes or no here. And we already know what we do if it’s no, so I won’t repeat myself here. But someone has to own identity, both the operations and the development (ideally). So if you don’t have an owner, then get your peers ready for the greatest game of “NOT IT” ever played.
Joking… (kind of). Someone has to own this; it’s too big and too important to be handled haphazardly. Now, depending on the size of your org, this is a collection of different organizations working together and communicating (yeah, cuz that happens), or it’s centralized to a specific team, or it’s managed by a committee with representation from each part of the business. The bottom line is someone needs to own it.
Ladies and gentlemen, the 88th Hunger Games….
So there ya go: answer those questions and have those discussions within your organization, and you don’t need an identity assessment. Unless, of course, you just like spending money on useless things. Instead of engaging your consulting company to do assessment work, bring the results of these questions to your consulting company and ask them to help you figure out how they can help you implement your outcomes. What tools do they recommend to implement those outcomes? (News flash: consulting companies have favorites, so just keep that in mind. They may tell you they don’t, but… let’s just say this: follow the money.)
Now the consulting company will fight and say, “Oh, we need to do our assessment because there’s an ‘i’ that wasn’t dotted and a ‘t’ that wasn’t crossed,” or they have low utilization rates so they need to sell you a collection of hours. But they are going to tell you what you already know. Use them and your money efficiently and focus on them helping you with the how.
You got this.