The 59th Edition of the Identity Jedi Newsletter

eBook: How to minimize third-party risk with vendor management

A robust vendor management program isn’t just required by compliance frameworks like SOC 2 and ISO 27001. It’s also a critical part of a holistic trust management strategy.

Implementing a vendor management program, however, has become more complex and challenging with the proliferation of SaaS tools and shadow IT. And many overstretched security teams are being asked to do more with less.

To stay compliant and secure — and deepen trust with customers and partners — security teams need a way to proactively manage vendor risk.

This guide from Vanta, the leading trust management platform, brings together perspectives from the frontlines of vendor security management. Get insights and best practices from security and compliance leaders. 

CISO Survival Guide

Came across this gem when scouring Al Gore’s internet for interesting tidbits about identity.

Cisco, Nightdragon, ForgePoint Capital, and Team8 all walk into a bar…

And at the end of the night produce a report that looks to guide CISO’s down the treacherous path of leading a security team in today’s world. I haven’t looked at the report itself, as of course it’s gated behind a marketing capture page, and I just didn’t want to submit my work email to their combined marketing campaign. (Seriously, marketing folks, there’s got to be a better way)

However, the article broke down the major components, and I like the areas of coverage:

• Identity

• Data

• Code

• Infrastructure

I would add one more to this: Culture. I think more than anything else a CISO’s job is to build a security-centric culture. Until an organization values security and puts it top of mind, it’s a tough uphill climb to accomplish anything else. Security tools, assessments, reports, those things are all good at the tactical. Solving the immediate need, but the bigger need. The bigger problem is that this is a never-ending fight. This isn’t something that you just check off and it’s done, it’s a lifestyle. Delivering security to your co-workers and customers is a choice. A choice you make every day. A choice you need the rest of your team, and organization to make as well. Don’t think we talk enough about that.

Identity Data Fabric

A new term I’ve been seeing floating around.

Identity Data Fabric

It’s all the rage, I get it in all my custom suits and blazers; it’s breathable, soft, and really turns heads at meetings.

But it’s also something that lives at the heart of every identity implementation. Putting it simply:

It’s the collection of all the pieces of data that make an organization’s digital identity.

But I’m a big example person, so let’s break that down using one.

Ok let’s keep this simple: You’re an organization with 2 authoritative HR sources, 1 Active Directory Domain, and a SAP System. You have employee number set in HR system 1. You drive application access based off attributes in SAP, both HR systems, and SAP, and currently none of the applications are synced.

You need to build rules and policies from this collection of resources and pull this data together in order to have a unified view of a digital identity in your organization.

THAT is your identity data fabric.

And THAT Jedi, will be worth it’s weight in gold over the next 5 years. Because that will be the key to truly managing identities and access at a dynamic level. The ability to curate and analyze this data will drive automation, policy creation and the realization of a truly elastic identity platform that can respond to events in near real-time. And I don’t think it’s very far off..scratch that, I KNOW it’s not that far off.

However, one KEYpiece that is missing from this seemingly mythical silver bullet that will not only slay werewolves but cure all IAM ailments.

1) Process

The fabric is nothing without the process that manages that fabric. Think of this as more “data flows” than anything else. The ability to setup and manage the data flows on your identity fabric are crucial, because you need to understand and control how the data is compiled.

Identity Question of the Week

A new segment I’m introducing. A burning question around identity everyweek to get the juices flowing and conversation going.

This week’s question: How do we jumpstart identity?

If you’re an organization that has yet to start down the path of developing an identity program. How do you get started quickly? What are the secrets? Shortcuts? What are some things we can do from a technogoy standpoint to make this easier? What tools haven’t we built yet?

Food for thought.

Hey Jedi, I’m hanging out tomorrow with the wonderful folks at Strata to talk identity, AND try to pick some locks. Come hang out and join the fun!