What does this mean for organizational structures? Do organizations NOW need a ‘Head of Digital Identity’?
The US National Institute of Standards and Technology (NIST) has been publishing the “Digital Authentication Guidelines” since 2006. It contains both advisory and mandatory guidelines for US federal agencies, and serves as an important point of reference for all of us in the industry.
This week, NIST published an updated version now entitled “Digital Identity Guidelines” (PDF here).
The change in the title signals the crucial role of identity in IT security.
The guidelines are now focused on the lifecycle of an identity, rather than purely on authentication – from the acquisition of an identity by an applicant, through the authentication process, and on to the use of the so-obtained credentials in federated systems.
Recently we have been having more and more conversations with customers about a new position in the organizational chart: Head of Secure Identity, and it is gathering momentum.
At Oxford Computer Group we visualize these overlaps like this: Security, Operations and Governance all overlap with and interact with each other. What they all have in common is Identity.
In the past, organizational management of IT departments has often been split into various areas.
- The service desk drives operational management: creating accounts and granting access.
- The core infrastructure team runs basic services like file and print, along with core directory services like Active Directory and its various federation and integration endpoints.
- The networking group handles perimeter security (firewall/VPN/MFA systems), and manages the publication platforms (VDI, app publication).
- IT Operations run the infrastructure, both on the client- and server-side, which involves various aspects of identity – they will also influence policies and decisions made by development teams.
- The Governance/Audit team set and check policies in collaboration with the other areas, but usually without great involvement in the technical details.
This role distribution varies between organizations, but the pattern is very common. The heads of these functions clearly meet and talk, but the main thing is that it is not common for Secure Identity (or Digital Identity, if you prefer) to be called out as a central topic for discussion at that level.
THE BIRTH OF THE SECURE IDENTITY TEAM
Increasingly, organizations are seeing the need to focus more directly on the specifics of the management and technical security of identities, whether they are human or machine identities. The need for a core ‘Secure Identity’ team, where the various elements of identity are managed and directed is now being recognized. Such a team will consider: identity policies, management processes, central identity services (like account name generation, core directory services, federation services), and additional identity services, like certificate management, smartcard management, and multi-factor authentication.
A secure identity team bridges the divide between operations, governance and security, and aims to increase the overall trustworthiness of identities and their privileges, and improve overall security, while maintaining availability and usability. Progressive improvements in security require progressive technical measures – such as the banishment of insecure protocols (like LDAP, NTLM2) – but there are still legacy applications and platforms in enterprises which require such protocols.
A secure identity team can guide and approve procurement and development decisions to ensure that insecure or legacy approaches to identity and access are efficiently and effectively phased out.
The Head of Secure Identity can report to the CSO/CISO, reporting in to operations management, although the Operations/Security split means that the role can could sit as comfortably with Operations, reporting in to Security.
In summary, the role of Head of Secure Identity recognizes that identity is a core element in both operations and security. It helps with consistent decision-making in the continuous improvement of security and operational efficiency.
Secure identity is, and always has been, our core business. If your organization would value some guidance on how to unify identity and security, then consider an Oxford Computer Group Envisioning Workshop.