Assess and Govern Identity Security

Strong identity security and governance are the keys to the zero-trust future.

  • Many security leaders are struggling to meet the recommendations of internal and external parties when it comes to identity and access management.
  • A lot of identity and access management processes are known to be inefficient, and many known solutions are difficult to implement.

Our Advice

Critical Insight

  • Building an identity security architecture is a high-value initiative that will drive the modernization of identity security.

Impact and Result

  • Develop a common terminology and understanding of identity concepts.
  • Identify the roles and responsibilities within your organization for the governance of identity security.
  • Inventory your identity types, repositories, threats, and mitigations.
  • Develop an identity security architecture to understand and mitigate weaknesses.

Assess and Govern Identity Security Research & Tools

1. Assess and Govern Identity Security Deck – A step-by-step document that walks you through how to properly inventory your identity types, repositories, threats, and mitigations.

Use this storyboard to learn how to assign identity security roles and responsibilities, inventory your identity types and repositories, assess your identity security threats and mitigations, and build an identity security architecture.

2. Identity Security RACI Chart – A best-of-breed template to help you document roles and responsibilities related to identity security.

Use this tool to document your roles and responsibilities related to identity security.

3. Identity Security Architecture Tool – A structured tool to help you inventory identity types, threats, and mitigations using the MITRE ATT&CK® framework.

Use this tool to:

  • Inventory your identity types and repositories.
  • Assess your identity security threats and mitigations using the MITRE ATT&CK® framework.
  • Build an identity security architecture.

Assess and Govern Identity Security

Strong identity security and governance are the keys to the zero-trust future.

Analyst Perspective

Effectively securing all managed identities

To ensure a significant improvement in identity security, organizations must be willing to take a step back and understand where the vulnerabilities lie and identify the threats that may take advantage of them.

Every organization likely juggles many different identity types. This results in a complex system of identity storage, ownership, and security requirements. The first step to improving anything related to identity security will be to fully understand all the different identities that exist, where they exist, who owns related processes, and what threats exist that might take advantage of a managed identity.

Only when an organization has successfully catalogued the information necessary to secure all their identities can they build an identity security architecture that describes an approach to identity security befitting the modern era.


Ian Mulholland
Research Director, Security, Risk, and Compliance Info-Tech Research Group

Executive Summary

Your Challenge

  • Many security leaders are struggling to meet the recommendations of internal and external parties when it comes to identity and access management.
  • A lot of identity and access management processes are known to be inefficient, and many known solutions are difficult to implement.

Common Obstacles

Improving identity security can be challenging:

  • For most organizations, identity and access management has been allowed to grow organically, and it has become inflexible and difficult to control.
  • In most cases, the number of identities and the items they access has increased with each passing year, necessitating more scalable processes and technology.

Info-Tech's Approach

Info-Tech has developed an effective approach to building an identity security architecture.

This unique approach includes tools for:

  • Establishing governance for identity security.
  • Creating an identity inventory.
  • Modeling identity-based threats.
  • Building an identity security architecture.

Info-Tech Insight

Building an identity security architecture is a high-value initiative that will drive the modernization of identity security.

Identity management and proper credential management are critical security factors

Key Findings:

+450%
Increase in Username/Password Breaches

Breaches containing usernames and passwords increased by 450% in 2020, totaling 1.48 billion breached records.

$8.64 Million
The Average Cost of a Breach in the US

The average cost of a breach in the US was the highest in the world at $8.64 million, up 5% from the previous year.

2X
The Amount of Time Spent Online

The amount of time people spent online more than doubled in 2020, totaling more than seven hours per person per day.

Source: ForgeRock

In 2020 the world saw a massive digital migration. However, the migration has not come with a secure transition. For the third year in a row, identity security has been one of the weakest links in any security program. The move to remote work has significantly contributed to increases in stolen data.

Weak identity controls have continually given bad actors an easy path to gaining access to enterprise data. Identity and access management practices have been a weak point for many organizations. Find out how to best manage and govern your identities with an identity-centric approach to your security program.

The average cost and frequency of malicious data breaches by root-cause vector

This image contains a graph that shows the total cost of a number of different types of data breaches.

Compromised credentials is an expensive and common threat vector

Of the ten initial threat vectors in malicious breaches represented in a report by IBM, compromised credentials was the most frequently reoccurring attack vector, accounting for 20% of all malicious breaches.

Proper inventory of identities and their respective repositories is critical to ensuring the security of credentials and any of the access they may pertain to.

Preparing yourself properly can save you costs and headaches

Stolen or compromised credentials was one of the most expensive causes of malicious data breaches, according to a 2021 report conducted by IBM.

Unified endpoint management (UEM) and identity and access management (IAM) products and services can give security teams an edge by providing insight and deeper visibility into the internal network and potential suspicious activity.

20%
Of all breaches are through compromised credentials.

$5.33 million
Was the average total cost of a breach at enterprises of more than 25,000 employees, compared to $2.98 million for organizations with under 500 employees.

Identity Security & Governance Framework for Security Leaders

Security leaders view modernizing identity security as too big of a challenge and prefer to focus on narrower challenges that seem easily solvable using tools such as SSO/MFA/PAM. However, this limited focus is reactive rather than proactive and may end up being more expensive in the long run. Building an identity security architecture is a high-value initiative that will drive the modernization of identity security.

This picture contains the eight step identity security and governance framework for security leaders.

Info-Tech’s methodology to Assess and Govern Identity Security

Phase 1: Establish Identity Security Governance
Phase Steps
  1. Adopt a Standard Identity Taxonomy
  2. Establish Roles and Responsibilities Over Identity Security
Phase Outcomes
  • Identity Security RACI Chart

Phase 2: Assess and Mitigate Identity Threats
Phase Steps
  1. Create an Identity Inventory
  2. Assess Identity-Based Threats and Mitigations
  3. Build the Identity Security Architecture
Phase Outcomes
  • Identity Inventory
  • Assessment of Identity-Based Threats and Mitigations
  • Identity Security Architecture

    Insight summary

    Overarching insight

    Security leaders view modernizing identity security as too big of a challenge and prefer to focus on narrower challenges that seem easily solvable using tools such as single sign-on, multifactor authentication, or privileged access management. However, this limited focus is reactive rather than proactive, and it may end up being more expensive in the long run. Building an identity security architecture is a high-value initiative that will drive the modernization of identity security.

    Phase 1 Insights

    • People using different taxonomies can create conflicts. Use any existing conflicts in understanding as an education opportunity once standard definitions are set.
    • Work with other identity owners to ensure governance is clearly defined before making any large changes.

    Tactical insight

    To some extent, your identity processes are working, or else the business would not be able to function – your processes may just have more risk or cause more disruption than you would like. Use what exists today as a starting point instead of starting from scratch.

    Phase 2 insight

    Understanding the current and future threats to your identity program will be critical to modernizing your identity security. Use a structured approach to ensure you identify all identity-based threats that pose a risk for your organization.

    Tactical insight

    Modernization starts with understanding legacy components.

    Use Info-Tech’s blueprint to know how prepared you are for every threat vector

    IT Benefits

    • IT can determine the capabilities of its current security structure to deal with various attack vectors.
    • IT will no longer have to disallow certain applications and services because they are cloud based.
    • Analysis and threat modeling are no longer a matter of guessing what the most pressing concerns are. Know your vulnerabilities, then remediate and plan proactively instead of reactively.

    Business Benefits

    • Line-of-business managers can understand which areas need improvement and which can be deprioritized.
    • Gain an in-depth understanding of the management aspects of security and threat vectors and techniques.
    • Know which mitigative and detective measures should be implemented to best protect your environment without additional guesswork.

    Use Info-Tech’s blueprint to improve enterprise security posture

    Threat preparedness can be used to effectively evaluate:

    Organizational preparedness
    Expose operational weak points and transition teams from a reactive approach to a more proactive security program.

    Enhanced threat detection, prevention, analysis, and response
    Enhance the collaboration and use of your security investments through the simulated evaluation of your threat collaboration environment.

    Improve return on security investment
    Evaluate core staff on their use of process and technology to defend the organization.

    Identify blind spots and opportunities for continuous improvement
    Provide increased visibility into current performance levels, and accurately identify opportunities for continuous improvement with a holistic measurement program.

    Iterative benefit

    Over time, experience incremental value from knowing the attack vectors through which you can be attacked. Through continual updates your security protocols will evolve with less associated effort, time, and costs.

    Short-term benefits

    • Ensure organizational preparedness.
    • Identify effectiveness of the overall security program.
    • Streamline the security management program.
    • Identify people, process, and technology gaps.

    Long-term benefits

    • Reduce incident costs and remediation time.
    • Increase operational collaboration between prevention, detection, analysis, and response efforts.
    • Enhance security posture.
    • Improve communication with executives about relevant security risks to the business.
    • Preserve reputation and brand equity.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.

    Guided Implementation

    Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.

    Workshop

    We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.

    Consulting

    Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.

    Diagnostics and consistent frameworks are used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1:
    Establish Identity Governance

    Call #1: Scope requirements, objectives, and your specific challenges.

    Call #2: Build an identity security RACI chart.

    Phase 2:
    Assess and Mitigate Identity Threats

    Call #3: Identify and record existing identity types.

    Call #4: Assess identity-based threats and mitigations.

    Call #5: Create the identity security architecture.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
    A typical GI is between 1 and 5 calls over the course of 1 to 5 months.

    Workshop Overview


    Contact your account representative for more information. workshops@infotech.com 1-888-670-8889

    Day 1: Establish Identity Governance
    Activities
      1.1 Adopt a standard identity taxonomy.
      1.2 Identify the tasks for your identity security project.
      1.3 Allocate responsibility and ownership for each task in a RACI chart.
      1.4 Analyze your RACI chart.
    Deliverables
      1. Identity taxonomy
      2. Identity security RACI chart

    Day 2: Assess and Mitigate Identity Threats
    Activities
      2.1 Document identity repositories.
      2.2 Inventory your identity types.
      2.3 Review and assess identity-based MITRE ATT&CK® threats.
      2.4 Review and assess identity-based MITRE ATT&CK® mitigations.

    Day 3: Assess and Mitigate Identity Threats
    Activities
      3.1 Complete in-progress deliverables from previous two days.
      3.2 Set up review time for workshop deliverables and to discuss next steps.
    Deliverables (Days 2 and 3)
      1. Identity inventory
      2. Identity-based threat and mitigation assessment using the MITRE ATT&CK® framework
      3. Identity security architecture with prioritized controls

    Executive Brief Case Study

    Industry: Advisory Services

    Source: Cloud Security Alliance

    Deloitte

    Deloitte experienced a major data breach on September 25, 2017, in part due to weak identity, credential, and access management. The breach was a direct result of a poorly secured administrative email account the attacker used to achieve privileged unrestricted access to all areas of the company.
    The account only had a single password, with no multifactor or additional verification processes. Even more concerning was that the attacker had access to the account for over a year without being detected, allowing them to store and monitor all emails that moved in and out of the company. Sensitive information, personally identifying information (PII), usernames, passwords, IP addresses, and architectural diagrams were all accessed, including the personal data of blue-chip clients.

    Key Takeaways

    1. Secure accounts, including two-factor authentication and limiting the use of root accounts.
    2. Practice the strictest identity and access controls for cloud users and identities.
    3. Segregate and segment accounts, virtual private clouds (VPCs), and identity groups based on business needs and the principle of least privilege.
    4. Rotate keys, remove unused credentials or access privileges, and employ central, programmatic key management.

    Impact Statement for Deloitte

    Security incidents and data breaches can occur due to the following:

    • Inadequate protection of credentials
    • Lack of regular, automated rotation of cryptographic keys, passwords, and certificates
    • Lack of scalable identity, credentials, and access management systems
    • Failure to use multifactor authentication
    • Failure to use strong passwords

    Malicious actors masquerading as legitimate users, operators, or developers can:

    • Read, exfiltrate, modify, or delete data
    • Issue control plane and management functions
    • Snoop on data in transit
    • Release malicious software that appears to originate from a legitimate source

    Phase 1

    Establish Identity Governance

    Phase 1
      1.1 Adopt a Standard Identity Taxonomy
      1.2 Establish Roles and Responsibilities for Identity Security
    Phase 2
      2.1 Create an Identity Inventory
      2.2 Assess Identity-Based Threats and Mitigations
      2.3 Build the Identity Security Architecture

    This phase will walk you through the following activities:

    • Adopting a standard taxonomy to understand and discuss identity-related security risks.
    • Establishing roles and responsibilities for identity governance and security.

    This phase involves the following participants:

    • Security team
    • IT leadership
    • Business stakeholders
    • Legal
    • Human resources

    Assess and Govern Identity Security

    1.1 Adopt a standard identity taxonomy

    Estimated Time: 30 minutes

    1.1.1 Review Info-Tech identity taxonomy: Review the terms and definitions related to identity security on the following slide.
    1.1.2 Customize as required: As a group, discuss each term and its related definition. Modify the definitions as required to fit within your organization. The goal should be to arrive at a common taxonomy for identity security.

    Input

    • Current taxonomies
    • Identity architecture material

    Output

    • Common, shared understanding of identity security terms and definitions

    Materials

    • Taxonomy slide

    Participants

    • Security team
    • IT leadership
    • Business stakeholders
    • Legal
    • Human resources

    1.1 Identity concepts and definitions

    A common identity taxonomy can foster mutual understanding

    This image contains definitions for common identity terms and how they relate to each other. The terms included are: Natural Person; Personal Identity; Persona; Digital Persona; Digital Identity; Identity Proofing; Account; Identity Mapping; Authentication; Authorization; and Machine.

    1.2 Establish roles and responsibilities for identity security

    Estimated Time: 1-2 hours

    1.2.1 List the tasks for your project: Begin building the RACI chart by defining a list of project tasks. Organize tasks into the following four categories: plan, execute, monitor, and measure. List tasks along the side of your RACI chart as row headers.

    1.2.2 Allocate responsibility and ownership for each task: For each task in your RACI chart, determine which stakeholder groups are accountable (A), responsible (R), consulted (C), and/or informed (I). Stakeholder groups should be listed along the top of your RACI chart as column headers.

    1.2.3 Analyze your RACI chart: To ensure you have a strong allocation of roles, watch out for common errors and red flags when building the RACI chart. These can include having too many people responsible for a task or not having assigned an accountable person/group. These are defined in more detail in a later slide.

    Download the Identity Security RACI Chart Tool

    Input

    • List of tasks that must be completed as part of the identity security project
    • List of stakeholder groups that will be involved in some capacity with the identity security project

    Output

    • A RACI chart that defines roles for stakeholder groups executing tasks for the identity security project

    Materials

    • Laptop
    • Identity Security RACI Chart Tool

    Participants

    • Security team
    • IT leadership
    • Business stakeholders
    • Legal
    • Human resources

    1.2.1 List the tasks for your project

    To begin building the RACI chart for your identity security project, list out the project’s required tasks. Organize these tasks into four categories: plan, execute, monitor, and measure. To assist with the development of this task list, consider the sample tasks listed below:

    PLAN

    • Adopt a common identity security taxonomy.
    • Build an identity and access management policy.
    • Establish identity governance objectives.
    • Inventory identities and assign data owners.
    • Model identity-based threats.
    • Identify identity security control requirements.
    • Develop the identity security architecture.
    • Define separation-of-duties constraints.
    • Define authorization requirements and ensure systems support those requirements.

    EXECUTE

    • Create accounts with access that follows the principle of least privilege.
    • Deprovision accounts.
    • Track policy exceptions when assigning access.

    MONITOR

    • Monitor access requests (cloud access security broker/security information and event management).
    • Report violations of policy or process.
    • Review/audit access privileges to prevent privilege creep.

    MEASURE

    • Build a business case for architecture technology components.
    • Measure efficiency and effectiveness of identity security processes.

    If you are using Info-Tech’s Identity Security RACI Chart tool, enter your list of tasks into Column B of tab 2, Smart RACI Chart.

    1.2.2 Allocate responsibility and ownership for each task

    For each task in your RACI chart, determine which stakeholder groups are accountable, responsible, consulted, and/or informed. Each task should have one and only one person/group held accountable and at least one person/group given responsibility. The number of consulted and informed people/groups will differ for each organization.

    Responsible (R): The person(s) who does the work to accomplish the activity; they have been tasked with completing the activity and/or getting a decision made.

    Accountable (A): The person(s) who is accountable for the completion of the activity. Ideally, this is a single person and is often an executive or program sponsor.

    Consulted (C): The person(s) who provides information. This is usually several people, typically called subject matter experts (SMEs).

    Informed (I): The person(s) who is updated on progress. These are resources who are affected by the outcome of the activities and need to be kept up to date.

    Sample RACI chart. Column groups: Senior Management (Board of Directors, CIO); Security and IAM (CISO or Director of Security, Security/IAM Systems Architect, Security/IAM Engineer, Security/IAM Analyst, Security/IAM Administrator); The Business (Privacy Personnel, Identity Owners, Finance, Human Resources, Legal).

    Plan task                                                           | Board | CIO | CISO/Dir. | Architect | Engineer | Analyst | Admin | Privacy | Identity Owners | Finance | HR | Legal
    Adopt a common taxonomy for securing identities at the organization | I     | A   | R         | C         | R        | C       | -     | -       | I               | -       | I  | -
    Build and maintain an identity and access management policy         | I     | I   | A         | C         | C        | R       | R     | -       | I               | -       | I  | I
    Establish identity governance objectives                            | A     | R   | R         | R         | R        | R       | R     | -       | I               | -       | I  | -
    Inventory identities and assign data owners                         | I     | C   | R/A       | R         | R        | R       | C     | -       | C               | -       | C  | -

    If you are using Info-Tech’s Identity Security RACI Chart tool, complete the table on tab 2, Smart RACI Chart.
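Step 1.2.3 asks you to check the finished chart for red flags: a task with no accountable party, more than one accountable party, no responsible party, or too many responsible parties. The checker below is an added example written for this page; it is not part of Info-Tech's Identity Security RACI Chart Tool. It loads the four Plan rows from the sample chart above exactly as printed, adds two constructed rows that break the rules, and reports the findings. The "too many responsible" threshold is an assumption (the blueprint gives no number), so it is a parameter.

```python
"""RACI chart red-flag checker (added example, not Info-Tech's tool).

Rules implemented, from step 1.2.2/1.2.3: exactly one accountable (A) party
per task, at least one responsible (R) party, and not "too many" R parties.
A cell such as "R/A" means the stakeholder holds both roles.
"""

# Column headers in the order used by the sample chart on this page.
STAKEHOLDERS = [
    "Board of Directors", "CIO", "CISO or Director of Security",
    "Security/IAM Systems Architect", "Security/IAM Engineer",
    "Security/IAM Analyst", "Security/IAM Administrator",
    "Privacy Personnel", "Identity Owners", "Finance", "Human Resources", "Legal",
]

# The four Plan rows from the sample chart, copied as printed.
SAMPLE_CHART = {
    "Adopt a common taxonomy for securing identities at the organization": "I A R C R C - - I - I -",
    "Build and maintain an identity and access management policy": "I I A C C R R - I - I I",
    "Establish identity governance objectives": "A R R R R R R - I - I -",
    "Inventory identities and assign data owners": "I C R/A R R R C - C - C -",
}

# Constructed rows (not from the blueprint) that each break two rules.
BAD_CHART = {
    "Model identity-based threats": "I I R R R R R R R R R R",          # no A; ten R's
    "Define separation-of-duties constraints": "A A C C I I I - - - - -",  # two A's; no R
}

# Assumption: the blueprint names "too many responsible" as a red flag but
# gives no number. Six keeps the sample chart clean (its widest row has six R's).
MAX_RESPONSIBLE = 6


def parse_row(cells: str) -> dict[str, set[str]]:
    """Map each stakeholder to the set of RACI letters it holds ("-" means none)."""
    parts = cells.split()
    if len(parts) != len(STAKEHOLDERS):
        raise ValueError(f"expected {len(STAKEHOLDERS)} cells, got {len(parts)}")
    roles = {}
    for who, cell in zip(STAKEHOLDERS, parts):
        letters = set(cell.upper().split("/")) - {"-"}
        unknown = letters - {"R", "A", "C", "I"}
        if unknown:
            raise ValueError(f"unknown RACI code {sorted(unknown)} for {who}")
        roles[who] = letters
    return roles


def check_task(task: str, cells: str, max_responsible: int = MAX_RESPONSIBLE) -> list[str]:
    """Return the red flags for one task; an empty list means the row is clean."""
    roles = parse_row(cells)
    accountable = [who for who, r in roles.items() if "A" in r]
    responsible = [who for who, r in roles.items() if "R" in r]
    findings = []
    if not accountable:
        findings.append(f"{task}: no accountable party")
    elif len(accountable) > 1:
        findings.append(f"{task}: {len(accountable)} accountable parties ({', '.join(accountable)})")
    if not responsible:
        findings.append(f"{task}: no responsible party")
    elif len(responsible) > max_responsible:
        findings.append(f"{task}: {len(responsible)} responsible parties (limit {max_responsible})")
    return findings


def check_chart(chart: dict[str, str], max_responsible: int = MAX_RESPONSIBLE) -> list[str]:
    """Run check_task over every row of a chart and collect all findings."""
    findings = []
    for task, cells in chart.items():
        findings.extend(check_task(task, cells, max_responsible))
    return findings


if __name__ == "__main__":
    for name, chart in (("sample", SAMPLE_CHART), ("constructed", BAD_CHART)):
        for line in check_chart(chart) or [f"{name} chart: no red flags"]:
            print(line)
```

Run it as-is to see the sample chart pass and the two constructed rows produce four findings. Lowering `max_responsible` below six flags the "Establish identity governance objectives" row, which is a reasonable conversation to have with the stakeholder groups when you analyze your own chart.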

    Strong identity security and governance are the keys to the zero-trust future.

    About Info-Tech

    Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

    We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

    What Is a Blueprint?

    A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

    Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

    Need Extra Help?
    Speak With An Analyst

    Get the help you need in this 2-phase advisory process. You'll receive 5 touchpoints with our researchers, all included in your membership.

    Guided Implementation 1: Establish identity governance
    • Call 1: Scope requirements, objectives, and your specific challenges.
    • Call 2: Build an identity security RACI chart.

    Guided Implementation 2: Assess and mitigate identity threats
    • Call 1: Identify and record existing identity types.
    • Call 2: Assess identity-based threats and mitigations.
    • Call 3: Create the identity security architecture.

    Authors

    Kate Wood

    Ian Mulholland

    Contributors

    • Brian Michell, Chief Information Officer, Effort Trust
    • Marc Mazur, Senior Consultant, KPMG
    • Mark Galloway, Associate Partner, IAMConcepts Security Solutions Inc.
    • Fabrizio Ienna, IAM Solutioning Project Manager, IAMConcepts Security Solutions Inc.
    • Don Davidson, Enterprise Security Architect, Canada Life
    • Luc Gagne, Senior Vice President, IAMConcepts Security Solutions Inc.
    • Eric Galis, VP Compliance and Security, Cengage
    • Keith Scarbeau, Cyber Security Architect, St. Luke's Health System Ltd.
    • Ron Pirau, Chief Information Officer, Archdiocese of Indianapolis
    • Sumit Jain, Chief Information Security Officer, Louisiana State University
    • Raj Sookha, Manager IT Architecture, Toronto Community Housing