Identity Is a Co-owned Problem Between Security and IT

Hannah Young

March 31, 2023

5 min read

Who owns identity at your organization?

Identity is currently seen as an IT problem in most organizations. IT owns most of the identity stack (e.g., Okta, SailPoint, etc.), and security usually has a subteam that interfaces with IT, which can lead to a disjointed identity management process. For example, security can get hit with compliance needs about identity (user access reviews, access/privacy controls, separation of duties, etc.). However, because IT usually owns the tooling, security often gets insufficient access — and sometimes only gets the logs that are shipped to their SIEM tools (e.g., Okta system logs are shipped to Splunk and then security has to make sense of them) — making it difficult to approach identity compliance in a cohesive and effective manner.

Security’s main way of addressing identity today is essentially asking IT for help: “can you grant me this access for compliance,” “can you implement this type of policy (e.g., only SWEs get GitHub),” “can you help roll out this tech (e.g., SSO, 2FA)?”

So who should own ‘the identity problem’?

Identity is (and should be treated as) a co-owned problem between security and IT because both departments have a vested interest in ensuring that user identities are effectively managed and secured. They are both crucial members of the identity team, and any identity management solutions must involve both as equal members lest they be incomplete and shortsighted.

ChatGPT screenshot. I say “which department is responsible for identity management, IT or security?” ChatGPT says “Identity management typically falls under the purview of both IT and security departments, as it involves ensuring that the right people have access to the right resources at the right time.”
Even purveyor of truth, ChatGPT, knows!

This is easier said than done because, oftentimes, security and IT have other interests that are at odds. While IT typically owns the tools and processes for managing user identities, security is responsible for ensuring that those identities are properly secured and that, ideally, access is only granted on a need-to-know basis.

For example, IT typically wants to give as many people access as possible to reduce ticket load. In contrast, security wants to limit access in order to keep their organization as secure as possible. While, theoretically, your organization is at its safest when users only have as much access as they need and nothing more (a concept we expand on here), that can be a logistical nightmare for IT, who has to keep granting that access.

Image by xkcd

In order for both departments to work effectively together, they need to collaborate closely and communicate their priorities. This might involve setting up regular meetings or working groups to help IT better understand security’s concerns or vice versa.

For instance, many IT folks want to be more security-aware and knowledgeable. Still, they may find it unapproachable, so security could set up meetings, workshops, or coaching to help IT develop a security lens. Conversely, a lot of security folks want to empower the business while doing their jobs, so it could be helpful for them to gain empathy and understanding of what the IT workload at their company looks like — through something like rotational programs, a fresh perspective could help them collaborate with IT to build a system that meets both of their needs.

I say “can you show me a funny comic about identity.” ChatGPT says “I can describe a funny scenario related to identity: Two people meet at a party and strike up a convo. One person asks, “So, what do you do?” The other person responds, “Well, I’m a software engineer by day, but at night I’m a pro wrestler.” The first person looks surprised, “Really? How do you keep your identities separate?” The wrestler responds with a grin, “Simple. By wearing a mask during the day and a hoodie at night!”
Writing articles about identity with humor is hard!

Ultimately, the goal should be to create a shared understanding of what “identity” means within their organization’s context and to work together to create a system that meets both departments’ needs. One place to start is with an agreement between IT and security on what they care about and what certain terms mean (e.g., Are someone’s SSH keys part of Problem A? Is HR the complete source of truth, or is some information in HR and some in your IdP?).

The trickiest term here is “identity” itself. You can use it to mean machine or human identity; identity can mean the way that you authenticate and sign on to SaaS, or it can mean the email and profile data (job title, manager, location, etc.) that constitutes a person, or the credentials you use for getting access to infra.

DALL-E 2 screenshot. Me asking it to show me a funny comic about identity in cybersecurity. It shows me a nonsensical conglomeration of comics with fake words like “Iste motelty.”
Not exactly the solution I was looking for, but if I was a Sim, I just know that I would find this comic HILARIOUS

Identity information is often fragmented: across different SaaS apps (like Notion vs. Slack), across infra (e.g., SSH keys), across IdP (which you may have multiple of), and across HR (e.g., your BambooHR profile). As a result, it’s hard to say what’s “true” if any of those sources of identity conflict, and it can get weirder if certain pieces of information are true in one place, and others are true in another. For instance, your legal first name in HR might differ from your preferred first name in Slack, and your job title might be different in Okta (e.g., Software Engineer II) than in Google (e.g., Software Engineer).
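The practical upshot of the fragmentation described above (and of the IT/security agreement on sources of truth mentioned earlier) is that each attribute needs an explicitly agreed authoritative source, with disagreements surfaced rather than silently overwritten. The following is an added illustration, not Crosswire code or a real connector: the source names, the sample records and the per-attribute authority map are all constructed for the example.

```python
# Added example: reconcile one person's identity attributes from several
# (constructed) sources using an explicit per-attribute source of truth.
from dataclasses import dataclass, field

# Constructed sample records for one employee, as seen by HR, IdP, chat and email.
# Note the deliberate disagreements: legal vs. preferred name, "II" vs. no "II".
SOURCES = {
    "bamboohr": {"legal_name": "Jonathan Doe", "title": "Software Engineer II",
                 "manager": "a.smith", "email": "jdoe@example.com"},
    "okta":     {"title": "Software Engineer II", "manager": "a.smith",
                 "email": "jdoe@example.com", "login": "jdoe"},
    "slack":    {"preferred_name": "Jon Doe", "title": "Software Engineer",
                 "email": "jdoe@example.com"},
    "google":   {"title": "Software Engineer", "email": "jdoe@example.com"},
}

# The IT/security agreement: which source is authoritative for each attribute.
# Each list is a precedence order; later entries are fallbacks if the first
# source does not carry the attribute. Attributes absent here are unowned.
AUTHORITY = {
    "legal_name":     ["bamboohr"],
    "preferred_name": ["slack", "okta"],
    "title":          ["bamboohr", "okta"],
    "manager":        ["bamboohr", "okta"],
    "email":          ["okta", "google"],
}

@dataclass
class Reconciled:
    attributes: dict = field(default_factory=dict)  # attr -> agreed value
    conflicts: list = field(default_factory=list)   # (attr, {source: value})
    unknown: list = field(default_factory=list)     # attrs with no agreed owner

def reconcile(sources, authority):
    """Pick each attribute from its agreed source; record every disagreement
    and every attribute nobody has claimed, so the gaps become visible work
    items for IT and security instead of silent drift."""
    result = Reconciled()
    seen = {attr for rec in sources.values() for attr in rec}
    for attr in sorted(seen):
        values = {src: rec[attr] for src, rec in sources.items() if attr in rec}
        chain = authority.get(attr, [])
        chosen = next((values[s] for s in chain if s in values), None)
        if chosen is None:                 # unowned, or owner lacks the value
            result.unknown.append(attr)
            continue
        result.attributes[attr] = chosen
        if len(set(values.values())) > 1:  # some source disagrees with the owner
            result.conflicts.append((attr, values))
    return result
```

Run on the sample data, the title conflict is reported (HR/Okta say "Software Engineer II", Slack/Google say "Software Engineer") while the agreed HR value wins, and `login` is flagged as an attribute the agreement never assigned an owner for.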

Because there’s likely no single place this information lives, one way to mend this fragmentation is through products that not only manage access but also combine IT and security interests in regard to identity. Identity and access management (IAM) solutions do exactly what they sound like they do: they help you manage user identities and who has access to what resources in your organization (AKA security authorization as opposed to authentication). Where many IAM products are more IT-focused or more security-focused, modern identity solutions like Crosswire recognize that identity is a co-owned problem and approach it as such.

For example, Crosswire gathers permissions across different enterprise applications to implement rule-based access without human intervention. It automatically provisions access and identifies anomalies, providing the IT infrastructure to manage authorization at scale. On the other hand, Crosswire also uses GPT-4 to analyze access to high-risk apps in Okta, matching app assignments to employee job responsibilities and then applying auto-remediation from step-up 2FA to manager approval at SAML sign-in time, neutralizing pass-the-cookie attacks for security.

To stay up to date with Crosswire on all things identity and infosec — trainings, webinars, blog posts, and more — come see us at Booth 21 at RSAC 2023 and sign up to receive our updates below!
