The biggest IAM struggles today are strategic. Organizations routinely skip and step and fail to think through all of the implications of an IAM strategy. This was made clear in many sessions at the recent Gartner Identity & Access Management Summit.
The Summit, arguably the most comprehensive IAM gathering in the U.S., involves more than 50,000 CISOs, CIOs, senior IT and business executives from every continent. Edgile Managing Partner Lawrence Wolf presented at the event and he argued that IT and security leaders need to think far more practically and comprehensively about IAM as enterprises migrate to the cloud.
Many enterprise CISOs, for example, have extensive strategies. But when questioned about the particulars, it becomes clear that while some of it is written down, a lot of it only exists in the minds of key executives. The lack of complete documentation often leaves companies in a poor position to sufficiently automate cloud operations.
Maintaining cloud compliance forces executives to deal with product selections. But the on-premises approach to product choice—looking primarily at features and functionality—doesn't work as well in the cloud, which requires a focus on the proper skills and training of personnel, as well as an understanding of the different ways products function in a hybrid cloud environment.
The fact that cloud environments are actively managed by cloud providers means that the environments are constantly changing. resulting in many enterprises having far more cloud apps than they realize. Cloud apps are routinely activating new products making it difficult for CISOs to know what all these products are supposed to do. The question is, how are these multiplying apps being kept compliant?
From an IT and security perspective, enterprises today are getting increasingly complex. Compliance demands and requirements are also expanding and changing with every vertical or geographic move the company makes. This forces some critical triage decisions, as few companies can cost-justify focusing on every single security area.
The result is companies tend to be very security- and compliance-mature in some areas, while weaker in others. That's perfectly OK, as long as a company is strong in the areas most critical to its business values.