Brush-your-teeth Hygiene for Identity and Access Management

A few years ago, a dear colleague and I were talking about how many identity and access management (IAM) challenges are tied to basic hygiene, when our conversation evolved into an analogy about the importance of brushing your teeth. 

Now, neither of us is a dentist, so don’t take this as oral hygiene advice, but hear me out.

Maybe you already know that your oral health can offer clues about your overall health; or that problems in your mouth can affect the rest of your body. Let’s say you don’t brush your teeth for a day or two. While we certainly wouldn’t recommend this, it might just result in some bad breath and a general feeling of yuckiness in your mouth. 

Now, what happens when you don’t brush your teeth for a week? Accumulation of plaque becomes thicker and your mouth starts to smell. Don’t brush your teeth for a month? Serious changes will start taking shape. Think gingivitis, sensitivity, and redness. A whole year without brushing your teeth? Oh my! Severe damage ensues. As a gateway into the body, poor oral hygiene can leave you at risk for much bigger concerns like heart disease, dementia, diabetes, pregnancy complications, or oral cancer. Yikes!

Brushing your teeth twice daily is ongoing, proactive maintenance that can keep you looking and feeling your best — from mouth, to body, to mind.

So let’s compare this with the basic hygiene aspects of IAM. Do you know your source identity data? Are you validating that data quality is adhered to from upstream systems? If not, perhaps you have bad breath, but a quick swig of mouthwash will take care of that! Cue the massaging of data in downstream systems. Maybe you’re short-staffed or don’t have enough influence to make changes upstream. Another month of mouthwash can’t hurt, right? Well, if you have bad data coming in and teams manually fixing that data rather than disallowing unclean data, you’re leaving yourself prone to errors and a poor end user experience. 

A year of this, with teams doing manual workarounds for what should be automated and the basics of data quality being overlooked, and you’ll likely end up with issues that permeate throughout your organization. Just like ignoring oral hygiene can lead to full-body deterioration, you might see multiple data systems infected with bad data, and it will be tough to pass audits without burdensome manual work. 

What can we do to correct these habits? Unfortunately, reversing the effects of poor hygiene — whether dental or data — isn’t as simple as picking up a toothbrush. Perhaps if it’s only been a few days of bad breath, but months of gingivitis? A year of not brushing your teeth? If you don’t already have an excellent immune system, you’re likely facing tooth and jaw loss, which can mean major surgery. Can you untangle multiple data systems and identify IAM attributes and workflows that need to be corrected? Sure, but you will need executive support to prioritize this, while keeping the company running and the people productive and able to log in and access resources. This too is like major surgery for the identity data systems. 

This brings us back to the need to be proactive. Instead of putting it off and reaching for the mouthwash, some simple IAM best practices can help prevent downstream buildup of bad data and manual workarounds. Don’t feel daunted by the basics; nail the basics! Make them a non-negotiable part of any IAM implementation or improvement, just like brushing your teeth.

It’s paramount to always trace things back to a single source of truth, to disallow back-door and side-door data modifications, to establish proper data governance and stewardship, to ensure organizational processes are biased towards clean data, to prevent privileges from piling up, and to perform regular reviews of policies and permissions so that data hygiene is maintained. All of these are instrumental in mastering the foundations and nailing the basics. The bar keeps getting raised in cyber security, and the basics must keep up.

In particular, pay close attention to overall process maturity at the organizational level with an eye towards proper data ownership and custodianship. Do all enterprise identity processes (from HR to IAM data aggregators, to enterprise data hubs, to target endpoints) have owners defined, with clear owner roles and responsibilities articulated and well understood? Does all identity data have a single source with no conflicts with other enrichment data sources? Are applications making local copies of identity repositories that could get out-of-date, cause compliance issues or create vulnerabilities?
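As an added illustration (not part of the original article), the sketch below rejects incomplete upstream records at the gate instead of repairing them downstream, then reconciles an application's local identity copy against the validated source. The field names, issue labels and sample records are all constructed for this example.

```python
# Added example: field names and records are constructed, not from a real system.
REQUIRED = ("employee_id", "email", "status", "manager_id")

# Constructed sample: authoritative HR feed (the single source of truth).
HR_SOURCE = [
    {"employee_id": "E100", "email": "ana@example.com", "status": "active", "manager_id": "E001"},
    {"employee_id": "E101", "email": "raj@example.com", "status": "terminated", "manager_id": "E001"},
    {"employee_id": "E102", "email": "", "status": "active", "manager_id": "E001"},
]
# Constructed sample: an application's local copy of identity data.
APP_COPY = [
    {"employee_id": "E100", "email": "ana@example.com", "enabled": True},
    {"employee_id": "E101", "email": "raj@example.com", "enabled": True},
    {"employee_id": "E999", "email": "temp@example.com", "enabled": True},
    {"employee_id": "E102", "email": "lee@example.com", "enabled": True},
]

def validate_source(records):
    """Reject unclean upstream records instead of fixing them downstream."""
    accepted, rejected = {}, []
    for rec in records:
        missing = [f for f in REQUIRED if not str(rec.get(f, "")).strip()]
        if missing:
            rejected.append((rec.get("employee_id"), missing))
        elif rec["employee_id"] in accepted:
            rejected.append((rec["employee_id"], ["duplicate employee_id"]))
        else:
            accepted[rec["employee_id"]] = rec
    return accepted, rejected

def reconcile(source, local_copy):
    """Flag enabled local accounts that disagree with the validated source."""
    findings = []
    for acct in local_copy:
        if not acct["enabled"]:
            continue
        src = source.get(acct["employee_id"])
        if src is None:
            findings.append((acct["employee_id"], "orphan: no validated source record"))
        elif src["status"] != "active":
            findings.append((acct["employee_id"], "stale: enabled after termination"))
        elif src["email"].lower() != acct["email"].lower():
            findings.append((acct["employee_id"], "drift: email differs from source"))
    return findings

if __name__ == "__main__":
    accepted, rejected = validate_source(HR_SOURCE)
    print("rejected upstream:", rejected)
    for finding in reconcile(accepted, APP_COPY):
        print("finding:", finding)
```

Note that E102 surfaces twice: once as a rejected upstream record and once as a local account with nothing valid behind it, which is the point at which the fix belongs with the upstream owner rather than in the application.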

Just like excellent oral hygiene helps in overall body health, identity records help keep us secure. We must do all we can to maintain a level of data integrity and assurance, so that we can rely on it for attestations, identity-proofing, and knowing our customer. Things like phishing-resistant multi-factor authentication to access your data, automated on- and off-boarding processes, least privilege, proper governance and a Zero Trust approach to security will go a long way to keeping your data looking and feeling its best!

Aryan Gaikwad

Student at Savitribai Phule Pune University

1y

Found it surprisingly well-written and informative, with great attention to detail. Don't forget to check out https://dentaldost.com/ideal-time-to-use-a-mouthwash/

Rodrigo do Nascimento, CISSP, CCSP, CCISO

Security Risk Management Consultant | IAM Manager | #CISSP | #CCSP | Delivering sustainable IT Security projects | CompTIA Security+ | #IAM | #MAINFRAME| ForgeRock|#SailPoint |#CyberArk

2y

Great analogy, Firdaus! Most of the time the Senior Mgmt don’t give the appropriate attention to IAM…

Mohit Vaish

Chief Solver at CyberSolve | Identity First Security | Consider It Solved

2y

Nice perspective.. just couldn't resist reading after looking at the title! :)

Vinod Kandukuri

Director - Identity and Access Management at Comcast NBCUniversal

2y

100% agree - You just read my mind. I was giving an example to our Senior Manager using the same analogy last week!
