Jeff Bezos Found Success with API Calls
In 2002, Amazon founder Jeff Bezos issued a mandate that communication between systems needed to occur via API. This was a significant factor in Amazon’s rapid growth over the past two decades.
This mandate is similar to standardizing how internet communication happens over HTTP. By creating a standardized framework, each endpoint knows how to join the ecosystem in a manner that is easily adaptable. This same type of standardization looks to be one of the next big things in information technology; Gartner refers to it as Cybersecurity Mesh Architecture.
The History of IAM & Disparate Systems
The cybersecurity space has classically been implemented with disparate systems and teams, particularly in large enterprises. Often, the identity management team would be separate from the access management team, which in turn would be separate from the security information and event management (SIEM) team. These groups and many others would have their own vendor software and security practices. The operation of these teams was independent and disparate, despite some overlap.
Identity management software solutions really didn’t come onto the scene until the early 2000s. And like any new industry, companies took different approaches and built their products in the manner they thought would best fit the market. For example, MicroFocus Identity Management, one of the first to market, was built on something called DirXML, whereas SailPoint is built on Java.
As time has passed, organizational demand for intercommunication between these technologies has grown, and this demand is driving Cybersecurity Mesh Architecture.
Standardizing People & Processes
As major players in the identity space work to standardize the communication of their technology across the disciplines like IDM, AM, and PAM, organizations should also begin this approach with their people and processes.
In practice, this means organizations should create frameworks for how a technology will interact with the network and with each security discipline.
EXAMPLE:
Let's say your organization just purchased new software from Acme Corp. Ideally, there should be a framework in place with documented steps for how this new application is onboarded into the environment, factoring in demands from each identity discipline:
Privileged Access Management – Can a password be hardcoded or configured in the app? How frequently will passwords change? Who can access the application’s privileged accounts?
Access Management – Does this application have a large volume where it should only be accessed via SSO? Does the app have SAML integration available? Can this application be accessed during off-hours? Should traffic be blocked from certain regions around the globe?
Data Governance – What type of sensitive data can be accessed in this application? Can it be exported? Who needs access to the sensitive data and how is this managed and monitored?
SIEM – What logging capabilities are available for the application and how can it be integrated with the SIEM solution? What types of events should trigger alerts?
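One way to make an onboarding framework like the one above repeatable is to express it as code: each new application is described by a record that answers the checklist questions, and a fixed set of rules turns the answers into findings that must be cleared before go-live. The example below is added here to illustrate that idea; it is not code from the original post or from any vendor. The field names, the thresholds (90-day rotation, 500 users for "high volume"), and the two Acme Corp records are all constructed assumptions for this example.

```python
"""Added example: an application-onboarding framework expressed as code.

Each record answers the checklist questions from the four identity
disciplines (PAM, access management, data governance, SIEM).  The rules
below turn those answers into findings so that every new application is
assessed the same way.  Field names, thresholds and sample records are
assumptions made for this example, not from any product or standard.
"""

MAX_PASSWORD_ROTATION_DAYS = 90   # assumed policy threshold
HIGH_VOLUME_USERS = 500           # assumed: at or above this, SSO-only is required


def evaluate_onboarding(app):
    """Return a list of (discipline, finding) tuples for one application record."""
    findings = []

    # Privileged Access Management: hardcoded secrets, rotation, ownership
    pam = app.get("pam", {})
    if pam.get("hardcoded_password", False):
        findings.append(("PAM", "credentials are hardcoded in the application"))
    rotation = pam.get("password_rotation_days")
    if rotation is None or rotation > MAX_PASSWORD_ROTATION_DAYS:
        findings.append(("PAM", "password rotation missing or longer than "
                                f"{MAX_PASSWORD_ROTATION_DAYS} days"))
    if not pam.get("privileged_account_owners"):
        findings.append(("PAM", "no named owners for privileged accounts"))

    # Access Management: SSO for high-volume apps, SAML, off-hours, geography
    am = app.get("access", {})
    if am.get("expected_users", 0) >= HIGH_VOLUME_USERS and not am.get("sso_only", False):
        findings.append(("AM", "high-volume application not restricted to SSO"))
    if not am.get("saml_supported", False):
        findings.append(("AM", "no SAML integration available"))
    if am.get("off_hours_access") is None:          # policy must be decided, not defaulted
        findings.append(("AM", "off-hours access policy not decided"))
    if am.get("blocked_regions") is None:           # an empty list is an explicit decision
        findings.append(("AM", "geographic access restrictions not decided"))

    # Data Governance: sensitive data needs an owner and monitored export
    dg = app.get("data", {})
    sensitive = bool(dg.get("sensitive_data_types"))
    if sensitive and dg.get("export_allowed", False) and not dg.get("export_monitored", False):
        findings.append(("DG", "sensitive data can be exported without monitoring"))
    if sensitive and not dg.get("data_owner"):
        findings.append(("DG", "sensitive data present but no data owner assigned"))

    # SIEM: log sources and alert-worthy events must be identified
    siem = app.get("siem", {})
    if not siem.get("log_sources"):
        findings.append(("SIEM", "no log sources identified for SIEM integration"))
    if not siem.get("alert_events"):
        findings.append(("SIEM", "no alert-triggering event types defined"))

    return findings


def onboarding_complete(app):
    """True when the record produces no findings, i.e. the framework is satisfied."""
    return not evaluate_onboarding(app)


# Constructed sample records for a hypothetical "Acme Corp App".
ACME_DRAFT = {   # first pass: most questions unanswered or answered badly
    "name": "Acme Corp App",
    "pam": {"hardcoded_password": True, "password_rotation_days": 365,
            "privileged_account_owners": []},
    "access": {"expected_users": 2000, "sso_only": False, "saml_supported": True},
    "data": {"sensitive_data_types": ["PII"], "export_allowed": True,
             "export_monitored": False, "data_owner": ""},
    "siem": {"log_sources": [], "alert_events": []},
}

ACME_READY = {   # same application after the disciplines have signed off
    "name": "Acme Corp App",
    "pam": {"hardcoded_password": False, "password_rotation_days": 30,
            "privileged_account_owners": ["pam-team"]},
    "access": {"expected_users": 2000, "sso_only": True, "saml_supported": True,
               "off_hours_access": False, "blocked_regions": ["example-region"]},
    "data": {"sensitive_data_types": ["PII"], "export_allowed": True,
             "export_monitored": True, "data_owner": "data-governance"},
    "siem": {"log_sources": ["audit.log"], "alert_events": ["admin_login_failure"]},
}

if __name__ == "__main__":
    for record in (ACME_DRAFT, ACME_READY):
        print(record["name"], "complete" if onboarding_complete(record) else "open findings:")
        for discipline, finding in evaluate_onboarding(record):
            print(f"  [{discipline}] {finding}")
```

The point of the rules is that a question left unanswered (an absent `off_hours_access` or `blocked_regions` key) is itself a finding, which is what keeps the framework from being silently skipped; each discipline's findings are tagged so that the right team owns closing them.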