Podcast - IAM Workforce Planning With Ken Myers


Identity at the Center is a weekly podcast all about identity security in the context of identity and access management (IAM). With a combined 30+ years of IAM experience, hosts Jim McDonald and Jeff Steadman bring you conversations with news, topics, and guests from the identity management industry.

Do you know who has access to what?



Protiviti Podcast Transcript
Male
You’re listening to the Identity at the Center podcast. This is a show that talks about identity and access management and making sure you know who has access to what. Let’s get started.
Jeff
Welcome to the Identity at the Center podcast. I’m Jeff, and that’s Jim. Why don’t we talk a little bit about Identity Management Day, because that’s coming up? By the time people listen to this, it’ll be next week. Identity Management Day is April 13. That is something that Jim and I fully support. It’s a great way to get recognition out there for people in the IAM space, and they’re doing a lot to drive awareness for it, which is fantastic. You can visit IdentityManagementDay.org for more information, and we’ve also got a handy little click button that I’ve put up on our website at IdentityattheCenter.com — so, lots of easy ways to get into that. Jim, what are you most excited about for Identity Management Day?
Jim
The podcast that we’re going to do the day before is one thing that is exciting, so if you tune in, download, on April 12, we’re going to have — I won’t reveal the identities yet of those folks — but we’re going to have some guests who are from the organization sponsoring Identity Management Day, and it’ll be an exciting listen.
Jeff
Yes, it’s pretty cool to get some folks who are tied into it and celebrate where things are at. So, that’s coming up in the future — you definitely want to keep an eye out for that, and mark your calendars, if that’s a thing that people still do. Why don’t we get into the topic for today, because this is really interesting. We’re going to have a good conversation, and it’s talking about workforce planning from an identity and access management perspective, and we’ve got as a guest today Ken Myers, who’s a doctoral student at Marymount University, and he’s focusing on IAM workforce planning, so why don’t we get into it with Ken? Ken, how are you doing?
Ken Myers
Good afternoon, guys. How are you doing today?
Jeff
Great. Thanks so much for joining us. We’ve got a lot to unpack today, but we have our traditional first question. Every time someone comes on the show, we’d like to know, how did you get into the IAM space? Is it something that chose you, or did you choose it?
Ken Myers

Honestly, I think it chose me. Actually, I joined the Marine Corps right out of high school, so I was an enlisted marine for almost a decade. I was in aviation communications. We were using military-specific equipment, which got replaced by Cisco Networking, so that was really how I got into IT. Then I was on a special security guard program doing physical security, and that is where I got introduced to identity-proofing. So, that was my entranceway into identity access management — it was badging, credentialing, identity-proofing.

And then, after the Marine Corps — I’m from the D.C. area, and the government has a large presence, obviously, in the D.C. area, and so I did, predominantly, a lot of government contracting and a lot of policy work around identity and access management for workforce identities with the government. Right now, I’m an IT specialist with the General Services Administration, and if you’re not familiar with the General Services Administration, it’s a U.S. federal government agency that manages and provides government-wide services predominantly to the U.S. federal government, but also to state and local agencies — public buildings, commodity services like IT services, but also a lot of coordination around the government. So, for example, if the Office of Management and Budget comes out with a policy, usually, GSA is the one that helps coordinate it, depending on what the scope of it is. That was my entry point into identity access management.

Jeff

So it sounds like you’re definitely coming at it more from the operation side of things. The GSA is pretty interesting. In my simple brain, I think of it as a shared service for the government. Would that be fair?

Ken Myers

Yes, that’s pretty close. It’s interesting that GSA is the only government agency that’s allowed to offer government-wide contracts. So, like the private sector, if you think about enterprise IT services, they’re usually run out of an IT shop, consolidating and saving money. That’s what the GSA is trying to do — save government money.

Jeff

I know that one of the things that comes up as part of the work you’re working on is the concept of ICAM, or identity credential and access management. Is that basically the same thing as IAM with a government spin on it, or is that something that’s different?

Ken Myers

That’s a good question. Something I’ve noticed in the government space is, they love sticking an F in front of acronyms, like ICAM or FICAM, “federal ICAM” or “federal something else,” but, yes, ICAM is just another way of saying IAM with the focus on the C part, which is the credential part. Within the government, they issue a PKI-based smart card called a personal identity verification card, the PIV card, and that’s been the scope of government identities for a long time. So, very little difference between ICAM and IAM, really.

Jeff
It still boils down to who has access to what, and make sure that’s appropriate.
Ken Myers
Yes.
Jim
Ken, I think it’s fascinating that you’re working on your doctorate. We’ve had past doctoral candidates — we had David Doret with the Open-Measure project, who’s working on his doctorate. He was back in episode 62, for those folks who want to go back and listen. We’ve had Dr. Chase Cunningham on, and it’s funny, because I always like to say kind of jokingly, this person’s a Ph.D. in access management or something like that, because I think that indicates expertise deeply focused on a specific area, and I’m wondering, what is it that you’re working on? What are you researching, specifically, within your doctorate? Then walk us through what that whole process looks like.
Ken Myers
The doctoral process of writing a dissertation is pretty similar to writing a white paper or any other kind of researched writing. You identify a gap, you look at existing work around it. Hopefully, you can find peer-reviewed sources, and usually, in those papers, it may list gaps in their own research, and then, from there, you can pretty much combine existing knowledge to create new knowledge. That’s really what it is: You’re creating new knowledge — you’re furthering the space. One of the interesting things I found when I was researching identity access management for peer-reviewed papers was that in the last decade, the majority of papers I found were all about federated identities using federation protocols, the security around using federation assertions, and then, more recently, decentralized identities. I thought that was interesting. I’m wondering, does that fall in line with your mind of where the latest identity and access management research should be?
Jim
I’m seeing a lot of new models around using artificial intelligence and tying new capabilities in that space back to IAM — looking at behavior, and how do you apply that to, say, somebody’s acting abnormally, and then kicking off the process. To me, that’s one of the areas that I find would be really interesting to research, but the use case that you’re talking about, that’s one that’s here and now, and almost everybody that we work with or talk to, they’re dealing with that on a day-to-day basis — dealing with the federated identity model. Jeff, what are your thoughts?
Jeff
The goal here is to have as few log-ons as possible — get the single sign-on — and federation definitely comes in on that. I think companies still struggle a little bit depending on where they’re at from the maturity standpoint of external federation, allowing external IDPs into their organization, which sounds very cool in theory, but there is a lot of angst and the desire to have control over some of these accounts and what they get access to. But I’m starting to see some inroads with that, and certainly, the decentralized identity, I think we’ve constantly talked about blockchain and identity, and I’ve yet to see a good enterprise use case. I definitely see more of a use case in the public sector, especially things around government, citizen-type functions, maybe academia or health — those types of areas — but we’re still searching for something on the enterprise side where a decentralized identity makes sense. Maybe that’s just not the right way to look at it.
Ken Myers

Two things that tripped me up while I was doing my research — one was using the right words. In the government space, they say, “ICAM.” Outside the government, they say, “IAM.” They say, “federated identity management,” or FIM. There are lots of different words, so that was the first thing. To your second point, part of the dissertation process is identifying gaps and then figuring out which one is the most interesting and most feasible to research from that perspective. If it checks both of those boxes, you know you might have a winner.

So, I came up with six topics. Decentralized identities wasn’t one of them. One was looking at identity frameworks and models in other countries and seeing how effective they are. For example, in Canada, they have a pan-identity framework, which was interesting. Japan uses a bridge PKI model for national identities. You have eID in Europe, you have Aadhaar in India, and each one has its own characteristics that fit within its culture. It’s almost like a cultural study of how identity is used in other parts of the world, which is interesting. That one was a little hard to research.

One topic, and the topic that I picked, which was close to home — which I find as a major challenge as an identity professional — is finding good identity and access management people to join my team. A classic example is an entry-level cyber analyst with 10 years of experience in the CISSP. Have you guys seen that, too?

Jim

Yes, exactly.

Ken Myers
One of the areas that I actually worked in heavily was public key infrastructure, and it was always a challenge finding a public key infrastructure person, because it seemed like public key infrastructure experience always came after 20 years of something else. So, my research topic is developing an identity and access management competency model that’s focused on the U.S. federal government to hire, train and retain identity access management professionals. Even though I’m tailoring it to the U.S. federal government, there’s very little difference in how the government implements identity compared with the private sector. The minor differences might be which security framework or which methodology is implemented, but still, you need to verify your identity, they need to access something, they need to be authorized to access it. The principles are pretty much the same across the board.
Jim

I think it’s a really interesting topic, because on one hand, the federal government of the U.S. seems to be one of the richest targets for hackers. So, you have the highest need for cybersecurity and IAM professionals, and on the other hand, government has a reputation for paying the lowest. Maybe that’s not the way it is anymore, but more that you have lifelong security and you have a fantastic pension plan, great benefits, but that the pay is less than what you get in the corporate environment.

I’ve always wondered how the government goes about attracting, retaining, that talent, and in my mind, the life cycle has been, you bring in people early, and people who are smart people, have some base level of skills, and build them up. And you’re hoping that they get locked into that big picture of “I’ve got a great pension program here — it’s a really good life that I’ve built,” and now you have somebody who’s got that experience and is going to stick with your organization over the long term. I don’t know if what I said there is totally false, but at least, that’s the impression that I’ve gotten.

Ken Myers

Yes, I would say the reason why I decided to focus specifically on the federal government is, one, another aspect of finishing a dissertation is having it scoped in a way that you can’t finish it. You usually pick your scoping on available resources. Luckily, with the U.S. government, all of their workforce planning documentation is publicly available, so that makes it easy to see how one industry, one sector, looks at cyber workforce planning. Outside of the government, you may find guidance for specific industries, but it’s not as readily available as going to the Office of Personnel Management searching for a cybersecurity workforce and seeing that they have a strategy right there. In my research, I had difficulty finding a similar strategy tailored to an industry in the same manner.

Jim

What does the decision process look like in terms of when you want to build a team with employees versus using a contractor?

Ken Myers

I would say in general, not government-specific, but also in the private sector, looking at what knowledge you want retained within the organization — usually, your hire, your enterprise architects, your program managers, they may be employees of the company or the agency because they have the knowledge and the vision to implement what the executives want to do, and then it could just be based on price or talent, right? What is the most optimal path to implementing that executive’s goal, that corporate mission that you’re trying to achieve? Is it paying a little bit more and getting short-term resources to achieve it faster, or is it more of a long-term — we’re going to hire some full-time employees to be able to maintain it?

Jim

Right. That sounds very similar to how corporations approach that same problem.

Jeff

Yes, sometimes it’s by necessity. If you can’t find employees, then either the work doesn’t get done and you just don’t have it taken care of, or you look into the nonemployee market, whatever that looks like — contractors, vendors, etc. — to bring in those types of resources to help get things going, rather than waiting around. It’s an interesting topic because workforce planning, when it comes to the IAM side of things, can mean so much, and it’s a lot of work.

I know you’re doing it for the dissertation. What is the other effort that puts this in front of it as well? I think of things like organizations that have a challenge with trying to find those resources. How do they articulate? What are they looking for? You can say PKI, and then some HR person is going to have to do the first pass in screening, and somewhere, there’s going to be a disconnect. Helping write job descriptions that make sense, for example, might help with the effort. Are there other things that could be playing a part for that?

Ken Myers

Yes, definitely. Within the United States, there’s a public-private partnership through the National Institute for Science and Technology, or NIST, called the National Initiative for Cyber Education, or NICE. NIST/NICE is the acronym there, and that came out a couple years ago, and their mission was to create a workforce plan that identified specific work roles — identified tasks, knowledge and abilities — and what I found was, within NIST/NICE, it called out specific identity and access management tasks, but they were spread out across multiple work roles — and to take a step back, when you look at it, that’s really how the industry views identity and access management. They see it as an important piece to security, but it’s just a part of everything. Have you noticed that as well?

Jeff

Yes, it’s so important, we don’t dedicate anyone to it. You wear multiple hats. It’s a foundational part of security, but this is something that we’re starting to see experts and specialists in the IAM field, and usually, they’re part of an infosec group or at least have an infosec background to some degree. It’s always a challenge of — trying to justify headcount is always an issue, especially in the times that we’re in now. It is a reality of the situation, where a lot of organizations have contracted over the last year due to the pandemic, and budgets are tight. Trying to unwind that will be relatively slow. I don’t see this massive “The pandemic’s over, and now everyone’s back to work.” Organizations have now lived with it for a year, and it probably does mean people wearing multiple hats, and that sometimes includes identity and access management work. It may be split between a bunch of different groups. Is it ideal? No, but this is the world we live in, and it’s never ideal, so I think it’s just a reality of how IAM staffing works.

Ken Myers

Yes, and that was pretty apparent from some of the peer-reviewed papers that I’ve looked at and some of the challenges that I identified. Verizon’s 2020 Data Breach Investigations Report — two out of the three breaches were credential theft and phishing. In my mind, both of those are related to identity access management. The way you usually mitigate those is through multifactor authentication, or MFA. Now, who is implementing that MFA? Is it an identity access management person, or is it a developer — the developer maintains the platform, and then you just load a module on there?

That’s one of the research questions I’m looking at: What is the chicken, and what is the egg? Are the vulnerabilities due to people not trained on identity and access management, or is it that we don’t have identity and access management professionals doing identity and access management work? Something else recently — zero trust is real big. You see a lot of companies and vendors specifically talking about zero trust, talking about identity as the new perimeter, identity governance as mentioned in the NIST 800-207 as an approach to zero trust. Have you all heard of this new phrase: “Identity is the new perimeter?”

Jeff

I’ve heard this new phrase: “Identity at the center.” I don’t know if that makes sense.

Ken Myers

Yes.

Jim

Or at the center and the perimeter.

Jeff

That’s the only thing really that’s constant. People shift locations all the time. But that’s where we see a lot of structure and guidance now around how do you protect the person and the resource? That’s where zero trust comes in very well: You can’t always assume that people on your network are good, and that’s where you want to make sure you’ve got the right access controls in place, and so forth.

Jim

Two of the things that we like to say all the time are, one, hackers don’t break in, they log in, and when you’re talking about that zero trust, “Identity is the new perimeter,” what that’s all about is that just because somebody’s on the inside of the firewall doesn’t mean they’re safe. I think it was a Verizon data breach report where we got the stat that in roughly a third of all breaches, the main actors were internal actors. That doesn’t even get to the idea that the external actor eventually gets into the network, so, identity is at the center. It really is the perimeter, because the perimeter breaks down, and it certainly is so important, but it can’t be relied on as the main or the only control.

Ken Myers

Yes, and to Jeff’s point earlier, this squarely falls in the human resources area, so that’s definitely one of the main stakeholder groups that I’m looking at. The three angles I’m taking with my research include looking at peer-reviewed papers specifically on cyber workforce planning. It’s interesting to point out that a couple that I found highlight the difference between an academic-trained cybersecurity person and the needs of an organization, and there’s usually a disconnect.

If you’ve looked at job openings or job postings for identity and access management or even cybersecurity people, you might see a certification line in there. They’re looking for CISSP, a CISM or a CEH, a Certified Ethical Hacker. If you’re familiar with all three of those, they are very different. So, it’s like, “I’m just going to throw some acronyms out there, and I’m going to see what I can get.” Same thing from the degree side. At least now it seems like companies are recognizing experience without a degree, and there’s a variety of degrees that would fall within that, right? Some of the ones I’ve seen, cybersecurity, which is relatively new, but if you remember information assurance, information security, IT management or even business management, such a wide variety of knowledge and between those, it’s kind of interesting. From your experience, have you noticed the same? Have you noticed a difference between certifications that you’re asking for, or even academic education?

Jim

I have some personal history with this, because I went to college for a liberal arts degree, and when I was in my third year of college, I realized I wanted to get into computers. Well, it was a little too late to start over, so I finished out my liberal arts degree, and then I went and got a job where I was working on computers, and I worked and got my Microsoft certification. This was before the days of Active Directory, to date myself here, but I remember talking to my mother-in-law, who said, “You need to go back and get a computer science degree.” She was an HR professional, but the reality of it was that there’s a shift taking place, and you could learn just as much going through the certification program about a specific technology, which is usually what organizations are looking for — people who really know something specific — and certification is a great way to go about doing that.

Universities are so expensive. To go back and redo my degree in computer science would’ve been such a major effort, such a major expense. I was able to get into an enterprise IT environment doing the Microsoft networking stuff — it was hot at the time — and it let me learn how enterprise computing took place. Then, you move laterally or move up, you take different opportunities and then you build a career that way.

You need to arm yourself with whatever makes sense. I’m not saying a degree isn’t valuable. Certainly, if you’re starting college right now and you’re interested in computers, I would recommend computer science or information technology or even something more specific, but if you didn’t go that route, I wouldn’t say it’s too late. Get your foot in the door, find opportunities, manage projects, learn whatever technologies you can to position yourself so that then you can continue to gather certifications, continue to build your résumé and become that valuable resource.

Jeff

Jim and I are an odd couple. We come from different backgrounds, and we’ve talked about this before on the show, but I started off in restaurants. I was a busboy, a server, a bartender, bar manager — did all that stuff — and I did that for a long time before I really got into IT. I started off on a help desk, and that was my first taste of IT, and I moved up and over into information security and then moved into, specifically, IAM as part of that role, but I went to college for a total of maybe 30 days before I decided it wasn’t for me. I think I aced an economics test and then stopped going, and I ended up with one college credit for economics, just passing that one, and that was it. But I knew very early on that formal training and education really wasn’t where I was going to be the most successful. It’s not that I’m a bad student or anything like that. I did fine in high school on the good stuff, but the college life wasn’t for me.

I entered the workforce right away, and I learned everything that I know on the job and self-study and tinkering, and I’ve always been the guy building the computers on their own. I remember my dad — he was like, “Well, you bought Wing Commander.” This was back in the early ’90s. We’re on floppy disk at this point, and if I wanted to play it, I had to figure out how to make it work, which meant building a computer, installing VESA drivers and figuring out the difference between the different types of x86 processors and whether I had the DX with the math coprocessor, which was awesome and meant I could have better frame rates.

I remember I spent eight hours installing Wing Commander on that machine. It was so slow and I was so excited, and that was what hooked me. I had that background — I just didn’t have the formal education. My personal philosophy and mission has been “Well, let’s see how far I can get without needing a college degree” or, in some cases, some specific certifications. I do have Security+. My good friend Burt Carroll made me get that at one of my previous roles, but it’s definitely been an interesting ride.

And I have definitely seen, over the course of my lifetime and my career, people shifting away and organizations shifting away from the “must have the college degree and can’t have the job otherwise” too. I’m seeing way more job descriptions that are “college degree or equivalent experience.” I think that’s heartening for a lot of people who are looking to get in this space: Yes, you can definitely start somewhere, and my philosophy for hiring is, I can train a lot of knowledge. What I can’t train is attitude. It’s a lot easier to bring in people who have the right attitude — willing to learn, willing to be part of a team — than someone who might be a rock star and a genius but is difficult to work with. There’s that balance that you have to strike there, so Jim and I are very much the odd couple — for more reasons than one, but definitely the educational background. What about yourself, Ken? What are you seeing?

Ken Myers

It’s pretty typical with what you said — people with no academic education with lots of experience, great people with certifications to back it up. I have a combination of both, and when I was in high school, I studied auto mechanics. I wanted to be a Formula One engineer. My first job out of high school, I changed oil and washed cars at a car dealership here, and I went to a community college for a mechanical engineering degree, and my first math class, I failed it.

I was like, “Yes, maybe engineering isn’t the best for me,” and then I joined the Marine Corps, and I ended up getting a bachelor’s and a master’s while I was in the Marine Corps, more from peer pressure with the other people I lived with. They were all getting their degrees, and the Marine Corps was paying for it, so I was like, “Why not?” Actually, that was one of the main things. My parents say, “I don’t care what you’re going to do with your life, but at least have a college degree so you can fall back on it,” so that was my upbringing.

But it’s interesting to see the research done in cybersecurity academics, in that if you want to think about a pipeline perspective where you’re training the future workforce from an academic perspective, the majority of cybersecurity programs start off as master’s, and then they slowly funnel down into bachelor’s programs. But there’s a cybersecurity curriculum from a consortium of ACM and IEEE that covers pretty much the same domains of the CISSP. And again, another interesting point is that identity and access management seems to be always included somewhere in some type of cybersecurity training, but it’s never at the forefront.

In my mind — and you guys can tell me if you feel the same way — today, it seems more important than everything not just in companies, but if you think about a customer experience perspective, if you’re thinking user experience, as a consumer myself, when I’m going to go buy something, if I have a horrible experience logging in, if I have a horrible experience trying to get information, that’s an identity and access management challenge. I notice that as a consumer. Seeing how companies implement MFA and how some may do SMS, some may do an app, a lot now seem to be adopting WebAuthn, but it definitely seems like it’s a growing user experience issue also. Have you all seen the same thing?

Jeff

It’s something that has changed over the course of our own lives as we’ve gone through this. I probably would’ve stuck with school if there had been the cybersecurity-first approach that was out there. I had some IT classes, and I was frankly over those IT classes already, but I wasn’t allowed to test out, and that was disheartening. I was like, “Well, I’ve already built a computer when I was eight years old. I don’t need to know how to run DOS — I’m already running programs,” and things like that, but if there had been something that was more specific to information security, that probably would’ve helped me out and helped me stick with the college side of things. And every once in a while, I get the itch, and I’ll look on the subreddit for hacking or whatever it is — there’s a lot of good information out there — and watch videos and things like that just to see how things are done to understand it. And I’ve taken the role more on the strategy side of things — less fingers on keyboards — but you do have to know that kind of thing.

However you get that exposure is good, and there are certainly different ways that you can prove that for people who are prospective employers. I think of things like certifications from — on the identity management side, there’s the Identity Management Institute. They have several that are out there, and we’ve had Henry Bagdasarian on this show before, and there’s a lot of work they’re doing on that. I know that the IDPro organization is working on one right now, and that’ll be something to look forward to — hopefully, later this year — as something that people can take back. But, yes, I think there has been a shift toward more information security focus.

I don’t know if I’ve seen specific identity focus at the academic level. It’s usually a component somewhere of information security, and, frankly, I think some people, they get away with just being dangerous enough. They just know enough to be dangerous and kind of understand it, and unless you’re truly specializing in identity and access management, there are so many more other ways that you could take an information security approach, and I think that’s where some of these other certifications and other training programs are helpful to demonstrate that. Frankly, a lot of it comes with experience too — just understanding what works in the real world and going from there. Jim, what are your thoughts?

Jim

What Ken was saying about identity often being your first touchpoint with an organization is right on. It led me to thinking about this whole topic of workforce planning, which is that you need folks at different levels, right? You need that strategy view, but a lot of times, when you get to that level within your organization or that level within your career, you lose touch with how to get it onto the screen and actually make things happen.

So, when I think about workforce planning, it’s, what are all the layers? What are all the specialties that I need to put together? It’s probably not that much different with IAM than it is with any other discipline within the organization, but with that context, or with that mind, Ken, how should organizations be approaching the workforce planning? Is it only something that big organizations need to do? Then, specifically within that, how should they go about approaching workforce planning?

Ken Myers

Workforce planning is definitely a challenge. Resources available — specifically in cybersecurity, I mentioned the NIST/NICE framework. It’s the go-to resource within the federal government, but again, it’s a public-private project. If you go to the NIST/NICE website — and I can share the link with you — you can see information tailored for private organizations, for companies, you’ll see tailored information for educators: How can you build cybersecurity education programs around NIST/NICE? If you’re a company, how can you write job descriptions where you have a fairly high degree of certainty you’ll find who you’re looking for?

Actually, NIST/NICE just published a new version that’s more flexible than the first version. I had mentioned NIST/NICE had defined work roles. The second version now is more flexible in that you can build your own roles based on common skills, so it’s like a plug-and-play-type thing. I think that was one of the challenges with the first version. For example, there’re seven categories that aligned with the Cybersecurity Framework — if you’re familiar with the Cybersecurity Framework — so that you could build your team based on the security methodology you’re trying to implement. I think that’s a great idea.

I’m someone that likes seeing alignment. It makes sense, definitely from a workforce planning perspective: Don’t only work with your executives, but also work with your architects and your engineers who are actually implementing it. I think it’s fairly common that you pass your requirements along to an HR person, and then they put them up. It’s not an HR person’s fault — they’re doing their job fantastically — but sometimes you submit for something, submit for a specific skill that you need, and sometimes you don’t get it. I think it’s a collaboration within your organization to make sure that you’re hiring the people and the skills that you need.

Jeff, you had mentioned some of the workforce models and architectures also. IDPro and their body of knowledge is a fantastic starting point for anyone who wants to learn more about identity access management. Specifically, again, why I scoped my research to the U.S. federal government: The Obama administration wrote a federal cybersecurity workforce strategy in 2016. They have four initiatives in it, and one of them was to implement NIST/NICE.

That’s clear public information — I can see direction of an organization — and if we’re talking reference architectures to implement identity and access management, you have the Federal Identity Credential and Access Management architecture. Within that, there’re five identity service areas, and what I plan to do with my research is map work roles back to the reference architecture — pretty much the same alignment that you would have if you implemented the Cybersecurity Framework and the NIST/NICE roles. You could have the same thing in that you’re trying to implement the specific identity architecture and you’re looking for specific skill sets to implement it. From looking around and my personal knowledge, I haven’t found any publicly available identity reference architectures, and it’s possible I’m just not looking in the right places. Can you all think of any, or have you used, identity reference architectures in the past that you could recommend?

Jeff

I think of something that is almost too generic for some organizations because it’s who has access to what and it’s “Here are your actors, here are the data points and the systems that they’re going to get access to,” and what are the workflows between them, and then you try to layer on top of it, what are the technologies that assist with whatever it may be. I don’t know if there is necessarily a reference architecture that is handy, for lack of a better word. They’re all pretty much the same thing.

I know that for some of the work that Jim and I do, we have some of those details as we go into it, but usually, when we work in an organization, the reference architecture is really only the first part of it. It’s “How do we make this specific to our organization?” Because every organization is different. You may have Active Directory, you may not. We’ve worked with organizations that don’t have AD. Somehow, they get along, they all adapt and they have other ways to get around having that common directory, and they may have hundreds of applications or only a few, or be on the cloud, or be on-prem only. The concept probably makes sense, but I don’t know beyond that how helpful it truly is in the real world, but again, that’s just my opinion. Jim, do you have any thoughts on it?

Jim

They’ve got some documents over at the Identity Defined Security Alliance. They’ve defined a framework, but I don’t know that it necessarily would qualify as a reference architecture. But I think it’s a great starting point for anybody who’s doing research, especially in the corporate environment, in terms of best practices and a framework for managing identity. Whenever we’re talking about a reference architecture, my mind goes to vendor-specific, because I think a lot of vendors want to put out that picture of how an architecture can be built around their technology. It’s proprietary in that way, and I think there still can be a lot of great information gleaned from that, and then to go from the nonvendor look, organizations like IDSA, IDPro — I think those are really good starting points.

Jeff

You’ve got a lot of work in front of you, Ken. Is there anything that our listening audience can do to help or contribute to the work that you’re doing?

Ken Myers

Yes. The best contribution would be — I plan to post my research as I get it done on my GitHub site, so if you’re interested in seeing how my research is going, if you want to offer comments, if you want to offer ideas and point me in directions, provide other resources, that’s great. I’m a lifelong learner myself, and I feel like you have to be that in cybersecurity, and identity and access management, specifically. It’s interesting that that specific gap, the evolving environment, is also identified in a couple of peer-reviewed studies in that there’s this duality of being an accredited program — meaning, you take that point in time of what your program is to get accredited, but between that point in time and the ongoing, how much can change?

If we think back in the past year of what happened in cybersecurity, the thing right now in my mind that stands out the most is SolarWinds, and how that led to the Golden SAML attacks and the misunderstanding of how federated trust works — not just to your point of accepting external identities, but also within your own organization architecture of how Windows forest trust works traversing the domains. How can you pack that up in a class and teach undergrads, or even graduate students, in the time that it happened?

Jim

The SolarWinds attack, or what we’ve been calling Solorigate, seems like it’s a little bit foreseeable. You have a third party that pushes software to a platform where you create a service account. I’m not saying that I foresaw it coming, but it doesn’t seem like that kind of method of attack would be so unforeseen that maybe we haven’t already been talking about it, but I think that’s human nature, right? Sometimes, you actually have to face a crisis in order to say, “A crisis exists.”

Jeff

Yes. Ken, if you’ve got that GitHub link, I’ll put that into the show notes so people can get to it. I think it’ll be interesting at some point, once you’re done, to circle back and see where you end up with this, because this is an area that I find interesting for my own personal journey and the crossroads and decisions that I’ve had to make to get to where I am. I know we’ve been running a little bit longer than we normally do, so we’ll go ahead and start to close things up for this week. But before we do that, Ken, any final thoughts that you want to throw out there for the folks who are listening?

Ken Myers

Yes. With dissertations, it’s great to see them actually being used. That’s my intent — that I will come up with this amazing identity and access management workforce planning, and then everyone implements it. It’s best to see your research in practice. Not everything can be a Google, but seeing if it can help someone, that helps me sleep at night. I appreciate it, and I thank you, everyone listening, to see who’s interested in helping.

Jeff

Another contribution to the overall IAM body of knowledge, so, hopefully we’ll make it into the IDPro one as well. Jim, how about yourself? Any final thoughts?

Jim

The big takeaway for me, or what I want to make sure that people hear, I think our podcast is listened to by IAM practitioners across the spectrum, and even people who are interested in getting into this field. You look at the three of us and how we all got into IAM, and it’s different, and every week, we have a different guest on, and it seems like they’ve got a different story about how they got into IAM.

Some of us went through a certain college path, others started on the help desk, others joined the military and found their way into this field. There’s no one right way to do it, but if you want to get into this field, it’s very possible. There are some things like certifications and education, things like that, but what really will set you apart in your career is real-world opportunity or real-world experience. So, get those opportunities to get your foot in the door and working on identity management projects, and then go that extra mile, work those extra hours or whatever it takes to show that you actually care, because I think what Jeff said is spot-on in IAM and everything else, which is, you can’t teach attitude. Go in there with the right attitude, set yourself apart, be willing to go the extra mile, work the extra hours, whatever it takes, and you’ll build a career in this industry.

Jeff

I think that’s a good spot that we can close out for this week, and I think we’ve beaten this one pretty good, so we’ll go ahead and call it. Don’t forget, Identity Management Day, April 13, IdentityManagementDay.org. There’ll be a bunch of links in the show notes for this episode — Ken’s GitHub, we’ll have LinkedIn connections for Ken, Jim and me, I’ll have some things around ICAM and NIST/NICE to make it easy for people to find. With that, don’t forget, you can visit us on the web at IdentityattheCenter.com. We’re on Twitter @IDACPodcast. Thanks for listening, and we’ll talk with you all in the next one.

Male

Thanks for listening to the Identity at the Center podcast. If you liked what you heard, don’t forget to subscribe, and visit us on the web at IdentityattheCenter.com.
