Dead Ends in Identity Management

Identity and Access Management (IAM) is the core of any serious cybersecurity solution. Identity management functions are mentioned in almost every cybersecurity regulation and standard. Despite this, IAM components in cybersecurity projects are often underestimated and frequently misused.

This paper addresses recurring issues in identity governance and administration (IGA) deployment projects. We present several notorious examples of poor practices, such as:

  • Inappropriate composition of IAM components
  • Reliance on incorrect input data
  • Incorrect sequencing of implementation steps
  • Frequent issues in role-based access control (RBAC)
  • Problems in policy management and in role and application ownership
  • Misuse of certification processes
  • Unrealistic expectations regarding the benefits of artificial intelligence

For each dead-end scenario, we present the correct approach leading to a sustainable identity management strategy. The paper presents an incremental and iterative approach to IAM deployment, based on a bottom-up methodology that respects the organization's current state rather than assuming a clean slate.

Well-managed identity governance is not a sprint, but a long-term effort. This approach allows for the gradual implementation and continuous improvement of identity management within an organization.

We introduce a dynamic application of the RBAC model (policy-driven RBAC) that incorporates role analysis through AI-driven role mining algorithms and enables long-term sustainable management of access policies. Finally, we demonstrate how an IGA platform with high-level policy support and AI-driven functionality can form a solid foundation for cybersecurity, regulatory compliance, and adherence to industry standards.
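To make the two ideas above concrete, here is a small added illustration (written for this page; it is not code from the paper or from midPoint, and it is far simpler than a real role mining algorithm). It mines candidate roles from existing entitlements by grouping users on shared attribute values, assigns those roles by policy rather than by hand, and then reports only the residual entitlements that no policy explains. The user records and entitlement sets are constructed sample data.

```python
"""Simplified policy-driven RBAC with attribute-based role mining.

Added illustration, not the paper's or midPoint's code. All identities,
attributes and entitlements below are constructed sample data.
"""
from collections import defaultdict

# Constructed identity attributes (hypothetical organisation "acme").
USERS = {
    "alice": {"org": "acme", "dept": "finance", "title": "accountant"},
    "bob":   {"org": "acme", "dept": "finance", "title": "accountant"},
    "carol": {"org": "acme", "dept": "finance", "title": "manager"},
    "dave":  {"org": "acme", "dept": "it",      "title": "admin"},
    "erin":  {"org": "acme", "dept": "it",      "title": "admin"},
    "frank": {"org": "acme", "dept": "hr",      "title": "recruiter"},
}

# Constructed snapshot of what each user currently holds (the uncurated
# "as is" state a bottom-up project starts from). erin's ledger-write
# access is the planted anomaly: an IT admin with a finance entitlement.
ENTITLEMENTS = {
    "alice": {"erp:ledger-read", "erp:ledger-write", "mail"},
    "bob":   {"erp:ledger-read", "erp:ledger-write", "mail"},
    "carol": {"erp:ledger-read", "erp:approve", "mail"},
    "dave":  {"ad:domain-admin", "vpn", "mail"},
    "erin":  {"ad:domain-admin", "vpn", "mail", "erp:ledger-write"},
    "frank": {"hris:candidates", "mail"},
}


def mine_attribute_roles(users, entitlements,
                         attributes=("org", "dept", "title"), min_users=2):
    """Naive attribute-driven role mining.

    For every attribute value shared by at least `min_users` users, the
    permissions held by *all* of them become a candidate role, and the
    attribute value itself becomes the assignment rule. Returns
    {role_name: {"rule": (attr, value), "perms": frozenset}}.
    """
    groups = defaultdict(list)
    for user, attrs in users.items():
        for attr in attributes:
            groups[(attr, attrs[attr])].append(user)

    roles = {}
    for (attr, value), members in groups.items():
        if len(members) < min_users:
            continue  # one-person "roles" are just individual grants
        common = frozenset.intersection(
            *(frozenset(entitlements[m]) for m in members))
        if common:
            roles[f"{attr}:{value}"] = {"rule": (attr, value), "perms": common}
    return roles


def policy_assign(user_attrs, roles):
    """Policy-driven RBAC: a user holds a role iff its rule matches.

    Nobody hand-assigns roles; when an attribute changes, the role set
    changes with it on the next evaluation.
    """
    return {name for name, role in roles.items()
            if user_attrs.get(role["rule"][0]) == role["rule"][1]}


def effective_perms(user_attrs, roles):
    """Union of permissions granted by all policy-assigned roles."""
    return set().union(*(roles[r]["perms"]
                         for r in policy_assign(user_attrs, roles)))


def residual_entitlements(users, entitlements, roles):
    """Per user: permissions that no policy-assigned role explains.

    Only these need a human decision (revoke, or add a role/rule); the
    rest is covered by policy and need not be re-certified item by item.
    """
    return {user: set(entitlements[user]) - effective_perms(attrs, roles)
            for user, attrs in users.items()}


if __name__ == "__main__":
    mined = mine_attribute_roles(USERS, ENTITLEMENTS)
    for name, role in sorted(mined.items()):
        print(f"{name:18} -> {sorted(role['perms'])}")
    for user, extra in residual_entitlements(USERS, ENTITLEMENTS, mined).items():
        if extra:
            print(f"review {user}: {sorted(extra)}")
```

On the sample data the mined roles are `org:acme` (mail for everyone), `dept:finance`, `dept:it`, `title:accountant` and `title:admin`; `dept:hr`, `title:manager` and `title:recruiter` have a single member and are not turned into roles. The residual report then names exactly three items: carol's `erp:approve` (a legitimate single-person grant, candidate for a future manager role), frank's `hris:candidates` (same situation for HR) and erin's `erp:ledger-write` (the anomaly). That is the point of combining mining with policy: the review effort concentrates on what the policy does not already account for.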


Ing. Radovan Semančík, PhD.

Radovan Semančík studied Software Engineering at the Slovak University of Technology in Bratislava, where he also earned his PhD. He works as a Software Architect at Evolveum and was one of the founders of the company. His main areas of interest include digital identity and software system architectures. Since around 2000, he has been involved in numerous enterprise identity management (IDM, IGA) implementations. He is an active contributor to open-source projects and collaborates on large-scale international software projects. Most of his time is dedicated to leading the midPoint project, which is the largest open-source identity management system available. He has also contributed to the Apache Foundation as a committer and a member of the Project Management Committee.