What are some best practices for identity security or IAM when dealing with decentralized users/assets? How can organizations adjust strategy or policies to address decentralization?

Director, Information Security in Media, 2 months ago

Managing identity access in a large organization is costly and challenging. We invested heavily in a centralized system to manage access across 60K employees, ensuring that once a user is disabled, they cannot access any resources. While decentralization presents challenges, tools like Okta have helped us track resources and users effectively. However, decentralization requires significant resources, and centralization is often more efficient. Despite the challenges, following best practices and leveraging the right tools can help manage identity security effectively.

VP of Information Security, 2 months ago

It's essential to keep the stack lean as technology becomes more complex. Best practices include continuous review and refinement of access roles, especially in organizations with multiple domains. Collaborating with cross-functional business units ensures that identity management aligns with business priorities. Educating users on strong password practices and managing machine identities securely are critical measures. Implementing solutions like Google Secret Manager or AWS for automatic password changes can also enhance security and reduce manual overhead.

CIO in Travel and Hospitality, 2 months ago

The technology landscape has become expensive and difficult to manage, with IAM tools not providing sufficient ROI. Instead, I've developed a simple internal app for access control, which is more cost-effective than purchasing a governance tool. We've pushed for Active Directory authentication to streamline processes, reducing the need for complex IAM solutions. This approach allows us to manage identities more efficiently without incurring exorbitant costs.

Focusing on cloud applications is crucial, as they pose a higher risk if local IDs are created without proper oversight. By ensuring cloud environments are clean and secure, we mitigate risks. Internal apps are less of a concern, as they are controlled by Active Directory and VPNs. While legacy apps may have vulnerabilities, focusing on cloud security allows us to address the most significant risks efficiently.

Information Security Analyst, 2 months ago

With my audit background, I view identity security from a risk-based perspective. It's crucial to centralize governance processes whenever possible, as it enhances security. When decentralization is unavoidable, we ensure that teams managing assets adhere to security standards, including best practices like least-privilege access, multi-factor authentication, and single sign-on. These measures help secure decentralized systems effectively.
