Integrated Systems: An Identity Management Primer
A growing and important subset of security, identity management is gaining momentum. As network security evolves beyond securing traditional physical network domains, and as internal security threats and regulatory compliance become even greater challenges, enterprises and their chief security officers are giving identity management technologies a closer look.
Identity and access management (IdM) technology, best practices and integrated security architectures provide enterprises with a means to control who has access to what. Specifically, identity management software tools provide intelligence and visibility into which employees have access to what applications, systems, doors and data and who approved that access. Organizations can then centralize and automate the provisioning and control of access across the organization.
What to look forWhen evaluating identity management providers and technologies, there are a few key considerations. At a high level, it is important to select an enterprise-class solution. Many deployments fail because the technology solution is not comprehensive or flexible enough. The solution should have the built-in adaptability necessary to extend across heterogeneous business processes and managed platforms that make up the largest enterprise.
Beyond these architectural parameters, the selected technology vendor or integrator should have demonstrable experience with implementations for global organizations and deployment case studies. The technology itself should undoubtedly meet the toughest IdM challenges. At the top of this list are insider security threats, external threats and compliance automation.
Internal threatsThe insider still poses the greatest security risk. Security must establish policies that proactively identify and eliminate users that have amassed toxic combinations of access entitlements or rogue privileges across applications that contain sensitive data. The identity management system must then facilitate automated policy enforcement.
The solution should also incorporate business role management capabilities to define business relationships that exist within a department or division across the extended enterprise. This integrated approach will ensure the automation and enforcement of employees’ access to information, applications and systems based on pre-defined business roles, duties, interdependencies and relationships. For example, access rights to specific applications can be provisioned as employees work on particular projects and de-provisioned as soon as they complete the project.
External threatsWould-be hackers are not the only external security threats. Network security is forced to evolve beyond traditional physical network domains. The old perimeter is officially dead, killed by a business necessity to externalize and extend access beyond the enterprise in order to facilitate cross-enterprise collaboration. This extended enterprise enables new business models, but it must be secured through IdM best practices and integrated security architectures.
Off-shoring, for example, is becoming an attractive business reality; but, in itself, it could pose additional external security threats. Organizations that pursue the productivity and cost-efficiencies with this model must also ensure that they do not sacrifice security. To mitigate this risk, security needs to consider off-shore service providers’ security policies and enforcement capabilities. Since off-shoring arrangements typically depend on access to critical information and systems, there must be verifiable practices in place to determine which people have access to these systems. This ability will become a differentiating factor across outsourcing service providers.
Compliance automationCompliance drives more stringent security requirements. Sarbanes-Oxley, Gramm-Leach-Bliley Acts, the Basel II Accord and other regulations now challenge enterprise security. Due to the significant regulatory and customer privacy ramifications that security breaches can have, organizations need a better way to vigorously enforce and automate the management of user-access rights in a way that also facilitates audits.
For many enterprises, new identity management technologies and best practices ensure that organizations are on the winning side of the critical tradeoff to achieve compliance and security without unacceptable cost increases and application network performance degradation.