Integrated Systems: An Identity Management Primer

March 16, 2006
/ Print / Reprints /
ShareMore
/ Text Size+
Security convergence brings together physical and logical security with identity management becoming essential in all facility and computer access controls.


A growing and important subset of security, identity management is gaining momentum. As network security evolves beyond securing traditional physical network domains, and as internal security threats and regulatory compliance become even greater challenges, enterprises and their chief security officers are giving identity management technologies a closer look.

Identity and access management (IdM) technology, best practices and integrated security architectures provide enterprises with a means to control who has access to what. Specifically, identity management software tools provide intelligence and visibility into which employees have access to what applications, systems, doors and data and who approved that access. Organizations can then centralize and automate the provisioning and control of access across the organization.



What to look for

When evaluating identity management providers and technologies, there are a few key considerations. At a high level, it is important to select an enterprise-class solution. Many deployments fail because the technology solution is not comprehensive or flexible enough. The solution should have the built-in adaptability necessary to extend across heterogeneous business processes and managed platforms that make up the largest enterprise.

Beyond these architectural parameters, the selected technology vendor or integrator should have demonstrable experience with implementations for global organizations and deployment case studies. The technology itself should undoubtedly meet the toughest IdM challenges. At the top of this list are insider security threats, external threats and compliance automation.



Internal threats

The insider still poses the greatest security risk. Security must establish policies that proactively identify and eliminate users that have amassed toxic combinations of access entitlements or rogue privileges across applications that contain sensitive data. The identity management system must then facilitate automated policy enforcement.

The solution should also incorporate business role management capabilities to define business relationships that exist within a department or division across the extended enterprise. This integrated approach will ensure the automation and enforcement of employees’ access to information, applications and systems based on pre-defined business roles, duties, interdependencies and relationships. For example, access rights to specific applications can be provisioned as employees work on particular projects and de-provisioned as soon as they complete the project.



In a survey conducted for SurfControl by Public Opinion Strategies, roughly nine out of ten (88%) employees support legislation to strengthen restrictions on explicit or pornographic spam and establish criminal penalties for spam that contains misleading information regarding the identity of the sender of the e-mail. Courtesy: PRNewsFoto

External threats

Would-be hackers are not the only external security threats. Network security is forced to evolve beyond traditional physical network domains. The old perimeter is officially dead, killed by a business necessity to externalize and extend access beyond the enterprise in order to facilitate cross-enterprise collaboration. This extended enterprise enables new business models, but it must be secured through IdM best practices and integrated security architectures.

Off-shoring, for example, is becoming an attractive business reality; but, in itself, it could pose additional external security threats. Organizations that pursue the productivity and cost-efficiencies with this model must also ensure that they do not sacrifice security. To mitigate this risk, security needs to consider off-shore service providers’ security policies and enforcement capabilities. Since off-shoring arrangements typically depend on access to critical information and systems, there must be verifiable practices in place to determine which people have access to these systems. This ability will become a differentiating factor across outsourcing service providers.



Compliance automation

Compliance drives more stringent security requirements. Sarbanes-Oxley, Gramm-Leach-Bliley Acts, the Basel II Accord and other regulations now challenge enterprise security. Due to the significant regulatory and customer privacy ramifications that security breaches can have, organizations need a better way to vigorously enforce and automate the management of user-access rights in a way that also facilitates audits.

For many enterprises, new identity management technologies and best practices ensure that organizations are on the winning side of the critical tradeoff to achieve compliance and security without unacceptable cost increases and application network performance degradation.

Did you enjoy this article? Click here to subscribe to Security Magazine. 

You must login or register in order to post a comment.

Multimedia

Videos

Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.

Podcasts

Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

Security December 2014 issue cover

2014 December

This issue of Security Magazine covers our 12th annual Top Guarding Firms list. Check out the best of the best as of December 2014. The 21st century has brought with it new types of security threats. Read how to combat and protect against these threats.

Table Of Contents Subscribe

Security Emergency Preparedness Training

Which security personnel emergency preparedness training is the top priority to you and your enterprise?
View Results Poll Archive

THE SECURITY STORE

comptiahighriseproductphoto
CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

STAY CONNECTED

Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.