Identity and Access Management: A New, Less Excruciating Approach
Jan 10, 2012 5:00 AM PT
As essential as open systems and mobile applications are for doing business, they also put significant strain on an organization's security systems and, in particular, the key line of defense: identity and access management (IAM) systems.
Allowing a broad spectrum of users -- from employees to partners, to temporary workers, to customers -- to access vital information increases an organization's speed of doing business, but it also creates a variety of new risks. Add to these risks the growing use of mobile devices and applications, cloud-based applications, virtual environments and social networks. Risk isn't just multiplying; it is also moving further outside the control of the traditional "four walls of the organization" -- whatever they might be in an era when people can work from anywhere through several different technology options.
Managing this environment is a constant battle of avoiding business, financial, reputation and regulatory risks. On the front lines of these challenges are the IT security and audit teams. Increasingly, their most effective weapons are IAM and access risk management systems that help these teams identify, quantify and manage the business risk.
Slow and Painful
Many of today's IAM solutions are a loose collection of applications woven together with manual workflows and custom software. Companies that rely on such band-aid approaches to managing user access and to policy and regulatory compliance expose themselves to business risks such as:
- loss of intellectual property;
- loss of customer/employee information; and
- a damaged company reputation or regulatory infractions.
The fundamental weakness of these systems is that they are too slow, and too operationally painful to manage, to be effective in today's fast-paced and open IT environment, according to Steve Coplan, senior analyst of the enterprise security practice at The 451 Group.
"Organizations across the board struggle to generate value from many IAM projects both in terms of implementing more efficient business processes and more effective administration and governance of identities and their associated data entitlements," Coplan said.
There is no question that some IAM solutions have a reputation for being too expensive and ineffective. In a well-meaning move to accommodate their customers, most IAM providers emphasized heavily customized solutions that conformed to customers' existing manual business practices. This level of customization pushes implementation costs to several times the software's purchase price. Just as significant, it extends a customer's time to value to months, if not years, and leaves many organizations with partial implementations that don't deliver the expected value and protection. The result is higher ongoing software maintenance expense, plus the time and money spent supplementing the system with manual processes.
By contrast, organizations that automated their security processes and cut the time needed to identify security and governance issues had substantially fewer security breaches and audit findings, according to a recent study of 4,500 organizations by the IT Policy Compliance Institute.
But new approaches to the problem are proving that a flexible solution that adapts to the organization's goals and risks can be deployed with less cost, less customization, fast time to value, and low cost of maintenance. These new approaches focus not just on automation and operational efficiency, but on addressing organizations' most critical access risks.
Prescription for a New IAM Model
To achieve operational and user access risk management goals, new IAM solutions automate the collection and organization of critical identity, access and resource information. They then match that data against company policies and user activity to create a comprehensive view of access risk and its impact on the business, critical assets, personnel and regulatory exposure. Using a real-time analytics engine, the system can notify an organization of changes in security risk as they occur and provide the tools to remediate issues immediately. No more waiting three to six months to receive certifications/attestations of who has access to what, or relying on weekly status reports to learn about security issues.
This shift in focus matters as much as the faster time to value. The IT Policy Compliance Institute study mentioned above found that one major difference between the best- and worst-performing companies was a security program focused on business risks rather than on responding to audit findings.
In addition, this user access intelligence helps prioritize IAM initiatives to target the most important areas to an organization and helps with compliance and auditing by enabling "what if" analysis that can answer not only who has access to what resources, but what users are doing with that access and its potential impact on the business.
Integration of IAM functions and alignment between IT and user access policies means the system can alert all levels of management to a business, asset, security or financial risk caused by inappropriate access as it is happening, shortening response times and limiting potential damage. This is a policy-based approach that supports over-arching business goals, rather than a tactical process that performs specific tasks without contributing greater business value.
Traits of Effective Solutions
The new generation of effective IAM solutions has three basic qualities:
- Out-of-the-box, integrated functionality based on a prescriptive model of industry best practices. This functionality automates the collection and management of all identity information and then integrates key IAM processes such as user provisioning, role and profile management, compliance, attestation and password management, while allowing managers to grant, revoke and modify user access privileges. This model allows an organization to be up and running and delivering real operational and business value in weeks. At the same time, it provides simple utilities for configuring the system to fit the way the organization does business.
- A real-time access intelligence engine that monitors not only the traditional IAM functions but also the surrounding activity, to reveal associations and patterns that might violate compliance guidelines and company policies, or that indicate hidden risks to the company.
- Visualization and business intelligence that display near-real-time graphical profiles of risks to the most critical business, people and governance assets. Graphical risk profiling replaces the error-prone manual approach of data sorting and static risk scoring, which lacks context and a connection to business priorities. Integrating real-time access risk profiling and notification with provisioning and attestation enables managers to address risks associated with inappropriate access as soon as they are identified.
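The "matching identity, access and activity data against policy" step described under Prescription for a New IAM Model, and the "what if" analysis and access intelligence engine described above, are easier to see in code. The following is an added example, not code from the original article or from any IAM product it alludes to. All identities, entitlements, separation-of-duties rules and activity records are constructed for illustration, and the 90-day dormancy window is an assumed policy value.

```python
"""Toy access-risk analysis: join identity, entitlement and activity data
against policy, then answer a 'what if' question before a grant is made.
All data below is constructed for illustration (hypothetical users/roles).
"""
from datetime import date, timedelta

# --- constructed identity and entitlement data (hypothetical) ---
IDENTITIES = {
    "alice": {"dept": "finance", "status": "active"},
    "bob":   {"dept": "finance", "status": "active"},
    "carol": {"dept": "it",      "status": "terminated"},
    "dave":  {"dept": "sales",   "status": "active"},
}

ENTITLEMENTS = {
    "alice": {"ap:create_vendor", "ap:approve_payment"},
    "bob":   {"ap:create_vendor"},
    "carol": {"crm:admin"},
    "dave":  {"crm:read", "crm:export"},
}

# Separation-of-duties policy: no single user may hold both entitlements.
SOD_RULES = [
    ("ap:create_vendor", "ap:approve_payment"),
]

# Constructed activity log: (user, entitlement exercised, date used)
ACTIVITY = [
    ("alice", "ap:approve_payment", date(2012, 1, 9)),
    ("bob",   "ap:create_vendor",   date(2011, 10, 2)),
    ("dave",  "crm:read",           date(2012, 1, 8)),
]


def sod_violations(entitlements=ENTITLEMENTS, rules=SOD_RULES):
    """Users currently holding both halves of an SoD rule."""
    out = []
    for user, ents in entitlements.items():
        for a, b in rules:
            if a in ents and b in ents:
                out.append((user, a, b))
    return sorted(out)


def orphaned_access(identities=IDENTITIES, entitlements=ENTITLEMENTS):
    """Entitlements still held by identities that are not active
    (a terminated user with live access is a classic audit finding)."""
    return sorted(
        (user, ent)
        for user, ents in entitlements.items()
        if identities.get(user, {}).get("status") != "active"
        for ent in sorted(ents)
    )


def dormant_access(entitlements=ENTITLEMENTS, activity=ACTIVITY,
                   as_of=date(2012, 1, 10), window_days=90):
    """Entitlements granted but not exercised within the window.
    These are revocation candidates at attestation time: the user has
    the access, but the activity data says nobody is using it."""
    cutoff = as_of - timedelta(days=window_days)
    last_used = {}
    for user, ent, when in activity:
        key = (user, ent)
        if key not in last_used or when > last_used[key]:
            last_used[key] = when
    out = []
    for user, ents in entitlements.items():
        for ent in sorted(ents):
            used = last_used.get((user, ent))
            if used is None or used < cutoff:
                out.append((user, ent))
    return sorted(out)


def what_if_grant(user, new_ent, entitlements=ENTITLEMENTS, rules=SOD_RULES):
    """Simulate granting new_ent to user and return only the SoD
    violations the grant would introduce. An empty list means the
    request can be approved without creating a new conflict."""
    proposed = {u: set(e) for u, e in entitlements.items()}
    proposed.setdefault(user, set()).add(new_ent)
    before = set(sod_violations(entitlements, rules))
    after = set(sod_violations(proposed, rules))
    return sorted(after - before)


if __name__ == "__main__":
    print("SoD violations:", sod_violations())
    print("Orphaned access:", orphaned_access())
    print("Dormant access:", dormant_access())
    print("What if bob gets ap:approve_payment:",
          what_if_grant("bob", "ap:approve_payment"))
```

The three detection functions are the "access intelligence" the article describes: each joins a different pair of feeds (entitlements against policy, entitlements against HR status, entitlements against activity) and produces findings that a provisioning or attestation workflow can act on. `what_if_grant` is the "what if" analysis: it evaluates a proposed change against the same policy before the change is made, so an approver sees the conflict at request time rather than at the next quarterly certification. In a real deployment the value of every one of these checks depends on the freshness and completeness of the underlying feeds; a stale HR status or a missing application log makes the engine silently miss the corresponding risk.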
The ultimate value of this new generation of best practice-driven IAM solutions is that they elevate IAM from a tactical process to a strategic business solution while performing operational and management tasks faster and more cheaply. Companies that embrace open systems, mobile devices and applications, cloud-based services and social networking as conduits into their vital information systems will find they have a new way to be open, safe and efficient at the same time. That's a prescription worth taking.