Five steps to mastering identity and access management
- 04 June, 2012 16:40
As the workforce becomes increasingly mobile and dispersed, identity and access management becomes more important in ensuring organisational security. While managing user identities and controlling access are separate tasks, they are closely related. Identity and access management (IAM) needs to be a key part of business security strategy, particularly as organisations grow and IT architectures become more complex. Here are five things to consider when planning your IAM strategy.
1. Identity data infrastructure
It is not possible to manage user identities without having an appropriate data infrastructure in place to store user information. This generally involves the use of directory and metadirectory systems, usually based on lightweight directory access protocol (LDAP), industry standard for accessing directory data.
Decision makers should consider federated identity as part of the underlying data structure. This allows systems to automatically grant access to users of other systems. Federated identity systems assign permissions to each other, creating a secure web of trusted applications. However, enterprises need to tread carefully when designing these systems—complexity can create more headaches than necessary and increase management overhead, while also limiting the flexibility to change application specifications or relationships.
While federated identity can be used to integrate disparate systems together (including those inside a single organisation), it is also necessary to assign the appropriate level of expertise to the design and maintenance of such a solution.
2. Define roles and entitlements
Two important, but still nascent, techniques that have a significant effect on access control are entitlement management and role-based access control. Systems that carry out these functions allow administrators to define multiple roles in an organisation, along with a granular set of entitlements to allow system access. When combined, they allow for very tight control of user access. For example, someone in a junior accounting role could access a particular database, but only until 6pm.
Defining and maintaining these roles and entitlements requires significant input from business management, which can potentially lead to complications if organisational requirements change. Business management needs to carefully monitor entitlements and roles in order to ensure operational security.
3. Automate the provisioning process
Identity management helps improve company-wide productivity and security, while also lowering the cost of managing users and their identities, attributes and credentials. This requires automation, but it also contains hidden challenges, as just setting up a user name and a password is often simply not enough. Instead, multiple steps must be included in the provisioning process. For example, users might be assigned a sales region, enrolled into a different number of organisational teams or given a list of company resources to which they have access.
4. Simplify access control
Controlling access to systems is a separate but related task to managing identity. The user can only be authenticated if their identity is in the system, but the task of authentication poses another challenge. Users must be able to access the system relatively easily to avoid illicit circumvention of security settings, and yet their credentials must be secure enough to stop attackers simply waltzing through the gate. Enterprise sign-on systems can provide users with access to multiple enterprise applications using just one set of credentials. For added security, hardware-based tokens can also be issued as part of a two-step authentication process.
Any identity and access management system is not complete without a robust reporting capability to meet the needs of auditors facing compliance regulations. Organisations should be able to provide audit trails showing which users had access to what resources, and what was done with those resources. With increasing levels of compliance required from organisations, it is wise to ensure that evidence can be provided when needed.
Any comprehensive IAM effort is complex, but cloud-based services can help to reduce deployment times. A competent and experienced IT operator can not only host the infrastructure necessary for managing both identity and access control, but can also provide consulting services to help integrate it effectively into a customer’s existing IT architecture. When the time and due consideration is taken, IAM can prove to be a valuable asset to any organisation.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
Larry Page wants to see your medical records
Dual-Persona Smartphones Not a BYOD Panacea
After two-year hiatus, EFF accepts bitcoin donations again
CIOs struggle to deliver timely mobile business apps: survey
Spiceworks' free management software gets integrated MDM
ESG Whitepaper: Integrated Computing Platform Survey
Data centres, servers, storage and more are being combined for simplified management and cost savings. In this survey, ESG looks at the current and future trends surrounding today’s integrated computing solutions. Download to find out how organisations are more likely to see commit IT budgets to the purchase of integrated solutions. Read more.
Mobile Load - Performance Testing for Mobile Applications
Key mobile trends and analysis on how performance testers must change their testing methodologies to ensure they are accounting for the changes caused by mobile usage. Download today.
New Demands for Real-time Threat Management
Many organisations are evaluating a new security model based upon IT risk management best practices. This is a good idea, but not enough for today’s dynamic and malevolent threat landscape. To keep up with IT changes and external threats, large organisations need to embrace two new security practices: real-time risk management for day-to-day security adjustments and real-time threat management to detect and remediate sophisticated, stealthy, and damaging security breaches (i.e., advanced persistent threats, or APTs). Learn more.