Given the risks that attend today’s punishing threat and regulatory landscapes, your need for identity and access governance (IAG) has never been greater. You need to know exactly who has access to what resources and if these levels of access are appropriate.
In recent years, this simple need-to-know mandate has evolved from an IT directive to a vital business imperative. As the general population’s technical sophistication grows ever greater, so grows your risk of security breaches and so grows the speed with which your organisation must respond to them.
Where identity management is a primary concern for your IT department, the related areas of security compliance, risk mitigation and access governance are among the primary concerns of your organisation’s business executives. Identity management and access governance systems share many overlapping functions. But the people who use these systems – IT professionals and business executives – typically have very different objectives and technology backgrounds. And while converging these two systems makes sense, the converged systems must be robust enough to meet IT’s demands and simple enough for non-IT business professionals to manage.
This is not to imply that one system can, or should, do the jobs of both. Rather, it means your IAG solution must seamlessly integrate IT and business tools.
IAG industry overview
Market forces
Many factors have contributed to the explosive growth of the identity and access governance (IAG) marketplace. Following are some of the primary factors driving this growth.
Attacks, cyber terrorism, internal breaches and fraud
While most companies find it relatively easy to provide ample physical security for workers at each of their facilities, they find ensuring the safety of their systems, data and intellectual property a daunting task. Cyber, or computer, attacks can come from anywhere – external sources or even organisations’ own employees. While the Federal Bureau of Investigation (FBI) increases the number of fraud cases it pursues each year by an average of 10%, the number of cases that do not reach the FBI-involvement level is significantly higher. From disgruntled employees to unscrupulous competitors to cyber hackers looking for data they can sell, the risks have never been greater than they are today.
Sadly, most cyber-attacks and security breaches are preventable: Your company probably already has the information it needs to stop attacks. What it most likely does not have is a way to organise, manage and monitor data in such a way that it can see security risks and take preventive actions.
Emergence of the cloud
The National Institute of Standards and Technology (NIST) defines the cloud as “the delivery of computing as a service rather than a product, whereby shared resources, software, and information are provided to computers and other devices as a utility (like the electricity grid) over a network (typically the Internet)”.
Cloud-hosted platforms and services are becoming popular all over the world. It is easy to see why. Cloud-delivered software as a service (SaaS) is inherently scalable. Companies pay only for the software they need now; and as they need more capacity, they can easily allocate additional resources. However, using cloud-delivered services is not without its challenges. For example, providing all users with access to all applications can be expensive and risky. To keep costs in check and mitigate security risks, you need a way to allocate access to cloud resources based on users’ roles and responsibilities. That is, you need an effective IAG solution.
Mobile access
To stay competitive, you must provide anytime, anywhere access to network resources. Doing this entails far more than installing traditional virtual private network (VPN) clients on company-owned machines. Remote users need access from a variety of non-traditional devices – such as smartphones and tablets. To securely meet these needs, your access-control solution must both authenticate users and permit them to access their cloud-based resources from multiple devices. Such access requires secure and trusted identity management that works across all platforms.
Budget constraints
During difficult economic times, organisations often constrain IT budgets even as they increase demands for IT services. Fully integrated IAG solutions that automate common procedures and processes are worthwhile investments even in tough times: Such solutions save time, money and frustration.
IAG solutions save money in two main areas: productivity and security. If your workers do not have access to the resources they need to do their jobs, productivity suffers and labour costs rise. Similarly, productivity costs rise when your IT professionals must spend expensive hours doing mundane, repetitive tasks. But the greatest costs associated with separate, manually managed identity and access governance solutions occur when organisations do not have adequate security and compliance controls. Data breaches are expensive and become public knowledge very quickly. If your organisation loses trust within the marketplace, it is at risk of extinction.
Resulting pressures
As the aforementioned market forces increase, the pressure to adopt an effective, integrated, automated IAG solution mounts. Organisations like yours must ensure both the integrity of their systems and their abilities to effectively manage access to them. Market forces apply pressures in two key areas.
Audits, regulation, compliance
Increased government and industry oversight results from concerns about data security, which in turn result from market forces such as the Internet’s expansion and the cloud’s growing popularity. Government and industry regulators often deploy oversight in the form of regulations, and regulations sometimes become laws to ensure compliance. Sarbanes-Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA) are just two examples of the many regulations that require effective IAG solutions for compliance: The ability to certify that people have access only to the resources they need, and only when they need them, is vital to compliance efforts.
Speed of access and updates
Years ago, businesses were content to wait for the US mail to deliver correspondence and information. In today’s communications setting, businesses expect instantaneous information sharing. They also expect instant user-provisioning and de-provisioning. Generating helpdesk tickets and waiting for heavily burdened IT staff to manually grant or remove access to each resource is no longer an acceptable practice. More than ever before, functions such as updating systems and applications to meet new business needs and compliance regulations, routine upgrades, and IT policy and procedure updates receive visibility at your organisation’s highest levels.
Melding two worlds
Definitions
To understand IAG solutions, you must first know something about how identity management and access governance systems work.
Identity management
IT’s needs and requirements drive identity and access management systems. Identity management tools allow IT professionals to:
* Provision application and server access.
* Provide trusted authentication mechanisms that ensure users are who they say they are.
* Simplify secure sign-on processes.
* Allocate access for SaaS resources and mobile devices.
* Administer Active Directory functions.
* Provide detailed, privileged administration capabilities for IT personnel.
Access governance
Access governance issues typically reside at the business level, so access governance tools have user interfaces that are designed for business managers rather than IT personnel. These tools typically support the following activities:
* Ensuring that the business complies with IAG rules and regulations.
* Authorising access requests for new hires, employees whose positions have changed and temporary teams.
* Certifying appropriate access levels.
* Defining and managing system-wide user roles.
* Managing entitlements associated with various roles and positions.
* Assessing, managing and mitigating risks based on roles, entitlements and access levels.
Access governance tools not only give business leaders the ability to meet regulatory requirements and authorise access, they also automate common, repetitive tasks, which reduces the burdens these tasks impose on IT and helpdesk personnel.
IAG and organisational needs
IT organisations must support compliance efforts, provide access, keep systems secure and update technology and computing environments – all the while trying to support strategic business objectives. Business managers are concerned with staying compliant, passing security/regulatory audits, mitigating risks, quickly responding to internal and external customers and having the ability to view the entire enterprise in an easy-to-understand and easy-to-use system.
As different as IT and business needs might seem, in the case of identity management and access governance systems, you cannot meet the needs of one without meeting the needs of the other. It is imperative that both systems work together.
Governance does not replace the need for strong identity management. Rather, it complements the identity management infrastructure and allows those closest to ultimate business needs to truly take advantage of business systems, rather than becoming slaves to them. In other words, seamlessly integrating identity management and access governance systems meets both IT and business needs.
Integration and real evolution
The value of existing investments
Some new vendors in the IAG space advocate pushing forward with emerging technologies, leaving the past behind. This ‘throw the baby out with the bath water’ approach is expensive at best and dangerous at worst. Leveraging existing equipment and technology provides greater value and has an important added advantage: Existing systems have already gained user acceptance. With the right IAG solution, you can maintain the technologies that have worked for you in the past and still stay current with important new technologies. The ‘right’ IAG solutions must support a wide range of platforms, applications and technologies. This ensures your ability to successfully use your current systems as a technology foundation upon which to deploy the latest technologies, thus enabling you to build a path for future development.
The future
Your company must create a strong vision for the future and determine which direction will carry it forward. Its IAG system will be an important part of this future. If you envision acquiring other companies (or if you see other companies acquiring yours), you know upfront you will need systems that can accommodate new and different technologies – but you will need such systems even if you see a future that does not involve acquisitions. After all, today’s technologies will become the legacy technologies of tomorrow. When they do, it will be better to build on them than to replace them. Ensure that your path forward includes strong integration capabilities that allow existing systems to seamlessly coexist with new and emerging technologies – including new platforms and computing environments.
Key elements for effective IAG solutions
The following product features are integral to successful IAG solutions:
* Full integration between identity management and access governance systems – Ensure that the governance system you select is more than just ‘compatible with’ or does more than merely ‘interface with’ your identity and access management system.
* Ease of use – A simplified, user-friendly interface is critical, especially for business users dealing with access governance. Look for a dashboard interface that enables business managers to quickly view the entire IAG landscape and drill down to detailed user profiles that show each user’s roles and entitlements. These capabilities will help business users quickly and painlessly adopt the new system and meet compliance objectives.
* Orphan account control – While it is important to quickly provision appropriate access to resources, it is even more important to quickly revoke access when employees or vendors leave. Make sure your IAG solution includes triggers that prevent orphan accounts from becoming potential security risks.
* Entitlement creep control – As workers transfer departments, accept promotions, join temporary teams and so forth, some solutions make it easy for them to retain access privileges from past projects.
* Trusted fulfilment – Governance systems are only as good as the identity management systems with which they are integrated.
* Multi-platform support – Strong IAG systems support all leading software applications and databases, operating systems, hardware and web server environments.
* Risk assessment and mitigation tools – The ability to quickly identify and mitigate risks is an essential element of any IAG solution.
Vendor selection
Selecting the right vendor is as important as selecting the right systems and tools. Here are a few questions you should ask when selecting a vendor:
* Credibility – What is the potential vendor’s reputation in the marketplace? How satisfied are other clients with the vendor’s support and services? If a prospective vendor’s reputation is suspect, or it is too new to have built a solid reputation, exercise increased caution in the selection process.
* Vision for the future – What is the prospective vendor’s vision? Is the vendor playing follow the leader or is it the leader? Do the vendor’s goals and strategies align with yours? Look for a vendor whose vision fits well with your organisation’s.
* Industry leadership and track record – What is the potential vendor’s history? Has it been an innovator in the markets it serves? Has it shown that the IAG market is a key area of focus, or does IAG seem to be an afterthought? Past leadership is the best indication of future success.
* Demonstrated performance – How knowledgeable are the vendor’s engineering and support staff? Has the vendor successfully implemented solutions very similar to yours at other locations? Again, finding out how the vendor’s existing clients rate its performance can help you determine how well the vendor will perform for you.
As identity management and access governance technologies converge, it is doubly important to select the right products from the right vendors. Proper research, planning and partner selection will ensure that your organisation’s IAG solution will meet its needs for years to come.
For more information contact NetIQ, +27 (0)11 322 8342.