Successive studies, including the recent U.K. Department of Trade and Industry Survey (www.security-survey.gov.uk) and the Computer Security Institute Survey (CSI/FBI) (www.gocsi.com/prelea_000321.htm), indicate a growing threat to organizations' information assets. In turn, this demands a coordinated end-to-end enterprise security program including:
- Controls environment - the policy and procedure foundation for management and user commitment to security.
- Technology platforms - core technical security issues, including the network infrastructure and operating systems.
- Enterprise application controls - the controls elements within the business applications.
But it is important to stress that security is more than just an insurance policy. Properly applied, security measures are a critical enabler to implementing new ways to do business faster, better and cheaper. With effective security, business risks may be mitigated, building confidence amongst employees, suppliers and partners alike.
Exploiting e-business initiatives has also brought a different focus for organizations, that of inclusion rather than exclusion. Whereas the challenge used to be keeping people out of your IT systems, now it is bringing the right people in and giving them appropriate system and application access. Embracing business partners, suppliers, contractors and customers, who are often connecting remotely, forces organizations to find a new approach to handle the sea of users and their complex requirements.
In addition, against a background of low security spending, convincing the board to implement security projects is difficult. The key to a security project's success is no longer in its technical excellence. Projects now need to show how they can deliver value to the business in direct cost terms.
Identity management technologies are the solution to this problem, providing a vehicle for bringing direct cost benefits to the business against a platform of improved security for organizations of all sizes.
What Is Identity Management?
With forecasts of considerable market growth in the near future, identity management is a common buzzword at the moment across the security industry and enterprise environments. However, there is confusion about what the term means and the benefits it delivers.
A common misconception is that identity management is about overseeing who users are within the enterprise or alternately what they may access. Both of these descriptions are too restrictive. A better definition is the collection of technologies and processes that enable appropriate user access to resources across an enterprise, technologies with which organizations may authenticate, authorize, provision and store user access rights in a secure and scalable manner, based on business roles.
Identity Management Framework
Building an identity management framework requires a combination of the following key technical and organizational components:
Authentication. Verifying a user's identity is a crucial element in the information security task, especially across the distributed enterprise or Internet. Authentication techniques include options from username and password systems to more powerful mechanisms such as biometrics and PKI that bring improved confidence in user identity.
Access control. Once authenticated, granting access to applications and resources is a core task of an information security system. Access control systems enable access for users only to those applications or resources that they are authorized to see.
User management. With large distributed user bases, user management systems are the key to administering users across the enterprise. User management systems act as proxy administrators, triggering updates to systems and applications, and notifications to individuals required to complete the provisioning process or remove users promptly from IT systems on departure.
Enterprise user directory. At the heart of the identity management system is the enterprise user directory, a centralized repository for storing and managing user information and credentials.
Managing the identity management task is eased considerably if users are grouped logically into roles. Role-based access control (RBAC) allows an organization to define a framework of user rights based on their real business information needs. Handling users as they move through an organization is then more easily managed by migrating them between roles.
We mentioned earlier that delivering business value was a key driver for implementing identity management. Through the discipline of adopting RBAC, and the use of potent software solutions, identity management systems deliver significant value to the business based on the following key elements.
Reductions are achievable in both direct and indirect IT management costs. The combination of technologies in an identity management solution leads to a reduction in system administrator and helpdesk staff that brings direct cost savings. With industry metrics showing over 40 percent of helpdesk effort devoted to password maintenance, the potential savings here may be significant.
Improved productivity is an indirect benefit delivered by identity management. Speeding up user account creation and password reset processes means that staff get or regain access to their IT systems quicker, minimizing both frustration and lost time.
Identity management is a vital element in providing an organization with a secure and scalable security structure. Identity management technologies provide a centralized, authoritative source of user identities, privilege and access information, enabling real-time enforcement of access rights based on a user's role. This reduces or eliminates the risk of unauthorized access to resources, or disclosure of confidential information. The ability to remove terminated accounts easily and automatically revoke all of their system access rights is also a powerful security feature.
The strong controls over access to systems and data delivered by identity management enhance an organization's ability to operate in regulated environments and its ability to respond to changes in policies, practices and procedures. However, in compliance terms the most important benefit comes from the combination of better auditing and a central interface from which to identify user access rights.
Flexible User Management
Traditionally, centralized management is one of the foundations of an effective security program, restricting the number of staff configuring access controls and managing users. However, in the distributed enterprise, delegation of user management can be the key to efficiency and scalability, particularly where the delegated administrators are tied to the users' organizations.
Identity management solutions deliver the ability to address both of these apparently contradictory requirements. The combination of user management and access control components provide centralized creation of user roles whilst also enabling the controlled delegation of routine user administration to business unit level.
Delivering Identity Management
Delivering identity management is not a trivial exercise. A strong commitment from management to set up a RBAC structure provides a solid foundation for progressing and delivering the benefits. The complexity of the identity management vendor landscape makes it difficult for organizations to map their requirements against solutions while ensuring that the real needs of the business are addressed in the identity management project. Successful delivery of an identity management solution requires a blend of business and technical skills, skills that force organizations to bring in specialist help.
The increasing focus on information security and the demands of enabling e-business have brought a new challenge for organizations. Whereas we used to try to keep people out of business IT, now we need to find ways of getting the right people in. More and more organizations are finding that identity management is the solution to this challenge.
By authenticating, authorizing, provisioning and storing user access rights in a secure, scalable and coordinated manner, based on real business roles, organizations can improve security while delivering real business value.