Enterprise security has long focused on fighting malware and outsider threats, while most breaches these days are accounted for by insider threats. This is where identity and access management (IAM) solutions step in: IAM is a centralised and automated approach to regulating access to resources by employees and other authorised individuals. The primary objective of identity management is to define an identity for each user, associate attributes with that identity and enforce a means by which a user can verify identity. Once implemented, IAM systems support single sign-on (SSO), the ability of a user to access all network resources after authentication.
Though the concept of IAM has been around for a while, it is a cool idea that hasn’t really caught on among enterprises. That is now beginning to change, with IAM figuring at the top of the agenda for many IT managers this year, partly for regulatory compliance reasons and partly because of the need to give the right people access to information at the right time. “IAM is driven for the most part by the requirements for compliance in enterprises and institutions, compliance to internal and external regulations that address access to sensitive or critical information. They also seek to make the process of requesting access to information and services more efficient, to streamline and automate those activities associated with the creation, maintenance, use, and retirement of digital identities,” says Earl Perkins, Research VP at Gartner.
Erwin Martin, Technical Consultant with Secureway, says enhanced productivity and improved user experience are also key drivers. “Single sign-on, automation, self-service will result in more efficient processes, delivering quick response times and allowing staff to focus on higher-leverage tasks,” he says.
Enterprises across all industries face the same challenges when considering an IAM solution. “Firstly they want to ensure their enterprise security, meaning that the right people have access to the right information at the right time. This is easier said than done given that people might have the full right to access information, but how are they using that information? Increasingly we find enterprises asking what people are doing with the information they are allowed to access,” says Franz Erasmus, Practice Manager – Information Security, CA MENA.
Perkins from Gartner says regulatory compliance poses a major challenge for enterprises, namely answering questions such as (a) who has access to what; (b) who gave the user/customer/partner that access and when was it given; (c) what level of access was given. “IAM is a process that spans multiple business “silos” such as enterprise resource planning, customer relationship management, supply chain, accounting—each has requirements for accountability, transparency, and control of access. Providing a common process and approach to managing identity in those silos can be a significant political challenge: each silo often has its own view of IAM,” he adds.
Perhaps the most significant challenge associated with IAM today is how to manage identity and access across physical, virtual and cloud environments. “You need to turn the concept of identity on its head,” says Deepak Narain, Manager – Systems Engineers MENA, VMware. “If you look at existing policies, you’ll see that they’re still rooted in the physical world. A key building block of existing policies is that boundaries are well defined and change comes slowly. The model is simple – boundaries are defined, appliances are placed at the boundaries, and once placed they are likely to live a long productive life there. Virtualisation and Cloud Computing challenge both of these assumptions – boundaries are much more elastic, change is constant, new endpoints are appearing faster than ever before, multi-tenancy is becoming a fact of life.”
Erasmus from CA echoes this opinion: “The introduction of virtual and cloud environments has presented business with immense value and business opportunity. However, the risk of losing control over such environments by means of rapid proliferation and associated identity creation is real and growing exponentially.”
Those shopping around for IAM solutions should keep in mind that there is no one-size-fits-all solution to their challenges. “While there is no single solution for all IAM challenges, there are technology vendors that have accumulated in one place the products often required to build a comprehensive IAM program. These vendors, known as IAM suite or portfolio vendors, contain access, identity administration, and intelligence functions in two or more IAM products and provide services (either themselves or through partners) to integrate those functions within an IAM program. There are smaller IAM vendors that create partnerships with other IAM vendors to compete against the suite concept. It is an active and vibrant market for solutions,” says Perkins.
Diyaa Zebian, MD of Novell Middle East, says an IAM solution should grow as an enterprise grows. The challenges faced by a 100-employee organisation are both the same as and vastly different from those faced by one with 10,000 employees. Any IAM solution should be robust enough to tackle today’s challenges economically and to serve as a foundation for tomorrow’s opportunities.
Given that each organisation is unique in its IT and workforce environments, the right IAM solution should be flexible, integrate easily with the existing IT environment and be easy to configure to conform to each organisation’s policies and risk/compliance posture, according to Chris Rixon, Principal Solutions Marketing Manager at BMC. Selecting an IAM solution also means selecting the appropriate long-term technology partner, one that best reflects not only your requirements as an enterprise but also the architecture and ‘philosophy’ of the enterprise. Perkins from Gartner says that most IAM programs are major investments with considerable deployment times, and choosing a partner that will be a significant part of your enterprise for years to come is critical. Criteria such as viability, the availability of integration partners, strong regional support, and technology that addresses your requirements are all important. In addition, a partner that understands the process and organisational needs of the enterprise to support and use IAM is considered critical.
A daunting task
Within the security community, IAM initiatives are considered high value but notoriously problematic to deploy. Yet despite its complexity, IAM represents 30 percent or more of the total information security budget of most large organisations, according to IDC. Ironically, the deployment difficulties stem from having to reconcile the very people and process breakdowns IAM automation is meant to solve, such as too many or too few people involved in authorising requests, a lack of documentation for access requests and approvals, connecting to target systems with “dirty” or obsolete data, and so on. This conundrum has led to the rise of what is called identity governance.
Identity governance involves defining and executing the identity-related business processes that are most critical to the organisation. For example, an engineer needs root access to the server hosting an ERP system–who needs to approve that request? Who is the one who actually takes the action that grants that access? How does that process get documented? Where is it stored, and for how long? How can we report on it during an audit?
Getting your organisation’s governance processes locked in is a tall order, but well worth it. One of the many benefits of proper identity governance is that it pinpoints which identity-related processes are most in need of attention.
Vendors acknowledge that IAM systems are complex to deploy and say they are making efforts to simplify the process. “Traditional IAM systems have earned a reputation for being complex and difficult to deploy. But the good news is that next-generation IAM solutions have addressed many of the shortcomings that plagued early IAM deployments. For example, we provide simple and intuitive UIs “out of the box” for common tasks such as access request, approvals and reviews that business users commonly need. This minimises the need for custom-building workflow and forms. In addition, our solution is designed to be modular – to integrate quickly and easily with existing applications and platforms, but also with existing IAM tools. We offer integration modules to third party provisioning solutions, access management products, and help desk products. In other words, we complement previous investments by adding friendlier UIs and better business insights,” says Jackie Gilbert, Co-founder and VP of SailPoint.
Erasmus from CA says his company has acknowledged the complexity of IAM systems and has developed a number of services and tools that assist an enterprise with the deployment of IAM solutions at the business, project and technical levels. CA’s rapid implementation service deploys CA Identity Manager in an initial bounded deployment that delivers results quickly. CA architects and consultants work with the enterprise to develop solution design and integration specifications that include implementation and test plans. On the technical side, CA has also developed a tool that facilitates system integration via a wizard-style interface. This eliminates the costly and error-prone need for manual coding of the solution to enterprise systems, he adds.
IAM implementations promise big rewards but demand big investments, so never underestimate the amount of preparation involved. Prepare your environment for a smooth implementation before you get on the bandwagon.