The big IAM

Aug 13, 2009 2:00 PM
Tags: identity | access | management

Identity and access management is at the heart of corporate security, a difficult task with potential for great savings.

Identity and access management is arguably the broadest issue in IT security.

There are few concepts that impact as widely on so many areas as that of managing identity in a business.

From enabling employees to access the internal resources they need to fulfil business aims, through companies outsourcing functionality and hardware, to consumers seeking to bank, trade or buy goods remotely, all are dependent on secure, reliable identity and access management.

In addition to enabling secure access to relevant resources of all kinds, well-structured identity management provides the lever to make huge efficiency savings that can grow exponentially over time.

Badly implemented projects, however, will not only soak up precious resources, but will merely automate existing problems, leading to a more costly cleanup exercise in the future. Such are the basic risks and benefits of identity and access management (IAM).

Alan Rodger, senior research analyst, Butler Group, says: "It's certainly a mistake to look at IAM and see it as a series of technical implementations - business needs should be the key driver here.

"There is a huge scope of products available in this field, from single sign-on through authentication to federation, and any IAM implementation needs to map onto business needs explicitly - there are no hard and fast rules here."

Tim Farrell, CEO and co-founder of FutureSoft, agrees: "Any enterprise looking into this area must have a clear idea of its goals, so that it can match protection to its environment. Far too many enterprises try to implement a whole range of security widgets, which are ultimately self-defeating.

"The key is to identify the 20 percent of data that is business-critical and protect that, rather than trying to protect everything."

Farrell also believes that mapping essential data is vital: "It's key to know and map exactly where your data is stored, and this is often not as easy as it sounds.

"Local machines can cache data for performance reasons, and this needs to be acknowledged and analysed. It's important not to get too paranoid and set your security levels too high, though, as it's perfectly possible to step back 10 years in performance terms by encrypting all your storage and disabling caching."

Simon Godfrey, director of security solutions, CA, believes IAM can be the most complex project going. "It's without doubt one of the most challenging projects a business can undertake, and people really are the key to this one.

"Technology is very much in second place. It's all about ensuring you have strong methodology and have best practice policies in place, as well as keeping the complex process on track with a high level of project governance. Ultimately, IAM is less of a project, more of a program."

Many businesses will have begun an IAM program some years ago, often in single departments or for individual groups of users, such as secure sign-on tokens for remote workers or finance department staff.

As demands and technology change, many large enterprises find they are operating several overlapping systems. The integration of these can be a headache, but will bring in extensive cost savings in the future. This is one of the key benefits of IAM, explains Godfrey:

"Often, identity management processes are either manual or semi-manual, and automating these can offer genuine cost benefits. A simple example here is password resets.

"These soak up huge amounts of helpdesk time, and deploying a single signon can cut costs drastically. One implementation we did for BT ended up saving it $4.5m a year.

This article appeared in the August, 2009 issue of CRN.


