Five steps to mastering identity and access management
- — 04 June, 2012 16:40
As the workforce becomes increasingly mobile and dispersed, identity and access management becomes more important in ensuring organisational security. While managing user identities and controlling access are separate tasks, they are closely related. Identity and access management (IAM) needs to be a key part of business security strategy, particularly as organisations grow and IT architectures become more complex. Here are five things to consider when planning your IAM strategy.
1. Identity data infrastructure
It is not possible to manage user identities without having an appropriate data infrastructure in place to store user information. This generally involves the use of directory and metadirectory systems, usually based on lightweight directory access protocol (LDAP), industry standard for accessing directory data.
Decision makers should consider federated identity as part of the underlying data structure. This allows systems to automatically grant access to users of other systems. Federated identity systems assign permissions to each other, creating a secure web of trusted applications. However, enterprises need to tread carefully when designing these systems—complexity can create more headaches than necessary and increase management overhead, while also limiting the flexibility to change application specifications or relationships.
While federated identity can be used to integrate disparate systems together (including those inside a single organisation), it is also necessary to assign the appropriate level of expertise to the design and maintenance of such a solution.
2. Define roles and entitlements
Two important, but still nascent, techniques that have a significant effect on access control are entitlement management and role-based access control. Systems that carry out these functions allow administrators to define multiple roles in an organisation, along with a granular set of entitlements to allow system access. When combined, they allow for very tight control of user access. For example, someone in a junior accounting role could access a particular database, but only until 6pm.
Defining and maintaining these roles and entitlements requires significant input from business management, which can potentially lead to complications if organisational requirements change. Business management needs to carefully monitor entitlements and roles in order to ensure operational security.
3. Automate the provisioning process
Identity management helps improve company-wide productivity and security, while also lowering the cost of managing users and their identities, attributes and credentials. This requires automation, but it also contains hidden challenges, as just setting up a user name and a password is often simply not enough. Instead, multiple steps must be included in the provisioning process. For example, users might be assigned a sales region, enrolled into a different number of organisational teams or given a list of company resources to which they have access.
4. Simplify access control
Controlling access to systems is a separate but related task to managing identity. The user can only be authenticated if their identity is in the system, but the task of authentication poses another challenge. Users must be able to access the system relatively easily to avoid illicit circumvention of security settings, and yet their credentials must be secure enough to stop attackers simply waltzing through the gate. Enterprise sign-on systems can provide users with access to multiple enterprise applications using just one set of credentials. For added security, hardware-based tokens can also be issued as part of a two-step authentication process.
Any identity and access management system is not complete without a robust reporting capability to meet the needs of auditors facing compliance regulations. Organisations should be able to provide audit trails showing which users had access to what resources, and what was done with those resources. With increasing levels of compliance required from organisations, it is wise to ensure that evidence can be provided when needed.
Any comprehensive IAM effort is complex, but cloud-based services can help to reduce deployment times. A competent and experienced IT operator can not only host the infrastructure necessary for managing both identity and access control, but can also provide consulting services to help integrate it effectively into a customer’s existing IT architecture. When the time and due consideration is taken, IAM can prove to be a valuable asset to any organisation.
MORE IN Security Leadership