Identity and access management is arguably the broadest issue in IT security.
There are few concepts that impact as widely on so many areas as that of managing identity in a business.
From enabling employees to access the internal resources they need to fulfil business aims, through companies outsourcing functionality and hardware, to consumers seeking to bank, trade or buy goods remotely, all are dependent on secure, reliable identity and access management.
In addition to enabling secure access to relevant resources of all kinds, well-structured identity management provides the lever to make huge efficiency savings that can grow exponentially over time.
Badly implemented projects, however, will not only soak up precious resources, but will merely automate existing problems, leading to a more costly cleanup exercise in the future. Such are the basic risks and benefits of identity and access management (IAM).
Alan Rodger, senior research analyst, Butler Group, says: "It's certainly a mistake to look at IAM and see it as a series of technical implementations - business needs should be the key driver here.
"There is a huge scope of products available in this field, from single sign-on through authentication to federation, and any IAM implementation needs to map onto business needs explicitly - there are no hard and fast rules here."
Tim Farrell, CEO and co-founder of FutureSoft, agrees: "Any enterprise looking into this area must have a clear idea of its goals, so that it can match protection to its environment. Far too many enterprises try to implement a whole range of security widgets, which are ultimately self-defeating.
"The key is to identify the 20 percent of data that is business-critical and protect that, rather than trying to protect everything."
Farrell also believes that mapping essential data is vital: "It's key to know and map exactly where your data is stored, and this is often not as easy as it sounds.
"Local machines can cache data for performance reasons, and this needs to be acknowledged and analysed. It's important not to get too paranoid and set your security levels too high, though, as it's perfectly possible to step back 10 years in performance terms by encrypting all your storage and disabling caching."
Simon Godfrey, director of security solutions, CA, believes IAM can be the most complex project going. "It's without doubt one of the most challenging projects a business can undertake, and people really are the key to this one.
"Technology is very much in second place. It's all about ensuring you have strong methodology and have best practice policies in place, as well as keeping the complex process on track with a high level of project governance. Ultimately, IAM is less of a project, more of a program."
Many businesses will have begun an IAM program some years ago, often in single departments or for individual groups of users, such as secure sign-on tokens for remote workers or finance department staff.
As demands and technology change, many large enterprises find they are operating several overlapping systems. The integration of these can be a headache, but will bring in extensive cost savings in the future. This is one of the key benefits of IAM, explains Godfrey:
"Often, identity management processes are either manual or semi-manual, and automating these can offer genuine cost benefits. A simple example here is password resets.
"These soak up huge amounts of helpdesk time, and deploying a single sign-on can cut costs drastically. One implementation we did for BT ended up saving it $4.5m a year.
"And federating new services, such as web services, can cut rollout times and increase flexibility hugely."
The broadening scope of federated management systems makes the task of deployment more complex, but also far more rewarding.
Once authenticated identities can be used in a portable fashion across autonomous security domains, administrative efficiency can be improved enormously.
However, cross-domain B2B deployments are even more complex, and strict adherence to standards is critical to success. Whatever the scale of deployment, standards are of vital importance, due to the wide area that identity management covers.
Equally, this scope can also make it difficult to ensure all relevant standards are met in every area of the network.
IAM impacts on areas including directory management, certificate authorities, provisioning, access control, as well as authentication standards for tokens, smartcards and biometrics.
The key standards bodies in the IAM space include the Liberty Alliance, which works towards developing standards for federated identity and identity-based web services;
OASIS (Organisation for the Advancement of Structured Information Standards), responsible for the development of SAML (Security Assertion Markup Language), a method of conveying identity and authorisation data, as well as WS-Security (Web Services Security), a methodology for attaching security data to web services messages;
and XACML (Extensible Access Control Markup Language), a standard for expressing security policies and access rights to information for web services.
There is also the Web Services Interoperability Organisation (WSI), responsible for WS-Security, a security standard for when data is exchanged as part of a web service, and WS-Federation that deals with the federation of trusted identities, their attributes and their authentication.
Additionally, ISO and British standards all play a part, depending on geographical territory, as well as a whole host of authentication standards.
Emma Harrington, global product manager, Thales, says: "A lot of customers have heard of one or two standards and ask for them, such as SAML, but many have no idea what these standards actually are, or what they do.
"This is a very important area, though, as often technology vendors are keen to lock customers into their own products, which can lead to integration difficulties down the line. The key to a successful IAM implementation is to be flexible.
"A project of this size is a great time to take a step back and assess business priorities, risk vectors and take an overview."
Steve Brunswick, strategy manager, Thales, agrees: "Be sure to consider which standards are most relevant for your business, and discuss these with your chosen vendor. It's also wise to ask them about their intended roadmap; not all vendors will fully support the huge variety of standards in this area."
Jim Hietala, VP security, the Open Group, believes broader vendor adoption is required: "The standards are out there, but their adoption so far is fragmented, and it is also inconsistent.
"Organisations are trying to deal with this situation, but it's complex. The reality for companies tends to be implementing a solution for business reasons, such as a SaaS product like Salesforce, then looking at IAM later."
Other advantages of a standards-based approach to IAM include increased visibility throughout the organisation, and the forensic tools built into such systems.
In the event of a data breach or leak, it's important to be able to spot immediately where the issue originated, so that safeguards can be applied.
However, Rodger points out that the sheer scale of the task should not be underestimated. "Provisioning, for example, where access rights are granted as a result of authorised ID, requires a huge amount of work to define the roles of staff.
"It can take from one to three years to design and spec a large system. This means businesses need to be careful about future-proofing right through the technology stack, from applications right through middleware and hardware."
Future issues aside, another common IAM pitfall is to downplay the importance of executive buy-in, according to Godfrey.
"This is by far the greatest reason for failure in IAM programs, and when a client comes to us without it, we know that success is unlikely.
"Implementations on this scale will inevitably encounter resistance from some quarter of the business, and it's vital to have the weight of an executive sponsor to keep things moving."
It's clear IAM will mean different things to different companies, and implementations will range from single sign-on for double-figure user bases, through to international federated B2B marketplace systems.
But many of the preliminary steps remain the same, and the absolute requirement to co-ordinate and maintain project coherence is the top priority.
As the demand for efficiencies grows, the need for increasingly complex federated systems will increase, and the raft of standards that accompany the theory will mature further.
Keeping on top of the relevant ones for your IAM implementation is key.