Identity and Access Management

Identity and Access Management (IAM) is a concept that combines business processes, policies and technologies that enable companies to:
* provide secure access to any resource.
* efficiently control this access.
* respond faster to changing relationships.
* protect confidential information from unauthorized users.cite web|date=2000-2005|url= http://www.sans.org/reading_room/whitepapers/services/1640.php|title="SANS Institute Identity and Access Management Solution, Page4"|work=SANS Institute|publisher=SANS Institute]

Overview

In the past, IT security was designed mainly to keep people out of a network. Today, more and more of these internal applications need to be exposed and shared with outsiders—from partners and customers to remote users in the field. In essence, organizations need to open their virtual doors to the world while ensuring that only the trusted walk through them.

To resolve this enterprise-access quandary, many companies are turning to identity and access management (IAM) solutions. These software products—also known as identity management(IdM) solutions—promise to reduce the costs associated with application deployments and user management by aggregating control and visibility across multiple applications. They also protect an organization from network attacks by applying centralized security policies in a uniform fashion.

Maintaining a secure ebusiness infrastructure requires a comprehensive IAM system that maintains detailed profiles about each user’s personal credentials and professional roles. Such a system should establish rule-based and rolebased policies about who can access information resources, and it should maintain those policies and profiles in one place for easy, coordinated management.

Essential Ingredients of IAM

Today’s identity and access management solutions must span a complete range of functionality—from initial identity provisioning to long-term management; from highly secure access to cross-organization deployment; from fine-grained authorization to federated trading relationships—all of which should be built on a robust and wellproven security infrastructure. A comprehensive solution should include the following essential ingredients:

* Directory Services that provide a single centralized LDAP-based repository for user management, along with advanced productivity-enhancing features such as dynamic groups, user self-registration, and multidirectory integration. These services also include virtual directory technology to ensure no single vendor’s LDAP directory is required to tap into identity data residing elsewhere.

* Identity Administration capabilities to help reduce security risk by governing how digital identities, groups, and organizations are created, maintained, and leveraged throughout an organization. The solution should provide a simple, controlled means to change user, role, group, and organizational information that dynamically affects access privileges.

* Authentication, Authorization, and Single Sign-On to manage who has access to what information and when. Single sign-on delivers dramatic cost savings by reducing time spent with thousands of users addressing password reset and update issues.

* Federated Identity Management to link internal employees to external portals, or external constituents to internal portals, without the burden of managing their identity and credential information in both places. This drastically reduces the costs and complexity of managing partners’ users, and accelerates the adoption of networked business portals.

* User Provisioning to manage the creation of and on going changes to users and their privileges. This includes connecting users to the resources they need to be productive, and revoking unauthorized access to protect proprietary information.

* Web Services Management in a service oriented architecture, to expose business applications and information to the Internet for use by customers, business partners, and employees. A robust, secure framework is critical for managing access control, monitoring, and auditing these services.cite web|date=vol. 1 issue 2|url= http://www.oracle.com/partnerships/si/eds/i-am-who-i-say-i-am.pdf|title="I AM Who I Say I AM"|work=Hasan Rizvi|publisher=EDS Agility Alliance]

ecure Funding for IAM

1. Make the case with hard and soft benefits. Be prepared to educate business partners about identity and access management—what it is and why it is important. “It’s a very nebulous area to someone outside IT,” says Bruce Metz, CIO of Thomas Jefferson University. “One challenge is to have people understand what you’re trying to do. Then, the second question is, ‘Why does it cost so much?’”

Members who’ve successfully secured funds for their identity- and access-management projects say the secret is in staying away from the nitty-gritty details of single sign-on, smart cards and other elements of security infrastructure. “Keep this from becoming a techie exercise,” says Keith Glennan, VP and CTO at Northrop Grumman. “Anytime you’re doing something that’s essentially an infrastructure project, you have to explain clearly what you’re trying to accomplish in business terms.”

Glennan made his case by showing that new ID-management systems would reduce IT administration and help-desk costs (by reducing the manual hassles of resetting passwords and assigning application access). Security would improve (no more sticky notes with passwords under the keyboard), and so would user productivity (since users wouldn’t have to repeatedly log in to multiple systems). And Glennan points out a soft yet exceedingly important benefit: being better prepared to enforce compliance with regulations and demonstrate that compliance to Sarbanes-Oxley auditors.

2. Pilot the processes, not just the technology. CIOs who’ve begun identity-management efforts say that business-process issues present bigger hurdles than the technology. Steve Strout, CIO at Morris Communications, advises peers to walk through processes and rules related to identity creation and resource access before hardening those processes into code: Who is able to create, modify and view employee IDs? What is the trigger for giving a new employee (or an employee changing jobs) access to systems—and for revoking access when an employee leaves or changes roles? “We spent a lot of time walking through the logic behind why we were doing things a certain way,” Strout says. His project team (which included representatives from HR, IT and finance) created a new business process: When a user successfully passes the company’s mandatory drug test, it serves as the trigger for creating and then enabling systems access.

3. Plan on customization. To achieve the full benefits of ID- and access-management tools, Strout says, most IS shops will have to do some customization, especially if they want to enable automated provisioning and single sign-on to legacy systems, homegrown apps, software from small startup companies and other nonstandardized systems. “The security designs aren’t necessarily the same, so you just have to tackle each one as they are,” Strout says. In some cases, it may not be cost-effective to do automated provisioning to a nonstandardized system, especially if it has few users; it could make more sense simply to generate an automatic e-mail to an admin requesting systems access and have the admin manually fulfill the request.

4. Protect yourself against industry consolidation. While Strout was evaluating vendors for his identity-management initiative, the industry consolidated right before his eyes. Netegrity was bought late last year by Computer Associates. And earlier this year, after Strout had committed to buying an identity-management suite from Oblix, Oblix was bought by Oracle. “We’re predominantly a Microsoft shop,” Strout says, and he wonders if future iterations of the Oblix ID-management suite will remain Microsoft-friendly.

His strategy for dealing with the uncertainty: “Build processes in a standardized way.” That way, if he has to move to a new technology, he’ll minimize the amount of re-architecting that he needs to do.cite web|date=December 01, 2005|url= http://www.cio.com/article/14772/How_to_Tackle_Identity_and_Access_Management|title="How to Tackle Identity and Access Management"|work=CIO.com|publisher=CIO.com]

References

IAM Summits

* [http://www.acevents.com.au/idm2008 ID & Access Management Summit Australia 2008]
* [http://www.gartner.com/us/iam Gartner Identity & Access Management Summit 2008]