Identity and Access Management – Use Technology to Reduce Security Risks and to Meet Compliances
Do you think that heavily guarded castles with invaluable treasures in them exist only in fairy tales and history books? Maybe, but there are analogies in today's world: modern-day organizations keep their critical technological resources in a somewhat similar way, within heavily guarded IT infrastructure with strict access controls. One will not get access to such resources unless the organization wants him to have the access. Also, access will be extremely limited, and only for a limited period allowed by the organization. But how is all this facilitated in organizations where thousands of employees work on large computer networks, with many devices, websites, files, folders, software, and other resources? The credit for this goes to an idea known as Identity and Access Management (I&AM).
Identity and Access Management
Identity and Access Management ensures that the IT infrastructure of the organization is as secure as the old fairy-tale castle. I&AM ensures that only trusted people with a genuine purpose can use the resources of the organization, and only in a very controlled way. Then what is I&AM?
Identity and Access Management is a combination of policies, processes, and technologies intended to protect resources such as applications, databases, and system data from being misused. Apart from protecting them, it helps to meet mandatory security compliance requirements. Simply put, I&AM is the primary tool for protecting the technological resources of the organization through the effective management of its digital identities.
Why Identity and Access Management?
An organization has to share its data and resources with different types of users: employees, customers, clients, partners, etc. Depending on their role or relation with the organization, they may have to access different types of data and other resources. It is neither necessary nor safe to share all the resources with all users. The organization has to keep the security of data, the cost of information sharing, and regulatory compliance in mind. So I&AM is used to facilitate secure and controlled access to its resources.
The importance of policies, processes, and technologies
Identity and Access Management starts with security policies, and technology is there to support the implementation of those policies through various processes. Depending on its risk tolerance, the organization should enforce some restrictions regarding the usage of its resources. Then comes the implementation of these restrictions through a series of steps. In every step, care is taken that resources are not misused in any way at any level. Use of technology helps to automate these processes to ensure compliance and to eliminate security risks, with the optimum usage of resources.
Digital Identity, Directory Services, and Access Management
The entire I&AM stands on three pillars: Digital Identity, Directory Services, and Access Management.
The most essential thing for implementing I&AM is a digital identity. In order to access a resource, a digital identity is essential for people and devices. Email accounts, user accounts, and computer accounts are examples of digital identity. Ideally a digital identity consists of an identifier and its credential (attributes too). In day-to-day life, it simply turns out to be a user id and a password. However, in more complex situations a digital identity has more dimensions.
It is Directory Services that stores digital identities. It is also responsible for giving entitlement, that is, the privileges and rights provided to users and user groups. It also holds security policies such as password complexity, trust configuration, etc. MS Active Directory Service is the most popular example of a directory service.
The Directory Services allow access to resources after authentication and authorization of the credentials of the identifier. In authentication, the credentials of the identifier are validated, and in authorization, it is ensured that the identifier has a legitimate right to access the resource or to perform a particular action.
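The split between authentication and authorization described above can be shown with a toy directory. This is an added example, not code from the article or from any product; the class, the account names, the passwords, the "payroll-db" resource, and the minimum-length policy are all constructed for illustration.

```python
import hashlib
import hmac
import os

class Directory:
    """Toy directory service: identities, group entitlements, password policy."""
    MIN_LEN = 12  # constructed password-complexity policy, not from the article

    def __init__(self):
        self.identities = {}    # identifier -> (salt, credential hash, groups)
        self.entitlements = {}  # group -> {(resource, action), ...}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def provision(self, user, password, groups):
        if len(password) < self.MIN_LEN or password.isalpha() or password.isdigit():
            raise ValueError("password violates directory policy")
        salt = os.urandom(16)
        self.identities[user] = (salt, self._hash(password, salt), set(groups))

    def grant(self, group, resource, action):
        self.entitlements.setdefault(group, set()).add((resource, action))

    def authenticate(self, user, password):
        """Authentication: validate the credential presented for an identifier."""
        salt, stored, _ = self.identities.get(user, (b"\0" * 16, b"", set()))
        candidate = self._hash(password, salt)  # also computed for unknown users
        return hmac.compare_digest(candidate, stored)

    def authorize(self, user, resource, action):
        """Authorization: deny unless one of the user's groups holds the right."""
        groups = self.identities.get(user, (None, None, set()))[2]
        return any((resource, action) in self.entitlements.get(g, set()) for g in groups)

    def access(self, user, password, resource, action):
        if not self.authenticate(user, password):
            return "denied: authentication failed"
        if not self.authorize(user, resource, action):
            return "denied: not entitled"
        return "granted"

def demo_directory():
    d = Directory()
    d.grant("finance", "payroll-db", "read")              # constructed entitlement
    d.provision("alice", "Tr4ffic-Cone-91", ["finance"])  # constructed accounts
    d.provision("bob", "Blue-Kettle-2207", ["engineering"])
    return d
```

A user with a valid credential but no entitlement is still refused, which is the case that authentication alone cannot catch.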
What are the challenges faced by I&AM technologies?
Before adopting I&AM technologies, organizations should have an idea about the key challenges faced by them. Here are a few:
- Extremely complex IT environment
The IT environments of organizations are extremely complex. Most organizations work from many different geographical locations, operate from many different time zones, own branches and operational centers in different countries and regions, are divided into many departments and business divisions, and go through mergers and acquisitions quite often. So the IT environment they own is as complex as the organization itself. Also, these environments are used by users of different types: employees, clients, contractors, customers, business partners, etc. They work on complex computer networks and BYOD devices using sophisticated technologies. So an Identity and Access Management system needs to be competent enough to meet the requirements of such a complex environment.
- Need to enforce access management policies of the organization
I&AM technologies should be well designed and effective enough to safeguard the security interests of the organization. They should be able to implement the access management policies of the organization in a foolproof way. While providing access, they should strictly control when and to what extent the resources can be accessed, depending on who is accessing them.
- Need for simple and effective access to business resources
An Identity and Access Management system needs to be simple, even from the point of view of a non-technical end user. Simplicity of the tool helps in increasing the productivity of the end user and improving the efficiency of the business process.
- Cost considerations
Identity and Access Management comes at a price, but organizations want it to be as cheap as possible. They also want to improve productivity with its help. An automated Identity and Access Management system can save the productive hours of the IT team and the employees by minimizing human effort. A quick logon, authentication, and password reset mechanism can reduce the number of calls to IT help desks and also employee waiting time. Additionally, a good I&AM system should be able to check for duplicate identity data so as to reduce costs. In short, the Total Cost of Ownership (TCO) needs to be as low as possible.
- Security concerns
Organizations need to protect business resources from unauthorized access and misuse. The possible threats can be external or internal. To meet the security requirements, an I&AM system should be able to provide effective access controls. Enforcement of account policy, effective handling of stale or inactive accounts, a secure mechanism for data transfer, an authentication mechanism supported by strong technologies, robust directory services, flexible authorization mechanisms, entitlement management and provisioning facilities, powerful identity life-cycle management and group membership management features, reduced attack surface, and password policy implementation features are expected in an I&AM technology.
- Requirement for flexibility
Mergers and acquisitions, which are very common now, pose unique challenges to organizations. After such events, the organization needs to ensure swift access to its resources through a consolidated I&AM system. An I&AM system needs to be very flexible in situations like mergers and acquisitions.
- Regulatory compliance
No organization can be casual about regulatory compliance. Failing to meet compliance requirements may lead to legal and financial issues. I&AM system actions, especially provisioning, need to be auditable. I&AM technologies need to support the organization in meeting its regulatory compliance requirements.
Identity and Access Management refers to an automated system that secures the technological resources of the organization by implementing its security policies. Apart from ensuring information security, it helps organizations to improve the efficiency of the business process and to improve productivity.
Rupesh Kumar is managing director of Lepide Software