SOUTHFIELD – Organizations today are finding themselves in a difficult position. They must enable customers, partners, vendors, suppliers and employees to access various applications and corporate resources that reside across the enterprise. Yet, organizations, particularly in light of new regulations and rising awareness of risk management, are very conscious of the security implications of these business demands. They must effectively manage and control all user access to their critical corporate IT resources.
Compounding this issue, however, is the fact that organizations were not originally structured for such access. These organizations have deployed an ever-increasing number of applications with incompatible security models, inconsistent management of identities and different auditing mechanisms that result in inefficiencies, increased risk of identity theft and unauthorized access, and failure to meet regulatory compliance. This has fostered identity silos and numerous instances of duplicate efforts, causing an even greater challenge of managing these users and identities.
Effective security management starts with identity and access: knowing who your users are, controlling what they can access based on who they are and their relationship with the organization, and accounting for what they have done. This article discusses the requirements for a complete identity and access management (IAM) solution that will help organizations streamline management, allow trusted access to partners, protect investments in existing systems, reduce costs, improve efficiency and facilitate regulatory compliance.
Managing Identities Securely and Cost Effectively
An organization's success depends on the integrity, confidentiality and privacy of its information and processes to audit governance, compliance and use. Organizations must control and audit the process of issuing a user credential, conducting business transactions inside or outside of an organization, or allowing employees, customers or partners to access applications or resources. Because today's business systems are all too accessible, organizations need fine-grained, policy-based protection to safeguard their mission-critical data and services.
However, multiple, parallel approaches to managing identities often occur within a single company. These security silos prevent organizations from realizing a centralized security management infrastructure that can provide a single view of all activities, such as user management, policy management or creating a new user account.
To securely manage the end-to-end identity life cycle while protecting corporate resources, organizations must adopt a complete, integrated, modular approach to identity and access management (IAM) to fully manage their environment and integrate with their business processes. This approach must take into account an organization's investment in existing systems and aggregate information about an employee, customer and/or partner. For example, without effectively managing identities, it is impossible to deliver a simple requirement that most security officers have: "Tell me everything about a user," in regards to what systems they have access to, what they can do and what they have done on those systems.
Organizations need to provide their customers with 24 x 7 access to information, including the ability to place orders, track shipments and delivery dates, ask questions and contact customer service representatives. Organizations, however, must also grapple with identity theft, protection of security of personal and business data, and issues such as unrestricted access to files and commands by super users. Today, organizations need to provide auditable proof that only appropriate access is granted to critical data.
Organizations need to manage relationships with multiple and distinct populations of "identities." These may include employees, customers and business partners. Every type of population requires identity and access management, but has its own unique requirements:
Employee populations need a traditional, inward-facing security management solution that focuses on users' access to physical resources and IT systems, and protects internal systems. This requires automation of account management for employees and contractors, access control for internal systems and files, provisioning of physical devices, single sign-on to web and other applications, strong authentication mechanisms and work flow. In addition, it must reduce costs and improve auditing while supporting tens or hundreds of thousands of users. Key to its success is integration of technical and business process components.
Customer populations need an outward-facing security management solution that enables secure web access to customer services. From a business perspective, the focus is on customer acquisition and enabling new customer services. From the customer perspective, the focus is on ease of use and providing confidentiality of personal data and transactions. The solution must include identity management (including registration, self-management and administration), extranet access management, Web services infrastructure and large-scale directories. Additionally, this solution must be scalable to support tens of millions of customers.
Business Partner populations create the need to focus on cross-organizational transactions. It depends upon legal frameworks, which allow transactions to securely occur between independent entities. It supplies a secure Web services infrastructure to address the issues associated with cross-company authorization and provides implementations of applicable standards. Critical to this solution's success are trust models and bilateral agreements that clearly delineate what resources each partner is authorized to access, and the acceptable use of each such resource.
As seen in Figure 1, each user population impacts the business. However, while each group shares the same need for provisioning, access enforcement and activity tracking (audit), each has a unique set of challenges.
In the employee population, organizations must enable productivity for their employees, often through applications. This usually generates a significant number of identities and a large number of applications that must be addressed. Without proper identity and access management, employees can't access their applications. Even worse, the wrong people can have access to various applications and confidential information that can be tampered with or stolen.
For the customer population, ease of access and safety of transactions are critical. This population size can soar, having significant impact on revenues. Customers require an organization to deliver uncompromised protection of their personal information, but organizations often want to provide the fastest, easiest means to do business with customers. An integrated identity and access management approach can help organizations deliver on both requirements.
Two key dynamics exist for the partner population. The partner, needing access to confidential information inside another organization, has similar requirements as a customer: safe and easy access. However, what makes the partner population different from customers is the second dynamic: automated system-to-system transactions.
Key Business Drivers
Properly implementing an identity and access management solution can enable organizations to realize many benefits including the following:
Cost Containment/Productivity Enablement
The need to react to business priorities has never been greater, but organizations, and IT departments in particular, are being asked to "do more with less." Mergers and acquisitions have left IT departments with larger user populations and more consolidation, yet often with constant or even decreasing budgets. The re




