Iam report



1. Incorporating Technology Evaluation and Comparison Report
OVUM Butler Group
Identity and Access Management 2011/12
Delivering essential business protection and compliance
Part of the Datamonitor Group
WWW.OVUM.COM
2. Enterprise IT Knowledge Centre

At the heart of the new service are more than 150 ICT analysts from the former Ovum and Butler teams. They provide deep insight into both vertical and horizontal business technology, delivered through best-in-class research and analysis. To their insights, we add the expertise of Datamonitor’s 350 business analysts. It is this combination that makes the new Ovum IT service especially valuable to clients: by integrating the three teams, we can offer unique insight into the opportunities and issues facing you and your customers, and dispense invaluable advice to help you create an effective technology strategy – a process that we describe as Collaborative Intelligence.

Our comprehensive research agenda spans the full IT investment lifecycle. Our analysis and advice help you to create the optimal technology investment portfolio for the organisation, select and implement the appropriate solutions and services, and manage those investments to realise the desired business benefits. Our coverage ranges from insight into industry-specific business processes and analysis of vendor markets, through to radical opinion on disruptive technologies and best-practice IT implementation guides. Here we present thought-leading research and strong examples of Collaborative Intelligence in action, and we look forward to working in partnership with enterprises globally.

For more information, please contact Mike James on +44 1482 608380 or mike.james@ovum.com

Research: Andy Kellett, Graham Titterington, Nishant Singh, Somak Roy
Acknowledgements: Maxine Holt, Tim Gower, Tim Jennings
Artwork and layout by Karl Duke, Steve Duke, and Jennifer Swallow

Published by Ovum, January 2011. © Ovum. All rights reserved. This publication, or any part of it, may not be reproduced or adapted, by any method whatsoever, without prior written Ovum consent. Part of the Datamonitor Group.

Important Notice

We have relied on data and information which we reasonably believe to be up-to-date and correct when preparing this Report, but because it comes from a variety of sources outside of our direct control, we cannot guarantee that all of it is entirely accurate or up-to-date. This Report is of a general nature and not intended to be specific, customised, or relevant to the requirements of any particular set of circumstances. The interpretations contained in the Report are non-unique and you are responsible for carrying out your own interpretation of the data and information upon which this Report was based. Accordingly, Ovum is not responsible for your use of this Report in any specific circumstances, or for your interpretation of this Report. The interpretation of the data and information in this Report is based on generalised assumptions and by its very nature is not intended to produce accurate or specific results. Accordingly, it is your responsibility to use your own relevant professional skill and judgement to interpret the data and information provided for your own purposes and take appropriate decisions based on such interpretations. Ultimate responsibility for all interpretations of the data, information and commentary in this Report and for decisions based on that data, information and commentary remains with you. Ovum shall not be liable for any such interpretations or decisions made by you.
3. Identity and Access Management 2011/12 – Contents

Chapter 1: Management summary 9
1.1 Management summary 11
1.2 Report objectives and structure 17

Chapter 2: Business and technology issues in IAM 19
2.1 Summary 21
2.2 Identity and access management projects are large-scale investments 21
2.3 Business processes need to be overhauled 25
2.4 Cloud services add urgency to the need to federate identities between organizations 26
2.5 The vendor landscape has been rationalized 28
2.6 Recommendations 29

Chapter 3: Identity and access management and compliance 31
3.1 Summary 33
3.2 IAM delivers services that are relevant to business improvement, continuity, protection, and compliance 34
3.3 Regulatory compliance has a demanding impact on most organizations 35
3.4 Audit adds urgency to the need for a better IAM infrastructure 39
3.5 Continuity and the lifecycle approach to managing identity delivers business value 40
3.6 Everyone needs to be accountable 41
3.7 Achieving and proving compliance is a key business objective 43
3.8 Recommendations 44

Chapter 4: Identity services in the cloud 45
4.1 Summary 47
4.2 The need for an internet identity is now recognized 48
4.3 Several levels of identity assurance are needed 50
4.4 Legal and commercial issues are still of paramount importance 53
4.5 Technology is being developed for internet identity 55
4.6 Recommendations 58

CONTENTS – IDENTITY AND ACCESS MANAGEMENT 2011/12 3

4. Contents – Continued

Chapter 5: Federated identity 59
5.1 Summary 61
5.2 Organizations can benefit from using a federated approach to identity management 62
5.3 Drawing up clear rules of engagement is important 64
5.4 Making better use of standards is the way forward 67
5.5 Recommendations 72

Chapter 6: Technology comparison 73
6.1 Summary 75
6.2 IAM Features Matrix 76
6.3 IAM Decision Matrix 113
6.4 Vendor Analysis 116

Chapter 7: Technology Audits 131
CA – CA Identity and Access Management Suite 133
Entrust – Entrust IdentityGuard, GetAccess, & TransactionGuard 143
Evidian – Evidian IAM Suite (version 8) 153
Hitachi – Hitachi-ID Portfolio 163
IBM – IBM Tivoli Identity and Access Management Products 173
Microsoft – Microsoft Forefront Identity Manager 2010 and Associated Products 185
Novell – Novell Identity Manager 4 Advanced Edition 195
Oracle – Oracle Identity and Access Management Suite – Release 11g 205
RSA (The Security Division of EMC) – RSA Identity & Access Management 215

5. Contents – Continued

Chapter 8: Vendor profiles 225
ActivIdentity 227
Aladdin (SafeNet) 228
Avatier 229
Aveksa 230
Beta Systems 231
BMC 232
Courion 233
Cyber-Ark 234
Fox Technologies 236
Imprivata 237
Passlogix 238
Ping Identity 239
Pirean 240
Red Hat 241
SailPoint Technologies 242
SAP 243
Sentillion 245
Siemens 246
WSO2 247

Chapter 9: Glossary 249
Chapter 10: Appendix 259
6. Incorporating Technology Evaluation and Comparison Report
OVUM Butler Group
CHAPTER 1: Management summary
WWW.OVUM.COM
7. 1.1 Management summary

Catalyst

Identity and access management (IAM) has become an essential part of the IT infrastructure for medium- to large-scale organizations. Its benefits of productivity and policy enforcement have been understood for some time, but it was widely regarded as a technology that was too hard to deploy. There is now wider agreement on standards and a much better understanding of how to conduct a successful project. At the same time the business case is becoming more compelling as the scale of automated interoperation with entities outside the enterprise grows, including the growing use of cloud services.

Ovum view

Identity and access management must be approached as a business issue and designed around business processes. It is fundamentally about how the organization works with its people and with other organizations. IAM projects must be approached with a comprehensive and long-term vision, but it is best to implement it incrementally in phases, each with a clearly defined business benefit. The total investment will be large, but many parts of the process can be expected to pay for themselves in months. While extensions to the project can be expected to deliver lower rates of return than the low-hanging fruit addressed by the early stages, the overall project should still represent a good investment as there is no requirement to implement the full vision in one project.

Key findings:
- IAM projects require upfront and continuous high-level business sponsorship.
- Address pain points first and deliver significant and quantifiable benefits to demonstrate the value of the approach.
- Federation of identities between collaborating organizations has been enabled by general acceptance of the main standards, including the WS-* family and Security Assertion Markup Language (SAML) assertions.
- Use of cloud services creates an important application for IAM.
- IAM is an essential tool in delivering compliance and protecting information.
- Business may soon be able to connect to Internet identity services that will be useful for authenticating people outside the organization.

The role of IAM

What is IAM?

IAM is the discipline of determining policies for who has access rights to information assets in an organization, the issuing of these rights, and the implementation of the consequent access controls. It is at the heart of information protection, and of compliance programs with all regulations that control access to information.

Historically IAM was limited in scope and delivered as a function of operating systems. It has emerged as both a business concern, and a broader field of technology, as business IT systems have developed from a collection of siloed systems into a complex network of interconnected systems, which are connected to systems in partner organizations and to customers, employees and other users across the Internet. The complexity of managing large numbers of users on multiple systems requires an automated and process-driven system to satisfy both the efficiency and security needs of the organization.
8. Cloud services require IAM

The adoption of cloud services by organizations places greater urgency on the need to deploy comprehensive IAM systems. When valuable information is placed in a cloud, the access controls to the system become the only protective layer for that information. It is therefore essential that the access controls to the cloud service are maintained in a state that is consistent with the corresponding access controls in the data center. The cloud service provider can and should be seen as a business partner.

IAM must recognize the diversity of users

Mobility, whether between workstations within a building such as a hospital or factory, or between working locations, requires IAM to provide an easy to use and consistent user experience. Automated processes, extending beyond the enterprise walls, require a pervasive access control mechanism that recognizes corporate entities and other processes as having equivalent access control needs to those of human users.

Business issues

The business case

IAM is a key issue for the business. Implementing a system represents a major investment and its deployment will require changes in business processes to capitalize on its benefits. However, successful projects provide a high return on investment and a payback period of less than two years is frequently achieved. IAM is a useful, if not absolutely essential, tool for satisfying the more demanding regulatory and compliance requirements. It provides the audit and reporting functions to determine, with a high level of confidence, who has done what with critical information.

The business benefits of IAM come in two main categories: productivity/ease of use, and security. In the efficiency category, we can list:
- Reduced cost of administration due to automated approval processes, synchronization of permissions, and user self-service functions, including password resets that typically account for 25% of IT help-desk workloads.
- Single sign-on (SSO) to raise end-user productivity by providing quicker access to systems, and reducing the burden on users of having to manage multiple sets of credentials. People who use several systems, or work from workstations in multiple locations, can save substantial amounts of time in a typical day.
- Improved experiences for external users, leading to more business, and better collaboration with business partners.

From a security perspective, good quality and effectively deployed IAM provides:
- Rapid and accurate provisioning and de-provisioning of users, minimizing unauthorized access to information and processes.
- The opportunity to adopt more secure forms of identification and authentication, including two-factor authentication, further enhancing access controls.
- Full audit and logging capability of user sessions on corporate systems.

IAM is a means of implementing business strategy insofar as it relates to information processing. The issues of who the business needs to work with, the level of automation that is required in these interactions, and the depth of trust between organizations, are represented in the IAM configuration and deployment. Internal issues also have a major impact on the architecture of IAM systems, such as employee mobility, integration of IT systems following mergers and acquisitions, and the way in which compliance obligations are met.
9. Running a successful IAM project

IAM projects are neither quick nor cheap. It is therefore essential that they have the wholehearted support of senior management and that this support is sustained throughout the project. Project managers can help to sustain this enthusiasm by adopting a phased approach to the project, with clearly defined business benefits flowing from each phase. This approach also minimizes both the technical and business risks, as design errors can be rectified before they become widespread.

External identity on the Internet

We are now entering an era in which individuals can call up “Internet identities” that carry a level of assurance that we do not have with the self-asserted identities that are almost universal on the Internet today. For the business, this will open up new ways of communicating with customers and others that do not have a strong existing relationship with the organization, at a lower cost than pre-registering them with the organization. While this prospect is still at an early stage of its evolution, standards work largely promoted by the US government provides a basis for identity services along with a potential business and liability model.

Organizational issues

Federation technologies have to align with business relationships

Identity federation technology allows organizations to work together, with individual users being identified and held responsible for their actions across all of the collaborating entities. It avoids the need for replicating user registration in each organization by regarding their employer as the authoritative source of information about them. It also ensures that any changes in their status are immediately applied across the whole eco-system.

The technologies available for identity federation reflect the business structures to which they are applied. Traditionally most deployments have followed a “hub and spoke” model in which the key organization federates to several of its partners such as its suppliers or channel partners. This model also works well between a company and the subsidiaries it has acquired or created. More complex webs of collaborating organizations can be supported with “claims-based” networks, and managed services are appearing to simplify the deployment of federated networks.

Taming the super user

Computers, networks and applications have traditionally been managed through an account called “administrator” or “super user”. The requirement for 24 x 7 operation has led to several people having access to this account. Across a large organization, with thousands of servers and applications, there has been a proliferation of privileged and effectively anonymous accounts. This has created a nightmare for both security and compliance officers.

A comprehensive IAM suite will provide a means of securing and hiding all super user accounts and assigning administrator privileges to the individual users who are authorized to perform these roles. This ensures that they are monitored and held responsible for all the actions they perform in this mode and deals with segregation of duty issues.

The extended enterprise

In addition to integrating the management of partner organizations, IAM helps to define who works within an organization. Human resources departments are often only concerned with permanent employees, whereas IAM systems have to provide for all users. Even the payroll department has no record of contractors who are paid, directly or indirectly, through the purchase invoice system.
10. IAM systems can be integrated with physical access systems, enabling physical and logical access to be controlled through common credentials and providing an extra channel of authentication by correlating system access with physical location. When this approach is adopted, the IAM registration process has to be extended to include all people who are entitled to enter the premises, irrespective of whether they use IT systems.

Technology issues

The scope of IAM

IAM systems are technically complex, comprising the following functions:
- enrolment of users
- provisioning/de-provisioning of access rights to users, in accordance with corporate policies
- role management
- routine user administration, including functions such as issuing credentials and password reset
- access approval and revocation processes, and escalation of disputed issues
- identification and authentication of users, including flexibility to adapt authentication to match the appropriate level of business risk; an important part of this function is SSO functionality to a wide range of resources by a single act of logging in to a workstation
- control of access to all information and process resources according to policy
- reporting and auditing of actions relating to access permissions and access usage
- acceptance of corporate entities and automated processes as “pseudo-users”
- facilitating usage of corporate resources by business partners and customers, according to appropriate policies and controls.

IAM projects are based on IT and process integration

IAM projects are mainly integration projects. The largest parts of the work in an IAM deployment project are in configuring the system to reflect the business, and in integrating the components of the system with the infrastructure of the organization. A major factor in selecting an IAM suite is its fit with the existing technology in the organization.

SSO requires the IAM system to be integrated with each platform and application that it is required to support. Vendors provide connectors to some common applications with their product, while other assets will require bespoke connectors using APIs. In many cases these can be bought from third parties. The foundation of every IAM system is one or more corporate directories, and most support Active Directory and any Lightweight Directory Access Protocol (LDAP)-compatible directory. Organizations will want to automatically move existing user registration information from existing data stores, which may be either directories or files. The ability to re-use existing configuration data will significantly affect the duration and cost of the IAM project.

The task of integrating with external organizations, including cloud service providers, has been made easier since the industry moved towards a common set of supported technologies. In particular Microsoft’s acceptance of claims-based communications, including the use of SAML assertions, has removed a major stumbling block to federated working. Integration is a two-way activity and today the level of integration offered by cloud service providers is limited, but this situation will improve.

Administration and workflow

Identity administration tasks can be complex, particularly when authorization requires the participation of multiple asset owners. IAM tools should provide a workflow-based configurable process model. It is advantageous if this workflow engine is open and allows the integration of IAM processes with wider management processes, so that provisioning can be seamlessly and automatically incorporated into other management activities.
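As an added illustration of several functions in the scope list above (provisioning and de-provisioning of access rights in accordance with policy, role management, and reporting and auditing of access permissions) and of the segregation-of-duty and named-administrator points made under “Taming the super user”, the following Python model was written for this edit; it is not code from Ovum or from any vendor covered in the report. Entitlements are derived from roles rather than assigned directly, every change is recorded against a named administrator, conflicting role pairs are refused, and de-provisioning removes all access in one step. The role names, entitlements, conflict pairs and users are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class AuditEvent:
    actor: str      # named administrator making the change (never a shared account)
    action: str     # grant | grant_denied | revoke | deprovision
    subject: str    # user the change applies to
    detail: str     # role involved, or the reason for a denial
    at: str         # UTC timestamp of the change


class IamStore:
    """In-memory identity store: roles -> entitlements, users -> roles, audit trail."""

    def __init__(self, roles: Dict[str, Set[str]], sod_conflicts: Iterable[Tuple[str, str]]):
        self.roles = {name: set(ents) for name, ents in roles.items()}
        # Segregation-of-duty policy: pairs of roles one person may not hold together.
        self.sod: Set[FrozenSet[str]] = {frozenset(pair) for pair in sod_conflicts}
        self.assignments: Dict[str, Set[str]] = {}
        self.audit: List[AuditEvent] = []

    def _log(self, actor: str, action: str, subject: str, detail: str) -> None:
        self.audit.append(AuditEvent(actor, action, subject, detail,
                                     datetime.now(timezone.utc).isoformat()))

    def grant_role(self, actor: str, user: str, role: str) -> bool:
        """Provision a role; refused (and audited) if it conflicts with a role already held."""
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        held = self.assignments.setdefault(user, set())
        for existing in held:
            if frozenset((existing, role)) in self.sod:
                self._log(actor, "grant_denied", user, f"{role} conflicts with {existing}")
                return False
        held.add(role)
        self._log(actor, "grant", user, role)
        return True

    def revoke_role(self, actor: str, user: str, role: str) -> None:
        self.assignments.get(user, set()).discard(role)
        self._log(actor, "revoke", user, role)

    def deprovision(self, actor: str, user: str) -> None:
        """Leaver process: every role goes at once, so no entitlement survives by accident."""
        removed = sorted(self.assignments.pop(user, set()))
        self._log(actor, "deprovision", user, ",".join(removed))

    def entitlements(self, user: str) -> Set[str]:
        """Effective access is always computed from roles, never stored per user."""
        return set().union(*(self.roles[r] for r in self.assignments.get(user, set())))

    def is_authorized(self, user: str, entitlement: str) -> bool:
        return entitlement in self.entitlements(user)

    def access_report(self) -> Dict[str, List[str]]:
        """The 'who can do what' view an auditor asks for."""
        return {u: sorted(self.entitlements(u)) for u in sorted(self.assignments)}


def demo() -> dict:
    # Constructed sample policy: roles, entitlements and one SoD conflict.
    store = IamStore(
        roles={
            "employee": {"email", "intranet"},
            "payments_clerk": {"payments:create"},
            "payments_approver": {"payments:approve"},
            "unix_admin": {"server:root"},   # named users get this role; no shared root login
        },
        sod_conflicts=[("payments_clerk", "payments_approver")],
    )
    store.grant_role("admin.jane", "alice", "employee")
    store.grant_role("admin.jane", "alice", "payments_clerk")
    denied = not store.grant_role("admin.jane", "alice", "payments_approver")  # SoD refusal
    alice_before = sorted(store.entitlements("alice"))
    store.grant_role("admin.jane", "bob", "employee")
    store.grant_role("admin.jane", "bob", "unix_admin")
    root_users = [u for u in store.assignments if store.is_authorized(u, "server:root")]
    store.deprovision("admin.jane", "alice")  # alice leaves; all access removed together
    return {
        "sod_denied": denied,
        "alice_before": alice_before,
        "alice_after": sorted(store.entitlements("alice")),
        "root_users": root_users,
        "report": store.access_report(),
        "audit_actions": [e.action for e in store.audit],
    }


if __name__ == "__main__":
    print(demo())
```

The audit trail records the denied grant as well as the successful ones, which is the property that lets a reviewer later show that the conflict policy was actually enforced; the `root_users` query shows how privileged access becomes attributable to individuals once it is modelled as a role rather than a shared account.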
11. Market issues

The market for IAM products has undergone substantial consolidation. While many specialist vendors remain serving individual parts of the product spectrum, the number of comprehensive suites is limited. Most of the providers are the major IT vendors. They have continued to acquire specialist vendors to fill gaps in their product range, with the result that they now have almost completely covered the required range of functionality. They can still be differentiated in terms of how well individual components in their suite meet the needs of an organization, but the major area of differentiation is in their level of integration with the wider IT environment. As the implementation of IAM projects is largely a consultancy exercise, channel partners are also an important factor in selecting a vendor.

The emergence of identity provider services on the Internet will provide a new area of opportunity for businesses. However more work needs to be done to establish a business model for such providers. The value of services to the relying parties who will use the services is clear. The only conceivable revenue model is one in which the relying party pays the identity provider, most probably with a per-use payment. Providers could charge according to the level of assurance of each identity. One obstacle to the development of this market is that the main candidates for providing such services are organizations (such as banks) that do not see being an identity provider as one of their core business concerns. The other major obstacle is the need for a limited liability model that meets the needs of both sides.

Recommendations

Recommendations for enterprises

Every large, and large-medium, enterprise needs an IAM system to enhance its operational efficiency and to improve its security and compliance posture. Smaller organizations should review their particular circumstances.

IAM projects are about business process automation and need to be approached from a business perspective. IAM deployments need to be carefully planned, and deployed incrementally. Most of the major vendors provide a comprehensive coverage of the solution space, but some are easier to use and to integrate with existing infrastructure. An IAM project is mostly about integration with the IT infrastructure and with business processes. These are the areas that need most attention.

Recommendations for vendors

IAM is one of the most strategic areas of corporate IT. Success in the IAM sector will place a firm in a strong position to influence corporate-wide IT policy.

IAM is an essential companion to information protection, and both technologies have enhanced business value when they are deployed together. IAM is never an island, and integration and interoperability with the wider environment are primary product differentiators. Focus on ease of deployment and flexible use.

The Ovum IAM Decision Matrix

The Ovum IAM Decision Matrix explores the competitive dynamics within the IAM security market and is designed to help organizations make informed choices among the leading offerings. It presents a view of the market based on three factors: technology assessment, user sentiment, and market impact. It offers a snapshot view of the market as it stands today, and indicates those vendors that, in Ovum’s opinion, organizations should shortlist, consider, or explore. The results of Ovum’s in-depth research are summarized in the following table. Vendors are listed in alphabetical order within each category.
12. Ovum IAM Decision Matrix (Rating – Company/Solution – Ovum Opinion)

Rating: Shortlist

CA – CA Identity and Access Management Suite: CA’s IAM portfolio is among the most comprehensive in the IAM space. The company’s current IAM positioning focuses on “content aware identity management”, which incorporates IAM, data loss prevention (DLP), and governance, risk, and compliance (GRC) integration.

IBM – IBM Tivoli Identity and Access Management Products: IBM is among the largest and most successful vendors in the IAM space. Its coverage includes enterprise and web SSO, user provisioning and role management, password management, access control, and federated identity management services.

Novell – Novell Identity Manager 4 Advanced Edition: Novell Identity Manager 4 provides a comprehensive suite of IAM products. Novell delivers an enterprise-class IAM product set that has the scalability and high availability required to deal with large, complex, and diverse operating environments. However the company’s market impact is significantly lower than that of its main competitors.

Oracle – Oracle Identity and Access Management Suite (release 11g): Following its acquisition of Sun, Oracle has become even more of a market leader in the IAM space. It has a strong presence across all traditional IAM markets including financial services, healthcare, and the public sector and its geographic reach is also extensive. Oracle provides a very comprehensive set of IAM capabilities with a good focus on enabling customer usage across all available platforms.

Rating: Consider

Evidian – Evidian IAM Suite (version 8): Evidian delivers a near-full suite of IAM products. However, the company’s influence remains largely restricted to European markets. It provides a good range of enterprise and Web SSO, user provisioning, and access control services, and strong support for standards and authorities.

Hitachi – Hitachi-ID Portfolio: Hitachi is not a strong contender in web access management or the web and enterprise SSO markets. It does, however, provide good quality user provisioning, access control, and password management services, and is respected for its privileged user management capabilities.

Microsoft – Microsoft Forefront Identity Manager 2010 and Associated Products: Microsoft’s impact on the IAM market continues to grow. It is well respected across enterprise and web SSO, user provisioning, password management, access control, and federated identity management dimensions. It is seen as a low cost provider of IAM technology and a supplier that small and medium enterprises (SMEs) are likely to turn to as their first IAM provider.

13. Rating: Explore

Entrust – Entrust IdentityGuard, GetAccess, & TransactionGuard: Although SSO and provisioning services are provided by third-party partners, Entrust remains a strong contender in the authentication and fraud management space. It also exhibits good password management capabilities.

RSA – RSA Identity & Access Management: RSA is the authentication market leader and partners with Courion for provisioning and role management. Across security areas adjacent to IAM such as security information and event monitoring, DLP, and GRC, RSA is strong and active. However, the growth in its overall IAM capabilities has failed to keep pace.

1.2 Report objectives and structure

Report Guide

The report is aimed at chief information officers (CIOs), chief security officers (CSOs), IT managers, business strategy managers, business analysts, system architects, development managers, and other senior decision-makers in both IT and the business.

Chapter 2: Business and technology issues in IAM

This chapter summarizes the content of this report and provides a deeper insight into the need for identity and access management (IAM). It focuses on the delivery of IAM projects, their scalability and complexity issues, and the corporate investment required. It addresses the requirement to improve business processes, the need to support the use of cloud-based services and the growing requirement to be able to federate identities between organizations. It also considers the changing vendor landscape, which continues to be rationalized.

Chapter 3: Identity and access management and compliance

The deployment of IAM is a vital component of any enterprise security strategy. It provides the foundations for controlling who has access to operational information systems, and as such aligns technology-based controls with business and operational rules and access policies. Improving the organization’s security position helps towards achieving regulatory compliance. Domestic, industry-related, and international regulations all have an impact on the actions that companies must now take in order to be compliant. IAM solutions should not be purchased just to help tick compliance boxes. However, the value of the technology to businesses brings together important efficiency improvements such as providing streamlined access to systems, delivering efficient user provisioning and role management services, and providing the ability to accurately control and report on user access rights.

Chapter 4: Identity services in the cloud

Today identity continues to reside mainly in individual websites with little or no interaction between them. Users have to identify and authenticate themselves to each site or service in order to gain access. Also, once users have given personal information to a site, they have no control over how the information will be used. Site operators have very little confidence in the accuracy of the information they are given. An identity infrastructure that works across sites must be based on policy and semantic interoperability. We also require standards that go beyond syntactic and semantic levels and embrace business process issues such as assurance, privacy, and liability. They must be both privacy-enhancing and cost-effective for both users and website operators. An interoperable identity infrastructure that would be recognized at multiple websites would provide a major advance towards a truly connected world.
14. Chapter 5: Federated identity

The use of technology allows businesses to run lean and efficient supply systems. To support the approach, organizations rely on all required components being available at the optimum time. Having full visibility of stock levels, product delivery dates, and new pricing tariffs, even when that information is the property of a partner organization, adds real value to decision-making processes. Federated identity management technology can be used to create local, as well as global, interoperability between online businesses and trading partners using agreed identity management approaches. Utilizing an SSO approach allows users to move between business systems of their own organization and beyond corporate boundaries to access third-party systems.

Chapter 6: Technology comparison

The technology comparison chapter presents Ovum’s view of the leading IAM vendors and their technology solutions. It includes feature comparisons of the technology along with decision matrix information on the vendors and market analysis information. The features matrix presents a side-by-side view of vendor technology capabilities in their existing product ranges. The decision matrix groups vendors into one of three categories (‘shortlist’, ‘consider’, or ‘explore’), and backs this up with a detailed view of each vendor in terms of technology assessment, market impact, and end-user sentiment.

Chapter 7: Technology Audits

The Technology Audits chapter contains in-depth evaluations on the latest product releases from nine of the IAM sector’s leading providers.

Chapter 8: Vendor profiles

The vendor profile chapter contains profiles of IAM vendors whose products Ovum considers to be important to the delivery of the core components of an IAM strategy. In many cases these are vendors with best-of-breed products that cover one or more core areas of IAM or provide complementary services that integrate with IAM.

Chapter 9: Glossary

This chapter contains a glossary of technology terms that are used in the report.

Chapter 10: Appendix

This chapter contains information about additional reading and the methodology used for this report.
CHAPTER 2: Business and technology issues in IAM
2.1 Summary

Catalyst

The extended enterprise needs a comprehensive identity layer. Identity and access management (IAM) is an essential tool for compliance and a key component of information protection in open collaborative working. More than this, however, it is a productivity tool enabling tighter working practices, collaboration, and automation of some error-prone, laborious processes.

Ovum view

IAM is a business issue, and projects must be driven by business priorities. However, many other factors need to be taken into account, and a lot can be learned from organizations that have completed successful projects. Future proofing must be built into deployed systems. IAM is an idea whose time has come, as it can be considered a strategic component of adopting cloud services.

Key messages

- IAM projects are large-scale investments.
- Business processes need to be overhauled.
- Cloud services add urgency to the need to federate identities between organizations.
- The vendor landscape has been rationalized.

2.2 Identity and access management projects are large-scale investments

Business strategy must drive technological decisions

Identity and access management is a business process. The requirements for handling identities and the use that is made of these identities are determined by how the business wishes to operate. IAM is a fundamental pillar of security strategy, while the security and regulatory requirements that the business has to satisfy are also determined by business, rather than technological, considerations. It is the job of technologists to meet these business needs. Business leaders must specify their requirements.

IAM systems link organizations, and inter-organizational relations must be driven by business managers. The level of buy-in from these associated organizations will depend on the configuration of the chosen system. The configuration can range from a close two-way federation of their respective IAM systems to a more basic arrangement that allows employees of the partner organization to use the primary party's resources as external users. However, any level of inter-operation requires a business understanding of the status and assurance level of the other party's identity credentials and a commitment from both parties to keep their identity bases up to date. Both of these require business-level convergence.
IAM systems change the way in which users interact with IT systems. Provided that the system is well-designed, these changes should have a positive impact on the user experience. Security will certainly be enhanced. However, access will be restricted in some cases and this may block some established working practices, particularly where roles are not well documented or understood. The business must be prepared for these inconveniences and have a method for rapidly resolving issues as they arise.

IAM projects are large and costly. Without substantial business buy-in at the highest level they will not be completed. They have to be integrated into business processes, which will inevitably disrupt the business process to some extent. The process owner must be an enthusiastic supporter of the IAM project to ensure the necessary commitment through this stage. A rough estimating rule is that buying professional advice and assistance is likely to cost five times as much as the technology.

The "identities" in IAM systems mostly relate to people. (Some systems may also manage systems, processes, and corporate entities.) They contain personal information that is subject to privacy legislation, and organizations that do not have IAM practices that meet all legal requirements risk substantial penalties. Therefore, a technical failing within the IAM system can have substantial business-level repercussions. This risk increases when an IAM system integrates silos of information that previously only existed within small systems in departments.

One way to reduce risk and maintain business commitment to the project is to roll out IAM incrementally, delivering real business benefit at each stage and starting with "low-hanging fruit." Fortunately, IAM is well suited to incremental rollout by dicing up according to organizational units, systems and applications, and user groups. The majority of the cost of a project goes into the configuration, data acquisition, and process definition aspects, rather than into technology acquisition. This makes an incremental rollout viable.

Ultimately, the business and political issues are significantly more challenging than the technology issues involved in IAM projects. The project is about managing people, not user accounts.

The benefits of IAM

IAM delivers many business benefits, ranging from good governance through security, improved user experiences, and productivity enhancements to cost savings. While every IAM project is different, it is realistic to aim for a project whose benefits will pay for the project within 18 months. A comprehensive, enterprise-wide project will typically take longer to recover its costs as it embraces aspects with a lower return-on-investment, but organizations can configure a project to fit a required rate of financial return.

IAM systems can enhance user experience and productivity. Single sign-on (SSO) to multiple platforms and applications removes the need for users to remember different user IDs and passwords, which they often feel they have to write down. It avoids the irritation and wasted time of having to repeatedly re-authenticate to the system.

IAM systems automate the provisioning process for new users and users who take on new roles. The time required for the provisioning process is typically reduced by 90%, from days to hours. The new user is therefore able to become productive much more quickly. This is particularly significant for contractors and short-term hires, for whom the provisioning time can significantly add to employment costs. Identity federation allows the provisioning of a user in one environment to extend to collaborative environments immediately and automatically. Moving forward, IAM will be at the heart of open-enterprise computing.
The direct financial savings of IAM come from the automated provisioning and de-provisioning capabilities and reduced IT helpdesk workloads. Typically 25% of IT helpdesk workload is eliminated due to the much-reduced number of forgotten password calls. Many IAM tools provide self-service password reset capability, which can further reduce the password-related workload. Process improvements in the areas of access request consideration and approval and periodic reviews of access permissions deliver further savings.

IAM is an essential element of corporate compliance and security

Organizations should deal with compliance as part of their operational infrastructure. For example, the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS) require organizations to restrict and monitor access to sensitive information. IAM provides auditable policies and a control framework that addresses many requirements of compliance. Many aspects of compliance require an organization to control who can perform certain functions, to reliably monitor who does what, and to raise the consistency of process performance. When used in conjunction with logging tools, IAM can provide a wealth of information about who did what and when. Logging tools need the strong and accurate access control tools provided by IAM to be certain that the reported user was the actual user.

Four aspects of the benefits of IAM are:

- Access rights can be more closely aligned to roles and responsibilities. Traditionally IT users with administrator-level privileges can do almost anything on the systems on which they enjoy these privileges. Furthermore, because of the need to keep systems operating 24×7, several people are often given administrator rights to each system, sharing the same user credentials. This creates the perverse situation in which the most privileged users are not subject to personal accountability for their actions. The better IAM systems can block all anonymous systems access, restrict all administrator-level access to sensitive data, and provide separation-of-duty controls.
- The ability of IAM systems to automatically remove access rights from leavers and employees who move on to different roles blocks one major category of inappropriate access to systems. This de-provisioning function is one of the most important security functions of an IAM system.
- IAM systems can give much faster and easier login to systems, removing the very real temptation for users to share sessions on machines in common access areas, and hence provide a level of personal accountability for user actions. The value of this feature is seen in hospitals with access to patient records and in financial dealing rooms.

These benefits also help raise the security of corporate systems. Additionally, IAM can enhance security by bringing in stronger authentication systems than were previously available. Traditionally authentication is built into platforms, systems, and applications and offers little scope for changing the default mechanism. IAM systems can allow the flexibility to adopt different forms of authentication, use two-factor authentication, and even vary the level of authentication according to the current characteristics of a session or the business being transacted.

These security enhancements are essential to satisfying e-governance requirements because the associated reporting is meaningless without personal responsibility. Data loss prevention (DLP) systems are similarly hamstrung without a reliable indicator of who is handling a piece of information. The combination of IAM and DLP is particularly powerful, and can be configured to implement data protection policies that are appropriate for specific countries, for example.
How to run a successful IAM project

The key to success in an IAM project is to focus on the business issues. Too often they are technology-driven and fail as a consequence. We have already discussed the importance of getting buy-in and commitment at the highest levels of the organization. The next prerequisite is to know your users and understand what they do and how they do it, remembering that actual practice may have diverged from theoretical processes over time. If the new IAM-related processes do not fit with business practices, the project will fail.

The aim should be to introduce the maximum amount of automation into the processes. This will win the support of key business movers as well as providing the necessary payback. When selecting products, ease of management should be a key consideration. The selected product should enable you to specify each change in access rights or processes once, and have it rolled out across the enterprise automatically and consistently. Pay particular attention to any pain points in the existing processes and ensure that they are mitigated in the new system.

The IAM system should be capable of seamlessly and effortlessly incorporating any changes in employee working practices, particularly relating to flexible working and homeworking. It is likely that within the lifetime of the IAM system the organization will have moved some way towards allowing employee-owned endpoints, and that virtual client technology will be widespread.

We have also mentioned the importance of cross-enterprise working in modern business. External users need to be deeply integrated into IAM in a form of federation. However, there are different federation architectures and it is important to choose the right one, considering future changes that may occur in the way the business operates. The main choice is between a "hub-and-spoke" configuration in which the central player takes the main role in establishing bilateral relationships, and a many-to-many model in which a central federation service negotiates claims by people who require access to any organization in the network.

Above all, when you are ready to implement the IAM system, adopt an incremental rollout and review the success of each phase as you go, refining the details to resolve issues that arise. Incremental rollouts reduce the capital risk by partitioning the project budget, and allow proven economies to be recognized as justification for following phases of the project. They also help to win support for the project. In particular, SSO has to be configured to accommodate each application, platform, and service that it embraces. These targets can be implemented in batches. Incremental rollout and pilot projects can also be used to validate the processes that are being defined within the IAM system – for example, to remove bottlenecks in the approval process.

Use existing identity stores to avoid unnecessary reinvention of the wheel. 75% of enterprises will find that their Active Directory (AD) will give them the bulk of their required configuration file. However, all imported data should be reviewed for currency and accuracy to avoid perpetuating bad practices.

It is important not to overlook the need to educate users before they are brought into the scope of the IAM system. It should not be assumed that the new working methods will be self-evident. It is also a good idea to communicate with users during the implementation phase and afterwards as the system is extended and improved.

There are complex issues involved in extending the IAM system to customers and others who are not employed by either the organization or its federated partners. In particular, there is the question of what information about each person needs to be held in the system. Within the workplace, a person's identity is usually primarily about the roles they perform.
For external users, identity is about their relationship with the organization. For customers this could include their payment information, relationship history, and identity assurance requirements. Each situation brings its own requirements, and the system needs to be designed around them. External users should not be regarded as "pseudo-employees" because this approach will not deliver the required security level or meet business requirements. For example, there is no defined "leaving" process for external users that could trigger their de-provisioning. External users have particular needs for controls on the disclosure of their attributes that are held in the system, because this information tends to be personal.

2.3 Business processes need to be overhauled

Managing non-employees in the workforce

IAM systems provide a single central authority managing the identities of system users. This is in itself a culture shock for many organizations in which the management of contract and temporary staff is often handled at departmental or project level, with little reference to the HR department. The accounting department, with its responsibility for payroll, is often closer to being the global authority of current workers. However, in some cases staff may be paid locally or through the invoice process, rather than through the central payroll.

The IAM system often has to manage access for workers employed by subcontractors on site who are not covered by any direct payment system. In some organizations volunteers work on the company system. The group of people who are entitled to be in the building and use the IT system is often much wider than the current employees.

All of the issues surrounding access rights management are magnified many times when looking at user accounts with administrator privileges. Administrator accounts are, by default, all-powerful and anonymous. Each platform, system, and application may have an administrator to manage it and keep it in good health. As work needs to go on around the clock, several people need to have these powers to ensure that at least one will be available when needed. Business systems run across many servers and applications. This leads to a proliferation of administrator accounts. For example, Ovum knows of one organization that has 86,000 users and 100,000 administrator accounts. The anonymity of administrator accounts makes it impossible to assign personal responsibility for the actions of such users. We look to IAM systems to "hide" the administrator accounts and only allow users to exercise them after they have logged into the system as a normal user and through the IAM system itself. The access rights to information held within the system can also be restricted through the IAM mechanisms. These opportunities should be exploited. Although using external IAM services is an option that many organizations have successfully exploited, particular sensitivities about outsourcing the management of administrator accounts need to be considered.

Leavers

Removal of user rights and de-provisioning of users who cease to work for the organization make up one of the most important functions of the IAM system from a security perspective. However, integrating this apparently straightforward task into business processes can be complex. Whereas the arrival of a new employee is a single-step process, their departure is long and drawn out, going through several stages. In the simplest case the departure process is triggered by the employee's resignation. Their leaving date should then be known, but may not be cast in concrete at this stage. They may have more restrictive access rights at stages during their notice period. With redundancies or disciplinary procedures, the process becomes much longer and more complex. These processes all have to be captured within the IAM system, and each change in the status of the employee must be recognized in the system immediately.
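The staged leaver process described in this section, as an added example that is not part of the Ovum report: a worker's effective entitlements are derived from their current HR status rather than from a one-off account deletion, so that a resignation (with a notice period during which sensitive entitlements are withdrawn), a disciplinary suspension, the leaving date itself, and the expiry or lapsed re-certification of a contractor's engagement each take effect as soon as the status changes. The statuses, the set of entitlements treated as sensitive, the 90-day re-certification interval and the HR event names are all constructed assumptions for the example, not anything the report specifies.

```python
"""
Added example (not from the Ovum report): derive a worker's effective
entitlements from their HR lifecycle status so that each status change is
reflected in access immediately. Statuses, entitlement names, the
"sensitive" set and the re-certification interval are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed policy: entitlements withdrawn as soon as a worker is known to be
# leaving. A real deployment would derive these from its own role model.
SENSITIVE = {"source_repo_write", "customer_export", "finance_ledger"}


@dataclass
class Worker:
    user: str
    role_entitlements: set
    status: str = "active"          # active | notice | suspended | left | contractor
    leaving_date: date = None       # known once a resignation is processed
    contract_end: date = None       # contractors: end of the engagement
    last_recertified: date = None   # contractors: last manager re-certification


def effective_entitlements(w: Worker, today: date, recert_days: int = 90) -> set:
    """Lifecycle rules, mirroring the stages described in the text:
    - an active worker holds the full role entitlements;
    - during a notice period sensitive entitlements are withdrawn;
    - on the leaving date, and for suspended or departed workers, access is nil;
    - a contractor past contract end, or not re-certified within recert_days,
      loses access automatically (the periodic re-certification approach).
    """
    if w.status in ("suspended", "left"):
        return set()
    if w.status == "notice":
        if w.leaving_date is not None and today >= w.leaving_date:
            return set()                      # leaving date reached: de-provision
        return w.role_entitlements - SENSITIVE
    if w.status == "contractor":
        if w.contract_end is not None and today > w.contract_end:
            return set()
        if (w.last_recertified is None
                or today - w.last_recertified > timedelta(days=recert_days)):
            return set()
        return set(w.role_entitlements)
    return set(w.role_entitlements)


def apply_hr_event(w: Worker, event: str, when: date = None) -> Worker:
    """Translate (constructed) HR feed events into status changes. Unknown
    events are ignored so that a malformed feed can never widen access."""
    if event == "resigned":
        w.status, w.leaving_date = "notice", when
    elif event == "disciplinary_suspension":
        w.status = "suspended"
    elif event == "left":
        w.status = "left"
    elif event == "recertified":
        w.last_recertified = when
    return w


if __name__ == "__main__":
    bob = Worker("bob", {"email", "source_repo_write", "customer_export"})
    apply_hr_event(bob, "resigned", date(2011, 7, 1))
    print(sorted(effective_entitlements(bob, date(2011, 6, 1))))   # ['email']
    print(sorted(effective_entitlements(bob, date(2011, 7, 1))))   # []
```

The point of structuring it this way is that the IAM system never needs a separate "delete the account" step for each stage: the HR feed changes the status, and every access decision is recomputed from it, which is what allows a change in status to be recognized immediately.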
When we consider volunteers, subcontractors, and other non-employees in the system, the process becomes even more confusing. What event signifies or triggers the user's departure? How is this communicated to the IAM system? Do subcontractors retain any residual maintenance functions after they finish their period on site? One possible approach to this problem is to re-certify the access rights of all non-employees periodically, but this may place an unacceptable burden on managers.

Mergers and acquisitions

Mergers and acquisitions place a heavy burden on IT administration. The consolidated business will be working towards a single comprehensive IT infrastructure to achieve economies of scale and rationalization. However, this is only achievable at a reasonable cost if it is a long-term objective. In the meantime, there is a need for a convergence strategy that will enable interoperability and start to realize cost savings. A unified IAM system should be at the heart of the convergence strategy.

The easiest way to embrace diverse infrastructures immediately is to federate the parts using an identity federation tool. This avoids the need to enroll a user in both parts of the organization, and can provide the basis for SSO across the enlarged enterprise. This is a relatively simple scenario for deploying identity federation as there are no issues surrounding inconsistent standards of identity assurance to resolve. In this scenario, the deployment team can focus on the technical issues. Moving forward, the business will want to increase the level of convergence towards total unification. The IAM system should allow the move to be made incrementally, with federation technology ensuring that users retain their necessary access permissions on both sides of the merged organization.
2.4 Cloud services add urgency to the need to federate identities between organizations

Use of cloud services requires corporate identity to be externalized

Many organizations are using or planning to use cloud services. The issues surrounding access control are particularly important for cloud services. Public cloud services are accessible to anyone on the Internet, with only the access control mechanism between the corporate intellectual property and the outside world. Services implemented in a so-called "private cloud" on the corporate Intranet are also relatively open to unauthorized access.

Access control to cloud services has two main requirements:

- User authentication has to be strengthened to reflect the ease of access to the service portal and the value of the information and processes behind that portal.
- The directory of authorized users of the service has to be kept up to date. It needs to be automatically synchronized with the internal corporate IAM directory to be both secure and efficient.

Access control based on user IDs and passwords held within the cloud service does not meet either of these requirements. The best option is to configure the cloud service to accept assertions from the corporate IAM system as the only means of gaining access to the service. The user experience would require the user to log in to the corporate system and then enjoy an SSO transfer to the cloud service when required during their session. The strength of authentication is determined within the internal IAM environment. A possible compromise is to configure the service to use an assertion from the corporate system as a second authentication factor. This can deliver most of the security benefits of full integration, but it does not give the user seamless access to the cloud service or perform automatic provisioning and de-provisioning.
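The arrangement recommended above, as an added example that is not part of the Ovum report: the corporate IAM system issues a short-lived, signed assertion for a user who is active in its directory, and the cloud service admits nobody except on presentation of such an assertion, holding no passwords of its own. De-provisioning a user on the corporate side therefore withdraws cloud access without any change at the service. The shared HMAC key, the service name, the directory contents, the five-minute lifetime and the authentication-level claim are constructed assumptions; a real deployment would use a federation protocol and key pairs rather than this hand-rolled token format.

```python
"""
Added example (not from the Ovum report): a minimal corporate-IAM-to-cloud
assertion exchange. Everything below (key, service name, directory, claim
names) is constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret between the corporate IAM system and the service.
SHARED_KEY = b"example-federation-key-not-for-production"
CLOUD_SERVICE = "crm.example-cloud.test"   # constructed audience name
ASSERTION_TTL = 300                        # seconds; constructed lifetime


class CorporateIAM:
    """Holds the authoritative user directory and issues assertions."""

    def __init__(self, directory):
        # directory: user id -> {"active": bool, "roles": [...], "auth_level": str}
        self.directory = directory

    def deprovision(self, user):
        """Leaver processing: once inactive, no further assertions are issued,
        so the cloud service needs no separate de-provisioning step."""
        if user in self.directory:
            self.directory[user]["active"] = False

    def issue_assertion(self, user, audience, now=None):
        """Return a signed assertion for an active user, or None."""
        entry = self.directory.get(user)
        if entry is None or not entry["active"]:
            return None
        now = int(now if now is not None else time.time())
        body = {"sub": user, "aud": audience, "iat": now, "exp": now + ASSERTION_TTL,
                "roles": entry["roles"], "auth_level": entry["auth_level"]}
        payload = base64.urlsafe_b64encode(
            json.dumps(body, sort_keys=True).encode()).decode()
        sig = hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).hexdigest()
        return payload + "." + sig


class CloudService:
    """Accepts corporate assertions as the only way in; stores no passwords.
    The minimum authentication level is the service's own (constructed) policy."""

    def __init__(self, name, required_auth_level="two_factor"):
        self.name = name
        self.required_auth_level = required_auth_level

    def verify(self, assertion, now=None):
        """Return the validated claims dict, or a string saying why the
        assertion was rejected. Every check is made before any claim is trusted."""
        if assertion is None or "." not in assertion:
            return "no assertion presented"
        payload, sig = assertion.rsplit(".", 1)
        expected = hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return "bad signature"
        claims = json.loads(base64.urlsafe_b64decode(payload.encode()))
        now = int(now if now is not None else time.time())
        if claims["aud"] != self.name:
            return "assertion issued for a different service"
        if now >= claims["exp"]:
            return "assertion expired"
        if claims["auth_level"] != self.required_auth_level:
            return "authentication strength too low"
        return claims


if __name__ == "__main__":
    iam = CorporateIAM({"alice": {"active": True, "roles": ["sales"],
                                  "auth_level": "two_factor"}})
    svc = CloudService(CLOUD_SERVICE)
    print(svc.verify(iam.issue_assertion("alice", CLOUD_SERVICE)))
    iam.deprovision("alice")
    print(iam.issue_assertion("alice", CLOUD_SERVICE))   # None: access withdrawn
```

The order of checks in `verify` matters: the signature is checked before the payload is parsed or any claim is read, the audience check stops an assertion issued for one service being replayed at another, and the expiry bounds how long a de-provisioned user's last assertion stays usable.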
While this discussion represents current best practice, regulators and legislators lag behind technology. Organizations may find their options restricted by regulatory impositions. For example, financial services regulators generally dislike passwords being shared between services. It remains to be seen how they will react to a claims-based access regime, which effectively means using the same password as the user's system login.

Federation delivering benefits

The early history of identity federation saw most deployments in configurations in which a central organization wants to improve collaboration with several of its business partners. Typically a large corporation would want to tighten its relationship with its suppliers or channel partners. The two major civil airline manufacturers, Boeing and Airbus, both made extensive and successful use of identity federation technologies, along with major automotive manufacturers.

The other area for which federation has delivered substantial benefits is bringing together the parts of an enterprise following a merger or acquisition.

Federation is starting to move out into more diverse deployments, including ones in which there is a more flexible community of organizations than the rigid "hub-and-spoke" configuration in the early deployments. Some of these deployments are enjoying a simplified design by adopting the managed federation services available in the cloud.

Even when federation services are used, the user identities are retained in-house. The common characteristic of all federated identity deployments is that each user identity remains with the user's employer, and the employer asserts their access rights to the other partners when required. This ensures that other partners do not incur a user management overhead by participating in identity federation, as well as protecting the privacy of the individual.

Technology issues

IAM usually focuses on controlling access to systems and information by human users. However, in the collaborative and automated business environment that is emerging, the concept of identity needs to be broadened to include corporate entities, computers, processes, services, and applications. Integrated cross-organization automated processes need to control access by all of these. These can collectively be described as "objects", taking the terminology from the object-oriented programming world. Thus, IAM systems need to be able to manage identities for any such object, and these objects need to have the means of identifying and authenticating themselves.

The leading IAM suites available today are fundamentally architected to deal with objects of all types, but some of the user interface components need to be tailored to fit these broader concepts.

The claims-based approach to inter-organizational access control is a sound basis for moving forward. Unlike some earlier protocols, it is scalable and flexible. Claims are simple statements that can be composed into more complex requirement statements using the basic operators in Boolean logic such as "and" and "or." Using these avoids the significant administrative burden of maintaining access control lists.

Many organizations find role management a particularly difficult task. Roles define sets of entitlements and are an efficient method for grouping employees who perform similar duties. Most IAM suites allow individuals to perform a set of roles. However, many employees perform tasks that are not identical to those of any other person in the organization, particularly those in management or knowledge-worker fields. In these cases, roles become cumbersome and confusing. IAM products should allow administrators to combine role-based access permissions with additional individually allocated permissions, and should not force everyone into the role model.
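The two preceding points, claims composed with Boolean operators in place of per-resource access control lists, and role-based entitlements combined with individually allocated ones, as one added example that is not part of the Ovum report. A subject's claim set is built from its organization, its authentication level, the entitlements conferred by its roles and any individual grants; each resource carries a requirement expressed as and/or compositions of claim tests rather than a list of named users; and a separation-of-duty rule of the kind mentioned earlier in the chapter denies everything to a subject holding conflicting roles. The claim names, roles, entitlements, resources and the conflict rule are all constructed for the example.

```python
"""
Added example (not from the Ovum report): claims-based authorization with
requirements composed by AND/OR, role-derived plus individual entitlements,
and a separation-of-duty check. All names and policies are constructed.
"""

# --- requirement language: a single claim test, or AND / OR of requirements ---

def claim(name, value):
    """Requirement satisfied when the subject presents the claim (name, value)."""
    return lambda claims: (name, value) in claims

def all_of(*reqs):
    """Boolean AND over requirements."""
    return lambda claims: all(r(claims) for r in reqs)

def any_of(*reqs):
    """Boolean OR over requirements."""
    return lambda claims: any(r(claims) for r in reqs)

# Constructed role model: role -> entitlement claims it confers.
ROLE_ENTITLEMENTS = {
    "sales":   {("entitlement", "crm_read"), ("entitlement", "crm_write")},
    "finance": {("entitlement", "ledger_read"), ("entitlement", "ledger_post")},
    "auditor": {("entitlement", "ledger_read"), ("entitlement", "audit_log_read")},
}

# Constructed separation-of-duty rule: nobody may both post to and audit the ledger.
SOD_CONFLICTS = [({"finance", "auditor"}, "finance and auditor roles conflict")]

def build_claims(identity):
    """Compose a subject's claims from roles plus individual grants.
    identity: {"user", "roles": [...], "individual": {...}, "org", "auth_level"}.
    Returns (claims, problems) where problems lists violated SoD rules."""
    problems = [msg for conflict, msg in SOD_CONFLICTS if conflict <= set(identity["roles"])]
    claims = {("org", identity["org"]), ("auth_level", identity["auth_level"])}
    for role in identity["roles"]:
        claims.add(("role", role))
        claims |= ROLE_ENTITLEMENTS.get(role, set())
    # Individually allocated permissions for work that fits no role.
    claims |= {("entitlement", e) for e in identity.get("individual", ())}
    return claims, problems

# Constructed resource policies: composed requirements, not per-user ACLs.
POLICIES = {
    "ledger/post": all_of(claim("entitlement", "ledger_post"),
                          claim("auth_level", "two_factor")),
    "ledger/read": any_of(claim("entitlement", "ledger_read"),
                          claim("role", "cfo_office")),
    "partner/orders": all_of(any_of(claim("org", "acme"), claim("org", "partner-co")),
                             claim("entitlement", "crm_read")),
}

def authorize(identity, resource):
    """Return (allowed, reason). Unknown resources are denied by default, and
    a subject whose roles violate separation of duty is denied everything
    until the conflict is resolved."""
    claims, problems = build_claims(identity)
    if problems:
        return False, "; ".join(problems)
    policy = POLICIES.get(resource)
    if policy is None:
        return False, "no policy for resource"
    return policy(claims), "policy evaluated"


if __name__ == "__main__":
    alice = {"user": "alice", "roles": ["finance"], "individual": set(),
             "org": "acme", "auth_level": "two_factor"}
    print(authorize(alice, "ledger/post"))   # (True, 'policy evaluated')
```

Adding a partner organization or tightening the authentication required for posting to the ledger is a change to one composed requirement, whereas with an ACL it would mean editing the entry for every affected user on every affected resource.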
There is a divergence of opinion about whether IAM systems should manage both access to IT systems and physical access to facilities, or whether they should be limited to information system access. Cost and complexity are increased if physical access is included. However, the combined approach allows:

- the leveraging of identity credentials such as smartcards
- the use of a single identity directory, giving some economy
- security to be enhanced using a joined-up view – for example, physical presence can become an implicit authentication factor.

However, a unified approach means that you will have to register everyone who works on site, even if they never use the IT systems – including cleaners and security guards.

2.5 The vendor landscape has been rationalized

The vendor landscape has consolidated around big IT suppliers

The vendors of the main IAM suites have been acquired by the big IT infrastructure vendors. In some cases, such as with CA, IBM, and Oracle, the vendor has made a number of small and large acquisitions over time to arrive at its current position. In contrast, some vendors such as Microsoft and Novell have largely built up their IAM offerings by internal product development. The current dominance of the market by the big players is a consequence of the central role that IAM plays in IT management and delivering IT compliance. Organizations want to buy fundamental capabilities from a strong vendor with which they already have a substantial relationship and whose IAM systems will fit in well with their IT environments. The vendor landscape reflects the fact that IAM projects are "big-ticket", long-term, and strategic.

The trend towards big vendors has also been driven by the commercial aspects of this market. Until recently IAM vendors found it difficult to make a profit in a relatively slow market. However, the consultancy work that went with an IAM project was more lucrative. This encouraged vendors with large consulting practices to be active in IAM.

A large group of vendors specialize in particular aspects of the technology, such as identification or authentication, clustered around the IAM suite providers. These include smartcard providers, biometric product vendors, and suppliers of a range of innovative authentication approaches. These products can interact with IAM suites using standard protocols such as the biometric application programming interface (BioAPI) protocols, supplemented with various amounts of bespoke integration work.

Sun's demise has provided the latest crumbs

The club of IAM suite providers is now quite small and fairly stable. However, there have been two notable exits in recent years. In 2008, HP sold its IAM practice to Novell, which was already a major player in the space. In 2010, Oracle completed its acquisition of Sun Microsystems, including the latter's IAM products. As both vendors had comprehensive suites, there is a lot of rationalization ahead, with most cuts falling in the former Sun portfolio. Oracle has provided an open path, allowing organizations that currently use Sun's suite to migrate to its products, in addition to incorporating a few Sun products into its range. However, Oracle faces competition from Courion, which has also laid out a migration route for Sun users and is a strategic provisioning partner of RSA.

As IAM is becoming increasingly strategic, both infrastructure vendors and security vendors that do not have an IAM offering are looking less credible in their fields. Most aspects of information protection require an awareness of who is accessing the information. The focus of security is to move from network security to information protection, throwing the spotlight on gaps in the vendor's portfolio. At the same time the limited number of players limits the scope for partnerships, which in most cases would be with a competitor. The number of potential acquisition targets is now small.

Currently, we can only speculate on how vendors such as HP, Symantec, Cisco, and Intel/McAfee will respond to the new market perspective.

2.6 Recommendations

Recommendations for enterprises

IAM is a strategic project that needs a strong, long-term business strategy behind it. If the project is executed well it will deliver a high rate of return, both financially and in terms of improved governance. It must be driven by business considerations and supported by buy-in at the highest levels in the organization, not least because it will require changes in business processes. Implementation is best approached in an incremental fashion.

IAM is as much about working with partners and outsiders in the extended enterprise as it is about the internal IT systems. Systems must be designed to accommodate any foreseeable expansions and extensions in the working realm.

Cloud services are about to boost the importance of IAM in the enterprise. The cloud service provider can be regarded as an important business partner that needs to be brought into the federated identity net.

Recommendations for vendors

IAM is also strategic for vendors. It is a sticky technology that can reduce customer churn by locking customers in to building processes around your technology. IAM is now more than just an opportunity to drive consulting engagements, and has become a cornerstone around which to build systems management, compliance, and security offerings.
CHAPTER 3: Identity and access management and compliance
3.1 Summary

Catalyst

The use that is made of identity and access management (IAM) technology within the public and private sector is growing in line with the threat environment. Most organizations understand the need to maintain control over who is allowed to access their information assets. They recognize the negative impact that not having the proper identity management controls in place can have on the organization and its reputation. They also appreciate that industry regulators have the power to extract fines and impose sanctions when organizations fail to fulfill their compliance obligations.

Ovum view

The deployment of IAM technology should be seen as a vital component of an enterprise security strategy. The use of IAM is foundational to controlling who has access to operational information systems. Knowing which users are allowed to have access to which information systems and aligning control with the operational rules and access policies improves the organization’s security position and helps towards achieving regulatory compliance.

Domestic, industry-related, and international regulations all have an impact on the actions that companies must now take in order to be compliant. IAM solutions should not be purchased just to help tick compliance boxes. The value of the technology to businesses ought to bring together important efficiency improvements such as providing streamlined access to all available systems, efficient user provisioning and role management services, and the ability to share systems access with authorized third parties. It should also address the need to protect the integrity of business-sensitive data; controlling as well as facilitating access for information users helps to reduce data theft and fraud.

The deployment of IAM never was and is not likely to become an easy fix for broken operational structures. The implementation of the products can be complex and difficult to achieve and maintain. There have been many examples of organizations that have struggled to gain business value from the technology, often because they have been unrealistic in their objectives, or have failed to gain project buy-in at the highest levels of management. However, when an organization gets its IAM deployment strategy right, operational improvement, continuity, and security benefits accrue and as a result compliance and audit advantages become more achievable.

Key messages

• IAM delivers services that are relevant to business improvement, continuity, protection, and compliance.
• Regulatory compliance has a demanding impact on most organizations.
• Audit adds urgency to the need for a better IAM infrastructure.
• Continuity and the lifecycle approach to managing identity delivers business value.
• Everyone needs to be accountable.
• Achieving and proving compliance is a key business objective.
3.2 IAM delivers services that are relevant to business improvement, continuity, protection, and compliance

IAM provides vital business services

Organizations evolve and change as the demands of their operations grow or indeed contract. Competitive influences dictate that most businesses are constantly looking to improve their existing operations. Cost controls dictate that more must be achieved with fewer resources and always more efficiently. Automation, self-service, and a whole range of associated approaches are used to deliver improvements. Similar demands are placed on continuity requirements, such as the need to efficiently deliver corporate services while remaining fully protected and, importantly, achieving the above objectives without falling foul of compliance regulations.

A common theme that runs across many business requirements is the need to make use of IAM to understand and control who has the right to access our systems, what use they can make of that access and where they are allowed to gain access from. As such, it is no surprise to find that IT administrators struggle to keep pace with the need for change and at the same time maintain a balance between the organization’s desire to improve its operations and its need to remain secure.

IAM can be used to improve service delivery – but beware

Business improvement, efficiency savings, and the sometimes conflicting need for operational continuity are often addressed through an attempt to deliver an increased level of automation. This usually involves growth in the use of self-service and online facilities.
For IT administrators working with IAM systems, there will be a need to improve service efficiency and deliver automated user provisioning, authentication, and access control services that meet the self-service requirements of the business and its users.

Since the earliest Active Directory (AD) and associated Lightweight Directory Access Protocol (LDAP) management systems made their way onto the market, the value to business of controlling users has been widely recognized. That is not to say that the technology associated with the management of identity that we conveniently bundle under the IAM label has always been particularly successful in achieving these objectives, but at least the opportunity has been there. For many organizations the struggle continues, and for those that have deployed fully-featured IAM solutions or selected components of IAM the resulting benefits have often been less than impressive.

Problems have occurred for a number of reasons. Some are directly attributable to the vendors and the solutions that they deploy being too complex and impractical. Others fall squarely at the feet of end-user organizations that have not fully understood the internal commitment that successful IAM projects require. Organizations have gone into identity management projects without a clear enough vision of the ultimate objectives, or have simply tried to do too much too soon. In such cases, IT has had to either go back to the basics of locally managing identity directories or start up second- or even third-generation IAM deployments.
Controlling identity and user access is vital

Making use of IAM technology to achieve business improvement and continuity benefits and, at the same time, remaining secure and compliant involves the deployment of good quality IAM services that are also easy to use. The objective is to identify and control authorized users and provide systems access whenever and from wherever access is demanded within the rules of the organization.

Controlling and maintaining ease-of-access to information systems is vital to achieving business success. At the same time, those elements of control that ensure that unwelcome visitors can be rejected and the compliance components used to scrutinize how access to business-sensitive systems and their data is controlled must also be maintained.

Business improvement and compliance objectives need to be addressed

A driving force behind the use of technologies such as IAM is the competitive nature and efficiency demands of business organizations. In many organizations, changes to business operations continue at a fast pace; updates and additions to user communities, operational work groups, and project teams can be just as dynamic and, as such, need to be managed as efficiently as possible.

Without the structure and management components that IAM provides, organizations will struggle to keep pace with the maintenance overheads needed to ensure that users and the data controlling their access rights are kept up to date. Integrated IAM is required to support business improvement and at the same time to ensure that compliance objectives are not ignored.

3.3 Regulatory compliance has a demanding impact on most organizations

Organizations need to deal with compliance as part of their operational infrastructure

Maintaining regulatory compliance and ensuring that the operations of an organization remain within the required parameters involves combining the use of good technology controls, ensuring that systems users are responsible for their actions, and putting controls in place that are both usable and effective.

Depending upon the industry and geographical location of the business, different regulations, rules, and interpretations of compliance mandates apply. The Sarbanes-Oxley (SOX) Act, while not forcing the use of specific security products, takes in the requirement to be able to maintain the validity of corporate information and control who has access to it.

Where there is commonality for rules and processes that can be applied to specific regulations such as the Payment Card Industry Data Security Standard (PCI DSS) for the handling of financial data or the Health Insurance Portability and Accountability Act (HIPAA) in the healthcare sector, there is the opportunity to set up and make available common operational processes.

For example, PCI DSS dictates that where sensitive data are being processed or held, those data need to be encrypted; the rules and regulations also determine how long and under what circumstances those data can be held.
What organizations must do to ensure that they do not repeatedly fall foul of regulations that have already been addressed is to make sure that the information that they hold cannot be subverted during normal operational activities. Information relating to customers, citizens, finances and so on may be held legitimately. That said, if access to sensitive information is not continuously controlled then all the compliance efforts that have gone before count for nothing.

A fundamental requirement for the protection of sensitive data involves controlling who has access and influencing what users can do with data once access has been granted. Importantly, it must also involve having the knowledge and information required by the company’s auditors to be able to prove that the right user controls were applied.

In an ideal world the demands of the chief information security officer would be for reliable, accurate, auditable IAM controls that safeguard and manage all access to key business systems and the sensitive data that they hold. Realistically, however, we have to accept that restrictions will be placed on what can be achieved, because of the costs involved and IT budget restraints.

What ought to be considered is how IT can make better use of the IAM facilities that they already have in place, how the operational use of user authentication and access control facilities can be aligned to the acceptable risk profile for the organization and how IAM can be used to improve the security and compliance profile of the business.
Addressing the compliance challenges and drivers

Properly deployed IAM services deliver usability for an organization’s authorized users and invoke controls that help to maintain security and compliance. The requirements of the organization should include achieving full control over user access rights and, in doing so, providing the audit trail and management reporting facilities that prove that control is being maintained. This involves the use of stop-and-block controls, but ought to also include the use of warnings, alerts, and reports that are delivered to the appropriate authorities when suspect activities take place.

Starting operational compliance involves having the ability to record all identity-related events, which includes both accepted and rejected access attempts. It involves making effective use of technology to automate the controls that are needed to allow or deny access, to detect and report on wrongdoing, and to deliver corrective actions.

Some of the latest access control and systems management problems that organizations face involve external influences. These originate with both the business partner organizations and users that need to be controlled and the mixed operational environments that need to be supported. IAM has to be capable of working on behalf of mixed user groups across mixed physical, virtual, and cloud-based operations.

The requirement involves the ability to maintain control. Specifically, it is about managing the provisioned rights of users to ensure they are kept up to date and that all de-provisioning elements are also effectively addressed. For leavers and users whose role within the organization has changed, this is a particularly important issue. Included within this area is any separation of duties that needs to be applied. This specifically includes access controls that are focused on privileged users, with the intention of ensuring that all user entitlements are proportionate.
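As an added illustration that is not part of the report, the access-review checks this section calls for, written in Python over a constructed HR feed, account store and identity event log: leavers who are still provisioned, separation-of-duties conflicts, entitlements held beyond a user's current role, and a count of accepted versus rejected access attempts. All user names, roles, entitlement strings and log lines are constructed for the example.

```python
"""Access-review checks over constructed IAM data (all values are constructed):
leavers still provisioned, separation-of-duties conflicts, entitlements beyond the
user's current role, and a summary of accepted/rejected identity events."""
from collections import Counter, defaultdict

# Constructed HR feed: user -> (status, current role)
HR = {"alice": ("active", "payments_clerk"), "bob": ("active", "payments_approver"),
      "carol": ("leaver", "dba"), "dave": ("active", "helpdesk")}
# Constructed account store: user -> (account enabled, entitlements held)
ACCOUNTS = {"alice": (True, {"pay.create", "pay.approve"}),  # both sides of a toxic pair
            "bob": (True, {"pay.approve"}),
            "carol": (True, {"db.admin"}),                   # leaver, account still enabled
            "dave": (True, {"tickets.read", "db.admin"})}    # privileged right outside role
# Least-privilege baseline: role -> entitlements that role is allowed to hold
ROLE_BASELINE = {"payments_clerk": {"pay.create"}, "payments_approver": {"pay.approve"},
                 "dba": {"db.admin"}, "helpdesk": {"tickets.read"}}
# Separation of duties: no single user may hold both rights of a pair
TOXIC_PAIRS = [("pay.create", "pay.approve")]
# Constructed identity event log lines: "<time> <user> <ACCEPT|REJECT> <resource>"
EVENTS = ["09:00:01 alice ACCEPT payments", "09:00:07 carol REJECT db",
          "09:00:09 carol REJECT db", "09:00:12 carol REJECT db",
          "09:01:00 dave ACCEPT tickets"]

def orphaned_accounts(hr=HR, accounts=ACCOUNTS):
    """Leavers (or users unknown to HR) whose account is still enabled: de-provisioning gaps."""
    return sorted(u for u, (enabled, _) in accounts.items()
                  if enabled and hr.get(u, ("unknown", ""))[0] != "active")

def sod_violations(accounts=ACCOUNTS, pairs=TOXIC_PAIRS):
    """Users holding both entitlements of a toxic pair."""
    return sorted((u, a, b) for u, (_, ents) in accounts.items()
                  for a, b in pairs if a in ents and b in ents)

def excess_entitlements(hr=HR, accounts=ACCOUNTS, baseline=ROLE_BASELINE):
    """Entitlements held beyond the user's current role (movers, privilege creep)."""
    out = {}
    for u, (_, ents) in accounts.items():
        role = hr.get(u, ("unknown", ""))[1]
        extra = ents - baseline.get(role, set())
        if extra:
            out[u] = sorted(extra)
    return out

def access_summary(events=EVENTS, reject_threshold=3):
    """Per-user ACCEPT/REJECT counts, plus users at or above the reject threshold."""
    counts = defaultdict(Counter)
    for line in events:
        _, user, outcome, _ = line.split()
        counts[user][outcome] += 1
    flagged = sorted(u for u, c in counts.items() if c["REJECT"] >= reject_threshold)
    return {u: dict(c) for u, c in counts.items()}, flagged

if __name__ == "__main__":
    print(orphaned_accounts(), sod_violations(), excess_entitlements(), access_summary())
```

The four checks map onto the report's points: de-provisioning of leavers, separation of duties, proportionate entitlements for privileged users, and recording both accepted and rejected access attempts.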