From the user's perspective, identity management can be as
simple as having a single login for multiple applications. But
from the enterprise leadership perspective, identity and
access management (I&AM) is a far more complex undertaking
that revolves around the policies, processes and products
designed to let the right people into — and keep the wrong
people out of — critical information systems. Doing the
identity management job right can: prevent IT executives from
losing time, money and sleep over data security concerns; put
all relevant information in a central location, making it
easier for administrators and allowing users to manage their
own profiles; reduce the likelihood that an intruder, or even
the wrong employee, can obtain confidential data or manipulate
old, unused accounts to access a company's systems. The
alternative, frankly, is to put critical information assets —
and individuals’ personal information — at unacceptable risk.
Identity management can be broadly described as a set of
business processes, policies and technologies enabling
companies to establish and manage digital identities,
designating who gets access to which systems and protecting
confidential personal and business information. Six
technologies — authentication, access management, user
management, provisioning, data repositories and network and
application integration services — are the foundation for
state-of-the-art identity management efforts.
Yet industry analysts discourage corporate
executives from thinking about identity management as a
physical commodity. “Identity management is a discipline, not a
product,” says Jonathan Penn, a director for Forrester
Research, Inc. in Cambridge, Massachusetts. “It’s about
coordinating business processes and efficiently managing data,
specifically identity data.”
Because so many companies have invested
heavily in expensive, highly customized and disparate computer
systems over the past decade, few currently use a cohesive
approach to identity management. “Right now, companies only
have bits and pieces in place,” says Chris Christiansen,
program vice president of e-business, infrastructure and
security at International Data Corp. (IDC), a Framingham,
Massachusetts-based research firm. “They’re unsure how to
integrate them as a whole.”
THE I&AM IMPERATIVE
In the
past, identity management primarily involved barring
unauthorized users from accessing specific data. Today
companies are moving toward a model that focuses instead on
allowing trusted, authenticated users access to web services
and applications, explains Andy Stone, manager of I&AM at
the global management consulting firm Accenture. To reach that
goal, companies are increasingly placing their services and
applications online for easy access and interaction. The
challenge, Stone says, is finding a way of granting access to
the right people at the right time without sacrificing either
security or efficiency.
The answer, he says, is to coordinate
identity with business process and policy — no minor task.
“Most identity data is handled in a highly fragmented way that’s
full of redundancies,” Penn says. Often, identity data is
recorded and maintained manually on paper, a costly and
time-consuming process that cuts into productivity. According
to figures from the META Group, Inc., a
Stamford, Connecticut-based IT research and consulting firm,
setting up computing privileges for a new user takes an
average of 28 hours, a block of lost time that results in a 36
percent loss of productivity and a 26 percent loss of
efficiency. Although there’s no standard identity management
package, companies increasingly are using the following key
technologies to improve security while cutting costs,
supporting business processes, and increasing efficiency.
THE SIX CRITICAL ELEMENTS
AUTHENTICATION
Proving all users’ identities is, of course,
critical to establishing the trusted relationships on which
every company depends. “If you’re opening up valuable
information and assets, authenticating identities is crucial,”
says Jamie Lewis, CEO and Research chair of the Burton Group,
an Atlanta-based IT consultancy. “You need to know whom you’re
dealing with. If you can authenticate the user and associate
specific access rights with that valid identity, you can
effectively manage access to resources and make sure you’re
not exposing sensitive information to someone who should not
see it.” In addition, using authentication to validate
identities can increase customer and partner confidence.
Many companies use portable device
technologies such as tokens, smart cards and digital
certificates to strengthen authentication. Until recently,
authentication was primarily password-based. It’s no secret
that hackers constantly find new ways to crack
passwords. Meanwhile, users may use upward of 10 passwords to
access different systems and often forget one or more of them.
Because of those shortcomings, password-based authentication
has rapidly lost popularity with users and administrators
alike.
The advent of single sign-on (SSO)
technology offers an alternative to using multiple passwords
for authentication. SSO provides a single identity across
applications and services throughout an enterprise. Used as a
component of strong authentication, SSO can reduce the number
of passwords that users must remember. But it’s important to
realize that while SSO gives users a more positive experience
and promotes productivity, in a way it also gives them the
keys to the corporate kingdom. One must protect those “keys”
with strong authentication, not just weak passwords that
unauthorized users can easily decipher.
Strong authentication, done right, also
delivers advanced levels of user accountability. It ties the
user to his or her actions, proving that the user in question
is the individual that accessed resources or completed a
transaction.
ACCESS MANAGEMENT
Whereas
authentication allows companies to validate user identities,
access management is both the tool and the process for
deciding who gets access to which applications, services and
business resources.
As companies increasingly hire contractors
and strive for strong, open relationships with partners and
customers, they open their systems to more and more users.
Often they do so without an enterprise-wide policy governing
system access privileges. As a result, outsiders may have
unnecessary access to confidential business resources.
Employees, too, may have unnecessary access
to sensitive information. No one wants, say, a sales
representative to be poking around in a co-worker’s personnel
file, but without a comprehensive policy, that can happen.
“You need to understand who has access to what,” says Roberta
Witty, security and privacy research director at Gartner,
Inc., a Stamford, Connecticut-based consulting and research
firm. “Otherwise, you can end up with someone who’s been with
the company for 18 years and still has access to information
they needed according to their very first job description.
People can easily end up with too much access in a situation
that should be need-to-know.”
Access management gives members of the IT
staff the power to assign access privileges to users based on
whatever criteria they choose — as general as users’
geographic locations and as specific as their departments, job
descriptions or tenure with the company. From a business
customer’s perspective, access can be set based on an account
balance, credit rating or other predetermined benchmark.
USER MANAGEMENT
It’s easy to confuse user management
with access management — after all, they’re both part of
identity management. But user management involves tools such
as delegated administration, which allows organizations to
distribute responsibility for managing user accounts outside
of IT. For example, a specific business unit or department can
have the ability to update its own user accounts rather than
adding to the IT department’s workload.
Another tool is user self-service, which
lets users update portions of their ID accounts, such as
address information, via a corporate intranet. Normally, when
users forget their passwords, they contact IT staffers, who
must then enter the system and reset the passwords by hand.
According to IDC, the average 5,000-employee company spends
between $1 million and $1.5 million annually on password
management.
User self-service can provide quick ROI by
reducing password-related help-desk calls, cutting costs,
improving data entry accuracy and increasing efficiency. In
turn, says Forrester Research’s Penn, “that means being able to
administer identities more smoothly when dealing with trusted
relationships.”
PROVISIONING
Provisioning
often appears under the rubric of user management, but it’s a
different practice altogether. It refers to deploying digital
identities and access rights based on business policies for
employees, business partners and customers across multiple
applications and resources. Provisioning must be done
accurately and securely at the outset to reduce problems down
the line. Automatically assigning, maintaining and revoking
these identities and rights should be a centralized
function.
Incorrect provisioning creates outdated
“orphan accounts.” That happens surprisingly often. IDC
estimates that up to 60 percent of the identities in
enterprise directories and databases involve orphan accounts.
These expired accounts create security risks by leaving open
doors for ex-employees and hackers.
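The need-to-know drift Witty describes and the orphan accounts discussed above are what a periodic access review catches. As an added example that is not part of the article, the following Python script reconciles a constructed HR roster and directory export against an assumed role policy and flags orphan, over-entitled and dormant accounts (all account names, roles and entitlements are constructed).

```python
from datetime import date

# Constructed HR roster: account -> (current role, still employed?)
HR_ROSTER = {
    "asmith": ("sales_rep", True),
    "bjones": ("hr_analyst", True),
    "cwong": ("sales_rep", False),  # left the company
}

# Assumed policy: entitlements each role is allowed to hold
ROLE_POLICY = {
    "sales_rep": {"crm_read", "crm_write"},
    "hr_analyst": {"hr_read", "hr_personnel_files"},
}

# Constructed directory export: (account, entitlements, last login)
DIRECTORY = [
    ("asmith", {"crm_read", "crm_write", "hr_personnel_files"}, date(2024, 5, 2)),
    ("bjones", {"hr_read", "hr_personnel_files"}, date(2024, 1, 1)),
    ("cwong", {"crm_read"}, date(2023, 11, 9)),
    ("svc_legacy", {"crm_write"}, date(2022, 1, 1)),
]


def review(hr, policy, directory, today, stale_days=90):
    """Return (account, finding, detail) tuples for an access review."""
    findings = []
    for account, entitlements, last_login in directory:
        record = hr.get(account)
        if record is None or not record[1]:
            # No active owner: the orphan-account case from the article
            findings.append((account, "orphan", "no active HR record"))
            continue
        role, _ = record
        excess = entitlements - policy.get(role, set())
        if excess:
            # Rights carried over from earlier roles: the need-to-know case
            findings.append((account, "excess",
                             f"beyond role {role}: {', '.join(sorted(excess))}"))
        if (today - last_login).days > stale_days:
            findings.append((account, "stale", f"no login in {stale_days}+ days"))
    return findings


def run_sample_review():
    """Review the constructed sample as of 2024-06-01."""
    return review(HR_ROSTER, ROLE_POLICY, DIRECTORY, date(2024, 6, 1))


if __name__ == "__main__":
    for account, kind, detail in run_sample_review():
        print(f"{account:12} {kind:7} {detail}")
```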
DATA REPOSITORIES
Data repositories, such as directories and databases, store and
retrieve information about user identities. They aren’t
sexy, but they are integral to identity management. They offer
a centralized way to view, gather and organize user data from
a variety of applications in far-flung locations. Data
repositories also eliminate duplicate identity information in
multiple applications.
Two technologies to consider when securing
data repositories are encryption and data splitting (dividing
the information among different servers). Some companies store
personal information — Social Security numbers, for instance —
to authenticate customers, which makes the database not only
valuable but tempting to would-be hackers. For this stored
data, encryption technology is widely used to scramble
customer information, making it illegible if hacked or
intercepted. By data splitting, companies ensure that no
single server contains a full Social Security number; a hacker
would have to seize control of multiple servers.
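The article does not say how the splitting is done; one way to guarantee that no single server holds a usable part of the number is XOR secret sharing, where every share is individually uniformly random. The following is an added example, not code from the article or from RSA Security, and it assumes three storage servers and a constructed sample value.

```python
import hmac
import secrets


def split_secret(secret, n_servers):
    """Split `secret` (bytes) into n_servers XOR shares, one per server.

    All shares but the last are uniformly random; the last is fixed so that
    XORing every share together yields the secret. Any n_servers - 1 shares
    are independent of the secret, so one compromised server (or one stolen
    share) reveals nothing about the stored value.
    """
    if n_servers < 2:
        raise ValueError("splitting needs at least two servers")
    shares = [secrets.token_bytes(len(secret)) for _ in range(n_servers - 1)]
    last = bytes(secret)
    for share in shares:
        last = bytes(a ^ b for a, b in zip(last, share))
    shares.append(last)
    return shares


def reconstruct(shares):
    """XOR the shares back together; only the full set yields the secret."""
    if not shares:
        raise ValueError("no shares supplied")
    out = bytes(len(shares[0]))
    for share in shares:
        if len(share) != len(out):
            raise ValueError("share length mismatch")
        out = bytes(a ^ b for a, b in zip(out, share))
    return out


def verify_customer(stored_shares, claimed_ssn):
    """Authenticate a customer by recombining the shares and comparing in
    constant time, so the comparison itself does not leak timing."""
    return hmac.compare_digest(reconstruct(stored_shares), claimed_ssn.encode())


if __name__ == "__main__":
    ssn = b"123-45-6789"               # constructed sample, not a real SSN
    shares = split_secret(ssn, 3)      # assumed: three storage servers
    print([s.hex() for s in shares])   # each share alone looks random
    print(reconstruct(shares) == ssn)  # True only with all three shares
```

Contrast this with splitting the digits themselves across servers, which leaves each server holding a real fragment of the number.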
NETWORK AND APPLICATION INTEGRATION SERVICES
To be truly comprehensive, an identity
management strategy must integrate its functions with an
organization’s existing and future enterprise technologies and
infrastructure. Among the elements that require protection:
VPN, CRM and HR application servers as well as supply chain
management systems linked to portals, Web servers and other
network and back-office systems. The security solutions
include application program interfaces, web agents, web
services and partner product interoperability — all designed
to effectively integrate heterogeneous enterprise systems with
the security technologies that keep them safe.
A strong identity management strategy also
provides strong accountability. With companies facing new
regulations such as the Health Information Portability and
Accountability Act of 1996 (commonly called HIPAA), the
Sarbanes-Oxley Act of 2002 and the Gramm-Leach-Bliley Act of
1999, the ability to create an audit trail is a valuable tool.
That level of accountability is a tall order, says IDC’s
Christiansen, but one that identity management technology is
uniquely able to handle.
RSA Security® Solutions
If your company is in the market for an
identity management solution, RSA Security Inc. offers a
comprehensive family of products that include authentication,
Web access management and developer solutions. RSA Security’s
offerings are a set of open, standards-based products and
technologies designed to integrate easily into an
organization's IT environment.
AUTHENTICATION: RSA Security’s
authentication products help to positively identify users and
devices before they interact with business-critical data and
applications through such network resources as virtual private
networks, intranets, extranets and Web servers. RSA Security’s
authentication offerings include RSA SecurID® tokens and smart
cards, RSA Mobile® one-time use access codes, RSA Keon digital
certificates and RSA ClearTrust® password management.
WEB ACCESS MANAGEMENT: RSA Security
takes a standards-based approach designed to help companies
generate revenue, increase customer confidence and reduce
costs by providing secure access to multiple Web-based
applications and services. The RSA ClearTrust® solution helps
map appropriate access privileges to end users, allowing them
to move easily and efficiently among the applications and
domains they are authorized to access using single sign-on
technology.
DEVELOPER SOLUTIONS: RSA Security's
developer solutions help programmers create secure web
services in an identity management framework. These solutions
help companies quickly and cost-effectively build privacy,
authentication and digital signing technology into almost any
business application. RSA Security's developer solutions are
designed to empower developers to secure data in any format on
any network.
For more information on RSA Security’s
identity management solutions, visit: www.rsasecurity.com.
— Simone Kaplan