Time to dispel the myth of a solve-all identity and access management system


Johannesburg, 02 Nov 2006

Some vendors claim to offer a "one-size-fits-all" identity and access management solution. But, says Grenville Payne, Consultant at Unisys Africa, there is no such thing.

Most large organisations today are chock-full of internal security software and business applications operating in silos according to business unit, with separate perimeter hardware and software security, which means that implementing a corporate identity and access management strategy is really about integration.

According to Butler Group: "A security framework, containing identity and access management functionality, is capable of bringing together the disparate security services into one shared platform for user identity and access control, allowing one infrastructure to be developed to meet all the security requirements of the organisation. Competitive advantage can be gained from the lower cost of operation, and the ability to deploy new services without adding to the security overhead."

The framework needs to be populated with the right software. Trying to manually tie together widespread heterogeneous system security and access control into a central and fully visible identity and data resource is a project littered with complications and a high potential for human error.

Although it may sound untenable, this is the current security situation in many organisations. In some cases, even system administrators do not have their access rights revoked when they move from administering one system to another. It slips through the cracks because it is a simple but tedious task that everyone assumes must have been done by someone.

This is one of the primary reasons for the need to shift to proper identity and access management in a highly regulated world that requires evidence of effective risk management and audit trails as a minimum. According to Butler Group: "It is essential that companies move to an identity-centric approach, where the focus is on authentication to reduce risk, rather than relying on the current mechanisms of perimeter control and detection. The move to Internet-based business processes and collaboration, and the Web services framework, means that it is not a question of if, but when, enterprises must implement an integrated security management solution, based on the principle of identity and trust."

How to get there?

But how do organisations get there and which system is best for their business? First on the list is to create a vision that stakeholders can see and understand. Winning key stakeholder understanding and buy-in by showing them the tangible business benefits of identity and access management is a priority.

In assessing the business's IT security makeup, detailing a strategy, defining objectives, and implementing and reviewing an identity and access management system, consider what identity management must address:

* Demand for risk management
* Secure business partner relationships
* Secure customer relationships
* Cost impact
* Productivity impact
* Business impact

That would lead you to answer the next important question: should identity and access management be a part of your business strategy?

In terms of good corporate governance, the board of directors are collectively and individually responsible for ensuring the risks to the business are identified and appropriately mitigated. Access to the "assets" of the business, tangible or intangible (eg intellectual property), is a business risk.

Therefore, an identity and access management strategy should reflect the specific demands for access placed on your business and your access management policies. Such policies would typically flow from:

1) The risk profile of the business and your vision of what security you need, and
2) What makes the board and your stakeholders feel that they have met their obligations, in terms of good governance, to secure the assets of the business and thus the business itself.

Bearing this in mind, you'll answer whether or not identity and access management should be a part of your business strategy. You'll also realise that the claim many vendors make, that their one system fits all, simply cannot be true.

Unisys Africa

Unisys Africa is a black economic empowered subsidiary of Unisys Corporation - a global information technology services and solutions company. Unisys Africa combines its people's expertise in consulting, systems integration, outsourcing, infrastructure and server technology to build more secure organisations for clients by creating visibility into their business operations. For more information, visit www.unisys.co.za.

Editorial contacts

Nestus Bredenhann
Predictive Communications
(011) 608 1700
nestus@predictive.co.za