Johannesburg, 24 Jan 2007
Accepting the need for an identity and access management security framework and having established its place in the organisation, what is the best way to go about creating and deploying it? Grenville Payne, Consultant at Unisys Africa, has the plan.
In an ideal world companies have an automated system for creating digital IDs and access rights to corporate systems and reclaiming those once an employee leaves or moves. All systems synchronise employee IDs and organisations can trust their partners and suppliers.
But the reality of the IT security world is generally far from ideal. IDs and their access permissions remain active long after employees leave or move within the business because systems are not automated.
Over-burdened system administrators are dealing with tasks they deem to be more crucial to daily operations and attend to the e-mail from the HR department asking them to revoke an employee's access rights sometimes only weeks after the event.
In one case a local network administrator was trying to do his job more efficiently by using a hacking tool to circumvent security. He could have done the job without the hacking tool but it would have taken many times longer with the incessant logging in and out of the myriad of company systems. On discovery, regardless of his performance gains, he was summarily ousted.
Whatever the reasons, manual systems have cracks. Getting identity and access management projects on the go is a priority for many organisations, but where do they begin?
The best place to start is at the top. Win executive commitment based on a vision that delivers value to the business. Good security governance and good practice amount to a good reputation, enhanced brand value and value to the business in customer attraction and retention.
The most highly recommended approach is to then assess the current state of identity and access management. You should consider how identity and access management will both address and enhance the following issues:
* The business assets and its strategy
* Risks to the business, both real and perceived
* Business relationships, internal and external
* People, processes and technology
Delivering an integrated solution that gives value to the business and the user is critical. The next step is to build and deliver the strategy. Decide what identity and access management system the business needs. If you deal in personal consumer information, the current social and legal climate dictates that you must have stringent control over who is allowed to look at what, when and where and be able to prove who did it.
Your identity and access management project should then define what the system requires and what architecture should support it. Does your business need to shell out millions of rand replacing existing systems that have not yet delivered a return on investment? Necessary resources and components cannot be budgeted for unless they form part of the plan. Once they do, and the board has approved the plan, go out and get them. After implementing the system a careful review and assessment will ensure executives appreciate that the business vision was realised or that changes are necessary.
This last point is critical. The entire operation began with creating a vision that the company's stakeholders could see and understand because they are necessary to support and drive the project to completion and it is they who are ultimately responsible for satisfactorily resolving the issues dealing with the business risks that identity and access management must address.
Share