Access denied

Bjorn Bergmann, Britehouse.

Digital transformation is thorough. It presses its sticky digital fingers into every system and sector, bringing change that disrupts and redefines how things are done, who does them and why. Identity management is no exception to this digital rule. Identity management systems are under pressure to be agile enough to pivot with the business while ensuring that the security threat is held at bay. The technology that enables it is changing as swiftly as the environments it supports, and it is seeing some of the big movers shaking up the industry.

SAP purchased Gigya. Google acquired Bitium and SecureAuth, and Core Security announced a merger. Hot on the heels of all the merging and acquiring are the statistics released by Stratistics MRC that point to the global identity and access management market reaching $2 087 billion by 2022 at a CAGR of 14.8%.

"In a world that is moving towards more open, network-based business models, e-commerce, mobile and contingent workforces and socially networked consumers and customers, identity management is a non-negotiable foundational requirement for every organisation," says Simon Carpenter, chief technology advisor, SAP Africa.

It is vital that the business prepares patrols for the virtual world that can effectively combat security challenges while still allowing for a measure of flexibility. Identity management has become one of the most important boxes to tick as the heavyweights of cloud, digitisation and government regulation shove the business from one side to another in the fight for speed, dominance and compliance.

"These three major IT trends have pushed conventional organisations online, inviting more people than ever before to engage with their systems," says Bjorn Bergmann, Oracle practitioner, Britehouse. "Understanding where the organisation is going and what it wants to achieve is probably the most important thing the CIO can do. A critical question that needs to be addressed by the CIO is - who are they currently dealing with and who will they deal with?"

Who are you?

Understanding the users and managing the information they have access to has become critical. Some of the most devastating breaches and security failures of 2017 have rested in the hands of a single employee. The Kaspersky disaster comes to mind. As does the Yahoo breach across three billion customer email accounts. No business wants to rush around burying a digital body of this size, ever. The organisation needs tools and technologies that are designed to control user access intelligently and effectively.

"There have been so many examples where successful companies have suffered revenue loss and brand damage through data leakage or full-blown data breaches," says Sagan Pillay, security solution strategist, CA Southern Africa. "I believe that identity management and data security go hand in hand. You first have to protect the data entrusted to you, then you have to control who has access to it. Now, more than ever, data needs to be secured and businesses need to be 100% certain that the person accessing it is who they say they are, and that they have the right permissions and authority."

Technology such as machine learning-based insider threat detection, or user and entity behavioural analytics, can mitigate insider threats and allow for organisations to develop a powerful automated threat response. Add this to continuous network monitoring tools and the company can use all the generated data to identify anomalous behaviour and extract information that can support their security strategy. This level of insight ensures that the right people can make swift decisions in the event of a breach.

"Live data analysis can show which devices have joined a network and at what times and where, and enable the business to rank the security threat," adds Pieter Engelbrecht, business unit manager, HPE Aruba. "With this type of visibility, the information should give IT managers the opportunity to be more granular in pinpointing security devices with different levels of threat, while granting different levels of access to different users."

Implement and engage

According to Marcus Bossert, technical manager: identity and access management, Datacentrix, the level of technology influence can be largely determined by business needs. It can be as little as a properly administered directory service, or it can be one that demands higher capabilities and maturity.

"An identity and access management (IDAM) portfolio could consist of items such as an IDAM strategy, policy, standards and procedures," he says. "It could also include ISO27001 ISMS and IDAM control implementation alongside technology such as IDAM system, privilege access management, PKI, SIEM, CIRT, SOC and third party contractor management. This would further be bolstered by integration with business processes, physical access control systems, positive identification and multi-factor authentication."

As with any truly relevant technology implementation, there is no one-size-fits-all approach. Actually, it's probably time to ditch that cliché for good when it comes to technology applications within the fourth industrial revolution. One size can't fit all if the business wants scale and flexibility. True IDAM maturity is more of a journey alongside business growth than it is an event. It requires ongoing adjustment to map back to the ongoing changes in the environment, and it has to be capable of doing so on demand. This is why any identity management implementation must be partnered with a clearly defined and transparent strategy. Objectives must be mapped to the capabilities of the system.

"Do not plan in isolation, the system needs to be integrated into the enterprise architecture and designs," says Bossert. "Follow formal project management and SDLC approaches, formally initiate the process, plan it, design it, test it, ensure proper training and implement its capabilities in phases."

If the system is integrated with the overall ICT strategy and long-term business strategy, then it can adapt to the evolution of business and environment. Controlled access expects that not only will the organisation invest in appropriate tools and technologies, but that the access strategy is in line with business requirements and that all aspects are clearly defined.

"Identity and access management solutions need to be innovative, easily accessible and capable of catering for all things connected - employees, customers, devices, complex cloud-based environments and even robots," says Wandile Mcanyana, security senior manager, Accenture. "By applying velocity in Identity and Access Management (IAM) solutions, combining speed with market-leading innovations that are flexible and easy to manage as a service will assist in having the least amount of impact. Solutions with higher quality that are easily scaled, repeatable and predictable will have the most powerful outcomes."

Identity management has become a headache for the modern organisation. It demands a complete shift in attitude and aptitude and for the organisation to invest in a radical new approach to identity management that overcomes the risk, cost and complexity that currently impacts on the organisation.

"Next generation identity management requires thinking beyond the process perspective. We need to be asking - do we need to hold a fresh copy of identity for every process, or do we simply need assurance that the identity is valid? We must develop a clearer understanding of what information is relevant to the organisation and should be held in-house with the associated risk and cost, and what information could be outsourced to the likes of an identity bank," concludes Ideco CEO, Marius Coetzee.

This article was first published in the February 2018 edition of ITWeb Brainstorm magazine. To read more, go to the Brainstorm website.
