Wake-up call on the way

Identity and access management adoption shouldn't be pushed by law, but rather by the pain of loss.

Read time 9min 40sec

Great men have mused on the true nature of identity for millennia. Is it what you look like? What you do? What you say? All of the above?

If there are few clear-cut answers to those questions then small wonder that employers and employees struggle with the concept too. Our identities enable access to goods and services, they identify who we are both on and offline, and they are closely associated with the roles we must perform.

Samresh Ramjith, GM of security solutions and services at Dimension Data, says there are positive and negative aspects to identity.

"The positive side is that identity enables useful things such as unified communications," he says. "But negative things like identity theft have pushed identity to front of mind. What is my identity? Is it my banking details and ID number? Is it all the stuff I put on to Facebook? Is it all those things together? In the future, with augmented reality systems where you can use technology to pull up publicly available information about people, it will become all about how much you're willing to share. Enterprises are different because they want to solve business problems. We need to take a leaf out of the military and always associate physical identity with logical identity."

Despite identity and access management's age - it's been around for seven or eight years now - vendors and consultants still need to do quite a bit of education. Liam Terblanche, development director at Accsys, says instead of throwing education at customers, the best thing to do is go back and show them the time saved.

"Show the time spent by your IT department managing sign-ons, profiles and roles. It's much easier to show them rands and cents saved there rather than regaling them with horror stories."

But how do you define true identity management? Hedley Hurwitz, director of Magix Integration, says it's just a building block of risk management. "All too often you can get to the logical user who is perpetrating something, but who is the physical entity behind that? Unless you know who you are monitoring, then the investigation ends there."

Marius Coetzee, COO of Ideco, agrees and says managing risk throughout an organisation is a futile process if you don't know exactly who it is you're dealing with in the process.

"There are more requirements from customers who are starting to use identity management as a tool in the process to be able to build a sequence of events around the identity itself. Some aircraft manufacturers can tell you everyone who touched every screw in an aircraft. The education process is huge. There's a lot of misconception about the difference between personal information and private information. The business card that I give to someone may have personal information on it, but it's definitely not private."

It's much easier to show rands saved than regaling them with horror stories.

Liam Terblanche, development director, Accsys

There's another misconception about identity management with roots in our unpleasant past, notes iPulse Systems MD Gary Chalmers.

"There's great concern about what data is being kept, especially for large portions of our population, who associate fingerprints with police dockets and pass books. People need to understand that we don't keep fingerprints but just some data, and that we can't reconstruct a fingerprint from it."

Selling to the business

Today, identity and access management is technology-heavy: there are all sorts of gadgets to identify our fingerprints and irises, hardware to check time and attendance and grant access, and entire risk management systems costing millions that can check what employees are doing or not doing. All too often, it's seen as a technology project. This is not true, says Nyiko Nkuna, business manager at GijimaAst.

"Identity is not a technology project - it must be a business project that looks at business processes. Over and above, you need to write a business case that shows where you want to go. It's not a once-off thing either, it's something that will evolve over a period of years."

Pieter Neveling, SOA architect at Software AG, agrees. "Every time a new way of doing identity and access management is developed, vendors create a need in the market for it and as a result, there's a proliferation of tools that can do ID and access management. We've also found that it's a business process that needs to be driven from the source, connecting a person to a business process. We need to be cognisant of the fact that IT cannot drive it. But the amount of applications out there makes it difficult for customers to make sense of it sometimes."

That's no exaggeration, notes Dimension Data's Ramjith. "ID and access management has been around for seven or eight years now. In the past, companies have spent millions; they've dedicated teams to this thing. They've matched the 5 000 users to the 50 000 roles and tried to mesh the thing together but never got anywhere. People have become disillusioned that it can ever work."

Magix's Hurwitz says IT is partly to blame. "I think we always fall into the trap as IT guys of coming up with a technology, getting excited about it and then expecting the process to just fall in around it," he says. "The logistics of identity management is what kills it most often. When I can't even manage my passwords and I don't even see the user, then the idea of a widget that can do this for 10 000 users is unrealistic. You have to take a pragmatic approach. If I can do it for a hundred users and certain core systems, then that's a success."

IT guys expect the process to just fall in around it.

Hedley Hurwitz, director, Magix

Riaan Ferreira, senior technical consultant at HP ProCurve, notes something else key to understanding the topic. "Identity-driven management forms part of security, and security is a process. People who think it's a product have a security issue. We tend to build Fort Knox perimeters and ignore the fact that 80% of threats come from the inside."

Business needs to say what the problem is and what needs to be protected, notes Fred Mitchell, Symantec business manager at Drive Control Corporation. "How often people go for a smoke is not as important as protecting intellectual property from being stolen. Another business will have different requirements from yours. So the policy setting and the business need are the most important things to get right."

iPulse's Chalmers sees a wider trend and possibly a new type of company officer as a result. "Today security, IT and HR are crossing over at the policy level. You have security policies and IT policies that touch each other and HR policies that cross over into IT. Companies want to know not only who came into the building, but what time they came in so they can be paid, and were they there when they were supposed to be? The convergence of those three things means that there will be a new role for people who can understand all of them and how they fit together."

Legislation looms

Much of the urgency around identity management comes from the law. International regulations such as Sarbanes-Oxley that were put in place to prevent another Enron have a far wider impact than just in the US.

HP's Ferreira says he had a discussion about three years ago with the auditor general about identity and access management to networks. "Post 9/11, people started to get interested in who was sitting on their networks as legislation such as Sarbanes-Oxley started filtering down around the world."

Andrew Whittaker, senior consultant at Ubusha Technologies, says a lot of his clients are seeing regulatory issues around compliance.

"International companies are buying local companies, which then see regulatory and good governance issues becoming important in a way that we weren't seeing 24 months ago. So the solutions we're pitching to our customers are gaining in complexity. One of the fears we've seen at customers initially was: can we do this? But the technologies have matured considerably."

Whittaker says compliance can be a good way to improve process.

"What we've seen with Sarbanes-Oxley requirements isn't necessarily that we need to provide access controls and identity management control overnight, but rather that we just need to improve the processes that are already in place for managing access to systems. If something is form-based, then provide an electronic repository for that so that when the auditors come they can quickly see you are compliant, rather than it taking six weeks. Then, over time, we can improve how we're complying."

Identity management is just a tool in the process.

Marius Coetzee, COO, Ideco

Locally, the new Privacy Bill will be a driver, says Ugan Naidoo, MD of EOH Security. "We do have a number of industry regulations for financial services, and identity and access management has been aggressively adopted because of those regulations. The Privacy Bill will force a lot more organisations out there to adopt them. Everyone who has personal information will now have to be accountable. We believe that many major players will be investing because of the law."

Ramjith says the new laws will just shift behaviour.

"Rica resulted in greatly increased theft of cellphones because criminals could no longer register one. So the law-abiding people are penalised but the criminals find another way. My deepest concern is that the immediate reaction of the industry will be to encrypt everything. We wouldn't have addressed identity management, data leakage or any of the high-order stuff that the market desperately needs because people will do the bare minimum to comply. It's the same thing with PCI regulations about credit cards. So many organisations are PCI-compliant, but the next day, they report that they had 24 million card numbers stolen."

Ideco's Coetzee says the protection of information is just one of the principles in the new legislation, and agrees with Ramjith that one of the major effects is going to be a shift in liability. "Companies will move their responsibilities to an operator. We also need to keep in mind that personal and private information are not the same. There's a lot of information that we regard as private but if you look at the definition, it's in the public domain at the deeds office or at Cipro. We should not think it's about just protecting access."

And what of the World Cup? South Africa has never had a catastrophic event that made us all rethink how we do business and security, says Ramjith, and it might just be the prod we need as a country.

"The World Cup might just be the defining moment where we encounter every single kind of fraud, criminal and cyber criminal, and corporate South Africa will have to tally up its fraud bill at the end."

See also