Seven tenets of successful identity and access management

A company's identities dictate who accesses its applications and data, as well as what can be done with that access, says Darran Rolls, CTO at SailPoint.

By Darran Rolls
Johannesburg, 19 May 2016

SailPoint is an independent identity and access management (IAM) provider helping global organisations with enterprise software, IT compliance, user provisioning, etc.

Your organisation's identities dictate who accesses your applications and data, as well as what can be done with that access. Securing and managing those identities is everything, and identity and access management (IAM) solutions play a key role in helping organisations meet those requirements, says Darran Rolls, CTO at SailPoint.

By automating processes for access certifications and policy enforcement, IAM solutions can help your organisation inventory, analyse and understand the access privileges granted to employees, contractors and partners. These solutions can also allow you to increase efficiency and reduce costs by replacing slow, outdated processes with modern, software-driven ones.

The IAM platform's job is simple in principle: give the right people the right access to the right data. To do this, trusted and properly managed identity access has to become the primary control. It comes down to three basic questions to govern access:

Who has access today?

Who should have access?

What is being done with that access?

The post-incident forensic reports from any high-profile data breach always show basic identity and access management errors at the root. Simple things like overly complex data access and unknown data classification are usually a factor. Others can include more complex questions such as data classification and contractor access.

The basic tenets of a next-generation IAM system are those that allow organisations to answer the tough questions about their users' access into their applications and data. Properly implemented, following these seven tenets enables organisations to have a true holistic view of access, allowing IT to make the right decisions when it comes to answering the overarching question: "Who has access to what?"

1. Consider everything: Identity and access management is no longer a "do it yourself" project. The sheer number of users, data applications, interfaces and platforms in the modern enterprise requires an integrated IAM system. Patching together an enterprise-level IAM solution by stitching the embedded identity control systems of multiple SaaS and enterprise software vendors leaves your network open to potential gaps in coverage and creates fragile links between systems. An integrated enterprise solution will control and monitor all your users, all your applications, all your data, and all access rights.

2. Remember your customer: The enterprise has to service a wide range of internal customers with different data access needs from different locations using different access devices. The IAM solution must be adaptable across all this. No matter where the user is (or on what type of device), they must be able to access the necessary data without complications. Any user, any platform, any time. In a friendly, easy way.

3. Be context aware: Understanding users and, most importantly, the data and resources they should typically access is critical. Identity context is about sharing and understanding these relationships and translating them into entitlements or rights. That context model needs to sit in the centre of the security and operations infrastructure as the identity governance and administration engine. It is a model of known relationships between people, accounts, privileges and data.

4. Govern by model: Managing the access of thousands of users requires governance models. These models are what make the IAM engine effective. Automation, role, change, risk, and control models each drive compliance and, as a group, drive common policy. Placing governance models at the centre creates a stable, repeatable and scalable approach to enterprise identity control.

5. Managing risk is a verb: Managing risk is the mechanism for how you know when an action falls outside of normal usage. Identity risk scoring can be accomplished by model in an advanced IAM system. Risk scoring allows for faster access authentication and tracking strategies. Low-risk accounts may have only read privileges and no access to confidential information, while a high-risk profile may have privileged access or orphaned accounts. No matter what, knowing a user's risk profile helps in assessing how closely their online activities need to be monitored.

6. Connect to everything: When considering an integrated IT system such as IAM, the most difficult decision an enterprise needs to make is determining how much of an existing platform to keep and how much needs to be replaced. Some parts of its internal IT architecture will stay the same, so the IAM system needs to be flexible enough to connect to everything and anything. Effective IAM requires connectivity from any kind of platform to any kind of data repository.

7. Be consistent: This may sound intuitive, but consistency in all these actions and approaches is key. The business user wants access regardless of where the apps are served. The auditor only cares about compliance, not where data is stored. The IAM solution needs to bridge gaps like these seamlessly and consistently to secure the business in a scalable way. Regardless of where the data resides, and whether it is structured or unstructured, one-off connections or patched provisioning should be excluded from the IAM implementation design; otherwise scalability will be impacted.
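
Tenets 3 and 5 describe a model of relationships between people, accounts, privileges and data, with risk scoring built on it. The following is an added example, not SailPoint's code or product behaviour, that tiers accounts the way tenet 5 describes and orders them for access review. The sample data is constructed, and the orphaned-account definition, the `admin` level standing in for privileged access, and the intermediate `medium` tier are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass(frozen=True)
class Entitlement:
    resource: str
    level: str           # "read", "write" or "admin" (assumed levels)
    confidential: bool   # data classification of the resource

@dataclass
class Account:
    name: str
    system: str
    owner: Optional[str]  # identity id in the HR source, None if unlinked
    entitlements: List[Entitlement] = field(default_factory=list)

# Constructed sample data: authoritative identity source and discovered accounts.
IDENTITIES = {"e100": "active", "e101": "active", "c200": "terminated"}
ACCOUNTS = [
    Account("jdoe", "wiki", "e100", [Entitlement("handbook", "read", False)]),
    Account("asmith", "erp", "e101", [Entitlement("ledger", "write", True)]),
    Account("root-bkp", "db", "e101", [Entitlement("customers", "admin", True)]),
    Account("vendor7", "vpn", "c200", [Entitlement("staging", "read", False)]),
    Account("svc-old", "crm", None, [Entitlement("leads", "read", False)]),
]

def is_orphaned(acct, identities):
    """Assumed definition: no owner, or an owner who is unknown or not active."""
    return identities.get(acct.owner) != "active"

def risk_tier(acct, identities):
    """Return (tier, reasons) for one account."""
    reasons = []
    if is_orphaned(acct, identities):
        reasons.append("orphaned")
    if any(e.level == "admin" for e in acct.entitlements):
        reasons.append("privileged")
    if reasons:
        return "high", reasons
    # Low risk per tenet 5: read-only and no access to confidential data.
    if all(e.level == "read" and not e.confidential for e in acct.entitlements):
        return "low", []
    return "medium", ["write or confidential access"]  # assumed middle tier

def review_queue(accounts, identities):
    """Accounts ordered for certification, highest risk first."""
    order = {"high": 0, "medium": 1, "low": 2}
    scored = [(a.name, *risk_tier(a, identities)) for a in accounts]
    return sorted(scored, key=lambda r: order[r[1]])
```

Joining accounts against the identity source is what surfaces `vendor7` and `svc-old`: their entitlements alone look low-risk, but neither has an active owner.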

The modern enterprise is more complex than ever and IAM is at its core. While it is possible for enterprises to piece together their own solutions, the number of rules, best practices, and intricacies involved with implementing a secure IAM solution is huge. There is a lot at stake. It only takes one incorrect configuration to open your enterprise to anyone wanting in.

SailPoint understands business users, business complexities and most of all, it understands what is at stake when it comes to accurate identity monitoring and compliance. You've spent your life's work on your business. SailPoint has done the same in IAM. It has refined the mechanisms for fast and effective IAM strategy and is ready to share its vision, solutions and knowledge with your organisation.
