Overview
Users’ identities and their access are at the core of your business and must be effectively managed. Increasing access points, multiplied by the various users both inside and outside your enterprise, cause a proliferation of identities.
Effective security management starts with identity and access — knowing and controlling who can do what and accounting for what they have done.
Businesses are evolving to increase their accessibility to customers, partners, vendors, suppliers and employees. As organisations were not originally structured for such access, a disjointed collection of point solutions has been accumulated. These address specific identity and access problems as they arise.
Hence, enterprises are deploying an ever-increasing number of applications with incompatible security models, inconsistent management of identities and different auditing mechanisms — resulting in inefficiencies, increased risk of identity theft, unauthorised access, and failure to meet regulatory compliance.
What is an Identity?
To allow users to benefit from the many applications and services used today, organisations assign identifiers to individuals in order to represent their rights and privileges. Individuals take on multiple roles using these identifiers as their digital identities when they move through the organisation. These identifiers may change as a transaction flows from business to business or supplier to manufacturer.
Identities are required for all users, including employees, customers and business partners. As online operations become the standard of today’s business model, identity is also becoming a key asset to all levels of business operations.
Why do Identities Need to be Managed?
Multiple, parallel approaches to managing identities have often appeared — even within a single company. However, identities cannot be securely and cost effectively managed in silos. A consistent, efficient and secure method is needed to manage identities both internally and externally. Managing identities and identifiers across this complex landscape is now a core organisational survival skill that requires consistent, cost-effective administration and enforcement of access privileges with end-to-end auditing of all identity-related activity. The proliferation of identities has also increased the need to manage access to business assets.
An organisation’s success depends on the integrity, confidentiality and privacy of its information and processes with the ability to audit governance, compliance and use. As today’s business systems are all too accessible, organisations need fine-grained, policy-based protection to safeguard their mission-critical data and services.
Furthermore, identities need to be managed to facilitate the right access to the right resources for employees, customers and partners. Without properly managing these identities, employees may be given access to applications and resources that were not deemed necessary for their job functions. Additionally, customer and partner privacy cannot be maintained.
To avoid such an outcome, businesses must ensure they control and audit the process of issuing a user credential, conducting business transactions inside or outside an organisation, or allowing employees, customers or partners to access web services, files or databases.
To accomplish this, organisations need a single view of all activities, such as user and policy management, or creating a new user account. To securely manage the end-to-end identity lifecycle while protecting corporate resources, businesses must adopt an approach that takes into account the existing systems that they have already invested in.
In today’s world of increasing risk, we need tools that aggregate information about an employee, customer or partner. For example, without effectively managing identities, it is impossible to deliver the simplest requirement that most security officers demand: “Tell me everything about a person (user),” in regards to what systems they have access to, what they can do and what they have done on those systems.
Business and Technology Trends
Organisations want to leverage the 24 x 7 availability of the web to provide their customers access to information. In many cases, this also includes the ability to place orders, track shipments and delivery dates, ask questions and contact customer service representatives. However, we are also living in a time concerned with identity theft and security of personal data, as well as financial and other confidential business data.
Additional concerns are posed by superusers, who can gain unrestricted access to virtually all your files and commands regardless of the permissions assigned to them, and by “ghost” users — accounts at some access points that are never revoked after an employee leaves the company.
Today, organisations need to provide auditable proof that only appropriate access is granted to critical data.
Dimensions of Identity and Access Management (IAM)
Every type of population requires IAM, but has its own unique requirements:
• Employee populations need a traditional, inward-facing security management solution that focuses on users’ access to physical resources, IT systems, and protects internal systems.
This solution requires automation of account management for employees and contractors, access control for internal systems and files, provisioning of physical access to buildings, single sign-on to web and other applications, strong authentication mechanisms and workflow. In addition, it must reduce costs and improve auditing while supporting very large numbers of users. Key to its success is the integration of technical and business process components.
• Customer populations need an outward-facing security management solution that enables secure web access to customer services.
From a business perspective, the emphasis is on customer acquisition and enabling new customer services. From the customer’s perspective, the focus is on ease of use and providing confidentiality of personal data and transactions. The solution must include identity management (registration, self-management and administration), extranet access management, web services infrastructure and large-scale directories. Additionally, this solution must be scalable to support a large number of customers.
• Business-oriented identity and access management (also known as business to business, or B2B, such as partners) is focused on cross-organisational transactions.
Business-oriented identity and access management depends upon legal frameworks, which allow transactions to securely occur between independent entities. It supplies a secure web services infrastructure to address issues associated with cross-company authorisation and provides implementations of applicable standards, including: Universal Description, Discovery and Integration (UDDI), Security Assertion Markup Language (SAML), Service Provisioning Markup Language (SPML), Web Services Standards and Public Key Infrastructure (PKI). The keys to this solution’s success are trust models and bilateral agreements.
Each user population impacts your business. However, while each group shares the same need for provisioning, (access) enforcement and activity tracking (audit), each has an exclusive set of challenges.
Within the employee population, organisations must enable productivity for their employees — often through applications. This usually generates a significant number of identities and applications that must be addressed. Without proper IAM, employees are not given access to their applications and therefore not productive. Even worse, the wrong people can have access to various applications and confidential information that can be tampered with or stolen.
For the customer population (business to customer or B2C), ease of access and safety of transactions are critical. This population size can soar, having a significant impact on revenues. However, customers require an organisation to deliver uncompromised protection of their personal information.
In contrast to the security and privacy issues of customers, an organisation wants to provide the customer the fastest, easiest means to do business with them. The reality is that businesses must deliver on both requirements. Only an integrated IAM approach can address all these needs and help an enterprise grow.
Two key dynamics exist for the partner population (B2B). The partner, needing access to confidential information inside another organisation, has similar requirements as a customer — secure and easy access. However, what differentiates the partner (B2B) population from customers is the second dynamic — automated system-to-system transactions.
With financial, health or commerce transactions, the original identity is often hidden behind layers of system-to-system transactions. For this population, the number of transactions is extremely large and so is the associated revenue.
For example, through automation and web services, an organisation system could check its current inventory and, if it is too low, automatically order more from its vendor. The vendor’s system will accept this order, but it first needs to verify the organisational “identity” of the system that is calling. In this situation, the transaction carries with it the identity of the organisation it belongs to.
Employee IAM drivers
• Cost Containment/Productivity Enablement: The need to react to business priorities has never been greater. A focus on operational procedures drives requirements around efficiency while the continued evolution of on-demand computing — the next level in automated systems management — drives an urgency factor unseen to this point.
On-demand computing dramatically increases the necessity for IAM due to its need to provide, provision and secure access. Organisations (particularly IT departments) are also being asked to “do more with less”.
Moreover, as the number of identities involved in daily transactions is rising exponentially, the requirements from auditors have multiplied. The rate of mergers and acquisitions may have slowed down, but it has not stopped — leaving IT departments with the specter of larger user populations, more consolidation and decreasing budgets.
Productivity loss — due to the need to sign on to multiple applications — represents a considerable cost overhead to many organisations. Lost credentials and account lockouts due to sign-on errors further increase these costs. In addition, manual user provisioning and administration are inefficient and expensive.
In today’s on-demand/utility computing environment, system management tools monitor the computing capacity of the environment and automatically bring additional computing power online when thresholds are crossed. IAM tools must complement system management tools to instantly provision user accounts without any human intervention, and allocate access to the new systems and services while installing access controls on resources such as files, databases and directories.
While promoting efficiency in one’s environment, IAM needs the flexibility to accommodate absorption of new systems and scalability to help ensure costs are not exponentially increased relative to an organisation’s on-demand requirements.
• Security Management: In addition to the growth in today’s complex business environment, organisations are experiencing a heightened focus on security. When designing business architecture for the distributed environment, organisations should incorporate security considerations at the earliest possible stage.
Organisations require a comprehensive approach to all aspects of security management, including threat and vulnerability management, intra-LAN server/host defense, as well as identity and access management. The effectiveness, quality and strength of a security infrastructure benefit from the interworkings and interoperability of the security solutions within it.
• Regulatory and Governance Environment: The amount of personal and financial information existing in distributed databases, coupled with open access requirements, has increased the demand for protection and highlighted the need for regulations against unauthorised access to information — as well as comprehensive auditing of information accessed by any type of identity. Regulations focus on data in two ways: personal privacy and financial validity.
Governments and industry regulatory bodies worldwide are responding with regulations and directives for the privacy and confidentiality of personal data, such as healthcare and financial records. These include the Health Insurance Portability and Accountability Act (HIPAA), America’s Gramm-Leach-Bliley Act (GLBA) and the EU Data Protection Directive (95/46/EC), as well as new accounting regulations such as the Sarbanes-Oxley Act.
• Convergence of Physical and IT IAM: Provisioning, authentication, monitoring, reporting and de-provisioning now extend to all aspects of the business and extended enterprise. Employees and contractors are granted access to a wide range of corporate assets, from office buildings and secured test labs to computer systems, files, directories, databases and PCs.
Furthermore, they may be assigned laptops, calling cards and corporate credit cards. Provisioning is no longer limited to IT practices. Today, a single credential can be used for authentication of both physical resources and cyber access. Specifications, such as ISO 7816, are trying to deliver on the promise of platform-independent smart card applications.
Digital identities need to be managed and monitored across entire organisations, authenticating to all corporate assets with a single credential, provisioning all IT systems, web services, devices and entrance badges, and securing access to files, directories and databases.
Customer IAM Drivers
• Web-based Business Growth: The growth of web-based businesses over the last five years has been substantial. The electronic business boom has attracted millions of users, and online transacting has become the most convenient way to conduct business. As organisations surged to embrace the global consumer-base, they did not fully conceive the sheer number of users the web would attract or how it would impact business.
As organisations place more applications online, the administrative effort needed to set up accounts and the network bandwidth used to individually authenticate users exponentially increase. Consumers are having their patience tried by the need for multiple identities to deal with different organisations.
Organisations lose opportunities because they fail to recognise who they are dealing with. With the explosion of identities, organisations have unwittingly left themselves exposed to threats and vulnerabilities, such as website vandalism, stolen user information, breaches of customer and employee confidentiality, internal attacks, and even identity theft and fraud.
• Security on the Web: Modern enterprises are experiencing enormous growth in business-critical resources — from integrated Enterprise Resource Planning (ERP) systems to email, portals, and mobile and wireless applications — and all must be fully protected. These resources may reside on a host of different platforms, including the mainframe, UNIX, Linux and Windows.
Added to this is a complex infrastructure of web and application servers, integration platforms, registries and web services. Regrettably, the one constant we often fail to appreciate is the exponential increase in business risks associated with making these assets and resources available to the global business community. Consumers who entrust their personal data and transactions to organisations expect this data to be kept private.
Today, an organisation’s critical data and processes are more exposed than ever owing to inadequate server security and increasingly sophisticated attacks. Businesses need the assurance that access to corporate resources is only granted to authorised users and data.
Doing More with Less — The New Paradigm for Business Operations
As businesses expand, they go through transformations. New technologies are adopted and made available to employees, business partners and customers, which creates a plethora of digital identities and escalating administrative costs. Compounded by more security mandates on privacy and data confidentiality, IT administrators are tasked with additional access and auditing projects. Coping with these mounting demands on existing, limited resources calls for a higher degree of efficiency, which approaches such as on-demand computing aim to deliver.
Increasing Complexity of User Identity Management
Managing users and access is no longer a simple task in today’s complex business environment. Users’ roles have expanded beyond the traditional enterprise users — customers, suppliers and partners are now an integral part of an organisation. Business partners require a presumed, agreed trusted relationship to execute business transactions. Public-facing websites and business processes exposed via web services must accommodate unpredictable web users, including hackers or even disgruntled former employees. The complexity of identity management is further compounded by the need to manage identities and security across various components, including HR, ERP and supply chain management systems, right down to the operating system level.
Incomplete IAM Solutions
Many IAM solutions claim wide support of applications and platforms in user lifecycle management and automated user provisioning. However, the identity management solutions only address the simple tasks of user creation, modification and revocation, while the access management solutions concentrate only on intrusion detection against viruses and worms — neglecting the fundamental linkage between identity and access. Without an integrated solution, an organisation will only increase its workload as time progresses, since it has to work with multiple solutions that must each be made to integrate and share information.
The Ideal Solution — An IAM Suite
The increased focus on the need to secure the organisation and protect confidential and personal data now demands a more integrated, comprehensive solution.
Since today’s organisations are plagued by a multitude of IAM challenges, they need to consider a modular, integrated set of IAM solutions that helps the enterprise reduce costs and mitigate security risks associated with users and their access across the entire enterprise.
A complete IAM solution should recognise and provide effective business processes, as well as integrate business processes into a streamlined, extensible business enabler. Furthermore, the solution should include:
• Full Integration Within the Organisation: The ideal identity and access management solution should address an organisation’s complete IAM requirements without disrupting current business processes. Broad provisioning coverage of applications and platforms, automated workflow and entitlement, and the connection of legacy systems with distributed environments and web-based services have become critical to meeting the needs of an enterprise integrating IAM into its current business processes.
• A Modular Suite with Common Components: As a complete suite was unavailable, many businesses have deployed multiple IAM products, each addressing specific organisational needs and requirements. The ideal IAM solution should be a suite that offers the flexibility to protect current investments and enables the enterprise to address all aspects of identity and access management in the customer, partner and enterprise domains. This suite should enable integration with business-critical applications and allow internal information to flow freely among its components, avoiding the need for administrators to perform time-consuming integration tasks. Additionally, the suite would offer a common set of services to address issues many organisations face today.
To further enable integration and investment protection, this suite should also include:
• a common web-based user interface to provide access anywhere and at any time;
• a simplified user experience to reduce the potential learning curve;
• common auditing and reporting, which offers a consolidated view of events and activities across the enterprise; and
• a consolidated repository for users based on open standards, such as LDAP.
• On-demand User Provisioning, Workflow and Entitlement:
Today’s enterprise requires real-time access, on demand. When employees join the organisation, it is critical that they are immediately able to access resources and perform their job functions. Employees depend on the appropriate digital identity with the correct access rights.
As a result, IAM becomes time-sensitive and critical to the enterprise. Automated self-service capabilities include password resets, user provisioning, support for business workflow processes, automatic entitlement, allocation of access rights based on roles/policies, account revocation and security alerts. All these enable an organisation to minimise time and move closer to achieving its on-demand goals.
Benefits of IAM
• Streamlined Management Process with a State-of-the-art Management Interface: One key feature of a good IAM suite is the ability to fully manage a user from hire to retire. All user identities across different systems are created, modified, suspended, revoked or removed according to the user’s defined role and policy within the organisation.
With a portal-based web administration console, the IAM suite provides a single, efficient interface that reduces the complexity of dealing with multiple technologies.
• Increased Revenues — Fast Deployment and Reduced Complexity: The IAM suite provides a secure, open identity management platform. All its components are seamlessly integrated to maximise efficiency and provide a foundation for additional integrations, either with the suite’s own associated components or with products from third-party vendors – greatly reducing deployment time and enabling a quick return on investment.
An example of the associated IAM component is a high-performance X.500 Directory as its embedded repository. This LDAP v3-compliant solution enables you to take advantage of directories, such as Microsoft’s Active Directory or Sun ONE’s Directory Server.
• Reduced Security Risks: With centralised identity management and comprehensive access rights enforcement, the suite reduces the possibility of old identities remaining active in the system. Users are entitled according to their role in the organisation, and receive only the rights to files and other resources that they need to perform their job functions. When employees leave your organisation, their identity and access can be securely revoked or completely removed from all points of access.
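A minimal role-based provisioning reconciliation, added here as an example that is not code from the paper or from Computer Associates, showing the hire-to-retire lifecycle and the “ghost” user problem discussed above. The HR roster, the role-to-entitlement policy and the account snapshot are constructed sample data; the system names and user ids are placeholders.

```python
"""Role-based provisioning reconciliation (added example, not from the paper).

An IAM suite compares the authoritative HR roster against what each target
system actually holds and derives the actions for one review cycle: create
accounts for joiners, grant or revoke entitlements after a role change,
disable the accounts of leavers, and flag "ghost" accounts that belong to
nobody in the roster (the superuser/ghost-user concern raised earlier).
"""
from dataclasses import dataclass

# Constructed policy: role -> {system: set of entitlements}
ROLE_POLICY = {
    "engineer": {"git": {"read", "write"}, "ldap": {"login"}},
    "finance":  {"erp": {"ledger.read", "ledger.post"}, "ldap": {"login"}},
    "auditor":  {"erp": {"ledger.read"}, "ldap": {"login"}},
}

# Constructed HR roster: the single authoritative source of identities.
HR_ROSTER = [
    {"id": "u100", "role": "engineer", "active": True},
    {"id": "u101", "role": "auditor",  "active": True},   # moved from finance
    {"id": "u102", "role": "finance",  "active": False},  # has left the company
    {"id": "u103", "role": "engineer", "active": True},   # joiner, no accounts yet
]

# Constructed snapshot of the accounts each target system currently holds.
SYSTEM_ACCOUNTS = {
    "git":  {"u100": {"read"}},
    "erp":  {"u101": {"ledger.read", "ledger.post"},
             "u102": {"ledger.read"},
             "u999": {"ledger.post"}},          # nobody in HR owns u999
    "ldap": {"u100": {"login"}, "u101": {"login"}, "u102": {"login"}},
}


@dataclass(order=True)
class Action:
    kind: str            # create | grant | revoke | disable | ghost
    system: str
    user: str
    entitlements: tuple = ()


def desired_state(roster, policy):
    """(system, user) -> entitlements an *active* user should hold per policy."""
    desired = {}
    for person in roster:
        if not person["active"]:
            continue                      # leavers get no desired access at all
        for system, ents in policy.get(person["role"], {}).items():
            desired[(system, person["id"])] = set(ents)
    return desired


def reconcile(roster, policy, accounts):
    """Diff desired against actual state; return a sorted list of actions."""
    desired = desired_state(roster, policy)
    known_ids = {p["id"] for p in roster}
    actions = []
    # Existing accounts: excess rights, missing rights, leavers and ghosts.
    for system, users in accounts.items():
        for user, have in users.items():
            if user not in known_ids:
                actions.append(Action("ghost", system, user, tuple(sorted(have))))
            elif (system, user) not in desired:
                actions.append(Action("disable", system, user, tuple(sorted(have))))
            else:
                want = desired[(system, user)]
                if want - have:
                    actions.append(Action("grant", system, user, tuple(sorted(want - have))))
                if have - want:
                    actions.append(Action("revoke", system, user, tuple(sorted(have - want))))
    # Desired accounts that do not exist yet: joiners or newly assigned roles.
    for (system, user), want in desired.items():
        if user not in accounts.get(system, {}):
            actions.append(Action("create", system, user, tuple(sorted(want))))
    return sorted(actions)


if __name__ == "__main__":
    for a in reconcile(HR_ROSTER, ROLE_POLICY, SYSTEM_ACCOUNTS):
        print(a.kind, a.system, a.user, a.entitlements)
```

Ghost and disable actions are reported rather than silently executed so that an administrator can review them; the same diff run on a schedule gives the auditable “who has what” view the paper asks for.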
• Protection of Existing Investments and Growth with New Technologies: The IAM suite has a modular, open design that provides standards-based interfaces to existing and future investments in security technologies. It should support a full array of industry standards, such as SPML, LDAP, WS-Security, XKMS, XACML, SAML, Liberty, UDDI, WSDL and WSDM as well as emerging protocols.
The ideal IAM suite should provide the centralised policy and decision points for provisioning web services and enhancing the security required to reduce the developmental burdens to adopt new standards.
• Assistance to Regulatory Compliance: A critical issue for many organisations’ boardrooms and top executives – the IAM suite should provide strong security features that help reduce the risk of security breaches, ensure that confidential and privacy-related information is well protected, and support compliance with the new regulations from industry and governments.
By using high security features such as PKI and biometric devices, authentication can be enhanced and combined with strong platform security. With integrated, powerful auditing and reporting capabilities, the suite should offer strong compliance evidence and audit records to provide you with the necessary tools to enhance support for regulatory compliance and ISO-17799 IT security policy guidelines.
Conclusion
Organisations are facing a vast variety of identity and access challenges that drive the requirement to adopt more automated and secure IAM solutions. Economic and structural changes in the enterprise now require higher efficiency in administrative functions, an increase in regulatory compliance, and reduced costs in managing users and their access.
Users desire an IAM solution suite that delivers strong, leading-edge technologies with critical solutions that enable businesses to meet their identity management requirements – one that is a highly comprehensive, integrated solution addressing security for legacy systems, distributed computing environments and emerging web services. This open suite leverages industry standards for simplified, more manageable integration, support and deployment.
Hence, an ideal IAM solution suite should be of a modular design that can be deployed as individual components or as a complete solution. When deployed as a total solution, it should offer a highly efficient user provisioning capability that enables organisations to automatically assign access rights based on roles — all through a common user interface. In all these ways, an ideal IAM solution suite provides the necessary tools to make identity and access management an organisation’s core competency.
Anthony Lim, a security veteran, is Computer Associates’ brand director – Security, Asia South. Currently, Anthony is serving as the Chairman of the Security Chapter with the Singapore Information Technology Federation (SITF).