Mention identity and access management (IAM) to business managers or CIOs and they are likely to politely interrupt and then point you toward an IT employee several tiers down the corporate ladder. Why? For the most part, IAM is considered a set of IT operations tasks associated with a specific business unit or application. Executives realize that identity management is important, but they delegate the details to others.
This attitude is understandable, but we strongly believe it is about to change in a big way. Over the next few years, IAM will evolve from an IT administrator issue into an executive management issue.
So what’s needed to make this right? IAM best practices and controls supported by a tightly-integrated and unified IAM architecture that spans the enterprise. Our solution gives organizations what they need:
∙A common source of IAM truth. IT balkanization has driven an army of IAM tools with different management methods, repositories, and naming conventions. Inconsistent naming makes it difficult to assess a user's access rights or to tell two similar users apart. To rectify this confusing situation, large organizations need a common source of IAM truth that clearly articulates users, roles, privileges, etc. This repository centralizes or federates all identity information about all employees (and other users with IT accounts). Unifying this information will not only improve IAM operations but also help streamline IT audits and help the CISO manage risk, apply granular identity-based security controls, and correlate identity information with other security data.
∙Central management, reporting, and auditing. There are a number of common identity management challenges faced by large organizations. Obviously, these issues are exacerbated when enterprises have to perform tasks repeatedly across different identity silos. Aside from these operational issues, numerous instances of IAM can significantly increase IT risk. For example, administrators may misconfigure access privileges, miss suspicious account creation, or fail to delete delinquent accounts as users leave the organization. By centralizing management, reporting, and auditing, security analysts have one place to go to fine-tune security controls or correlate user identity data with security investigations.
∙Extensibility to the cloud and mobile applications. Aside from getting the internal house in order, increasing cloud initiatives demand an IAM architecture that provides extensibility to the cloud and mobile applications. What does this entail? Everything. From an IAM perspective, cloud-based and mobile applications should be managed and monitored in the same manner as internal applications. Ideally, user provisioning, change management, authentication, and reporting should be identical (or at least very similar) regardless of whether applications reside in corporate data centers, mobile devices, or are provided by cloud-based SaaS vendors.
∙Tight control and oversight for privileged users. Privileged users should have unique identities (and multi-factor authentication in the best case) rather than shared passwords. This can be achieved by tightly integrating privileged user management with existing identity systems and enforcing least-privilege policies as a means of mitigating security risk. It is also important to capture privileged user sessions so they can be monitored and reviewed for anomalous or suspicious activity.
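To make the "common source of truth" and the centralized auditing points above concrete, here is an added example (not from the original article or any vendor product) that reconciles account exports from several identity silos against an HR master record. All employee, account and silo names are constructed sample data; the per-silo naming differences are resolved through an explicit identity map rather than guesswork, and the checks flag exactly the risks the text names: accounts that outlive their owner, accounts no one can attribute, and privileged accounts not tied to a single named person.

```python
# Constructed HR master record acting as the common source of IAM truth (sample data).
HR = {
    "e100": {"name": "Ana Ruiz", "status": "active"},
    "e101": {"name": "Bo Lindqvist", "status": "terminated"},
}

# Constructed map from each silo's local naming convention to the HR identity.
# Every entry is a deliberate, reviewed link; nothing is matched by string similarity.
IDENTITY_MAP = {
    ("ad", "aruiz"): "e100",
    ("ad", "blindqvist"): "e101",
    ("saas", "ana.ruiz@corp.example"): "e100",
    ("cloud", "bo_l"): "e101",
}

# Constructed account inventories exported from three identity silos.
ACCOUNTS = [
    {"silo": "ad", "account": "aruiz", "privileged": False},
    {"silo": "ad", "account": "blindqvist", "privileged": True},
    {"silo": "saas", "account": "ana.ruiz@corp.example", "privileged": False},
    {"silo": "cloud", "account": "bo_l", "privileged": False},
    {"silo": "cloud", "account": "ops-admin", "privileged": True},
    {"silo": "saas", "account": "j.doe@corp.example", "privileged": False},
]


def check_account(acct, identity_map, hr):
    """Return the list of findings for one account (empty list if it passes)."""
    emp_id = identity_map.get((acct["silo"], acct["account"]))
    if emp_id is None:
        # A privileged account that maps to no individual is a shared/generic admin login.
        return ["shared-privileged"] if acct["privileged"] else ["unmapped"]
    if hr.get(emp_id, {}).get("status") != "active":
        # Owner has left (or is unknown to HR) but the account still exists in the silo.
        return ["orphaned"]
    return []


def reconcile(accounts, identity_map, hr):
    """Run the checks over every silo export; returns {(silo, account): [findings]}."""
    findings = {}
    for acct in accounts:
        problems = check_account(acct, identity_map, hr)
        if problems:
            findings[(acct["silo"], acct["account"])] = problems
    return findings


if __name__ == "__main__":
    for (silo, account), problems in sorted(reconcile(ACCOUNTS, IDENTITY_MAP, HR).items()):
        print(f"{silo:6} {account:26} {', '.join(problems)}")
```

In practice the HR record, identity map and silo exports would be pulled from the central repository and the silos' APIs on a schedule, and each finding routed to the access-review or deprovisioning workflow.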