From Compliance to Control


IAM has evolved significantly in recent years in line with the threat environment. What security advantages does a strong identity and access management solution offer? And in what ways has the changing nature of the threats driven the industry’s response?

JB. The nature of threats has evolved because the nature of doing business has evolved. For example, because outsourcing is now a fundamental part of doing business in a global environment, contractors have become an integral component of large enterprises. As a result, the industry responded with strong IAM solutions that must also manage access for an enterprise’s large and growing contractor population. In addition, companies now have better auditing technologies in place, which provide the ability to demonstrate these requisite access controls to a compliance officer or auditor. Enterprises must also be aware of threats from a regulatory perspective. A strong IAM solution provides the ability to exercise control over an organization’s internal processes, demonstrate continued and sustained compliance, and reduce an enterprise’s risk exposure.

AE. Enterprise environments are becoming more and more complex. They have grown in complexity as they deal with compliance mandates, cost reduction initiatives, business agility demands driven by extensive mergers and acquisitions, and rapid application on-boarding and integration. Every CXO faces the challenge of implementing the necessary threat-management controls without severely impacting costs and user or consumer productivity. The CXO must adopt IAM technologies to meet this challenge. To minimize cost while achieving sufficient threat management, IAM technologies should provide the following: automated roles-based provisioning techniques; runtime context-based access control to all resources in the environment, including web-based and thick applications; and application integration with strong identity.

BM. A key advantage is providing enterprises with a well-defined business process for granting access to resources based upon approvals – for example, if I need access to the safe, there is a standard process for me to request access, have my manager approve this access, have that access granted to me and subsequently removed when my job changes or there is another business change. This provides an auditable record of “who has access to what”, as opposed to the manual environment with access granted on an as needed basis. IAM has evolved in importance over the last decade because of the changing nature of threats. Threats used to be from the outside; hence, firewall technology was deployed to “keep the bad guys out”. This technology is still valid and necessary, but now the damaging threat is from the inside – employees within the company, who want to capitalize by hurting an enterprise for financial reward. The recent Societe Generale incident is a great example of an insider threat that could have been avoided through implementation of an IAM solution.

DT. IAM represents only one piece of a strategy to manage access-related risks. The increasing number of breaches exposing sensitive financial and personal information has put tremendous pressure on companies to go beyond IAM’s limited focus on security enforcement. Enterprise-wide visibility is required to ensure that each user has access only appropriate to do his or her job, and that each user’s access conforms to all applicable compliance requirements and internal policies, even as job responsibilities or reporting relationships change. The access governance system must provide a unified view of user access across all information resources (application, data, files, host, and network) as well as to all roles and entitlements to these resources. This system also must provide automated authorization and access certification, a business-centric view of entitlements in relationship to job roles, a system of record for evidence of compliance, and automated change management and access rights remediation. These capabilities will enable a company to deploy an effective access governance system able to handle today’s threats to a company’s data, IP, brand, and revenue.

As the IAM market continues to mature, we are seeing a great deal of consolidation through acquisitions. As companies continue to make acquisitions in an attempt to complement their existing offerings, what issues do you foresee in terms of effectively integrating these newly acquired products with current portfolios?

AE. As with most acquisitions at the enterprise level, there are challenges for the IAM market as it consolidates and matures. Where many acquisitions focus on market synergies, technology acquisitions must also focus on how the new technologies will integrate and function together in their new form. One of the significant challenges when adding new technologies to any portfolio is understanding and controlling how they affect existing customers. To prevent this burden from falling on customers and users, companies should develop technologies using open standards – technologies that are built for integration and that are highly tested. After all, the acquiring company must create not only a new offering, but also an easier implementation for customers and, most importantly, a better solution than existed before. If the acquiring company fails to address customers’ needs and the user experience at the front end of any acquisition, it will likely fail.

BM. Two key issues with integrating acquired products are product overlap and business process integration. Product overlap is rampant in the IAM space when consolidations occur. One technology needs to win over another, and it is painful for customers to move from one technology to another since IAM products become very “sticky”. The sticky nature of IAM products is a result of 1X to 3X in professional services cost to deploy and customize these products. This could result in various business processes and connectors built with one technology that need to be replaced in the event of an acquisition. Business process integration is also complex as each IAM component has an associated process – for example, provisioning is tied to a business process around new hires, or entitlement attestation is tied to a process around quarterly audit reviews for compliance. These business processes need to be linked together because one process may kick off another. For example, if I certify that Bill should not have access to the safe, then the provisioning process needs to remove the access, but not before initiating a process to obtain the necessary approvals.

DT. Integration of an acquired technology into an existing suite of identity and access management products frequently results in a loss of momentum in the advancement of this technology. Fitting the acquired technology into the host platform takes precedence over product innovation. New features are likely to be aligned to the legacy of the acquiring company’s stack platform, developed to enhance core IdM functionality rather than addressing enterprise-wide compliance requirements that span beyond the scope of the IdM system. Customers are best served by an IT security strategy that is built on the principle of deploying best of breed solutions and technologies, particularly critical given the high stakes involved to protect the organization from access-related risk. Addressing the rigorous demands of access governance requires a different approach and set of capabilities than the account-oriented paradigm found in identity and access management suites.

JB. The real challenge is integrating where it makes sense in terms of both technology as well as talent. In terms of technology, the reality is these products don’t function like Lego – one piece fitting nicely into the next with the ability to indefinitely add on as resources permit. Interoperability, redundant functionality, usability, and positioning are all important factors for consideration when integrating a newly acquired product with an existing product line. All of these things considered, a more gradual and reserved acquisition strategy stands a better chance of success in terms of product line integration.

Role lifecycle management is getting a great deal of attention in the IAM market. How important is it for enterprises to have a role management solution, and do you consider role management as part of the user-provisioning problem, or is it solving something else entirely?

BM. Enterprises should have a role management solution, because it essentially allows an enterprise to structure job functions into well-defined categories that are linked to the business. These roles can be location, organization and/or project based. Without role management driving user provisioning, an enterprise is implementing a process in an unstructured manner, leading to a continued risk of unauthorized access. Role management is an important part of the identity management challenge, as is role mining, user provisioning and compliance management.

DT. The challenge of discovering roles, defining new roles to business need, connecting roles properly to the IT infrastructure, ensuring they meet compliance requirements, and managing roles through their lifecycle requires a solution designed to provide true roles-based access governance.

A different approach is needed to overcome the complexity that exists with managing roles at an infrastructure level. Role design is best done top down, as roles should first and foremost relate to business process and compliance is written from a business process perspective, so taking this approach will make it easier to achieve compliance with various regulations. Role management is continuous, not a one-time project. Change occurs so frequently in the business and regulatory landscape that roles need to be properly maintained, or the results will quickly lead to increased business risk.

JB. It is important for enterprises to have a role management solution. Role lifecycle management is definitely part of the user-provisioning problem. In fact, the natural progression of user provisioning leads to a role management solution for a number of reasons. We think of user provisioning as creating, updating, and deleting users across an enterprise. One of the key benefits of a user-provisioning solution is that each user identity can be managed centrally versus managing unique identities for each siloed resource or application throughout the enterprise. A user-provisioning solution helps reduce inefficiencies associated with managing user identities, which ultimately results in reduced IT costs. A role management solution helps to further reduce these inefficiencies. Defining business roles and their associated entitlements adds another layer of automation to the provisioning process. Instead of managing entitlements at the individual user level, a user can be assigned a role with predefined entitlements that have already been approved and verified for compliance.

AE. To achieve the highest productivity, managers expect the UI/management experience to be integrated with their day-to-day provisioning management, which provides self-help (password management, white pages) as well as request/approval activities. As users or roles are provisioned, there must be integrated management in the request and approval workflow. The centralized management view must allow for real-time, on-screen approvals based on threat-management policies. Rules, workflows and roles must be integrated to provide the most efficient system, while the solutions must leverage policy that combines roles with rules and manual workflows. To do this correctly, roles lifecycle management needs to be integrated deep within the fabric of the user provisioning system. The only way to provide the most efficient user provisioning system with the highest ROI at the lowest TCO is to combine roles with rules and manual workflows. Finally, with so many different players involved in user provisioning (roles management, manual workflows and overrides, rules and policies) it is imperative that the process be governed with a robust event bus that provides real-time event data that can be monitored, audited and remediated. Without this capability, there is lag time and inconsistent reports that create unnecessary risk to the environment.

Effective access governance ensures that users have access rights only to information resources needed to do their job and appropriate to their role within the organization, and that these access rights do not violate compliance regulations. How is the industry responding to help companies to achieve sustainable, effective access governance?

DT. The industry is witnessing the evolution of the next generation of solutions specifically designed to help customers enforce access policies and manage access-related risk. IdM solutions have proven inadequate in delivering a sustainable model of access governance because they are designed to provide only security enforcement when what businesses need is access governance. Access governance enables organizations to put into place policy management and process automation that works in conjunction with IAM/user provisioning and spans the organization and all information resources. Aveksa recognized this gap between traditional IdM systems and the requirements of access governance needed to be bridged with a true access governance solution that provides a robust set of capabilities that deliver enterprise-wide visibility into user access, enables policy enforcement to be automated, and provides the system of record for access compliance. The solution delivers organizations this automated, policy-based approach for governing user access that mitigates access related business risks while reducing the cost, complexity and burden of deploying sustainable compliance.

JB. Sustainable, effective access governance can be achieved by further automating the recertification process. Strong IAM solutions not only automate the remediation process, but also help streamline it to further reduce costs. Taking a look at the evolution of user provisioning gives us some insight here. Before centralized user provisioning solutions were available, provisioning was done manually with little to no control over who had access to what. The same holds true for access governance. Today we see access recertification being done manually, which is a very costly process and, again, extremely prone to human error. In this environment, it’s all too easy for a manager to give carte blanche access approval to his employees simply because the specific entitlements have little or no meaning in a business context.

AE. Effective governance and good risk management are two of the most important steps for an organization to achieve continuous and cost-effective compliance. By providing a simple, compliance-based mechanism to control access to their resources, organizations can: tie business and compliance mandates into actionable IT policies; remove human error and ensure corporate and compliance mandates are followed; automate and streamline the process of granting and revoking access; confirm that proper steps and authorizations are in place; ensure access does not violate separation of duties or other overarching mandates; use roles-based provisioning to reduce costs; and consistently enforce compliance policies and industry best practice so line-of-business owners can manage access rights based upon predefined controls. This effective governance releases the IT staff from focusing on daily user access, allowing organizations to shift IT resources onto more strategic, revenue-generating opportunities.

BM. At CA, we are responding by adding layers to our existing identity and access management solutions that can provide access governance. A centralized solution can then pull this information from across identity, access and auditing systems. In addition, above this layer, an IT governance, risk and compliance layer provides organizations with the ability to measure and manage risk across applications by pulling information from all aspects of the IT infrastructure, including security.
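The governance mechanisms the panel describes in this section and in BM's earlier "Bill and the safe" example (role-based provisioning with approval, a separation-of-duties check at grant time, a recertification verdict that queues revocation until approval is obtained, and an auditable record of who has access to what) as a small worked model. This is an added illustration, not code from the magazine or from any vendor quoted here; the roles, entitlements, users and conflict pairs are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample policy: each role grants a set of entitlements, and the
# separation-of-duties list names entitlement pairs one user must never hold together.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "teller": {"cash_drawer", "customer_lookup"},
    "vault_custodian": {"safe_open", "customer_lookup"},
    "auditor": {"ledger_read"},
}
SOD_CONFLICTS: List[Tuple[str, str]] = [("cash_drawer", "safe_open")]


@dataclass
class Governance:
    """Role assignments, revocations awaiting approval, and an append-only audit trail."""
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)
    pending_revocations: List[Tuple[str, str]] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)

    def entitlements(self, user: str) -> Set[str]:
        # Effective access is derived from roles, never stored per user.
        roles = self.user_roles.get(user, set())
        return set().union(*(ROLE_ENTITLEMENTS[r] for r in roles))

    def sod_violations(self, ents: Set[str]) -> List[Tuple[str, str]]:
        return [c for c in SOD_CONFLICTS if c[0] in ents and c[1] in ents]

    def assign_role(self, user: str, role: str, approver: str) -> bool:
        # Approval-based grant: refuse when the combined access would breach SoD.
        combined = self.entitlements(user) | ROLE_ENTITLEMENTS[role]
        violations = self.sod_violations(combined)
        if violations:
            self.audit.append(f"DENY user={user} role={role} sod={violations} approver={approver}")
            return False
        self.user_roles.setdefault(user, set()).add(role)
        self.audit.append(f"GRANT user={user} role={role} approver={approver}")
        return True

    def certify(self, user: str, role: str, keep: bool, reviewer: str) -> None:
        # Recertification verdict. A 'remove' decision queues the revocation rather
        # than dropping access immediately, so the approval step runs first.
        if keep:
            self.audit.append(f"CERTIFY user={user} role={role} reviewer={reviewer}")
        else:
            self.pending_revocations.append((user, role))
            self.audit.append(f"FLAG user={user} role={role} reviewer={reviewer}")

    def approve_revocation(self, user: str, role: str, approver: str) -> bool:
        # Only a previously flagged assignment can be revoked here.
        if (user, role) not in self.pending_revocations:
            return False
        self.pending_revocations.remove((user, role))
        self.user_roles[user].discard(role)
        self.audit.append(f"REVOKE user={user} role={role} approver={approver}")
        return True

    def who_has(self, entitlement: str) -> List[str]:
        # The auditable answer to "who has access to what".
        return sorted(u for u in self.user_roles if entitlement in self.entitlements(u))
```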

Deepak Taneja is Founder, President and CEO at Aveksa and drives the vision and overall business and technology strategy for the company.

Bilhar Mann is Senior Vice President of CA’s Security Management business unit and responsible for continuing to build out CA’s portfolio of world-class security management solutions.

Andrew Eliopoulos is Director of Product Marketing for Novell’s Identity & Security Management Solutions. He is responsible for all product marketing functions for Novell’s industry-leading Identity Management portfolio.

John Barco is Director of Product Marketing and Product Management for the Identity Management software portfolio at Sun Microsystems. He is responsible for driving the product strategy and execution.

Four reasons to implement IAM

  1. Cost reduction: To determine if there is a cost savings to be had, evaluate the major costs associated with your current way of handling IAM and how much those might be reduced through automation, deducting any yearly maintenance costs or license fees that the new software will incur.
  2. Improved security: Does the solution provide better protection for the network or the enterprise? One measure of that is whether it provides extra accountability and audit trails for system access and authorization.
  3. Achieving compliance: Does the solution help your organization meet new security requirements, such as by archiving records or logging details of all user activity on the system in case of a future investigation?
  4. Improving efficiency: Not all efficiency gains are easily translated into hard dollar savings. But any solution that automates a formerly manual activity is likely to be increasing efficiency and, at the same time, reducing the chance of human error.

What the analysts say

According to a recent report by Boston-based IT research firm Aberdeen Group, an estimated 40% of all firms are performing at sub-par levels when it comes to automating access to core business information. And, they note, that’s assuming a fairly modest goal of equipping 40% of a company’s business functions with automated access. If the bar were raised to 60%, says Aberdeen, most businesses would be at a sub-par level.
