As organisations turn to cloud services and mobile apps to boost productivity and cut costs, managing user identities and access to IT resources has never been more important -- or challenging. In this emerging IT environment, a key task is managing access to applications and data by employees and partners from multiple devices and locations, without compromising security.
IT and security leaders gathered at the November 2014 meeting of Computer Weekly's CW500 Club to hear from experts and practitioners about how they meet the challenges of identity and access management (IAM).
IAM remains a struggle
Martijn Verbree, director of information protection at KPMG, said that -- despite all the advances in IAM technology in recent years -- identity management remains a constant challenge.
"We are still struggling with how to manage access to our critical systems," he said. "How do we make it efficient? We don't seem to have moved on an awful lot."
Verbree identified five critical issues in IAM, which have been the same top five problems in the area for the past five years.
The first issue is orphan accounts -- user accounts set up in systems yet without a clear owner.
"You can find accounts that may belong to an application that is only used once a year, but it does something important," he said. "Or it could be an account called, for example, 'Rsmith' -- is that Robert Smith, or Richard Smith? It's really basic stuff, but it's such a common issue that hasn't been resolved."
A lack of monitoring or review of IAM set-ups was Verbree's second issue: "This is the key control to have on the checklist. Although it sounds easy, it is really hard to do in practice."
A third problem is that not all identities and their access privileges are properly approved.
For example, Verbree said he has seen plenty of cases where a new recruit is simply given the same level of access as another employee in a similar role -- often by "cloning" that account -- without anyone realising that the existing staff member has accumulated higher privileges or administration rights over time that should not be passed on to others. "The new guy gets all this stuff as well, on day one," he said.
"We've seen some horrific stuff happening in investment banks when this happens with users on the trading floor."
The fourth challenge is what Verbree calls "toxic combinations of access" -- meaning situations where individuals are able to use functionality that in itself appears acceptable but, when combined with other privileges, can lead to problems.
He cited the example of a rogue trader scandal at a Swiss bank: "I was involved in the aftermath -- it was a perfect storm of control failures.
"One of the key questions that stood out was, how do you manage these toxic combinations of access? How do we make sure people don't have segregation issues in the application and can register and approve things as well as pay out? It's a big issue at the moment, for the banks especially."
The final issue he raised was a lack of control over privileged access to applications -- super-user accounts, for example. Although such accounts are easy to find in a system, they are harder to control, especially where temporary permissions must be allocated to certain users. "Despite the fantastic tools available, this is still very much on the list of problems."
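The five problems Verbree lists are all things an access review can test for mechanically, given an inventory of accounts, their owners, their role and their entitlements. The script below is an added illustration, not anything presented at the CW500 meeting or used by KPMG: the accounts, owners, role baselines, entitlement names, the one-year review interval and the policy that privileged access must carry an expiry date are all constructed assumptions. It runs one check per issue: accounts with no owner (orphans), accounts outside the review cycle, entitlements beyond the approved baseline for the role (the residue left by cloning an account that has accumulated rights), segregation-of-duties conflicts within a single account (Verbree's "toxic combinations", such as being able to register, approve and pay out), and privileged accounts that are not time-bound or have outlived their expiry.

```python
"""Access-review checks for the five recurring IAM problems.

Constructed sample data only: accounts, owners, roles, entitlement
names and policy thresholds are invented for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Account:
    name: str
    owner: Optional[str]          # person or team accountable for the account
    role: Optional[str]           # job role the account was provisioned for
    entitlements: set
    privileged: bool = False      # super-user / admin account
    expires: Optional[date] = None        # end date for temporary elevated access
    last_reviewed: Optional[date] = None  # last attestation by the owner


# Approved entitlement baseline per role (assumed).
ROLE_BASELINE = {
    "trader": {"trade.enter", "trade.view"},
    "ops_clerk": {"payment.register", "payment.view"},
}

# Pairs no single account may hold together (assumed SoD rules).
TOXIC_PAIRS = {
    frozenset({"payment.register", "payment.approve"}),
    frozenset({"payment.approve", "payment.payout"}),
    frozenset({"payment.register", "payment.payout"}),
    frozenset({"trade.enter", "trade.settle"}),
}

REVIEW_INTERVAL_DAYS = 365  # assumed review cycle


def find_orphans(accounts):
    """Issue 1: accounts with no accountable owner."""
    return sorted(a.name for a in accounts if a.owner is None)


def find_unreviewed(accounts, today, max_age_days=REVIEW_INTERVAL_DAYS):
    """Issue 2: accounts never reviewed, or not reviewed within the interval."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(a.name for a in accounts
                  if a.last_reviewed is None or a.last_reviewed < cutoff)


def find_excess_entitlements(accounts, baseline=ROLE_BASELINE):
    """Issue 3: entitlements beyond the role's approved baseline."""
    excess = {}
    for a in accounts:
        if a.role in baseline:
            extra = a.entitlements - baseline[a.role]
            if extra:
                excess[a.name] = sorted(extra)
    return excess


def find_toxic_combinations(accounts, toxic=TOXIC_PAIRS):
    """Issue 4: segregation-of-duties conflicts held by one account."""
    hits = {}
    for a in accounts:
        found = sorted(tuple(sorted(p)) for p in toxic if p <= a.entitlements)
        if found:
            hits[a.name] = found
    return hits


def find_uncontrolled_privileged(accounts, today):
    """Issue 5: privileged accounts with no expiry, or past it but still present."""
    return sorted(a.name for a in accounts
                  if a.privileged and (a.expires is None or a.expires < today))


def run_review(accounts, today):
    return {
        "orphans": find_orphans(accounts),
        "unreviewed": find_unreviewed(accounts, today),
        "excess_entitlements": find_excess_entitlements(accounts),
        "toxic_combinations": find_toxic_combinations(accounts),
        "uncontrolled_privileged": find_uncontrolled_privileged(accounts, today),
    }


REVIEW_DATE = date(2014, 11, 20)  # constructed review date

SAMPLE_ACCOUNTS = [  # constructed inventory
    Account("rsmith", None, "trader", {"trade.enter", "trade.view"}),
    Account("jdoe", "Jane Doe", "trader",
            {"trade.enter", "trade.view", "trade.settle", "trade.admin"},
            privileged=True, expires=None, last_reviewed=date(2013, 1, 10)),
    # "newguy" was provisioned on day one by cloning jdoe, admin rights included
    Account("newguy", "New Starter", "trader",
            {"trade.enter", "trade.view", "trade.settle", "trade.admin"},
            privileged=True, expires=None, last_reviewed=date(2014, 11, 1)),
    Account("aclark", "Alice Clark", "ops_clerk",
            {"payment.register", "payment.view", "payment.approve", "payment.payout"},
            last_reviewed=date(2014, 6, 1)),
    Account("svc_batch", "Payments Batch Team", None, {"payment.payout"},
            privileged=True, expires=date(2014, 10, 1), last_reviewed=date(2014, 9, 1)),
    Account("tmp_admin", "Bob Ng", None, {"sys.admin"},
            privileged=True, expires=date(2014, 12, 31), last_reviewed=date(2014, 11, 1)),
]

if __name__ == "__main__":
    for check, result in run_review(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        print(f"{check}: {result}")
```

On the constructed data the review flags rsmith as an orphan, jdoe and rsmith as out of review cycle, both traders and the ops clerk as holding more than their role baseline, the same three accounts for toxic combinations, and jdoe, newguy and svc_batch as privileged access that is either standing or expired; tmp_admin, whose elevation is time-bound and current, passes. The point of the role baseline check is that it catches the cloned account as well as the source it was cloned from.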
The challenge of invisible complexity
The growing complexity of IT means these issues are getting worse, he said. "There are more people accessing systems, they do more critical stuff, they are moving systems to the cloud, so their roles are only getting more complex."
The difficulty for IT leaders comes in trying to make a business case for investing in IAM. "The business hates IAM, they don't care about it at all," said Verbree. "The business doesn't get it. So you need to take them on a journey, addressing the real pain that the business sees."
Despite these attitudes, getting buy-in from the top of the business is essential for a successful IAM programme. Verbree recommended setting up a dedicated team to focus on IAM, and to concentrate on the organisation's most important systems and data.
"Focus on what matters most. Include externally managed identities and systems too. And get to a critical mass quickly," he said. "A lot of people don't know what their crown jewels are."
Ultimately, IAM is all about managing risk. Verbree said he has rarely seen a situation where IT leaders can prove a positive return on investment for implementing IAM from a purely financial point of view, because the costs of ineffective IAM are often hidden and activities that should be taking place are just not happening.
Digital by default in government
One place where the need for identity management is clear and significant is in the UK government. The current administration adopted a "digital by default" policy for delivering public services online, and many of the highest volume services are being redeveloped using digital methods. But moving away from face-to-face and phone-based interactions with citizens raises a question -- how do people prove online that they are who they say they are? When people are accessing tax records or applying for benefits, identity assurance is critical.
In October 2014, the Government Digital Service (GDS) launched the first service to use its new identity system, called Gov.UK Verify. The system is intended to become standard for all central government services -- and as such, is likely to be used by most UK citizens in the future.
"At the moment, if you need to prove who you are to government, you need to send something in the post or turn up in person. We've built a way to prove our identity to a high standard, digitally," said Janet Hughes, head of policy and engagement for the identity assurance programme at GDS.
"What would previously have taken 10 days to send something in the post, will now take 10 minutes."
GDS spent more than a year conducting user research into how best to implement Verify in a way that citizens would understand -- and also to address concerns over privacy by avoiding building a central identity database, especially considering widespread concerns about ID cards under the previous Labour government.
GDS selected five companies to act as independent identity providers, Hughes explained. Users will register with one or more of those providers, who will use a range of data and evidence such as credit reference agency data, electoral roll, passport or driving licence details, to establish a verified user identity to meet a defined level of assurance, as set out in published standards -- and those details are not stored centrally by government. When citizens subsequently log in to an online government service, their identity is verified electronically by the third-party provider, including an extra factor for further confirmation, such as sending a unique code to the user's mobile phone.
"We built a document-checking service, which means the identity providers can check immediately that the details provided -- such as driving licence or passport -- match a valid record that the government holds. That's the first time you've been able to do that entirely digitally, and it's at the heart of how we're able to do this process digitally, without sending things through the post," said Hughes.
"In the future, we expect at least one provider to offer a method where you take a photograph of yourself and that is matched with the photo on your passport record."
The Verify system establishes that the user is who they say they are, to the level of assurance suitable for the service they wish to use. Citizens register only once, and then can use that identity to log in to any public services they need and which support Verify. That process should take less than a minute, said Hughes.
"We have completed the things we need to do to make our service safe for public access -- we have pan-government security accreditation and have an identity provider that has reached the required standards, and we have finished the development work. It is ready for the first services to use. But we are scaling up gradually over time so that, as we test each batch of new users, we learn more things from those real people, about how they experience the journey," she said.
"Over the next 18 months to two years this will become the default way to verify your identity when signing in to services that need to know who you are."
A triple IAM challenge at Gatwick
At Gatwick Airport, the identity challenge is threefold. As well as needing to manage access to IT systems for staff, the company has users from other companies that use Gatwick services logging in -- but it is also responsible for ensuring that passengers travelling through the airport are the same person recorded on their airline ticket.
For Gatwick CIO Michael Ibbitson, introducing identity management had to take place at the same time as a major overhaul of its IT systems, after operator BAA sold the airport in 2009. The company decided to move to cloud, software as a service (SaaS) and mobile, making IAM central to its security plans.
"Next year we are going to have over 38 million passengers, and every one of those travellers we have to identify," he said.
"On the outbound journey, we use biometric identification -- a high-speed device that scans your boarding pass and, if you're a domestic passenger, it takes an iris scan. When you get on the plane, we do another iris scan. This ensures that, for people travelling within the UK, the person that enters the airport is the person that gets on the plane.
"It prevents people transferring documents in the airport if someone wants to skip the border."
That biometric system is already in Gatwick's south terminal, and will be introduced in the north terminal.
For staff security, Gatwick is rolling out information security training to all employees. "We had to go through a mindset change. From the ground handlers to the security people who pat you down -- all the way up to executive staff," said Ibbitson.
"We're getting there -- but it is a journey and we have some way to go."
To provide identity management for its cloud and BYOD strategy, Gatwick went with IAM supplier Okta, whose system was integrated with tools such as Box for file-sharing and Microsoft Active Directory, as well as other cloud software being implemented, such as Yammer social networking, WebEx video conferencing and Cisco internet telephony.
Every person who requires access to secure physical areas of Gatwick -- whether employed by the airport or by other companies on the site -- has a security pass. Conducting all the necessary security and identity checks to issue someone with a pass takes time -- so Ibbitson introduced a central identity management system called Mtrust, to accelerate the process and better manage secure identities.
"If people change companies -- say, moving from Menzies Aviation to Virgin Atlantic, but still working at Gatwick -- their identities in the Mtrust system stay the same and we can switch them between companies. It not only takes care of our internal Gatwick staff, but also the identities of all 23,000 people who work on the campus, through a central identity management system," he said.
IAM as a business tool
But IAM is not only essential for maintaining security -- it is helping to improve the performance of the airport as a whole.
"The other thing that Okta enables is to create a SaaS applications portal. You log in once with your Gatwick credentials and access a range of single sign-on applications. That means we can federate with our partners -- EasyJet, British Airways, Menzies, and so on -- and, if they have Active Directory Federation Services (ADFS), we can integrate with them, and offer access to our applications via their own Active Directory. We can grant them permission through Okta to access some of our applications," said Ibbitson.
"For example, the Casper system is a map of our airfield with live movements of aircraft. Lots of organisations want to use that around the airport. We also have a tool that gives us real-time predictive metrics for the performance of every ground handler and airline. Now that everyone is looking at the same data, it drives the efficiency of the airport. That will allow us to increase the number of flights we can handle in a day. This capability to share applications with our partners is something that our IAM has helped us to do."
So despite KPMG's Verbree commenting on the challenges of making a business case for IAM in most organisations, Gatwick Airport is one company demonstrating how identity management can become a strategic tool for improving corporate performance as well as information security.