James Thew - Fotolia
“Many organisations still do not see IAM as a necessity for implementing security and policy or as an enabler of business models requiring customer or partner interaction,” Reinwarth told Computer Weekly.
KuppingerCole believes IAM should be embedded in business processes and the underlying policies, and should constitute a stable and continuous process.
“Typically, however, IAM is seen as being part of IT and not business, and investments tend to be aimed at mitigating one-off incidents such as a segregation of duties violation,” said Reinwarth.
This is particularly true in traditional, established industry sectors such as manufacturing, banking and insurance, he said.
The business role of IAM, he said, tends to be better understood in modern industry sectors that are more customer-oriented.
“We consider access rights reviews and re-certifications to be the duty of the business rather than IT, which is what is beginning to happen in the more mature organisations,” said Reinwarth.
One of the most common IAM failings identified in assessments by KuppingerCole in the past year is the failure to apply a risk-based approach.
Read more about identity and access (IAM) security
- Why identity and access management is taking centre stage in companies’ access policies.
- Companies should consider their identity and access management (IAM) systems as a likely point of attack, according to SailPoint.
- Identity and access management of employees is so complex that many companies have faltered when it comes to securing programs for trusted partners.
Managing privileged users' rights
“Organisations need to conduct a risk analysis of the core entitlements, to understand which systems have the highest risk in terms of impact and probability, so they can adjust their access controls and mitigation mechanisms accordingly,” said Reinwarth.
Another common failing, he said, is that even if organisations are fairly mature in managing the access of general users, they tend to fall down on managing the access rights of privileged users.
“These users can be systems administrators as well as ordinary application users with extreme privileges to perform actions such as changing the access rights of other users,” said Reinwarth.
However, he said the EU’s General Data Protection Regulation (GDPR) – due to come into force in early 2018 – could have a positive effect on organisations’ approach to IAM.
“The GDPR will be a massive game-changer for many organisations because they are currently not fulfilling many of the new requirements – particularly organisations doing customer identity and access management,” said Reinwarth.
“Done properly by embedding it into the enterprise business processes and policies, and involving the relevant stakeholders in the organisation, IAM will be a great help in ensuring that organisations have the systems and processes in place for GDPR compliance,” he said.
The workshop will outline KuppingerCole’s methodology for assessing IAM maturity and look at the results of applying the methodology to real-world organisations.