Today, most organizations face major challenges when it comes to security, compliance and efficiency. On this front, identity and access management can act as a magical key that allows an organization to achieve these objectives.
Tight control over each user's identity is a must for any enterprise's security policy. Today, organizations have to manage thousands of users, who in turn access hundreds of applications. Typically, every user has multiple usernames and passwords with different access rights for each application.
Besides these difficulties, the use of best-of-breed applications from different vendors results in silos, which further complicate identity and access management. This is where enterprises can leverage identity and access management solutions to manage the diverse identities of individuals across the organization.
Several approaches are available when it comes to implementation of identity and access management solutions. This decision depends largely on factors like current IT environment, time required for deployment, cost and complexity of the solution.
A company can opt for a complete suite from a single provider. Alternatively, it can use a point solution approach and adopt best-of-breed solutions from different providers.
In the first approach, deployments are often elaborate and may turn out to be multi-billion dollar projects. Identity and access management implementations are similar to large enterprise resource planning deployments, as they touch every business function. Hence, in such cases it is essential to verify the vendor's expertise as well as his understanding of your business environment.
The second approach tries to deal with identity and access management in smaller chunks through the deployment of one component at a time. When evaluating best-of-breed solutions, you must verify whether these solutions are interoperable with other solutions available in the market.
Intricacies of single sign-on solutions
Single sign-on solutions, which allow users to use a single ID and password to access multiple applications, have become quite a popular user authentication tool among Indian organizations. A unified directory is a prerequisite to enable single sign-on solutions.
Generally, organizations use various types of directories for different environments (such as Active Directory in Microsoft-based applications or the lightweight directory access protocol for other environments). In such diverse environments, organizations should link these different directories so that a user is authenticated in all the directories with a single sign-on.
Although single sign-on is considered to further strengthen the organization's security framework, it is not foolproof. Imagine what will happen if a hacker manages to get this single user name and password. He will be able to easily access all the other systems. In order to avoid such incidents, organizations can use two-factor authentication tools like smart cards, tokens or cell phones to create an additional user authentication layer.
Once this is in place, a centralized management console is required to manage user identities and individual access rights across the organization. This console allows enterprises to create, manage and remove identities from a single point. It also takes care of individual rights and permissions of each application, user provisioning, de-provisioning and re-provisioning. For example, if a person leaves the organization, his user identity can be de-activated using this console. This change will automatically reflect in all systems and applications.
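A check that de-provisioning really has reached every application can be run as a reconciliation between the central identity store and each application's account list. The Python sketch below is an added example, not code from the author or from any product; the record layout, the application names and all sample accounts are constructed assumptions.

```python
# Added example: reconcile per-application accounts against the central identity store.
# All names and records below are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:
    user_id: str          # central identifier
    active: bool          # False once de-provisioned in the console
    aliases: frozenset    # usernames this person holds in individual applications

# Constructed central directory: one record per person.
CENTRAL = [
    Identity("e1001", True,  frozenset({"asharma", "a.sharma"})),
    Identity("e1002", False, frozenset({"rmehta", "rmehta_adm"})),  # has left the organization
    Identity("e1003", True,  frozenset({"pnair"})),
]

# Constructed per-application exports: application -> {username: enabled}.
APP_ACCOUNTS = {
    "mail":      {"asharma": True, "rmehta": False, "pnair": True},
    "erp":       {"a.sharma": True, "rmehta_adm": True},
    "fileshare": {"pnair": True, "tempuser7": True},
}

def find_stale_accounts(central, app_accounts):
    """Return sorted (application, username, reason) for enabled accounts that should not exist."""
    owner = {}
    for ident in central:
        for alias in ident.aliases:
            owner[alias.lower()] = ident  # usernames are matched case-insensitively
    findings = []
    for app, accounts in app_accounts.items():
        for username, enabled in accounts.items():
            if not enabled:
                continue  # already disabled in this application
            ident = owner.get(username.lower())
            if ident is None:
                findings.append((app, username, "orphan: no central identity"))
            elif not ident.active:
                findings.append((app, username, f"stale: {ident.user_id} is de-provisioned"))
    return sorted(findings)

if __name__ == "__main__":
    for app, username, reason in find_stale_accounts(CENTRAL, APP_ACCOUNTS):
        print(f"{app:10} {username:12} {reason}")
```

On the sample data this reports the privileged ERP account of the departed user, which is still enabled, and a file-share account that maps to no central identity.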
The saying "power tends to corrupt" is true for insider threats and attacks, since privileged users may misuse their access rights. For example, a system administrator who controls the organization's complete corporate traffic can misuse his powers to read the CEO's emails or access other critical information. This is why privileged account management is another important tool used for identity and access management. Privileged account management solutions help organizations to control a privileged user's every activity and capture logs for analysis.
Organizations often forget business politics and human complexity challenges in identity and access management projects. This is because mere technology may not help you solve such complex issues. Such projects are often considered as a threat to position and power by certain individuals. Hence, the chief information officer or chief information security officer needs to build a vision which defines the exact benefits in order to get an agreement from all stakeholders. Involvement from the top management and CEO is critical, as identity and access management projects touch every aspect of the business.
About the author: Krishnan Thyagarajan is the managing director of Quest Software India Pvt. Ltd. Quest Software provides solutions in the areas of performance, compliance and identity management software.
(As told to Dhwani Pandya.)