Identity and Access Management: The Key to Enterprise Security

Anthony Caruana, a writer for CSO Online, has an interesting and, given the nature of this particular site, relevant take on the future of enterprise security, drawn from an interview he did with a leading practitioner in the field of Identity and Access Management.

First, Caruana says it is important to note that the current approach to security, trying to stop invaders only at the border and nowhere else, is failing miserably. There are many reasons for this, including what Caruana notes is an inability to even know where that border is nowadays, but the result is the same regardless: businesses are pursuing a new “risk-based” approach to thinking about the security of their data and systems.

Caruana then quotes John Delk, VP of Product Management, Marketing and Sales Operations at NetIQ, on the question that companies are asking themselves as they try to solve the problem of security:

“Does the right user have the right access to the right information, and only that? At its heart, it’s an identity powered problem.”

Hence, an Identity and Access Management approach to security might be the solution enterprises need.

Caruana relays that Delk has noticed an important trend in businesses developing proper IAM strategies: heavily regulated organizations tend to be ahead of their less regulated brethren. Some of that advantage stems from those heavily regulated businesses being forced to spend more time and energy determining a proper balance between IT, but that is not to say there are no pitfalls. One pitfall is that large organizations have tried to use an annual audit to ensure that they are compliant, and when everything checks out, those businesses assume that “compliant” equals “secure,” when in fact it does not. Silos defeat attempts at security through compliance, as most line-of-business managers only consider the compliance of their own part of the organization, rather than thinking about security in the more holistic way needed to protect against breaches.

Another challenge is getting IT, business operations and the C-suite to communicate and coordinate effectively when problem-solving, a task all three parts of an organization have to participate in when dealing with security issues. Getting IT to present problems and solutions in terms that business decision-makers can understand is an important first step. That way, IT can point business decision-makers to high-risk users based on their behaviour or on the types of applications and data they access.

Delk also throws some shade on two-factor authentication, according to Caruana:

Delk sees context as being equally important. So, it’s no longer about something you know and something you have. Where you are and what time you are using your credentials become an important element of the identity and access management solution.

Adding context to authentication procedures can therefore add an additional layer of security beyond a solution that only relies on two-factor authentication.

Another problem businesses have to deal with is the ever-increasing complexity of hundreds of different systems, each with dozens of different roles, multiplied by thousands of different users. Additional complexity gets added when you consider the large numbers of third-party contractors, cloned and/or reused credentials, and the distributed nature of modern IT. Now, add to all that the fact that sensitive, even legally protected, data is moving around between all these actors and systems, presenting opportunities for loss and breach. A way to simplify that complexity is to rely on correlation to guide your decision-making by asking and answering the following sorts of questions: “How can I take the behaviour I’m seeing and attach some context to it? What thresholds are important? What’s the norm?” Delk cites the telecommunications industry as one field where this line of thinking and analysis is advanced.

Another partial solution is to stop thinking of access as a binary yes/no type question. Instead, consider gradations of access, what Delk calls a “chunkable” approach, especially as more people use social media credentials from sites like Facebook and Twitter to access services.
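To make the last three points concrete, here is an added illustration (not code from Caruana's piece or from NetIQ): a toy risk-based access decision that combines the context Delk describes (where and when credentials are used, whether a second factor was presented), a per-user “norm” to compare the request against, and a graded rather than yes/no outcome. The baseline, the sensitivity weights and the score thresholds are all constructed, assumed values.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed baseline ("the norm") per user: countries and local hours seen in
# past successful logins. In practice this comes from correlating access logs.
BASELINE = {
    "alice": {"countries": {"AU"}, "hours": range(8, 19)},
}

# Assumed weight of the data being requested; regulated data raises the bar.
SENSITIVITY_WEIGHT = {"public": 0, "internal": 1, "regulated": 2}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    country: str          # where the credentials are being used from
    when: datetime        # when they are being used
    second_factor: bool   # "something you have" was verified
    sensitivity: str      # classification of the requested data

def risk_factors(req, baseline=BASELINE):
    """Compare the request against the user's norm; return (score, reasons)."""
    profile = baseline.get(req.user)
    if profile is None:
        return 3, ["no behavioural baseline for user"]
    score, reasons = 0, []
    if req.country not in profile["countries"]:
        score += 2
        reasons.append(f"unusual country {req.country}")
    if req.when.hour not in profile["hours"]:
        score += 1
        reasons.append(f"outside usual hours ({req.when.hour:02d}:00)")
    if not req.second_factor:
        score += 1
        reasons.append("second factor not presented")
    return score, reasons

def decide(req, baseline=BASELINE):
    """Graded ("chunkable") decision instead of a binary allow/deny."""
    score, reasons = risk_factors(req, baseline)
    score += SENSITIVITY_WEIGHT[req.sensitivity]
    if score <= 1:
        level = "full"
    elif score == 2:
        level = "read_only"
    elif score == 3:
        level = "step_up"      # grant only after additional verification
    else:
        level = "deny"
    return level, score, reasons
```

The returned reasons are what IT would hand to business decision-makers to explain why a user or session was flagged as high risk.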

The solutions to the problems of achieving enterprise security therefore cannot be found in certifications and audits, even if they have their uses, but only by implementing and integrating into your organization a solution that effectively and deftly manages identities and access.

Caruana’s original piece is published at CSO Online.

Doug Atkinson