Balancing an organization’s security risk, productivity and security technology investment has been the archetypal IT security challenge. However, with costs now spiralling as a result of a plethora of new regulatory compliance requirements and the need to support federated identities, organizations need to embrace automation and ‘self-service’ Identity Management technologies to attain the required levels of security, without tying the organization in knots and sucking it dry of profit.
Investing in security has traditionally been a trade-off between cost and risk. However, with the increase in compliance legislation and exponential growth in users and systems that need protecting, both within and outside an organization, many companies are finding day-to-day security management costs spiralling out of control.
Furthermore, with help desks spending an estimated 40-60 percent of their time on password problems, the knock-on effect on user productivity and dilution of core support services is creating a significant business impact.
Despite the increasing adoption of smart cards and other identity tokens, passwords are here to stay. If organizations are to control spiralling security management costs and minimize user downtime they need to introduce a significant degree of automation and self-service, while meeting compliance objectives.
Security has always been a play-off between the desire to protect the corporate identity and infrastructure and the need to be able to run the business uninhibited. With compliance topping the agenda for virtually every organization, the traditional balance of risk versus investment versus user productivity has become somewhat skewed. Organizations have no choice but to implement solutions that can deliver clear audit trails of user activity across the organization.
However, achieving this visibility of user activity is far from simple with the plethora of systems and extended user populations now found in many companies.
Over the past few years the adoption of new matrix-based management techniques, corporate structures and tight customer and supplier relationships has created a highly complex and constantly changing hierarchy of user information requirements. The federated identity is now a standard component of global commerce – and ensuring that this is securely managed within an increasingly compliance-focused environment is creating pressure on both IT resources and budgets.
How can organizations across all vertical sectors manage a multiplicity of users – internal and external? How can they ensure secure access to an ever wider number of systems, from ERP to CRM, and respond efficiently to project-led demands for targeted access to specific systems?
How many organizations are struggling to manage the complex user access policies that are prompting an escalating volume of password-related calls to the help desk? Not only is this creating a major overhead for IT but, as users are regularly locked out of their systems, it is also undermining corporate productivity.
The escalating demands of day-to-day security management are beginning to actively damage business performance and add untenable costs to an already stretched IT budget.
When you consider new and emerging requirements to address compliance legislation, the old cost versus risk equation becomes a distant memory. The tight management of identity has moved from being simply good business practice to a mandated requisite of corporate operations.
How can an organization attain a clear view of which users had access to systems at a specific time and date? To comply with these new mandates, you must be able to provide a complete audit trail of user activity across all these systems. Manually comparing system-by-system audit trails is massively expensive, and automating it is not practical unless your identity data is synchronized across applications and platforms.
It is this pressing compliance requirement that is driving the adoption of Identity Management solutions. By providing a centralized, cross-system platform for monitoring and managing user access to systems, Identity Management technologies are delivering that key organization-wide compliance information.
Furthermore, the adoption of Identity Management technologies will also enable organizations to support new business practices, by providing users with access to systems, often on a temporary or time-sensitive basis, in a flexible and dynamic way – something that simply cannot be achieved effectively with a system-by-system approach.
Indeed, it is estimated that it takes up to three weeks to provision a new user onto all relevant systems. While, in many cases, this takes place prior to their employment, instances of new starters using temporary accounts and sharing accounts with colleagues are far from unknown. And for existing users who need access to a new system – as a result of job change or a new project – waiting several days is simply unacceptable.
At the other end of the scale, it is far from uncommon to find user accounts still open several months after an individual has left the company, due to the complexity of the de-provisioning process. This lax internal security leaves clear opportunity for breaches, a process made so much simpler in these days of online hacking advice, guidance and support.
Streamlined provisioning and de-provisioning is one of the core concepts of Identity Management. By leveraging email and web interfaces, the authorization processes are streamlined. Provisioning a new user across a range of systems from mainframe or Unix to Windows or the web can be achieved in hours, if required; while de-provisioning is automatically achieved across all systems simultaneously to leave no tempting security loopholes.
In addition to improving security, the automation also enhances the productivity of both administrators and end users, ensuring no time is wasted waiting for critical system access.
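As an added illustration, not part of the original article or any vendor's product, here is a minimal reconciliation check for the leftover accounts described above. It shows why it depends on synchronized identity data: each system names the same person differently. The HR records, identity map, account exports and the `reconcile` helper are all constructed for this example.

```python
from datetime import date

# Constructed sample data: HR leaver records (employee id -> leaving date).
HR_LEAVERS = {"E1001": date(2024, 1, 31), "E1002": date(2024, 3, 15)}

# Synchronized identity data: (system, login) -> employee id.
# Without this map, per-system exports cannot be tied to one person.
IDENTITY_MAP = {
    ("unix", "jsmith"): "E1001",
    ("windows", "CORP\\john.smith"): "E1001",
    ("mainframe", "JSM01"): "E1001",
    ("windows", "CORP\\a.jones"): "E1002",
    ("unix", "mbrown"): "E1003",
}

# Constructed per-system account exports: (system, login, enabled).
ACCOUNTS = [
    ("unix", "jsmith", True),
    ("windows", "CORP\\john.smith", False),  # correctly disabled
    ("mainframe", "JSM01", True),
    ("windows", "CORP\\a.jones", True),
    ("unix", "mbrown", True),                # current employee
    ("unix", "tmpuser7", True),              # no known owner
]


def reconcile(accounts, identity_map, leavers, today):
    """Return (orphaned, unmapped).

    orphaned: enabled accounts whose owner has left, with days overdue.
    unmapped: enabled accounts with no owner in the identity map, such as
              shared or temporary accounts that no audit trail can attribute.
    """
    orphaned, unmapped = [], []
    for system, login, enabled in accounts:
        if not enabled:
            continue
        owner = identity_map.get((system, login))
        if owner is None:
            unmapped.append((system, login))
            continue
        left = leavers.get(owner)
        if left is not None and left <= today:
            orphaned.append((system, login, owner, (today - left).days))
    orphaned.sort(key=lambda row: -row[3])  # longest-overdue first
    return orphaned, unmapped


if __name__ == "__main__":
    for row in reconcile(ACCOUNTS, IDENTITY_MAP, HR_LEAVERS, date(2024, 4, 1)):
        print(row)
```
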
Furthermore, Identity Management solutions also address the other key productivity inhibitor: password problems. Using shared secrets or personal identification information, such as mother’s maiden name, users can take a self-service approach to resetting forgotten passwords. Not only does this reduce the workload of the help desk by up to 40 percent, allowing the resource to be focused on business critical systems, but it also enables users to be back into systems within two to three minutes, far quicker than the typical twenty to thirty minutes it can take via a help desk.
This combination of improved productivity, timely provisioning and reduced help desk calls delivers significant business benefits and cost savings that can provide a return on investment within 12 months for most organizations.
Passwords remain the primary tool for user authentication and access services, increasingly used in tandem with tokens and smart cards. And password management for increasing user populations and broad system access will only become more complex, time-consuming and expensive to manage – for users and IT services alike.
Does Identity Management change the risk/productivity/investment argument? Essentially, yes. By delivering user self-service and streamlining the provisioning and de-provisioning processes, organizations not only reduce costs and improve productivity, but the risk associated with, for example, failing to de-provision a user who has left the organization is completely removed. And, critically, identity management provides a platform for meeting compliance security demands.
The author is senior director of Product Management at ASG