There is a lot of talk recently about Identity Management (IM) solutions not only within enterprises that have teams to assess the variety of technology solutions available, but also by industry analysts whose job it is to size up the IM market space, including vendors. Increasingly, IM is also becoming a key focus of discussion at industry and analyst conferences on IT security.
There are a variety of reasons for the growing interest in IM, each of which can stand on its own merits. But when examined holistically, these present a strong and compelling case for enterprises. IM has gained enough attention within many IT organizations. While the spectrum varies in terms of the acceptance of IM within the enterprise, some companies have created a specific entity, typically within the umbrella of their security organization, focused on identity management.
The business drivers for IM generally fall within the following categories: operational efficiency/service excellence and operational risk management, including legislative requirements such as the Sarbanes-Oxley Act. When properly addressed, these drivers can contribute to improved IT governance and business performance.
With budget cost cutting and limited resources, organizations are looking at tangible Return On Investment (ROI) and reduced complexity. IM solutions automate manual administrative processes for provisioning, de-provisioning and managing user credentials throughout their life-cycle. This can be done on a centralized and distributed level, thus reducing the need for administrative staff. It also reduces the wait time to provision a new user from days and weeks to minutes. The self-service capability can allow users to reset their own passwords and update their own attributes, reducing the need for help-desk or other administrative support and intervention. Less wait time means improved productivity and together these work to contribute to improved customer service.
Driving Business Value
Implementing IT solutions can drive value for the business by creating competitive advantage, reducing administrative costs and improving overall effectiveness. All of these can contribute to IT governance. Many organizations use ROI as a means by which to guide decision-making for IT investments.
Reducing losses, errors and omissions is a primary concern for many CIOs. IT security is a component of operational risk. Risk management requires an adequate framework to guide organizational control and management of IT risks. This framework should include policies, standards, control objectives, and clear accountabilities.
With IM solutions, organizations can implement a consistent policy for the administration and management of user identities throughout their life cycle. This policy can be applied consistently, across all platforms and applications that manage and control user-ID access. The security policy can be applied to audit logs which serve as record keeping of access requests and changes to identities and identity states. Having a holistic view and consistent policy based-approach to the management of user credentials improves overall security and safeguards critical business information.
Deterring the Problem from Within
One of the top risks auditors often cite is dealing with the issue of terminated employees or contract staff having system access once they leave the organization. Internal theft is one of the largest threats facing organizations today, more so than hackers or cyber-terrorists. According to the US Department of Commerce, one-third of all employees steal from their employers. Other studies have shown that two thirds of IT–related losses are due to errors and omissions by internal employees. Further in a recent CSI/FBI study, 90 percent of corporate respondents reported they had detected computer security breaches within the year. Of all breaches, the most serious financial losses occurred due to theft of critical business information.
Another concern is the large number of users that have "superuser" authority. The superuser is often a privileged user who has unrestricted access to the whole system, all commands and all files regardless of their permissions.
IM solutions can address these weaknesses by mapping user-IDs in the system to a common identity and facilitating the automated de-provisioning of privileges, sometimes in real time. IM solutions enable a controlled delegation of administrative rights with appropriate approvals and checkpoints designed into the system. This reduces manual processes and the risk of human error dramatically. Consistent, automated and repeatable processes that eliminate human intervention provide a higher level of assurance and a lower level of risk to a company.
Identity Management and Compliance
New legislation such as the Sarbanes-Oxley Act requires a system of solid corporate governance to be in place and working effectively. It also requires good, ethical business practices. Section 404 of the Sarbanes-Oxley Act requires organizations that are registered with the Securities and Exchange Commission (SEC) to assess the effectiveness of their internal control over financial reporting and to annually report the results of their assessment. Many significant financial processes are supported by and dependent upon IT systems and applications, therefore, information technology controls play a major role in ensuring the reliability of financial reporting. In particular, general IT controls within the platforms and infrastructure that support the financial applications are relevant controls for Sarbanes-Oxley. General IT controls for security administration are pervasive and can have an impact on the achievement of many of the required control objectives and on the overall integrity of financial results.
To comply with Section 404 (assessing internal controls), it is important to understand where the centralized and distributed components of security administration lie. Particularly important are those that relate to critical data and applications and have an impact on financial processes. It is important to understand how these security administration functions are controlled and managed. For example, consistent policies are implemented governing creation, maintenance and timely deletion of accounts. Implementation of automated, consistent and policy-based IM solutions for security administration eliminate the risks of human error and ensure consistent application of corporate policies for the provisioning, management and de-provisioning of users.
Summary
IM solutions address a relevant business need from operational efficiency to risk management. From reducing the risk of internal theft and data compromise to ensuring regulatory compliance, the organizational risks associated with not having an identity solution in place are significant. Success requires support of senior management from the IT organization, the lines of business and stakeholder groups, in addition to a well thought out and orchestrated plan of implementation.
Rosa Caputo is Chief Marketing and Business Development Officer, Blockade Systems Corp.
