Access control is a fairly broad category that includes identification, authentication and authorization. These three areas need to be covered, but with the growth of the enterprise and the blurring of the perimeter, other considerations impinge on the simple act of controlling access to systems, data and applications.
For example, we see greater emphasis on access to applications that are, themselves, internet-facing. In days past we had simple architectural ways to craft a network that let a few authorized users gain access, however indirectly, to backend data stores. Today we have perimeters that range from semi-permeable to almost non-existent. Rafts of relatively unknown users seek legitimate access to sensitive backend data and we must provide that access – safely, efficiently and easily – if we are to remain competitive in our businesses.
Add to those the challenge of provisioning huge numbers of users – many of whom are completely unknown, but important nonetheless – with access controls that work, are easy to use and effective, and you have a set of Herculean challenges. What is most important, however, is the very strong emergence of access control as a business challenge as much as a technical one.
As we move the user closer to the application and, thus, the data, we find that business issues not only drive but complicate the mechanics of access control. Now we must determine who should access what and why. That is as it always has been, to a point, but now there is an added dimension of complexity brought on by widely dispersed locations, users at all levels (from employees to customers), access directly to applications without any firewall to intervene, and the need to protect critical and sensitive data while allowing this extremely granular access.
The answer – as is quite common now – is to move to the cloud. Access control and many other security functions, as we will see, may actually work best in a SaaS environment. Centralized control of a very decentralized process used to feel like an oxymoron, but with SaaS we can achieve it and manage it well. That is the type of innovation that this year's access control Innovator has brought to bear on a very tough challenge.
RSA Identity Management and Governance
Flagship Product: RSA Identity Management and Governance
Cost: Varies widely depending upon implementation.
Innovation: Managing identity as a key threat vector across the entire enterprise.
Greatest strength: RSA has rewritten the book on identity management, making it far broader than traditional models and allowing greater security, control and ease of deployment. Recognizing the importance of identity as a threat vector and managing it as a business construct is a very strong part of the product.
In years past, this company was RSA Aveksa and we liked it the first time we saw it. The differentiator for this Innovator is the approach it takes in managing identity. For RSA, identity and access management (IAM) is a matter of business, not just a matter of technology. Their rationale is that tech folks do not understand the underlying business model any better than the business folks understand the technology. So close collaboration is necessary and Identity Management and Governance (IMG) is designed to provide exactly that mix of business-driven technology.
Deploying this rationale as a product is their second innovation. They may be the original “have it your way” IAM product. You can get IMG as software, a hardware appliance or a SaaS deployment. How do they do it? When I asked, the answer was that SaaS is all about standardization. Once you get that under control, different delivery platforms become practical and, from the user perspective, whatever deployment they choose is the right one because it just works.
The access space is complicated. There are lots of people with lots of accounts, so creating a business view of access simplifies the complexity. IAM often makes use of business roles, and the mappings for those roles can be complicated. As SaaS takes over, there are many other applications that do not understand all of the roles or that have their own special ones. So IMG uses attribute-based access control. The attribute has entitlements. One way to make this work cleanly is to use standard tokens, which can contain tokens that Active Directory can understand.
The addition of governance to the mix allows organizations to bring business processes, technology and training all together in a holistic package. Starting from strong identity management, it becomes more practical to detect fraud, apply data analytics to identify data breaches in real time and provide the appropriate governance to manage, report and stay in compliance. All of this points to RSA's key innovation: managing identity, recognizing that it is the key threat vector across all platforms in the enterprise. When identity is compromised, the enterprise and all it contains are compromised.