Managing identity used to be a relatively easy task when all activity took place inside the firewall.
These days, things are more challenging. Individuals often access company resources from outside the network perimeter and, in many cases, the relationship between these individuals, the organisation and the resources they are accessing has changed.
The “insider threat” is as real today as it's ever been, especially when the “insider” may be working on a tablet connecting to a cloud application from a coffee shop via WiFi; controlling who has access to what needs robust identity management policies and controls.
Companies are moving key computing assets into the cloud. Moving users and resources outside the network perimeter adds complexity when it comes to identity management, authentication and access.
When everything took place behind the firewall, it may have been realistic to tie identity to a particular device. Today, identity must be tied to the individual, regardless of the device they're using.
A governance-based approach to identity management gives an organisation a single view into users and their access privileges and answers the critical questions: who should have access to what; who does have access to what; and how did they get it?
Organisations can outsource the operation of their applications and infrastructure to the cloud, but they must retain control of the process by which users' access rights are granted. Identity governance controls this process, and as such must remain under corporate control.
How can an organisation effectively manage identity for a wide base of users with varying roles and responsibilities, some of whom may not even be directly employed by the company? When Integralis asked IT professionals at the Infosecurity Europe show what their priorities were, more than a third of them highlighted identity governance as a key focus area.
Companies may operate a simple password access or token-based authentication system and assume that this addresses identity and access management. Similarly, a company's view of identity management may be limited to automating the provisioning and de-provisioning of users.
Identity and access management should include appropriate levels of governance as well as full user lifecycle management and access control. Governance is critical – by merely making a provisioning process more efficient you may just be speeding up a potentially toxic combination of privileges.
It is critical that the controls surrounding assignment of privileges are robust and auditable. Auditors are much more concerned about who has access to data than whether the data lives in the cloud or the data centre.
Codifying roles and responsibilities in an identity management system makes it possible to allocate privileges to groups of users based on characteristics that make sense to the company.
Effective implementation of roles-based identity management could involve tagging data, either within databases or document management systems. The metadata in these documents can reflect information such as the sensitivity of the document.
This can then be matched with the role information associated with an individual in the company, which in turn can be used to reference the privileges associated with that role in a roles-based management system.
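As an added illustration (not code from the article or from Integralis), the matching described above in Python: documents carry a sensitivity tag, roles define a clearance level and permitted actions, and the decision function records which role justified each grant so that "how did they get it?" is answerable from the audit trail. The sensitivity scheme, role names and sample users are constructed for the example; untagged documents are denied by default, and the access review flags direct grants that no role explains.

```python
from dataclasses import dataclass, field

# Sensitivity levels in increasing order; a role's clearance admits every
# level at or below it. Constructed scheme for illustration only.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Role definitions: clearance granted and actions permitted (constructed).
ROLES = {
    "staff":   {"clearance": "internal",     "actions": {"read"}},
    "finance": {"clearance": "confidential", "actions": {"read", "edit"}},
    "auditor": {"clearance": "restricted",   "actions": {"read"}},
}

@dataclass
class Document:
    name: str
    sensitivity: str          # metadata tag stored alongside the document

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

def decide(user, doc, action):
    """Return (allowed, reason). The reason names the role that justified a
    grant, so the audit question 'how did they get access?' is answerable."""
    if doc.sensitivity not in SENSITIVITY:
        # Untagged or mislabelled data: deny rather than guess a level.
        return False, f"'{doc.name}' has unknown sensitivity '{doc.sensitivity}'"
    needed = SENSITIVITY[doc.sensitivity]
    for role in sorted(user.roles):
        spec = ROLES.get(role)
        if spec is None:
            continue          # stale role assignment: never grants anything
        if action in spec["actions"] and SENSITIVITY[spec["clearance"]] >= needed:
            return True, f"'{action}' on '{doc.name}' granted via role '{role}'"
    return False, f"no role of '{user.name}' permits '{action}' at '{doc.sensitivity}'"

def review_grants(users, docs, grants):
    """Access review: return the direct grants (user, doc, action) that no
    role explains, i.e. 'who does have access' not justified by 'who should'."""
    unexplained = []
    for user_name, doc_name, action in grants:
        allowed, _ = decide(users[user_name], docs[doc_name], action)
        if not allowed:
            unexplained.append((user_name, doc_name, action))
    return unexplained
```

Running `review_grants` over an export of actual entitlements turns the governance questions in the article into a repeatable check rather than a spreadsheet exercise.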
Many organisations will begin managing all of this information manually, possibly with a spreadsheet, but as they grow these systems will become increasingly cumbersome and unmanageable.
Putting in place automated systems designed to govern and manage identity more effectively will therefore be a crucial part of any organisation's structured growth. Integration of existing directory systems can be used to help simplify the process. They store information about users and their credentials and can also include information about role definitions.
The ID management system will ideally orchestrate an individual's rights and privileges such that they can use a single set of credentials to log in to any corporate system. This is especially important in cloud environments where applications may reside in a local data centre, a cloud provider's network or dynamically move between the two.
If users have to remember multiple username/password combinations depending on where the application or data resides, this may lead to user angst and inappropriate password management behaviour.
The key is to federate user identity. This makes it possible to pass credentials between different services, operated by different organisations, without giving away personally identifiable information. As companies move further towards cloud-based services, setting up complex connections with multiple providers, this federation will become a critical part of any organisation's identity management process.
Identity management needn't be a headache, as long as an organisation puts the necessary building blocks in place before it grows. In this field, more than any other, a little work earlier on saves a big headache further down the line.
Alastair Broom is solutions director at Integralis