Vendor Voice: Identity & Access Management
Who's accessing your online applications?
As more applications get exposed to end-users, corporations
need to provide strong authentication, and manage multiple authentication methods.
by Surendra Singh
Corporate and government investment in IT infrastructure is increasing as these
sectors choose IT as the primary platform for conducting many aspects of business.
The growing investment in the IT enablement of business has resulted in a dramatic
increase in access requirements. This is characterized by a growing number of
users with a proliferation of mobile devices being used for anytime, anywhere
access to an increasing number of applications and resources. The adoption
of Web services and on-line activities for application-to-application
transactions is at an all-time high. In fact, these factors have compelled corporations to redefine
their security perimeter, moving from a few security checkpoints at the network
level to many points at the application level.
This ever-expanding and changing IT-enabled business model presents corporations
with many daunting challenges, from unproductive user experiences and unmanageable
infrastructure to shifting security perimeters. Some of the concerns that customers
are currently experiencing include:
- Cumbersome user experience. Often, users are forced to manage upwards of
ten passwords while authenticating multiple times. As a result, users are
unproductive and less willing to use electronic resources.
- Heterogeneous e-business environments. Today, corporations rely on multiple
applications from multiple vendors to run IT-enabled businesses. Integration
and centralization of technologies has become a growing challenge that significantly
affects the total cost of ownership and threatens the success of e-business.
- Shifting security perimeter and increased risk. With the expansion of e-business,
the perimeter is not well defined, and corporations are looking to manage
security across platforms, and at the application level. Additionally, corporations
are exposing more sensitive data to a growing number of users. This means
that the risk of exposure is high, and so are the stakes.
- Multiple authentication requirements. Many corporations have identified
the need for multiple forms of authentication, but are simply limited to the
one method that their current system supports. This increases an organization's
risk of exposure.
As more applications get exposed to end-users, corporations need to provide
strong authentication, and manage multiple authentication methods. They need
to provide different levels of authorization and a wide range of access rights
for a growing, diverse and dynamic user base. They need to do all this from
one platform that consolidates management and reporting. In short, corporations
need to consider applying Identity and Access Management solutions.
An effective Identity and Access Management platform provides the following
Take stock of your assets
It is necessary to evaluate and develop a plan to secure business against hacking
and other forms of electronic espionage.
As e-business evolves, it is important for enterprises to regularly take stock
of their information assets. The objective is to organize these assets into appropriate
categories, and to understand those assets and their boundaries. For example, how
valuable is each specific data resource? And how much privacy is appropriate?
Identifying and understanding the nature of your information resources is the
first step toward comprehending the security risks to your e-business.
The next step is to identify areas of vulnerability and to understand the potential
for losses associated with each. Of course, there's more to this than direct
financial loss. One needs to look at indirect losses, such as productivity losses.
In addition, legal liabilities and the ramifications of such exposure need to
be considered. And, last but not least, consider damage to reputation or image.
In a world where brand is everything, this may be the most compelling risk.
With the costs associated with loss known, as well as the costs of the risk
mitigation solution, the return on e-security investment needs to be evaluated.
Return on Security Investment
While analyzing return on investment (ROI), it may turn out that the cost of
implementing a full-blown security infrastructure simply outweighs the risk.
In that case, it makes good business sense to go with a less expensive security
technique. For example, it may be sensible to deploy certificates or two-factor
authentication devices instead of deploying biometrics or full PKI. Alternatively,
upon completion of an ROI analysis, if risk of loss severely outweighs the costs
and challenges of any conceivable security solution, PKI with two-factor protection
of user credentials may be paramount.
As more enterprise applications and resources are moved to the Internet (including
a range of Web services that organizations deploy and procure), companies will
need to establish trust among the identities of users who seek to access
them. Further, enterprises would need to manage and control authorized identities
to ensure they are current and are being used in accordance with established
For this reason, organizations would need to assess their own identity and access
management needs, engage in detailed discussions with business partners about
their needs and plans, and explore with a reliable vendor how to implement and
integrate such a solution in their IT environments. The challenges that have
brought the issue of identity management to the fore will only grow and exacerbate
the problems that have stunted the growth of e-business, and contributed to
information security breaches around the world.
An open standard for identity and access management, including authentication,
single sign-on and Web access management capabilities, will help organizations
lower costs, accelerate commercial opportunities and increase user productivity
and customer satisfaction.
The writer is Head, South Asia, RSA Security B.V. He can be reached at firstname.lastname@example.org
|Improved User Experience|Revenue Generation & Cost Reduction|The right identity and access management solution will greatly enhance the user's experience, helping them to control their on-line identities because they will no longer be required to manage a hoard of passwords. An integrated identity and access management solution also enables simplified sign-on.|
||Investment Protection & Cost Avoidance|Seamless integration into an organization's heterogeneous e-business environment is critical. Identity and access management solutions will act much like middleware, enabling corporations to manage digital identities across their diverse and expanding infrastructure. A standards-based approach will play an important role in this enhanced integration.|
||Cost Savings & Cost Avoidance|An identity and access management solution is a platform on which corporations will be able to manage multiple authentication options (e.g. tokens, smart cards, certificates, passwords) from a single platform, providing choice in any environment. In addition, varying levels of authorization functionality (coarse-, medium- or fine-grained) can be part of the mix.|
||Cost Reduction & Risk Mitigation|The right identity and access management solution will enable corporations to simplify the management of digital identities and security policies with one console.|
||Risk Mitigation & Compliance|Identity and access management solutions will ensure greater levels of security to match the growing risk of exposure and high stakes involved in e-business infrastructure. The solutions will shift fluidly with an organization's perimeter, protecting the business at the application level. In addition, an integrated identity and access management platform will be the cornerstone to security enforcement, providing a basis for consistent enforcement, audit and reporting of policies across the e-business environment.|