Passwords are the weakest link in enterprise security, with more than 52% of security incidents linked to the user, account or password. To get your hands around the issue of Identity and Access Management (IAM), one needs to take a holistic view that covers organisational management aspects as well as technology. For many organisations, single sign-on is the reason they want identity management; however, as you will see below, single sign-on is just one of the effects of IAM. Here we provide pointers to some of the issues that cause the best of IAM projects to fail, and to some of the simplest innovative solutions that solve long-standing corporate issues.
Challenge 1: Legacy systems
If the organisation were born today, or greenfield as most of us prefer to call it, deploying IAM would be much simpler. However, since your organisation will not be brand new, your first challenge will be to identify the legacy applications that you need to bring within the ambit of a centralised IAM architecture. Legacy systems were designed with their security groups in isolation: you may find it normal practice that the accountancy package has its own userbase, and that the payroll package and proxy authentication each have their own. The first issue to confront you is whether the legacy system is able to use an external userbase and password store (a directory). The second is whether the application can provide role-based access, granting rights to the owners of those roles. In a sales channel application, access may need to be given to the whole sales team, while the ability to set targets or to view organisational levels is restricted to a few. The question to ask is: does your application allow such segregation of access?
Challenge 2: Disparate/missing role definition
While this appears to be common sense, deploying IAM essentially means policy-level documentation for each of the roles in the corporation. Each role is then mapped to people (or an access set) on one side and to resources (application profiles) on the other, defining a matrix of who can get which functions or rights in which resources (applications). This is one of the most tedious tasks, as technology can play only a limited part. The will of the organisation to undertake such granular documentation may start with gusto, but is normally soon lost. Most often, one finds that these definitions exist only in people's minds and not in any documented form. Nevertheless, building a role framework is the first crucial building block in putting together an IAM infrastructure.
Challenge 3: Roles lifecycle management
Role life cycle management transcends the process and technology domains; it will test your management skills throughout its life. Provisioning is required every time a new role is introduced, whether a new employee has joined the organisation or an existing one has changed roles. Periodic attestation of roles, if not undertaken company-wide, will soon result in loose and therefore dysfunctional IAM management. Maintenance of the role profile on an ongoing basis, with process-based and event-based revocation and suspension, forms a critical part. Keeping pace with all the changes in your organisation, some significant (resignations, for example) and some minor yet important (a new assignment given to an employee, or an assignment completed), and keeping the role map current through all of them, will look like an insurmountable task.
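The role matrix of Challenge 2 and the provisioning, attestation and revocation steps of Challenge 3 can be expressed in a few lines; the following is an added illustration, not code from the original article. The roles, resources, users and the 90-day attestation period are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample role matrix (Challenge 2): role -> resource -> permitted functions.
ROLE_MATRIX = {
    "sales_rep":     {"sales_channel": {"view_accounts", "log_call"}},
    "sales_manager": {"sales_channel": {"view_accounts", "set_targets", "view_org_levels"}},
    "payroll_clerk": {"payroll": {"run_payroll"}},
}
ATTEST_PERIOD = timedelta(days=90)  # assumed attestation cycle; dates are ISO strings

@dataclass
class Assignment:
    role: str
    attested_on: date
    active: bool = True

@dataclass
class RoleDirectory:
    assignments: dict = field(default_factory=dict)  # user -> [Assignment]

    def provision(self, user, role, today):
        """Joiner or role change: grant the role, attested as of today."""
        self.assignments.setdefault(user, []).append(Assignment(role, date.fromisoformat(today)))

    def attest(self, user, role, today):
        """Periodic review confirmed the role is still needed."""
        for a in self.assignments.get(user, []):
            if a.role == role and a.active:
                a.attested_on = date.fromisoformat(today)

    def revoke(self, user, role=None):
        """Process- or event-based revocation; role=None offboards every role (leaver)."""
        for a in self.assignments.get(user, []):
            if role is None or a.role == role:
                a.active = False

    def can(self, user, resource, function, today):
        """Revoked roles and roles whose attestation has lapsed grant nothing."""
        now = date.fromisoformat(today)
        for a in self.assignments.get(user, []):
            if not a.active or now - a.attested_on > ATTEST_PERIOD:
                continue
            if function in ROLE_MATRIX.get(a.role, {}).get(resource, set()):
                return True
        return False

def lapsed(directory, today):
    """List (user, role) pairs due for re-attestation, for the periodic review."""
    now = date.fromisoformat(today)
    return sorted((u, a.role) for u, lst in directory.assignments.items()
                  for a in lst if a.active and now - a.attested_on > ATTEST_PERIOD)
```

A lapsed attestation makes the role dormant rather than deleting it, so the periodic review can confirm or revoke it without re-provisioning.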
Challenge 4: Unscalable design philosophy
To keep pace with business growth, one needs to build a framework based on a scalable design philosophy. In day-to-day terms, however, this has to be balanced with judicious business efficiency. For instance, if you intend to give access to your internal resources ONLY to employees, then an architecture sized at 10 times your employee count today can probably take care of 4-5 years of growth. But the business logic can change at any time, and access to resources may need to be given to, say, your dealer or retailer network. A small product distribution company may very quickly require tens of thousands of dealers connecting to its network, perhaps over phone or 3G, and with one change in a business decision your design may be rendered ineffective. On the other hand, designing for 10,000 users (with the associated data AND associated roles) in a 400-employee organisation is in no way an efficient use of resources today.
Challenge 5: Plethora of access points
While the devices that need to connect to resources are not new, technology has acted as both solution provider and challenge provider. With the proliferation of the web, more and more applications are moving into the web space. This allows significant consolidation of your applications, so introducing single sign-on for them is simpler and faster. User terminals have posed a bit of a challenge, evolving to mobile, tablet, cloud and so on. The good news, however, is that most of these are based on web access and, being new, their developers have built in authentication and profiling abilities that can authenticate against a centralised database. And by the way, the types of device that will need access are not limited to the computing devices on which you access the net. Shortly it will be your vehicle, integrating seamlessly with the office application to generate conveyance bills. It will be the tablet you use to access office mail while on the move. It will be your home mobile medical equipment, which will need to be integrated with the hospital records.
Challenge 6: Choosing the right identity token
What is the simplest and most convenient way to identify your employee? This debate has raged since the dawn of technology and will continue for a very long time. One of the common login tokens used in real life is the email id. This seemingly solves your uniqueness problem to a large extent, but does not resolve the need for the multiple user ids a user carries when he has multiple functional roles to play. Many large corporations use the employee id as the identifier; this works extremely well within the organisation but starts to break down where you need to authenticate into a system in which multiple organisations collaborate.
The Indian Government, in a bid to resolve this quandary, has launched a project called 'Aadhaar', a unique ID for all citizens. No doubt this database will be the basis of public access systems, but for the enterprise it fails to cater to the needs of an MNC, where many employees may cross international borders.
Biometric signatures are expected to break the impasse for many; however, attaching today's retina scanners or fingerprint readers to each access device is still far too expensive a proposition.
Challenge 7: The avatar
Gone are the days when the number of employees equalled the number of computing devices. With the advent of mobile smartphones, multiple avatars of the same user now connect to your environment. Tablets, with such power at low cost, are going to add to this mayhem. The same user now uses multiple devices to connect to the same resource; each of them has to be authenticated, and each of them needs to be secured. Add the complication that you may not want the same id on each device, and you arrive at a situation where one person will need to hold many ids, or many avatars.
Challenge 8: Single or federated IAM
Technically, the simplest architecture in which to deploy IAM would be a single database with a single owner. Sadly, as CIOs, we know that is never going to be true. Even if you start with a single database, let's say your employee base in the HR database, presto, your management decides it needs to integrate the dealer network as well. Or your technology principal wants to integrate their procurement process with yours. Suddenly you have to authenticate and/or exchange profiles in real time with databases over which you have absolutely no control. This is the time to federate and use a combination of databases. It requires you to use a standard such as SAML (Security Assertion Markup Language) to inter-operate between the databases. SAML is an OASIS-supported initiative to build a common framework that applications participating in a Federated Identity Management (FIM) system depend on. It allows, for example, a sales representative to update an internal forecast by pulling information from a supplier's database hosted on the supplier's network. (See box for OASIS details)
Challenge 9: Virtualisation, meta directories
While the previous challenge concerned inter-company issues, the in-company contention over userbase management goes on. For example, the HR system is typically authoritative for the user object (name, date of birth, employee number, etc.), whereas the telephone address book is the authoritative owner of telephone and extension numbers, and the email address book of email addresses. To your applications and other access queries you may need to present an integrated view, assembled through a virtual manager that keeps each database the authority for its own attributes.
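The following is an added illustration of such a virtual manager, not code from the original article: each attribute is read from, and may only be written through, the source that owns it, and copies held elsewhere are reported as conflicts. The three sources, the employee record and the authority map are constructed for the example.

```python
# Constructed sample authoritative sources (not real systems): each holds the
# attributes it owns, keyed by employee number. The phone book also carries a
# stale copy of the name, which it does not own.
HR = {"E1001": {"name": "Asha Rao", "dob": "1985-04-12", "employee_no": "E1001"}}
PHONEBOOK = {"E1001": {"phone": "+91-80-5550-1234", "extension": "4421",
                       "name": "A. Rao"}}
EMAIL_BOOK = {"E1001": {"email": "asha.rao@example.com"}}

# Authority map: which source may speak for which attribute (assumed split).
AUTHORITY = {
    "name": "hr", "dob": "hr", "employee_no": "hr",
    "phone": "phonebook", "extension": "phonebook",
    "email": "email",
}
SOURCES = {"hr": HR, "phonebook": PHONEBOOK, "email": EMAIL_BOOK}

def virtual_view(employee_no, attributes=None):
    """Assemble one user object, taking each attribute only from its owner.
    Non-authoritative copies (like the name in the phone book) are ignored."""
    wanted = attributes or list(AUTHORITY)
    view = {}
    for attr in wanted:
        owner = AUTHORITY.get(attr)
        if owner is None:
            raise KeyError(f"no authoritative source defined for {attr!r}")
        record = SOURCES[owner].get(employee_no, {})
        if attr in record:
            view[attr] = record[attr]
    return view

def update(employee_no, attr, value, via):
    """Route a write to the owner; refuse it if the caller is not that owner."""
    owner = AUTHORITY.get(attr)
    if via != owner:
        return False
    SOURCES[owner].setdefault(employee_no, {})[attr] = value
    return True

def find_conflicts(employee_no):
    """Audit: attributes held by a source that does not own them and that differ
    from the authoritative value. Returns (source, attribute, stale value) tuples."""
    view = virtual_view(employee_no)
    conflicts = []
    for name, source in SOURCES.items():
        for attr, val in source.get(employee_no, {}).items():
            if AUTHORITY.get(attr) != name and view.get(attr) != val:
                conflicts.append((name, attr, val))
    return sorted(conflicts)
```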
Challenge 10: Resting is not an option
Now that you have done your part, deployed the IAM architecture, and your management has just announced an award for your team for a job well done, we can pack our bags and go home. Wrong. Your work has just begun. Before you know it, your system will come crumbling down, or bring the entire organisation to its knees, if the modules do not keep up with changes in the organisation and its business rules.
Way forward
To many, the organisational challenges related above may sound insurmountable. So how does one go about stitching this together? Experience has shown that attempting to 'make everything right' is setting yourself up for failure: it will not happen today, and it will not happen for a very long time. Legacy systems cannot be wished away, and some business-critical COTS applications will never be compliant with the IAM infrastructure. That is OK; pick the battles you can win.
Conversely, it is not true that you do not NEED to do anything. Doing nothing will only make matters worse and all the more difficult to turn around. You need to set up architecture design standards today: establish a standard for your organisation that any new system must fulfil before it enters, the set of abilities it must have. This will at least ensure that all your newer deployments, starting today, are compliant with your standards. Focus on the low-hanging fruit. Web-based applications are the simpler targets to convert onto your company-wide IAM platform; go for them. Most horizontal applications, such as email, proxy access and database access, are also fairly compliant; plan an integration strategy for them. Leave the others for the next phase. Prepare the organisation at the management level; technology will solve only a part of the problem, so get the organisation to adopt role life cycle management practices. The processes need to be ingrained in each of the organisation's functional towers. This, we have seen, will take most of your time, but it is also the most effective way to make your IAM work for you. Last but not least, ignoring technological progress will only cause more pain at a later date. Adopt tablets, mobile access, social networks and their access management, and the machine-to-machine access of tomorrow. You never know when the business will ask you to authenticate users against the Facebook userbase. For your information, access authentication against Gmail and Yahoo accounts already exists; it is a matter of time before someone wants to use them in your organisation.
OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit, international consortium that drives the development, convergence and adoption of open standards for the global information society. OASIS promotes industry consensus and produces worldwide standards for the Smart Grid, security, Web services, XML conformance, business transactions, electronic publishing, and other applications. OASIS open standards offer the potential to lower cost, stimulate innovation, grow global markets, and protect the right of free choice of technology. OASIS members broadly represent the marketplace of public and private sector technology leaders, users and influencers. The consortium has more than 5,000 participants representing over 600 organizations and individual members in 100 countries. http://www.oasis-open.org