Q&A: Identity and Access Management
What’s driving the interest in identity and access management, and how can you address the challenges the technology presents?
In the data center there's no such thing as too much security. Interest in, and adoption of, identity and access management (IAM) solutions is growing strong. What's behind the push, what benefits does IAM offer, and what are the land mines IT should avoid when implementing an IAM project? To learn more, we turned to Idan Shoham, CTO and founder of Hitachi ID Systems.
Enterprise Strategies: Analysts are reporting strong market growth for IAM solutions, despite the economic downturn. Why?
In a February 2010 report, Market Trends: Identity and Access Management Market, Worldwide 2007-2013, Gartner estimated the growth in IAM budgets at eight percent. It forecasts that the IAM market will grow to $12 billion by 2013, with an average compound annual growth rate of seven percent.
To understand why the demand for IAM systems is growing, you have to first understand the business drivers for IAM investment -- namely, regulatory compliance and IT cost savings. The regulatory pressures are increasing regardless of the health of the economy, putting companies and public-sector institutions under increasing pressure to automate their internal controls. At the same time, especially in a difficult economic climate, everyone is trying to cut costs.
IAM systems fit nicely with regulatory compliance because of these linked considerations:
- Most of the regulations that people worry about -- Sarbanes Oxley, PCI-DSS and others -- either call for stronger privacy protection or stronger corporate governance
- Both privacy protection and corporate governance depend on internal controls
- Internal controls depend on IT security
- IT security depends on the right users having appropriate access to data at the right time -- such as robust authentication, appropriate access rights, and clear audit logs
The use of effective IAM systems can also lower costs by reducing help-desk call volume associated with password problems, streamlining the administrative tasks associated with setting up access for new users or deactivating former employees, and eliminating other tasks that were previously resource dependent. Through automation of processes or the provision of access to self-service options, the resources that were once necessary to carry out these tasks can be devoted elsewhere.
As you can see, it’s a confluence of regulatory and cost pressures in the marketplace that is driving IAM growth.
What are the primary challenges that enterprises are looking to overcome with the purchase of an IAM system?
We see the motivation of organizations purchasing IAM solutions broken down into three core areas: regulatory compliance, cost, and user service.
I just explained the regulatory compliance driver.
Consider cost. In general, but particularly in challenging economic times, organizations must find ways to limit their costs. Those seeking IAM solutions are specifically looking to reduce costs relating to IT support and security administration, costs that can quickly add up without an effective IAM system in place.
Improving user service is a frequent goal for those assessing IAM systems -- both in a day-to-day sense with fewer passwords and single sign-on, for example, and in a change-management sense where it should be quick and easy to set up new access for a contractor. The fact is, passwords remain the chief authentication technology, and users’ lax approach to selecting robust passwords opens organizations up to potential regulatory violations and security threats. By using self-service tools to make the password selection, implementation, and deactivation processes more streamlined, security threats introduced by weak passwords and poor processes are eliminated and cost savings are realized thanks to an effective technology that supplants the need for human intervention.
Here are some concrete examples of what form the solutions to these challenges can take in the real world:
- Access deactivation for employees should be automated; when the HR system says someone leaves the company, the employee’s login IDs should be immediately deactivated.
- Security rights assigned to users should be subject to policy control. For example, a segregation-of-duties rule might specify that a user who can create new vendor records in the financial system cannot also approve payments to those vendors.
- Passwords on different systems and applications should be synchronized so that users only have to deal with one or two, not 10 or 20. Even better, passwords should be automatically filled in when a user starts an application.
- Users who forgot their password or triggered a lockout should be able to access a self-service mechanism, prove that it’s really them by supplying anything other than their password, and get a new password -- all without calling the IT support number.
Is there a one-size-fits-all solution for IAM challenges?
In a word, no.
There are really two or three variables that determine what kind of system an organization needs:
1. Is the plan to manage identity and access for internal users such as employees and contractors, or for external users such as customers? Those are very different problems. Internal users are relatively few but quite complicated. For example, there might be 10,000 employees but with 20 login IDs and hundreds of security entitlements each. External users, on the other hand, are numerous -- there could be millions -- but individually they are pretty simple.
2. Is the primary motivation to manage what users can access -- that is, to automate the administration of users and access rights -- or is it to automatically sign users into applications and control what they can access? The former is identity and entitlement management and includes things such as user provisioning and access certification; the latter is single sign-on, Web access management, and federation. These are totally different product categories.
3. Is the bias in favor of a more product-like solution or more of a development environment? Some products have less flexibility but more built-in features and others look a lot like a development environment, with relatively few features built-in but the ability to develop highly customized business processes and data flows.
An organization that can answer these questions will be well positioned to choose the right product for its business.
What is considered a best-practices approach to selecting an IAM system?
Recent vendor consolidation in this space has left the market unsure of where to turn for a solution that will meet their needs.
In its most recent “Magic Quadrant for Using Provisioning” report, Gartner asserted that customers must respond to the pressures created by vendor consolidation by looking beyond brand and instead evaluating their options based on key differentiators that include:
- Price, including flexibility of pricing for deployment, maintenance and support programs
- Delivery time of projects to meet business needs
- The need for and cost of custom development
- Other customer experiences, including satisfaction with installed provisioning systems
What are the biggest mistakes organizations make in their ongoing use of IAM?
There are quite a few common mistakes, unfortunately.
The big-bang approach: Some organizations try to deliver every conceivable feature or integration in one go. The trouble is that both the business and technical landscapes are constantly changing, so by the time you finish a big-bang project, if you finish at all, you have delivered something that nobody cares about anymore.
The headless project: IAM systems impact a lot of stakeholders, including application owners, infrastructure people, IT security, the IT help desk, auditors, and regulatory compliance officers, among others. It’s very hard to get them all to pull in the same direction. Without an actively engaged project sponsor, these projects quickly stall.
The implementation SWAT team: Some organizations like to have one team of people implement new systems and a different team maintain them. That may work well for systems that don’t change much after they are deployed, but it’s disastrous for IAM systems, which constantly evolve. The sustainment team in these cases usually doesn’t have adequate skills and is not sufficiently invested in the success of the system to keep it running for more than a year or two.
What should an organization do to improve the outcome of an identity and access management project? What best practices can you recommend to avoid common mistakes?
Phased implementation: At Hitachi ID Systems, we are big proponents of the phased implementation approach. We encourage our customers to think of their IAM system as a program, not a project. They may well have an initial deployment project, but as soon as that’s done, they will start their second-phase implementation, then the third phase, and so on. A successful IAM system is a living system, with new features, integrations, business processes, and versions being implemented indefinitely.
Under investment: IAM systems are complex, touching a lot of infrastructure and a lot of business process. Because of these numerous interaction and integration points, considerable work is needed to build them and then still more work is required to keep them running and evolving alongside the organization. As part of the sales process, some vendors will set unrealistic expectations about both deployment and ongoing maintenance. When customers accept those assurances, often made only to secure the sale, they do not assign enough people or budget to the system and this leads to failure.
The long list of common mistakes may paint a gloomy picture, but the good news is that these are actually rather simple problems to address. Organizations that dedicate the appropriate budget to a program, that have strong and active project ownership, that break up their deployment into manageable phases, that assign an IAM program management team, and that invest in the long-term success of their system get great results for their effort.
What does the increased adoption of cloud and software-as-a-service applications mean for IAM users and vendors?
First, let’s define what we mean by "cloud." The two cloud computing approaches that apply are "public clouds," where you can provision new servers in minutes, not months; and software-as-a-service (SaaS).
Cloud computing is certainly the big trend these days. It promises to substitute operating expense for capital expense in IT spending, and maybe save a few bucks on the way. Users need to select a vendor that has tools that consider this trend. Vendors need to offer systems that take into account this changing reality and offer ongoing support for and integration with cloud and SaaS applications.
As far as technical implications, there are few, if any. Really, there are just two broad scenarios that we have to think about:
1. The IAM system stays inside the corporate perimeter, but some of the applications that users have access to move out to the cloud.
2. The IAM system itself moves out the cloud, but some of the applications that it manages remain inside the perimeter.
The perimeter is a key concept here, because in both cases, you have to establish communication and control that skips over it, that is, over corporate firewalls.
In the first instance, vendors need to provide connectors in the traditional IAM system capable of managing users on the particular cloud-hosted application such as SalesForce.com and Google Applications, for examples.
In the second instance, what you really need is a vendor that you consider a trusted partner. It’s imperative that you can trust your partner to implement your IAM system, to host it on their infrastructure, to integrate it with your applications and your processes, and so on. You also need an IAM system that can "reach back" behind your firewall to manage your internal systems such as Active Directory, SAP, and the mainframe.
Although a few managed security service providers are just starting to market this type of offering, it’s really a fledgling business because they generally don’t have the consulting teams required to implement IAM integrations and to automate IAM business processes.
On the technical side, the IAM system installed at a SaaS vendor’s facility needs to have a proxy server inside your network that talks to your applications on its behalf.
Another impact of cloud computing is that it is already driving wider adoption of federation, which means that users don’t have to manually sign into SaaS and other cloud-hosted applications manually. I think that’s a great use case for federation, but it’s relatively straightforward -- in other words, go ahead and do that, don’t worry about it, and instead focus your energy on how you manage users, passwords, and entitlements in the first place.
What products does Hitachi ID Systems offer enterprises looking to overcome their IAM challenges?
We recently streamlined our product offering into just three applications. Hitachi ID Management Suite’s components can be purchased individually or together.
Hitachi ID Identity Manager offers user provisioning, role-based access control, segregation of duties, and access certification; it handles user on-boarding, deactivation, approvals workflow, identity synchronization, role-based access control, and more.
Hitachi ID Password Manager can synchronize and reset passwords and can manage enrollment of security questions, reset PINs on smart cards, or help users unlock their PCs if they have hard-disk encryption and forgot their password.
Finally, the newest part of the suite is Hitachi ID Privileged Password Manager, controls and audits access to privileged accounts by randomizing passwords regularly (e.g., daily); it stores passwords in a secure, encrypted, replicated vault, and controls access by a variety of means.
We developed all of these products in-house, and they share a lot of infrastructure, such as connectors, workflow processes, reports, and user interface screens.