With users accessing systems from ever more obscure points of entry, how do you keep control of access privileges? We look at the software that may have the answer.
Balancing data security against accessibility has been a ubiquitous problem of the last decade. As the range of software that users have to work with has broadened and security's remit has grown, IT administrators have struggled to keep control of system and application access without complicating the login process. Identity access management (IAM) software has emerged as an important tool for administrators trying to regain control.
Research firm Gartner has estimated that companies are spending roughly 8 per cent of their data security budget on IAM tools. These encompass many elements: user provisioning, Web access management, role-based access, and single sign-on tools are the most popular, with privileged account and entitlement management perhaps the most critical.
The project-led model for many ICT implementations, and the rise of the 'mobile enterprise', have also contributed to the picture. IAM software has compelled IT strategists – and software engineers – to revisit the issue of user identity and the integration of access procedures from new directions.
Although it has something to offer the IT functions in most enterprises, IAM is particularly useful in larger organisations providing systems access for thousands of employees or associates. Identity and security management vendor Lieberman Software, for example, estimates that its clients have an average 70,000 users, with around 30 per cent of its business coming from the US national defence industry.
Another IAM vendor, Pirean, says its main body of customers comes from the financial services industry, followed by public sector and government organisations which are often separated into multiple departments that require federated identities to access each other's systems.
The case for implementing IAM is straightforward. It is anchored in cost and time savings for the IT department, allied with the need to guard against growing identity fraud and corporate sabotage. This is topped off by corporate governance and regulatory compliance demands that require constant auditing of all user activity.
'IAM addresses problems like having too many IDs and passwords for people to do their job, responding to regulatory compliance requirements quickly and accurately, and securely opening up corporate IT applications to broader audiences through better access options,' explains Gartner vice president Earl Perkins.
Unauthorised data or system access by internal staff, or by ex-employees, remains a threat. Research conducted by IAM specialist Quest Software in the US found that 51 per cent of IT departments were concerned about insider threats; perhaps unsurprising, given that one in ten said they still had accounts on previous employers' systems long after leaving the company. Perhaps more alarming was that 52 per cent of all employees polled admitted they had shared work log-ins and passwords, although not necessarily for felonious purposes.
Lieberman Software recently teamed up with Q1 Labs to integrate its application with that company's open security intelligence protocols, log event enhanced format (LEEF), and asset exchange information source (AXIS). The aim is to help companies reduce security threats and anomalies coming from individual staff using shared accounts.
'IAM provides a smoking gun – there are lots of companies where users have shared passwords across the infrastructure, and where people who have left the company years before can still log in to administrative accounts,' says the company's president and founder Phil Lieberman. 'By linking it to security information event manager (SIEM) software, when a password is checked in or checked out, those become SIEM events and we can export them into RSA, Q1 Labs or whatever SIEM software they are using with the individual name of the user next to the event.'
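The check-out/check-in events Lieberman describes, and the shared-account and departed-employee problems raised above, can be illustrated with a small defender-side script. This is an added example, not code from the article or from any vendor named in it: the vendor and product strings in the LEEF header, the custom attribute keys sharedAccount and targetHost, the event names PasswordCheckOut/PasswordCheckIn, the eight-hour return window and the sample vault records are all constructed here. It serialises each vault action as a LEEF 1.0 line (the pipe-delimited header and tab-separated key=value attributes that format uses), parses it back, and runs three checks a SIEM rule set would carry: activity by an identity HR has marked as departed, attribution of each shared account to the named people who borrowed it, and privileged passwords checked out but never returned.

```python
"""Added example: privileged-password vault events as LEEF records plus three SIEM-style checks.
Everything below (vendor name, attribute keys, event names, sample data) is constructed for
illustration and is not taken from the article or any real product."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

LEEF_VENDOR = "ExampleVendor"   # constructed placeholder, not a real vendor
LEEF_PRODUCT = "PrivVault"      # constructed placeholder, not a real product
LEEF_VERSION = "1.0"
TIME_FMT = "%b %d %Y %H:%M:%S"  # LEEF devTime convention, e.g. "Mar 04 2024 08:00:00"


@dataclass(frozen=True)
class VaultEvent:
    """One privileged-password action, always attributed to a named person."""
    event_id: str       # "PasswordCheckOut" or "PasswordCheckIn" (assumed names)
    when: datetime      # UTC time of the action
    user: str           # the individual (LEEF usrName), never the shared account itself
    account: str        # shared/privileged account being borrowed, e.g. root
    target: str         # host that account lives on
    src_ip: str         # address the request came from


def to_leef(ev: VaultEvent) -> str:
    """LEEF 1.0: 'LEEF:1.0|Vendor|Product|Version|EventID|' then tab-separated key=value pairs.
    usrName, devTime and src are standard LEEF keys; sharedAccount/targetHost are custom (assumed)."""
    header = f"LEEF:1.0|{LEEF_VENDOR}|{LEEF_PRODUCT}|{LEEF_VERSION}|{ev.event_id}|"
    attrs = {"devTime": ev.when.strftime(TIME_FMT), "usrName": ev.user, "src": ev.src_ip,
             "sharedAccount": ev.account, "targetHost": ev.target}
    return header + "\t".join(f"{k}={v}" for k, v in attrs.items())


def parse_leef(line: str) -> Tuple[str, Dict[str, str]]:
    """Inverse of to_leef: returns (event_id, attributes); rejects anything not LEEF 1.0."""
    parts = line.split("|", 5)           # maxsplit keeps any '|' inside attribute values intact
    if len(parts) != 6 or parts[0] != "LEEF:1.0":
        raise ValueError(f"not a LEEF 1.0 record: {line!r}")
    attrs = {}
    for kv in parts[5].split("\t"):
        if kv:
            key, _, value = kv.partition("=")
            attrs[key] = value
    return parts[4], attrs


def from_leef(line: str) -> VaultEvent:
    """Rebuild the event a SIEM would see from the exported line."""
    event_id, a = parse_leef(line)
    when = datetime.strptime(a["devTime"], TIME_FMT).replace(tzinfo=timezone.utc)
    return VaultEvent(event_id, when, a["usrName"], a["sharedAccount"], a["targetHost"], a["src"])


def departed_user_activity(events: List[VaultEvent], departed: Set[str]) -> List[VaultEvent]:
    """Rule 1: any vault action by an identity the leaver list says has gone (should be impossible)."""
    return [e for e in events if e.user in departed]


def shared_account_attribution(events: List[VaultEvent]) -> Dict[Tuple[str, str], List[str]]:
    """Rule 2: for each (account, host), the named people who checked it out, in first-seen order.
    This is what turns an anonymous 'root logged in' into a list of accountable individuals."""
    seen: Dict[Tuple[str, str], List[str]] = {}
    for e in events:
        if e.event_id == "PasswordCheckOut":
            users = seen.setdefault((e.account, e.target), [])
            if e.user not in users:
                users.append(e.user)
    return seen


def unreturned_checkouts(events: List[VaultEvent], now: datetime,
                         max_age: timedelta = timedelta(hours=8)) -> List[VaultEvent]:
    """Rule 3: check-outs with no later check-in by the same user for the same account/host,
    older than max_age. Events are sorted by time so ordering of the input does not matter."""
    open_checkouts: Dict[Tuple[str, str, str], VaultEvent] = {}
    for e in sorted(events, key=lambda ev: ev.when):
        key = (e.user, e.account, e.target)
        if e.event_id == "PasswordCheckOut":
            open_checkouts[key] = e
        elif e.event_id == "PasswordCheckIn":
            open_checkouts.pop(key, None)
    return [e for e in open_checkouts.values() if now - e.when > max_age]


# Constructed sample data: four people borrowing two shared accounts over one morning.
T0 = datetime(2024, 3, 4, 8, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    VaultEvent("PasswordCheckOut", T0, "alice", "root", "db01", "10.0.5.21"),
    VaultEvent("PasswordCheckIn", T0 + timedelta(minutes=40), "alice", "root", "db01", "10.0.5.21"),
    VaultEvent("PasswordCheckOut", T0 + timedelta(hours=1), "bob", "root", "db01", "10.0.5.33"),
    VaultEvent("PasswordCheckOut", T0 + timedelta(hours=2), "carol", "Administrator", "ad01", "10.0.7.9"),
    VaultEvent("PasswordCheckIn", T0 + timedelta(hours=2, minutes=15), "carol", "Administrator", "ad01", "10.0.7.9"),
    VaultEvent("PasswordCheckOut", T0 + timedelta(hours=3), "dave", "root", "db01", "203.0.113.5"),
]
DEPARTED = {"dave"}               # constructed leaver list from HR
NOW = T0 + timedelta(hours=12)    # time at which the checks run


def run_checks(events=SAMPLE_EVENTS, departed=DEPARTED, now=NOW) -> dict:
    """Export, re-import as a SIEM would, and apply the three rules to the re-imported events."""
    reimported = [from_leef(to_leef(e)) for e in events]
    return {
        "roundtrip_ok": reimported == list(events),
        "departed": departed_user_activity(reimported, departed),
        "shared": shared_account_attribution(reimported),
        "unreturned": unreturned_checkouts(reimported, now),
    }


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(to_leef(ev))
    results = run_checks()
    print("departed-user activity:", [e.user for e in results["departed"]])
    print("shared-account attribution:", results["shared"])
    print("unreturned check-outs:", [(e.user, e.account) for e in results["unreturned"]])
```

The check-in and check-out events are matched per person, not per account, so two people holding the same root password at once each appear in the unreturned list separately, which is the attribution Lieberman is describing: the event carries the individual's name, not just the shared account.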
IAM software can reduce the administrative burden for the IT department by getting new employees registered for access to services and applications more quickly. Reporting tools can provide statistics regarding which applications have the most users, or biggest turnover of registered users, which usefully inform IT planning.
'When you bring somebody on board, how long does it take to get them up and running when you have to manually provision new accounts?' asks Pirean managing director Stuart Wilson. 'It is unreliable, time-consuming and cost-intensive.'
According to the Quest survey, 25 per cent of IT professionals spend more than 30 minutes a day logging into different websites and databases using different credentials as part of their normal working operations, and 65 per cent of employees contact the IT department help desk at least once a month to sort out data or application access problems.
In recent years, with the ICT function becoming the most regulated department in most enterprises, an increased focus on risk management, compliance, accountability and transparency has expanded IAM's remit. You can only demonstrate accountability and transparency with a proper audit trail that details who accessed what, and how, and this type of monitoring is becoming an increasingly important element of every IAM solution.
'People think it is just about giving people access and auditing, but it is also about what they are doing with those systems and where they are accessing them from,' adds Pirean's Stuart Wilson.
A broad range of regulatory requirements, everything from data protection and Basel II rules in Europe to Sarbanes-Oxley (SOX) legislation in the US, proprietary acceptable usage policies (AUPs), or just a desire to implement best-practice, is sufficient motivation for some organisations. And IAM can also be rolled into risk management policies to help organisations predict how technology changes will affect their operations from a security and compliance perspective. This holds appeal for IT directors keen on marshalling more ways to demonstrate the contribution made by 'back office' IT to general and specific business efficiency.
Online consumer protection
IAM principles can also be applied to external users, such as customers, partners, and other stakeholders. In some respects, the most interesting use of IAM is not to safeguard data within the corporate firewall, but to facilitate and protect consumer online activity in the e-commerce sector.
Says Pirean's Stuart Wilson, 'If you are going to publish anything to the end user – in e-commerce activities, for example – people are now very savvy about the look and feel of a website, and they want the right mix of credentials without having to go into multiple secure structures. If my bank uses a cloud computing service, and white labels that service to me as a customer, I would not want to log-on with different credentials, for example, rather a single sign-on using the trusted details that I have already.'
Lieberman Software, meanwhile, deals with credit-card companies looking to detect fraudulent use of their customers' cards by providing identity-management software that tracks the IP address of online transactions, looking for any deviation from a customer's normal pattern. Where online banks deal with customers solely through Internet access, such intelligence augments standard information security provision.
'When things go wrong they have no way of knowing who was responsible – either the user or the application, for example – and the biggest issue is the inability to respond in real time meaning a breach can continue indefinitely,' says Phil Lieberman at Lieberman Software.
IAM moves into the cloud
Some IAM applications, including Pirean's, are now provided as hosted platform and software as a service (PaaS/SaaS) delivered through a cloud-computing model, as more organisations look to transfer both the grunt-work and onus of responsibility for security management onto another party.
Arguments about the relative security and performance of all cloud-based services continue to rumble on, and Wilson admits that putting identity details in the cloud does make them twice as exposed to exploitation as before, if only because it involves replicating a private data store. Perkins agrees that extending management requirements for identity and access outside the corporate firewall does open up more potential vulnerabilities simply because more people are involved.
'There are more participants in management and use, from administrators now responsible for provisioning enterprise users to cloud-based applications to administrators that must manage access to the cloud applications,' says Gartner's Perkins. Which is to say that outsourcing may appear to remove the burden of some tasks, but introduces new levels of access administration that complicate the model.
Lieberman's software helps cloud service-providers manage millions of their own customers' identities. He argues that cloud-based enterprise IAM may face practical barriers beyond security: the difficulty of handling data feeds from multiple sources, combined with the sheer scale of the data kept in security information event manager records, which can run into terabytes and petabytes in some cases, means this type of software is generally better suited to running over local-area networks (LANs) than wide-area networks (WANs). All commentators agree there is still much work to do in evolving access requirements for cloud-based IAM, with both providers and their customers needing to find ways of better integrating their respective systems, local and remote, to guarantee security and access performance. The best approach, according to Perkins at Gartner, is to take things slowly and carefully, adopting a hybrid and integrated approach between enterprise-based IAM and cloud-based resources.
That integration nevertheless presents a significant challenge, not least because the IAM software has to process data from the various security applications it is called upon to manage, often across different networks. Single sign-on, for example, requires that the software be able to substitute a single username and password for multiple security systems, and it has to use many different software protocols and transaction languages in order to do so.
At the same time, 'You are never certain things are going to integrate properly, despite all the development work that has been done,' observes Pirean's Stuart Wilson.
'Third-party platforms and processes have been with us in IAM for some time through hosted-managed services, so there is experience in the area in doing so,' adds Perkins, 'but the further up the complexity chain you go in IAM, the harder it becomes. Simple services begat simple platforms and processes, wherever they are managed.'