Identity management helps organizations meet security and regulatory compliance requirements.
A growing number of regulations are forcing organizations to more tightly restrict information access, and to document the internal processes and IT controls in place to prevent unauthorized access to sensitive information. What’s more, organizations affected by these regulations have to generate an audit trail that proves compliance to internal or external auditors.
These kinds of regulatory pressures are compelling investment in identity and access management (IAM) solutions, which provide a framework for managing users and their access privileges across the enterprise. IAM tools include user provisioning, password management, strong authentication, single sign-on and other technologies, which are increasingly bundled into comprehensive platforms.
The demand for strong identity management has led to a rash of acquisitions that have enabled vendors to rapidly expand their identity management suites. Microsoft, Oracle, Computer Associates, BMC Software and other big tech players have acquired identity management technology firms within the past couple of years.
“Over the past 24 months we have seen a lot of consolidation in the identity and access management market resulting from customer demand for holistic, integrated solutions. The success of these acquisitions is in the execution and delivery of their integration plans, and we are closely watching the vendors in this area,” said Roberta J. Witty, research vice president, Gartner, Inc. “We are also seeing a shift in how identity and access management is being used in the business. Companies are looking to incorporate IAM solutions into their business processes and add business value to assist with business-critical issues such as compliance.”
Granting Permission
Faced with growing numbers of end-users who require access to IT resources, many organizations devote significant time and effort to the task of adding, changing and deleting user information and permissions. In many cases, user identities must be manually updated across disparate applications and resources, leading to data entry mistakes and delays that impact end-user productivity and increase the risk of internal security breaches.
Worse, delays in terminating access privileges when an employee leaves or changes positions can trigger red flags in a compliance audit. Auditors also look for instances where password policies and access controls aren’t uniformly enforced — such as when rights to access the purchasing system enable access to accounts payable.
IAM systems can help relieve these problems and improve the integrity of business processes. They are designed to streamline the creation and maintenance and use of digital identities, integrating business processes with the supporting technology needed to effectively manage end-user attributes, credentials and entitlements.
IAM solutions help organizations assure that users — employees, customers, distributors or partners — have secure and seamless access to the applications and other resources that correspond to their profiles. Such solutions not only aid enterprise security and regulatory compliance but also make it easier to assign privileges to large groups of users and to manage those groups more easily.
Many Benefits
Effective identity management can help organizations automate user management and roll out self-service solutions, potentially saving millions of dollars per year in help desk-related costs. According to Gartner, a 10,000-person enterprise can achieve savings of about $3.5 million in a three-year period by implementing an automated end-user identity provisioning system, primarily by cutting thousands of hours of IT and help-desk time.
IAM solutions can also improve security by ensuring the confidentiality, integrity and availability of IT resources. Given that employees are responsible for more than 70 percent of unauthorized access to information systems — and more than 95 percent of intrusions that result in significant financial losses — organizations are rightfully concerned about controlling access privileges.
Growing numbers of remote and mobile users, as well as contractors, suppliers and others who need access to enterprise systems, have complicated identity management. As access needs extend beyond the trusted network, organizations must utilize federated identity solutions to control which internal resources the external identities can access.
“Interest in identity federation continues to grow as enterprises expand the number of applications that are exposed to external business partners, suppliers and customers,” said Gerry Gebel, senior analyst with Burton Group. “These enterprises should include federation as part of their broader identity management architecture and prepare to support multiple versions and protocols, if required by partners.”
Comprehensive Approach
The ultimate goal of secure identity management is the application of corporate policies onto enterprise systems to ensure that users have appropriate access to the right resources at the right times. But that goal can’t be realized without a comprehensive, strategic approach that considers all aspects of the identity infrastructure.
Identity information across an organization must first be integrated — but with respect for authoritative sources of identity. For example, it’s not realistic to force HR personnel to stop using their internal applications in favor of a centralized identity repository and its associated interfaces. Standards are slowly being adopted within the identity management space, but most implementations still require substantial application integration efforts.
The prospect of implementing a secure identity management solution can be an imposing challenge for many enterprise customers. Not only are there significant technological and political considerations but many identity management offerings are limited-purpose, addressing only provisioning or single sign-on instead of the greater problem. Deploying these “silos” of identity often only makes the situation worse.
On the other hand, a comprehensive approach to identity management ultimately makes the entire network infrastructure more secure and easier to manage. Whether contained internally or spreading across the extended supply chain, identity management is becoming a near necessity for organizations with ever-increasing numbers of end-users, applications and information resources. Many organizations are adopting IAM solutions because of regulatory compliance demands, but quickly realize the benefits of efficiency, security, flexibility and scalability.
