Let’s Do More than Mind the IAM Gap, Let’s Close it with Risk-Driven IAM

We, customers and vendors, have a single goal on how identity and access management (IAM) should work. IAM should ensure that the right people have the right access to the right resources, and that they are doing the right things with that access. Sounds simple doesn’t it? But as too many people have discovered, it is easier said than done.

The difficulties of managing end user access are intensifying for a host of reasons linked to specific business, technology and compliance issues.

Firstly, IAM solutions must be applied across more complex infrastructures composed of many different applications, systems and networks. Every computing system has specific individualised and optimised access controls, which makes it difficult to implement one single IAM process across the enterprise, especially considering applications are distributed across business units and geographical locations, on-premise and in the cloud.

The next key major challenge is how to ensure that only the right information is available to the appropriate people at the right time. The issue here is that fairly common aspects of running an organisation can risk exposing sensitive data. For example, onboarding a new customer or employee, promoting a staff member, terminating a contractor, merging companies or departments, or delivering a new product, all require access to sensitive and potentially confidential information. In all these cases, how can you assure that the right person has the right access to right information and uses it correctly?

As evidenced by so many cases where the cause of data breaches can be traced back to a preventable error or bad practice, there are some deep rooted challenges related to understanding and monitoring access risk.

Traditional IAM implementations, for instance, start with user provisioning – an administrative step that ensures user access rights align with business processes from the start. Then companies perform periodic reviews or certifications – say, every three, six, nine, 12 months – to certify that those access rights are in order.

But many things change between the provisioning step and the certification reviews that can pose access risk: business changes, infrastructure changes, regulatory changes, new resources coming on line, new roles, policies, rights changes, hirings, firings, transfers. On top of all of these changes, significant holes can occur in the certification process – for example managers without the necessary time or understanding to correctly complete the process.

Taken together, these factors result in a wide identity and access management gap (IAM Gap) that leaves an organisation’s sensitive company information at risk to internal and external threats. To date, attempts to close the IAM Gap have been ineffective as existing IAM approaches do not offer the needed flexibility and up-to-date view of access risk.

One positive step in resolving this issue is to hardwire the changes of access rights into to key business processes like hiring or firing. When the business action that impacts access occurs, the access automatically complies with policies and regulations.

Identity and Access Governance (IAG) tools, such as automated access certification and remediation, also help organisations achieve this and ensure that access rights are in order. For example, when a business manager finds that one of his or her staff has excessive access, they can automatically kick off a remediation process to revert their access to their role, delete it, disable it, etc.

However, despite the value of User Provisioning and IAG, closing the gap between User Provisioning and Access Certification still remains a significant challenge for organisations due to the lack of a real-time 360 degree view of access risk.

Businesses need to take into account the fact that risk is in fact dependent on the interaction of all elements of access, including: Identity Context (who the people are and what they are responsible for); Policy (what the business policies and regulations are); Rights (what access rights those people have); Resource Context (what types of resource they are trying to access); and Activity (what they are actually doing with their access).

By considering all these elements, businesses will be able to deliver an IAM strategy that holistically addresses access risk. This could be achieved through a dynamic and real-time system that brings together all access risk factors to effectively address access risk management concerns. This will enable businesses to:

• Identify and evaluate risk in near real-time and get a clear view of where the greatest vulnerabilities lie and how access risk is changing
• Dig deep into the analytics to understand what is actually driving the risk so they can drive immediate remediation
• Understand the trending of risk over time and implement more effective preventive measures
• Predict future areas of risk to fix the fundamental business process issue and not just symptom

Identity & Access Intelligence enables customers to identify and evaluate risk, even as elements within the company change. With this approach, organisations can understand access risk and how to control it, while predicting and addressing future areas of risk before data breaches occur.

To learn more about new risk-driven approaches to IAM, attend the seminar session I’ll be hosting at Whitehall Media’s Identity Management 2012 conference at 12.15 am, 6th November at London Russell Hotel.

Marc Lee, EMEA Sales Director at Courion

Lee has more than a decade of experience in selling enterprise software across EMEA, as well as building partner programmes from scratch. Prior to Courion, Lee was responsible for building sales and channel programmes for Imprivata in Northern Europe. He built the company’s pre-sales and sales team, and also helped develop key strategic partnerships with Siemens, VMWare and Connecting for Health.

Prior to his position at Imprivata, Lee served as the EMEA Partner Manager for JBoss, where he implemented that company’s partner program and was responsible for building the channel in the UK and EMEA. He began his career at SilverStream Software, and later transitioned into a role as a sales manager at Novell when it acquired SilverStream in 2002.

About Courion

Courion Corporation delivers software solutions that effectively and securely manage access risk. More than seventeen million users across more than 500 organizations rely on Courion’s access risk management technology to align user access privileges with corporate and regulatory governance policies, identify where access risk exists and settle risks as necessary in real time. Courion’s cloud and on-premise solutions provide a full range of identity and access management functionality so that organizations can enhance security, demonstrate compliance and achieve quick time-to-value. For more information, please visit our website, our blog, or on Twitter.