Information Lifecycle Management

Matt Johnston (North America) - Eight Best Practices for Identity and Access Management

The trend of consumer-based technology driving enterprises is increasing as organisations continue to adopt traditionally consumer technologies like the iPad and Windows 7. This changes the way businesses operate and manage desktops and applications.

There are considerable opportunities for organisations to leverage these technologies to increase productivity and efficiency, especially in highly mobile working environments. Despite the benefits, they can provide a challenge for IT managers in creating new security and access management policies.

There is also the possibility of third party hosted "stores" being used for provisioning line-of-business applications, which again brings security and access management to the forefront of the way businesses interact with and manage technology.

A recent study of 10,000 information security professionals by Frost and Sullivan found that threats from mobile devices, the cloud, social networking and insecure applications have led to information security professionals reporting that they are only just coping with the additional workload needed to maintain a secure environment.

The study also found that 70% of respondents reported having security policies and technology in place for mobile devices, but mobile devices were still ranked second on the list of security concerns.

The fact is organisations must ensure they have an on-going identity and access management (IAM) system in place to keep up with the proliferation of consumer devices and applications in the workplace.

Quest Software has developed these eight best practices to help organisations cope with the consumerisation of the enterprise.

1. Define the workforce
An organisation's workforce is managed by the human resources (HR) department. HR also has to manage information about non-employees, such as contractors, most of whom require access to company resources.

Use the HR systems as much as possible as an authoritative source of data for the IAM system to avoid repetitive work, errors, inconsistencies and other problems as the system grows.

2. Define identities
Implement a single, integrated system that provides end-to-end management of employee identities and retires orphaned or unneeded identities at the appropriate time.

Organisations typically have a primary directory service, a messaging system, and an enterprise resource planning system, which can all be integrated into the overall identity management architecture. Each disparate system will have its own user accounts but the integrated system maps most identities to these accounts.

3. Provide knowledge and control to business owners
Regularly answer the question, "Who has access to what?" IT coordinates the inventory of identities and permissions and provides that information to business data owners and custodians.

Let business data owners manage access to their data and provide central reporting and control over those permissions. Determine who has root access in the data centre, as not every person needs full access rights to every system.

4. Implement processes to manage IT changes
Although technology is about embracing change, unmanaged change causes problems. Implementing a 'request and approval' workflow provides an efficient way to manage and document change.

5. Automate provisioning
New users, users who leave the organisation, and users who move - or are promoted or demoted - need to be managed. Provisioning, de-provisioning and re-provisioning are often time-consuming manual tasks. Automating them can reduce overheads, reduce errors and improve consistency.

6. Become compliant
Many companies are affected by one or more industry or governmental regulations. IAM can play a central, beneficial role in helping an organisation become and remain compliant.

Focus on clearly defining and documenting the job roles that have control over data, as well as the job roles that should have access to auditing information.

7. Check and re-check
In a well-designed IAM system, permissions are typically assigned to job roles not individuals, but organisations are still likely to assign permissions as needed and never review them again, inviting security risks.

Permissions require periodic re-certification. Organisations need to review who has access to what and determine whether or not they should still have those permissions. Define job roles within the organisation that can recertify permissions, such as system owners, managers and information security officers.

8. Manage roles
Permissions are best assigned to job roles not individuals. Making those roles correspond to real-life job tasks and job titles is a powerful way to manage identities and access over the long term.
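The reconciliation that practices 1, 2, 7 and 8 describe, as an added example (not from the original article or from Quest Software): accounts from several systems are checked against an HR feed treated as the authoritative source, and flagged when orphaned, due for de-provisioning, holding permissions outside the owner's job role, or overdue for re-certification. All names, systems, permission strings and the 180-day review interval are constructed assumptions.

```python
from datetime import date

# Constructed sample data; every identifier here is hypothetical.
HR_RECORDS = {  # authoritative source, including non-employees
    "e100": {"role": "accountant", "status": "active"},
    "e101": {"role": "dba", "status": "terminated"},
    "c200": {"role": "contractor-dev", "status": "active"},
}
ROLE_PERMISSIONS = {  # permissions belong to job roles, not individuals
    "accountant": {"erp:ledger-read", "erp:ledger-post", "mail:user"},
    "dba": {"db:root", "mail:user"},
    "contractor-dev": {"repo:write", "mail:user"},
}
# (system, account, HR id of owner or None, permissions, last certified)
ACCOUNTS = [
    ("directory", "arivera", "e100", {"mail:user"}, date(2024, 5, 1)),
    ("erp", "arivera", "e100",
     {"erp:ledger-read", "erp:ledger-post", "db:root"}, date(2024, 5, 1)),
    ("database", "bchen", "e101", {"db:root"}, date(2024, 4, 1)),
    ("repo", "cokoye", "c200", {"repo:write"}, date(2023, 6, 1)),
    ("erp", "svc_old", None, {"erp:ledger-read"}, date(2022, 1, 1)),
]

def audit(hr, roles, accounts, today, max_age_days=180):
    """Return (system, account, finding, detail) for each account needing action."""
    findings = []
    for system, account, owner, perms, certified in accounts:
        person = hr.get(owner)
        if person is None:  # no identity behind the account
            findings.append((system, account, "ORPHANED", "no HR record"))
            continue
        if person["status"] != "active":  # leaver whose access was never removed
            findings.append((system, account, "DEPROVISION", person["status"]))
            continue
        # Anything beyond the role's permission set was granted ad hoc.
        excess = perms - roles.get(person["role"], set())
        if excess:
            findings.append((system, account, "EXCESS", ",".join(sorted(excess))))
        if (today - certified).days > max_age_days:  # re-certification overdue
            findings.append((system, account, "RECERTIFY", f"last {certified}"))
    return findings

if __name__ == "__main__":
    for finding in audit(HR_RECORDS, ROLE_PERMISSIONS, ACCOUNTS, date(2024, 6, 1)):
        print(*finding, sep="\t")
```

The findings list is the input a business data owner or information security officer would review; acting on it belongs in the request-and-approval workflow from practice 4.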

By Matt Johnston, Regional Director of Product Management (Asia Pacific & Japan), at Quest Software.



