Identity and access management (IAM) is arguably the broadest issue in IT security. Few other single concepts affect as many areas as managing identity in an enterprise business context. From enabling employees to access the internal resources they need to fulfil business aims, through companies outsourcing functionality and hardware, to consumers seeking to bank, trade or buy goods remotely, all are dependent on secure, reliable identity and access management.
In addition to enabling secure access to relevant resources of all kinds, well-structured identity management provides the lever to make huge efficiency savings that can grow exponentially over time. Badly implemented projects, however, will not only soak up precious resources but also merely automate existing problems, leading to a more costly cleanup exercise in the future. Such are the basic risks and benefits of IAM.
Alan Rodger, senior research analyst, Butler Group, said: "It's certainly a mistake to look at IAM and see it as a series of technical implementations - business needs should be the key driver here. There is a huge scope of products available in this field, from single sign-on through authentication to federation, and any IAM implementation needs to map onto business needs explicitly - there are no hard and fast rules here."
Tim Farrell, CEO and co-founder of FutureSoft, agreed: "Any enterprise looking into this area must first have a very clear idea of its goals, so that it can match protection to its environment. Far too many enterprises try to implement a whole range of security widgets, which are ultimately self-defeating. The key is to identify the 20 per cent of data that is business-critical and protect that, rather than trying to protect everything."
Farrell also believes that mapping essential data is vital: "It's key to know and map exactly where your data is stored, and this is often not as easy as it sounds. Local machines can cache data for performance reasons, and this needs to be acknowledged and analysed. It's important not to get too paranoid and set your security levels too high, though, as it's perfectly possible to step back ten years in performance terms by encrypting all your storage and disabling caching."
Simon Godfrey, director of security solutions, CA, believes that IAM can be the most complex project going. "It's without doubt one of the most challenging projects a business can undertake, and people really are the key to this one. Technology is very much in second place. It's all about ensuring you have strong methodology and have best practice policies in place, as well as keeping the complex process on track with a high level of project governance. Ultimately, IAM is less of a project, more of a programme."
Many businesses will have begun an IAM programme some years ago, and often in single departments or for individual groups of users, such as secure sign-on tokens for remote workers or finance department staff. As demands and technology change, many large enterprises find they are operating several overlapping systems. The integration of these can be a headache, but will bring in extensive cost savings in the future.
This is one of the key benefits of IAM, explains Godfrey: "Often, identity management processes are either manual or semi-manual, and automating these can offer genuine cost benefits. A simple example here is password resets. These soak up huge amounts of helpdesk time, and deploying single sign-on can cut costs drastically. One implementation we did for BT ended up saving it $4.5m per year. And federating new services, such as web services, can cut rollout times and increase flexibility hugely."
The broadening scope of federated management systems makes the task of deployment more complex, but also far more rewarding. Once authenticated identities can be used in a portable fashion across autonomous security domains, administrative efficiency can improve enormously. However, cross-domain B2B deployments are even more complex, and strict adherence to standards is critical to success.