Taking aim at IAM

Core components of many mainstream Identity and Access Management (IAM) solutions have had to be appreciably enhanced simply to keep pace with constantly changing business and operational demands. Today, as well as providing core user access and protection services, the latest IAM product suites need to be equipped to deal with new identity and access control requirements that include: Web and remote access user communities, federated business relationships, a growing services-led information access culture, and fraudulent activity that can impact all types of information user.

However, a new report just published by Butler Group, Europe's leading IT research organisation, Identity and Access Management - Enabling Secure Access for Web, Enterprise, and Remote Users, points to the importance of enterprises recognising the core range of services that IAM already gives as opposed to being distracted by the latest product news.

"During the two years that have elapsed since Butler Group last published a report on IAM (June 2006), key functional protection requirements remain unchanged. However, what has changed very significantly in the intervening timeframe are the range of business operations and service delivery environments that need to be supported and protected," says Andrew Kellett, Senior Research Analyst at Butler Group and the report's co-author.

"However, before getting too fixated on everything new that IAM is required to address - including the range of additional Web-facing facilities and services that many leading vendors are adding into their platform-based portfolios, it is important to recognise the range of core business protection and continuity services that IAM already delivers."

The use of provable identity-based controls that match up with business and operational needs are essential

The report emphasises that the primary role of IAM is to provide facilities that deliver an acceptable balance between the need for corporate privacy and protection and the demands of the user community for open, uninhibited access to information from wherever and whenever they need it. This mixture of priorities that sets protection alongside the demand for availability is something that each organisation must scope out to fit its own specific risk profile, but in Butler Group's opinion is best served in the working environment using a fully featured, business-focused IAM approach.

For certain, extending access to corporate systems and the information that they hold to an ever-growing range of users adds significant risk to business operations, as does the need to externally collaboration with third-party business associates and supply-chain partners. Fundamentally, organisations must remain responsible for all of the information that they choose to gather in, maintain, and store. Businesses need to be fully accountable for the upkeep and protection of that information and, where it is decided to make that information available to other authorised users, the business must also accept that it remains responsible for the activities that are carried out on its behalf by third-party business partners.

Adoption of Business-to-Business (B2B) IAM Federation increases the speed and efficiency with which identity integration can be achieved

The report recognises that whilst adoption of B2B IAM Federation has been less widespread than was once expected, with a lack of strong business cases being a significant stumbling block, its use increases the speed and efficiency with which identity integration can be achieved, removing many of the barriers to inter-organisational access. Furthermore, the standards basis for federation is now sufficiently mature for it not to have an impact on investment risk.

To be effective, up-to-date IAM solutions have to be able to handle the identity management and access control demands of all types of user and application. Size and operational complexity precludes most organisations from knowing the vast majority of their information users. Therefore, access to business systems needs to be managed using rules and controls that can be fully aligned to the operational requirements of the organisation.

"The average organisation operates business systems that are accessed by many different types of user - employees, customers, business partners, and third-party suppliers to name but a few of the more high-profile groups," says Kellett. "Even within these specific groups, the rights of access to information systems can vary immensely. To maintain any sort of sensible levels of control over who is allowed to access what systems, it is essential to use provable identity-based controls that match up with business and operational needs".

IAM must be flexibly extended to devices of all types

Organisations must also ensure that protection is appropriate to the possible loss that could arise from their assets being compromised or lost, and that security mechanisms align with the need to maximise business advantage. Applications and services are, increasingly, key value centres for organisations, to which greater exposure can increase revenue streams. However, broadening access to functions is potentially also a source of increased risk, so it is extremely important to ensure that the requisite protection is built in.

The number of employees, and users from outside the enterprise, requiring use of corporate IT assets at times throughout the day and night, possibly from diverse global locations, and using different devices and connections, has increased markedly within most organisations. Applications and infrastructures are increasingly expected to support working out of office hours, from flexible national and international locations, by users that may have any of a myriad of connection types to their login accounts.

Security overall must protect corporate IT assets in these circumstances, but IAM specifically must enable identity to be verified and used reliably and securely. Therefore, in Butler Group's opinion IAM must be flexibly extended to devices of all types, and be appropriate to the business needs, as well as the security characteristics, pertaining to each user's situation.

Notes

Butler Group's report Identity and Access Management - Enabling Secure Access for Web, Enterprise, and Remote Users' is intended to provide readers with an informative guide to the subject. It looks at how businesses and their day-to-day operations should be able to benefit from deploying the type of IAM business continuity and protection solutions that are available today. The report considers all key components of IAM and how their use can provide advantages across all business sectors. It reviews approaches, tools, and methods available to business users, business decision makers, and IT. It also contains comparative Technology Audits on eleven of the industry's leading players and Vendor Profiles on a number of others.