Showing posts with label Identity and Access Management.

Thursday, 3 March 2016

Transforming From Traditional IAM to Business Driven IAG

Providing the right people with the right access at the right time is critical in any organizational environment, irrespective of its size. In this age of explosive growth in network communications, increasing collaboration and policies like BYOD, it is challenging for enterprises to determine who has access to which resources and what they are doing with that access. Comprehensive governance control is essential to reduce the risks of unauthorized access and mishandling of sensitive data, which can take a toll on the reputation of the organization. It is also critical for complying with governance regulations that mandate access controls.

Traditional IAM (Identity and Access Management) is focused on access management, provisioning and de-provisioning, and the related compliance. Enterprises still struggle to meet compliance requirements, since it is not an all-inclusive solution. It focuses more on automating the user life cycle. Traditional IAM implementations are IT driven rather than business driven, and a provisioning-driven approach rarely achieves the expected business value. Traditional IAM is not involved in user access review or periodic user access certification. The classic example is a user who requests and is granted access to a critical application for a temporary period: traditional IAM provides zero visibility into unwanted access and its usage. Governance-driven IAG gives you real-time visibility into access changes.

Historically, IAM systems have been used in IT organizations to manage the life cycle of user accounts across multiple systems. These systems are connected to user directories to obtain users' authentication details and basic profile attributes such as name, title and department. With this information, IAM can tell who the user is, but it cannot give you information about a user's entitlements, which are key to an application because they decide what each user can do with the application and its data. The challenge with the provisioning-driven approach is illustrated by a user who requests and gets access to a CRM application. If the access is controlled using a group or entitlement, traditional IAM will provision the user to the entitlement, but it does not provide visibility into what exactly the user can do in the CRM using this entitlement.

IAG (Identity and Access Governance) systems help business people determine what a user can do within an application. They collect information about user identities, entitlements and roles from all applications. In addition, IAG provides more visibility into an entitlement in applications and presents information about each entitlement in a business context rather than a technical context. This helps business managers understand the entitlements that users request, and it enhances compliance for applications.

Governance-driven IAG concentrates on a risk-driven approach. It is also more focused on entitlement management, which can provide a more granular level of visibility into user access. This approach enables periodic user access review and certification of user access. Governance-driven IAG focuses more on the fast integration of applications across multiple platforms and provides more visibility into user access. This model ensures appropriate access for all users, automates the user access review process and simplifies the provisioning and de-provisioning problem.


In today’s complex IT landscape, where solutions depend on multiple heterogeneous platforms and enterprise applications extend their presence into the mobile and cloud space, tighter regulatory controls are required to protect enterprise data from unauthorized access. Governance-driven Identity and Access Management allows organizations to review, audit and enforce policies for fine-grained access privileges across the IT environment. It can also bring in end-to-end visibility and control across all critical systems and applications – a breadth of coverage that is more efficient and reliable than traditional IAM solutions.

Monday, 26 October 2015

Choosing the best IAM Suite for your Organization: Criteria Checklist


An Identity and Access Management solution (IAM) can make or break your organization’s security posture. There is no one ‘right’ solution since the solution that you choose will depend on any number of factors: the size of your organization (will decide the scope of the solution); the level of granularity you need (will decide how feature-rich you want it to be); your budget, etc.

Some criteria to consider when evaluating IAM solutions:

On-premise or cloud-based?

This choice depends on your business objectives. On-premise solutions are perceived as more secure and as allowing the enterprise greater control over the location of data. However, a cloud solution can be implemented faster, is flexible and scalable, and is cheaper to deploy. Many solutions in the market today are a hybrid of the two, and may best suit your needs.

How interoperable is the solution?

Look for a solution that can be easily integrated with various types of directories, any third-party authentication systems that you use, as well as all the applications that your employees, customers and vendors need access to.

A point solution or full IAM suite?

The initial payout on point solutions may be lower, but deploying a full IAM suite confers long-term benefits that outweigh the higher upfront investment. A full-featured suite covers all aspects of identity and access management, doing away with the need to invest in multiple point solutions and thus reducing complexity as well as the resulting cost of integration.

Does the solution offer a high level of automation?

An automated IAM solution reduces effort around provisioning and de-provisioning. For instance, the identity and access components will be integrated such that a change in job role (hence, user identity) will automatically change associated access rights. The automation of provisioning, re-provisioning, and de-provisioning reduces time and effort spent, as well as human error.

Does the solution cover reporting and auditing requirements?

The complex nature of compliance necessitates a tool that goes beyond identity and access management to aggregate and track audit logs. Such tools monitor events and alert users to possible compliance violations.

Does the solution offer self-service features?

Self-service features enable productivity. Features such as password resets and unlocking accounts, when available through a secure and self-service portal, take away the necessity for a fully functioning help desk, driving down costs and increasing the efficiency of employees.

Does the solution have a friendly, customizable user interface?

A solution with sophisticated dashboards offers a high-level overview that is of great value to business users.

Finally, look for a solution that is scalable and highly available, especially when it comes to key functions such as provisioning, authentication, and access management. Additionally, it should not just answer your current needs but also have the potential to evolve and scale up to meet planned future needs.

Last Word

As important as the solution is the implementation team that you choose to deploy it. A good implementation partner can ensure quick deployment with a rapid return and minimum business disruption. To determine the right implementation partner for your needs, consider:

  • Location (single point or multiple) and geographical reach of the company
  • Skill base and service offerings
  • Managed Services capability (if that is what you are eventually heading towards)
  • Agility and flexible pricing models
  • Expertise in the chosen solution
  • Ability to offer round-the-clock support
  • Service Level Agreement

Look for an implementation partner with the necessary expertise, resources, and capabilities to help you with a complex implementation and post-implementation support. Do not forget to ask around and listen to what the market has to say about the company.




Monday, 21 September 2015

Identity and Access Management

With organizations increasingly focusing on access governance (as they should!), it would be foolish to underestimate the importance of Identity Management. Data on the what, why and when of information access must be complemented by the knowledge of who accesses data; in other words, the identity of the person accessing data. Identity management refers to the process of creating and implementing policies that define roles for every member of the organization (employees and vendors), and their associated privileges and access rights. The level of access that a user enjoys to applications, data, and different parts of the network is defined by his role and responsibilities, and what he needs to perform his job.

An identity management system also helps to automate the provisioning, re-provisioning and de-provisioning of users, reducing time and effort spent, as well as human error.

Identity management is more than simply governing user access rights. It includes: a) defining enterprise-wide access policies; b) designing reporting mechanisms; c) defining rules-based alerts for when there is an unusual request or when a user tries to access information outside the scope of his role; and d) the regular monitoring of role assignments and changes (when employees move out of the organization, a particular role, or to a different function, and their identity within the organization changes accordingly).

Best practices in implementing an identity management system that can enhance security and compliance

  • Establish a single virtual directory of identities that consolidates the multiple directories spread across the enterprise. This is essential to facilitate both the standardization of authentication systems as well as access management and governance.
  • Assign access permissions to job roles rather than to the people in those roles. Linking permissions to people who may change their job roles (and thus, responsibilities) or quit the organization could result in privilege creep or orphan accounts if access governance is tardy. Linking permissions to job roles allows for easier long-term identity management.
  • Establish a workflow that automates the processes of requesting and approving access rights. This can make identity management more efficient. Such a workflow should be complemented by a self-service user interface that offers employees, data owners and business decision-makers a detailed view of identities and associated access rights.
  • Since identity management is so closely linked to compliance initiatives, it is imperative to consider the impact of regulatory compliance requirements on identity management systems during the planning stage. Essentially, these requirements will inform the scope of the system.
  • It is not advisable for IT to be overly involved in identity management; instead limit their role to developing and implementing the appropriate tools and infrastructure. Essentially, when IT is enabled to grant access based on requests, without the benefit of business context, it will be unable to take an informed call on whether that level of access is appropriate for that particular role.
  • Have a strong review process in place. Identities are dynamic, and it is imperative that the organization engage in frequent recertification to ensure that the right people have access to the right data. Continual reviews of identities and their assigned permissions reduce the enterprise’s exposure to risk.

Finally, remember that just like any other aspect of security, identity management too is an on-going, iterative process that does not end with the implementation of a solution.
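
The review process recommended above, together with the temporary-access case from the first post, as an added example (not from the original posts): a minimal recertification pass that compares the grants collected from applications against a role-to-entitlement map and flags orphan accounts, privilege creep and expired temporary access. All account names, roles, entitlements and dates are constructed sample data.

```python
from datetime import date

# Constructed sample data: role -> entitlements the business approved for it.
ROLE_ENTITLEMENTS = {
    "sales_rep": {"crm:read", "crm:edit_leads"},
    "finance_analyst": {"erp:read", "erp:post_journal"},
}

# Constructed HR roster: active identities and their current job role.
HR_ROSTER = {"alice": "sales_rep", "bob": "finance_analyst"}

# Constructed grants as collected from applications:
# (account, entitlement, expiry date or None for a standing grant).
GRANTS = [
    ("alice", "crm:read", None),
    ("alice", "crm:edit_leads", None),
    ("alice", "erp:post_journal", None),           # kept from a previous role
    ("bob", "erp:read", None),
    ("bob", "crm:export_all", date(2016, 1, 31)),  # temporary access, never removed
    ("carol", "crm:read", None),                   # carol has left the organization
]


def review_access(grants, roster, role_entitlements, today):
    """Return a sorted list of (account, entitlement, finding) needing recertification."""
    findings = []
    for account, entitlement, expires in grants:
        role = roster.get(account)
        if role is None:
            # No matching active identity: the account outlived its owner.
            findings.append((account, entitlement, "orphan_account"))
        elif expires is not None:
            # Time-boxed exception: acceptable only until its expiry date.
            if expires < today:
                findings.append((account, entitlement, "expired_temporary_access"))
        elif entitlement not in role_entitlements.get(role, set()):
            # Standing grant outside what the current role justifies.
            findings.append((account, entitlement, "privilege_creep"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_access(GRANTS, HR_ROSTER, ROLE_ENTITLEMENTS, date(2016, 3, 3)):
        print(*finding, sep="\t")
```

Because permissions hang off roles, a role change only requires updating the roster entry; the next review pass then reports whatever the old role left behind.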