A successful implementation of identity and access management requires forethought and collaboration across departments. Companies that establish a cohesive identity management strategy—clear objectives, stakeholder buy-in, defined business processes—before they begin the project are likely to be most successful. Identity management works best “when you have human resources, IT, security and other departments involved,” says Shaw.
Identity information often lives in several repositories, such as Microsoft Active Directory (AD) and human resources applications. An identity management system must be able to synchronize user identity information across all of these systems so that there is a single source of truth.
Given the shortage of IT staff today, identity and access management systems must let an organization manage many kinds of users in different situations and computing environments, automatically and in real time. Manually adjusting access privileges and controls for hundreds or thousands of users is not feasible.
For example, de-provisioning the access privileges of departing employees can fall through the cracks, especially when it is done manually, as it too often is. Recording an employee's departure once, in the authoritative HR system, and then automatically de-provisioning access across all the apps, services and hardware he or she used requires an automated, comprehensive identity management solution; any account the process misses remains a working credential for a person who no longer belongs to the organization.
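Reconciling every connected system against the HR feed is the mechanism behind both points above: the feed is the single source of truth, and leaver de-provisioning becomes a diff against it rather than a task someone has to remember. The following Python script is an added illustration, not code from the article or from any product. Its HR feed, the connected systems (a hypothetical AD, VPN and code-hosting service) and their field names are all constructed for the example:

```python
"""Leaver reconciliation against the HR source of truth.

Added example with constructed data: the HR feed, the connected systems and
their field names are hypothetical, standing in for what an IAM platform's
connectors would read back from AD, a VPN and a code-hosting service."""
from dataclasses import dataclass
from datetime import date

SLA_DAYS = 1  # access must be gone within this many days of the termination date


@dataclass(frozen=True)
class Action:
    system: str
    account: str
    action: str  # "disable" (automatic) or "review" (needs a human decision)
    reason: str


# Constructed HR feed: the authoritative record of who is (still) employed.
HR_FEED = [
    {"employee_id": "E100", "email": "alice@example.com", "status": "active", "termination_date": None},
    {"employee_id": "E101", "email": "bob@example.com", "status": "terminated", "termination_date": "2024-05-01"},
    {"employee_id": "E102", "email": "carol@example.com", "status": "on_leave", "termination_date": None},
]

# Constructed account snapshots, one per connected system (hypothetical names).
SYSTEM_ACCOUNTS = {
    "active_directory": [
        {"account": "alice", "employee_id": "E100", "enabled": True},
        {"account": "bob", "employee_id": "E101", "enabled": True},
        {"account": "svc-backup", "employee_id": None, "enabled": True},
    ],
    "vpn": [
        {"account": "bob@example.com", "employee_id": "E101", "enabled": True},
        {"account": "carol@example.com", "employee_id": "E102", "enabled": True},
    ],
    "github": [
        {"account": "alice-dev", "employee_id": "E100", "enabled": True},
        {"account": "former-contractor", "employee_id": "E099", "enabled": True},
        {"account": "bob-dev", "employee_id": "E101", "enabled": False},
    ],
}


def reconcile(hr_feed, system_accounts, today_iso):
    """Compare every connected system against the HR feed and return the actions
    needed. Live accounts of terminated employees are disabled automatically;
    accounts whose owner is unknown are flagged for review, not removed blindly."""
    today = date.fromisoformat(today_iso)
    people = {r["employee_id"]: r for r in hr_feed}
    # Safety guard: an empty or broken feed must never turn into mass revocation.
    if not any(r["status"] == "active" for r in hr_feed):
        raise ValueError("HR feed contains no active employees; refusing to reconcile")

    actions = []
    for system, accounts in system_accounts.items():
        for acct in accounts:
            owner_id = acct.get("employee_id")
            if owner_id is None:
                actions.append(Action(system, acct["account"], "review",
                                      "no owner recorded (service account?)"))
                continue
            person = people.get(owner_id)
            if person is None:
                actions.append(Action(system, acct["account"], "review",
                                      f"orphan: owner {owner_id} is not in the HR feed"))
            elif person["status"] == "terminated" and acct["enabled"]:
                # Already-disabled accounts are skipped; live ones are measured against the SLA.
                age = (today - date.fromisoformat(person["termination_date"])).days
                overdue = age - SLA_DAYS
                reason = ("overdue by %d day(s)" % overdue if overdue > 0 else "within SLA") + \
                    ": %s terminated %s" % (person["email"], person["termination_date"])
                actions.append(Action(system, acct["account"], "disable", reason))
    return actions


def by_system(actions):
    """Group actions per connector so each system receives one batch."""
    batches = {}
    for a in actions:
        batches.setdefault(a.system, []).append(a)
    return batches


if __name__ == "__main__":
    for system, batch in by_system(reconcile(HR_FEED, SYSTEM_ACCOUNTS, "2024-05-03")).items():
        for a in batch:
            print(f"{system:17} {a.action:8} {a.account:20} {a.reason}")
```

Two design choices matter here. Terminated employees' accounts are disabled, not deleted, so that audit history and mailbox holds survive; and accounts with no matching HR record are routed to a reviewer rather than cut off, because an HR feed that drops records (or arrives empty) would otherwise cause an outage rather than prevent one. The guard on an empty feed exists for the same reason.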
Authentication must also be easy for users to perform, it must be easy for IT to deploy, and above all it must be secure, Abousselham says. This accounts for why mobile devices are “becoming the center of user authentication,” he added, “because smartphones can provide a user’s current geolocation, IP address and other information that can be leveraged for authentication purposes.”
One risk worth keeping in mind: centralized operations present a tempting target to attackers. By putting a single dashboard over all of a company's identity management activities, these systems reduce complexity for administrators, but they reduce it for an intruder as well. Once compromised, they could allow an intruder to create IDs with extensive privileges and access to many resources, so the IAM platform itself needs the strongest authentication, least-privilege administration and monitoring in the estate.
Are IAM platforms based on open standards?
Authentication and authorization messages between trusted partners are often sent using Security Assertion Markup Language (SAML). This open specification defines an XML framework for exchanging security assertions (statements about a subject's authentication, attributes or authorization decisions) among security authorities. SAML provides interoperability across different vendor platforms that offer authentication and authorization services. Because the receiving party grants access on the strength of the assertion's contents, it must validate the assertion before trusting it: the signature, the issuer, the audience it was minted for and its validity window.
SAML isn't the only open-standard identity protocol, however. Others include OpenID (today usually in the form of OpenID Connect, which is layered on OAuth 2.0), WS-Trust (short for Web Services Trust) and WS-Federation (both with corporate backing from Microsoft and IBM), and OAuth (pronounced "Oh-Auth"), a delegated-authorization protocol that lets a user grant third-party services limited access to account information held by a provider such as Facebook without exposing the password.
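The checks a service provider must run on a SAML assertion are the part of the exchange that goes wrong most often in practice, so they are worth seeing in code. The following Python module is an added example, not code from the article, from any identity provider or from a SAML library. The assertion it parses is a constructed sample with hypothetical IdP and SP entity IDs, and its ds:Signature element is a placeholder: cryptographic XML-DSig verification is left to an XML signature library, while the remaining checks (issuer, signature presence, audience, validity window, replay) are implemented here with the standard library only:

```python
"""Service-provider-side checks on an inbound SAML 2.0 assertion.

Added example, not code from the original article or any vendor: the assertion
below is a constructed sample (hypothetical IdP and SP entity IDs) and its
ds:Signature is a placeholder. Cryptographic XML-DSig verification is left to
an XML signature library; these are the checks that are still forgotten even
when the signature itself is verified."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # parse untrusted XML with defusedxml in production

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML_NS, "ds": DS_NS}
CLOCK_SKEW = timedelta(seconds=60)  # tolerated drift between IdP and SP clocks

# Hypothetical entity IDs for the trusted IdP and for this service provider.
EXPECTED_ISSUER = "https://idp.example.com/metadata"
EXPECTED_AUDIENCE = "https://sp.example.com/saml"

# Constructed sample assertion (not captured from any real identity provider).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" xmlns:ds="{DS_NS}"
    ID="_a1b2c3" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-05-01T11:59:30Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups"><saml:AttributeValue>finance</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, 30, tzinfo=timezone.utc)  # "now" for the sample


def parse_saml_time(ts):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now, seen_ids, issuer=EXPECTED_ISSUER, audience=EXPECTED_AUDIENCE):
    """Return a list of validation failures; an empty list means accept.
    seen_ids is the SP's store of already-consumed assertion IDs (replay defence)."""
    errors = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return ["root element is not saml:Assertion"]
    # Reject nested assertions: signature-wrapping attacks hide a signed
    # assertion inside an unsigned outer one and hope the wrong one is read.
    if root.findall(".//saml:Assertion", NS):
        errors.append("nested Assertion element")
    # 1. Issuer must be the IdP we actually federate with.
    issuer_text = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer_text != issuer:
        errors.append("unexpected or missing Issuer")
    # 2. The assertion itself must be signed (verify with an XML-DSig library).
    if root.find("ds:Signature", NS) is None:
        errors.append("assertion is not signed")
    # 3. Validity window, with bounded clock skew.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        errors.append("missing Conditions")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + CLOCK_SKEW < parse_saml_time(not_before):
            errors.append("assertion not yet valid")
        if not_on_or_after and now - CLOCK_SKEW >= parse_saml_time(not_on_or_after):
            errors.append("assertion expired")
        # 4. Audience restriction: was this assertion minted for this SP?
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if audience not in audiences:
            errors.append("audience restriction does not name this service provider")
    # 5. There must be a subject to map to a local identity.
    if root.find("saml:Subject/saml:NameID", NS) is None:
        errors.append("missing Subject/NameID")
    # 6. Replay: each assertion ID may be consumed once.
    assertion_id = root.get("ID")
    if not assertion_id:
        errors.append("missing assertion ID")
    elif assertion_id in seen_ids:
        errors.append("replayed assertion ID")
    elif not errors:
        seen_ids.add(assertion_id)
    return errors


def subject_and_attributes(xml_text):
    """Extract the NameID and attribute statement once the assertion is accepted."""
    root = ET.fromstring(xml_text)
    name_id = (root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS) or "").strip()
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return name_id, attrs


if __name__ == "__main__":
    seen = set()
    print("first use :", validate_assertion(SAMPLE_ASSERTION, SAMPLE_NOW, seen))
    print("subject   :", subject_and_attributes(SAMPLE_ASSERTION))
    print("replayed  :", validate_assertion(SAMPLE_ASSERTION, SAMPLE_NOW, seen))
```

The audience and replay checks are the ones most often missing from hand-rolled SAML code: without the audience check, an assertion a user legitimately obtained for one application can be presented to another, and without the consumed-ID store the same assertion can be presented again for as long as its validity window lasts.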
Feel free to contact E-SPIN for identity and access management, infrastructure and application security, and infrastructure availability and performance monitoring solutions.