When people think of identity and access management, they think of things like biometrics and iris scanners. Surely there’s more to it than that?
Biometrics is the sexy end of security identity management, because authentication is very visible. Biometrics and iris scanners are how you log into an application. But that is just the entry point into a system or network – what happens after that is the decision point on what you can do once you’re inside the door.
I liken it to the analogy of a hotel. The authentication event is purely your credentials to get into the hotel room, but the authorisation allows you to go into individual rooms and determines what you can do in those rooms – like a repairman being granted access in order to fix something. The area that we’re really concerned about is what someone can do once they have authenticated themselves into a system.
What does an effective and mature enterprise-class IAM programme look like these days, and how big a project is it to deploy?
I’ve seen the market transition from simply viewing identity and access management as a one-time project into an ongoing programme with its own budget and staff – because for most customers, managing access is a never-ending problem. And the universe that they are to be concerned about with respect to identity and access management continues to expand.
Case in point – the adoption of mobile devices used to access these applications, the expansion of the enterprise footprint into the cloud, and the adoption of software-as-a-service (SaaS) applications are causing companies to deal with an ever-expanding universe of applications that they need to incorporate within their identity strategy. Our customers now recognise how very strategic IAM is to their operations, and that’s going to continue into the future.
One of the challenges associated with a project like this is that you have to attach information from a number of different types of applications.
For example, one of our financial services customers is still using the mainframe as the backbone of its applications, but also adding client-server applications, web applications and now SaaS applications. They’ve got a very diverse set of resources that they have to pull information from, and usernames often differ across these systems.
So evolving all of those individual usernames into a single computer identity is sometimes a challenge in these environments. There is a lot of data to be mined and correlated before you can actually get a bigger picture of what an individual user has access to.
Organisations have a lot on their plate when evaluating their security strategies these days. Where does IAM rank on their list of priorities compared to where you think it should be?
I think it ranks very highly – in the top three. Over time, we’ve seen numerous security breaches that can be traced back to a lack of identity management, which has led it to become a very high-level priority.
In addition, governments around the globe are trying to ensure that companies are doing a good job of protecting financial information, credit card information and healthcare records, and organisations are being held to a higher degree of accountability with respect to how they are managing identity and ‘who has access to what’.
There are audit committees that are alerted whenever there is a deficiency. IAM is getting a level of visibility throughout the enterprise, and it’s a very hot topic.
2014 was widely described as ‘the year of the data breach’, and 2015 doesn’t look to be any less prolific. How often do you think the lack of a good IAM programme results directly in these data breaches?
It’s hard to quantify that exactly, because often there are multiple contributors to breaches, which tend to happen across multiple factors. But I would say that, of the well-publicised ones, we could track it to some lack of due care.
If a company is lacking in that area, they’re generally lacking in most areas. They either have a good security programme and are on top of things, or they don’t. Some of the well-known, published breaches can certainly be tied back to a lack of visibility and control, either from an insider’s perspective – an insider who is abusing their privileges – or an external hacker who is hijacking accounts that are dormant.
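The two answers above describe the same data problem from two sides: pulling account records out of a mainframe, directory, web and SaaS systems where usernames differ, correlating them into one identity so you can see what a person actually has access to, and then spotting the dormant or ownerless accounts that an outsider could hijack. The script below is an added example, not code from the interview or from the vendor; the HR feed, the account exports, the system names, the attribute keys and the 90-day idle threshold are all constructed assumptions.

```python
"""
Added example (not from the interview): correlate per-system accounts into a
single identity, aggregate entitlements, and flag orphaned and dormant accounts.
All data below is constructed; system names, keys and thresholds are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed HR feed: the authoritative list of people and their status.
HR_RECORDS = [
    {"employee_id": "E1001", "email": "a.smith@example.com", "name": "Alice Smith", "status": "active"},
    {"employee_id": "E1002", "email": "b.jones@example.com", "name": "Bob Jones", "status": "terminated"},
]

# Constructed account exports; note the username differs in every system and
# not every system carries the same correlating attribute.
ACCOUNTS = [
    {"system": "mainframe", "username": "ASMITH01", "employee_id": "E1001",
     "entitlements": ["RACF:PAYROLL_READ"], "last_login": date(2015, 3, 1)},
    {"system": "ad", "username": "asmith", "email": "a.smith@example.com",
     "entitlements": ["Domain Users", "Finance-RW"], "last_login": date(2015, 3, 10)},
    {"system": "saas_crm", "username": "alice.smith", "email": "a.smith@example.com",
     "entitlements": ["crm:admin"], "last_login": date(2014, 9, 1)},
    {"system": "ad", "username": "bjones", "email": "b.jones@example.com",
     "entitlements": ["Domain Users"], "last_login": date(2014, 12, 1)},
    {"system": "saas_crm", "username": "svc-report",          # no owner attributes at all
     "entitlements": ["crm:export"], "last_login": date(2015, 1, 5)},
]


@dataclass
class Identity:
    employee_id: str
    name: str
    status: str
    accounts: list = field(default_factory=list)

    def entitlements(self):
        """Union of every entitlement across all of this person's accounts."""
        return sorted({e for a in self.accounts for e in a["entitlements"]})


def correlate(hr_records, accounts):
    """Attach each account to an HR identity, matching employee_id first and
    e-mail second. Accounts that match neither are returned as orphans."""
    by_emp = {r["employee_id"]: Identity(r["employee_id"], r["name"], r["status"]) for r in hr_records}
    by_email = {r["email"].lower(): by_emp[r["employee_id"]] for r in hr_records}
    orphans = []
    for acct in accounts:
        ident = by_emp.get(acct.get("employee_id")) or by_email.get((acct.get("email") or "").lower())
        if ident is None:
            orphans.append(acct)
        else:
            ident.accounts.append(acct)
    return by_emp, orphans


def find_dormant(identities, as_of, max_idle_days=90):
    """Flag accounts whose owner is no longer active, or that have not been
    used within max_idle_days (an assumed threshold)."""
    findings = []
    for ident in identities.values():
        for acct in ident.accounts:
            idle = (as_of - acct["last_login"]).days
            if ident.status != "active":
                findings.append((acct["system"], acct["username"], "owner not active"))
            elif idle > max_idle_days:
                findings.append((acct["system"], acct["username"], f"idle {idle} days"))
    return findings


def report(as_of=date(2015, 3, 15)):
    """Single governance view: who has what, plus the accounts nobody owns or uses."""
    identities, orphans = correlate(HR_RECORDS, ACCOUNTS)
    return {
        "entitlements": {i.employee_id: i.entitlements() for i in identities.values()},
        "orphans": [(a["system"], a["username"]) for a in orphans],
        "dormant": find_dormant(identities, as_of),
    }


if __name__ == "__main__":
    for section, rows in report().items():
        print(section, rows)
```

The matching order matters: a stable identifier such as the HR employee number is preferred, and e-mail is only a fallback, because e-mail addresses get reused and renamed. Anything left over after both passes is exactly the population the interviewee worries about, an account with no accountable owner, and it is reported rather than silently dropped.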
Business users want to access information easily and quickly, and could find IAM solutions inhibitors to productivity. How can IT ensure this doesn’t happen, and that staff don’t see them as the enemy?
This is the age-old tension between convenience and security. It’s that whole analogy of why cars have brakes – so that you can stop, yes, but also so that you can go fast. If I didn’t have good brakes, I’d be very reluctant to bring my car up to a high level of speed. The same can be said for security.
A good security programme actually enhances a journey and lets you go faster because it helps you understand where the risk is. So good security is like having good brakes on your car because it makes you more confident to go faster. Having a good IAM will improve the journey because you can go faster in the areas that usually slow you down.
Technology is only one piece of the puzzle in defending against cyber attacks. The people and process element seems to be the bigger struggle, with many organisations requiring a complete culture shift.
Is it true to say that your solutions won’t be of maximum effect if the correct processes are in place?
Absolutely. We see this in a lot of the companies that we work with, and so we often help them re-engineer their processes as a result of their undertaking an IAM project. It’s something we highly recommend because people need to take more notice of how they are doing things internally and who is participating in those processes. Therefore, companies often take the opportunity during the implementation of an IAM project to re-engineer and improve those processes so that they are effective in terms of what is required. Identity and access management touches many different areas of a company, so having good processes in place is very important to allow collaboration across an organisation – across business and IT.
It’s not just about technology, but also the people and the organisation. A high level of organisational buy-in with top-down sponsorship is very important to the outcome of a project.
What do you think is the future of IAM in the enterprise?
The IAM market is the hottest it’s ever been. We are now seeing a world where the security perimeter is no longer locked down, but rather dispersed.
Historically, organisations were able to lock down their organisation by simply focusing on the mainframe. However, with the introduction of mobile and SaaS apps, there are multiple new access points. In fact, there are numerous use cases where an end-user can access corporate data in a SaaS app via their mobile device without ever touching the network. The best way to get a handle on this new era of security is by focusing on identities, which means that IAM will only grow more critical to the business.
Another area that is shifting is how IAM is delivered. Currently, the most adopted IAM solutions for the enterprise are on-premise. But we are already seeing some organisations show a larger appetite for having an enterprise-wide IAM solution delivered via the cloud. This IAM-as-a-service (IDaaS) approach continues to evolve, with the same capabilities as on-premise solutions, and must be able to manage on-premise and SaaS applications within a single governance view. I don’t believe we’ll ever see an IDaaS-only world, but we will definitely see a significant tipping point.