
Identity Management - Why Is the Level of Interest So Low?

by Graham Williamson, April 11, 2017

At a time when managing identity information, and leveraging it for business purposes, is becoming increasingly important, interest in the topic of identity and access management is not keeping pace. Automating provisioning not only saves a lot of money, it also significantly de-risks access control within an organisation. As more security tools leverage identity stores, getting provisioning right has never been more important.

Technology is advancing so fast that many CIOs have delegated identity and access management to members of their staff. There’s nothing wrong with delegation (in fact, it’s the mark of a good manager), but the CIO still needs to stay in charge; you can’t manage something that you don’t understand. In many companies system administrators are setting policy. They are configuring firewalls, deploying directories and managing encryption keys to their own “best effort” level. The danger is that system admins often do not have the corporate perspective needed to perform the functions in which they are engaged. The C-level should determine the access control policy for firewall configuration, set the directory strategy to which the architecture should adhere, and mandate key ceremonies to ensure encryption keys are appropriately generated and managed.

There’s an increasing need for CIOs to understand the business. They should no longer simply manage IT strategy; they need to understand how IT supports the business. They must know enough about business processes to recommend where digitisation can assist and, more importantly, where it’s necessary.

For instance, vendor-managed inventory is a well-entrenched business strategy: approved suppliers are given access to inventory levels and told not to let the supply of their product run out. To do this, suppliers need access to the appropriate system so that they can forecast requirements and ship accordingly. Most companies set up a generic account for each supplier, which is bad practice. The preferred approach is federated authentication, or a provisioning system with an approval workflow that provides an approved level of access. Note: if a password expiry policy is implemented within an organisation, external suppliers should typically be in a separate AD group with no expiry; security should be maintained by periodic attestation reporting and a workflow to disable accounts on expiry.

This series of blogs looks at the major components of identity and access management to encourage discussion and raise awareness. The objective is to assist organisations in managing their identity environment so as to avoid a compromise.

Graham Williamson is the author of “Identity Management: A Business Perspective”.


Graham Williamson

Author

Graham Williamson is an identity management consultant in Brisbane, Australia. He has 27 years of experience in the IT industry, with expertise in identity management, electronic directories, public key infrastructure, smart card technology, and enterprise architecture. He is a coauthor of Identity Management: A Primer (MC Press, 2009).


