At a time when managing identity information, and leveraging it for business purposes, is becoming increasingly important, interest in the topic of identity and access management is not keeping pace. Not only is there a lot of money to be saved by automating provisioning, it also significantly de-risks access control within an organisation. As more security tools leverage identity stores, getting provisioning right has never been more important.
Technology is advancing so fast that many CIOs have delegated identity and access management to members of their staff. While there’s nothing wrong with delegation (in fact, it’s the mark of a good manager), it’s still necessary for the CIO to stay in charge; you can’t manage something that you don’t understand. In many companies, system administrators are setting policy. They are configuring firewalls, deploying directories and managing encryption keys to their own “best effort” level. The danger is that the system admin often does not have the corporate perspective needed to perform these functions. The C-level should be determining access control policy for firewall configuration, setting the directory strategy to which the architecture should adhere, and mandating key ceremonies to ensure encryption keys are appropriately generated and managed.
There’s an increasing need for CIOs to understand the business. They should no longer simply manage IT strategy; they need to understand how IT supports the business. They must know enough about business processes to recommend where digitisation can assist and, more importantly, where it’s necessary.
For instance, vendor-managed inventory is a well-entrenched business strategy: approved suppliers are given access to inventory levels and told not to let the supply of their product run out. To do this, suppliers need to be given access to the appropriate system so that they can forecast requirements and ship accordingly. Most companies set up a generic account for each supplier, which is bad practice. Federated authentication is the preferred approach; alternatively, a provisioning system with an approval workflow can be used to provide an approved level of access control. Note: if a password expiry policy is implemented within an organisation, external suppliers should typically be in a separate AD group with no expiry; security should be maintained by periodic attestation reporting and a workflow to disable accounts on expiry.
This series of blogs looks at the major components of identity and access management to encourage discussion and raise awareness. The objective is to assist organisations in managing their identity environment so as to avoid a compromise.
Graham Williamson is the author of “Identity Management: A Business Perspective”.
© 2021 MC Press Bookstore.