Keeping organisations safe

Prosenjeet Banerjee, head of security services at HCL Technologies, explains how identity and access management can be used as a weapon to secure the business and keep danger at bay.

By Prosenjeet Banerjee. Published June 22, 2009

More and more enterprises today are opening up their ‘information gates' to their customers, partners, vendors, suppliers and employees. In this fast changing business environment, the dynamics of the information security organisation and its structure have been deeply impacted and transformed.

One area that has taken a position of eminence in this context is enterprise identity access management (IAM) which has become a critical component of the security function within an organisation. IAM as a technology has evolved over the last few years and is now aligned to bring in more business benefits and organisational operational excellence. It has truly emerged as ‘manna from heaven' for chief security officers across the world in the face of the various identity and access challenges that they try to resolve.

Challenge 1: Identity management in the face of growing scale of users

In any business enterprise, it's critical to ensure all users have only the appropriate level of access rights to all protected resources, and that those rights are enforced appropriately. This is also required to meet and manage regulatory compliance by enforcing security controls, and responding to compliance audits.

No wonder the ongoing management of user identity information is a huge challenge for most enterprises. The growth in the number of users, each of whom needs identities on multiple systems, has become an administrative nightmare. The management of these identities needs to be centralised and, to the extent possible, automated, so that IT can efficiently provide the services the business needs in order to function optimally.

The key questions that must be answered by the IT department in any organisation are: who has access to what, and who approved that access? What did they do, and when did they do it? What was the result? Can we prove that we are in compliance?

Challenge 2: Whom to give access to, and how?

IT is responsible for protecting the integrity of a wide range of IT resources and information, including platforms, applications, web services, files, and other data. Centralised access management across all platforms not only helps to protect these disparate resources, but can also make compliance audits less painful. Effective access management also demands very flexible and granular access policy enforcement capabilities.

However, many access management solutions today do not provide the level of granularity required for today's complex and dynamic business transactions, and such solutions will fail to meet the expanding needs of most enterprises. As part of an overall IAM solution, enterprise single sign-on (SSO) improves the user experience and increases security by reducing the number of passwords a user must remember. As applications and their passwords proliferate, that password burden only grows.
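The mechanism behind SSO is that a user authenticates once to an identity provider, which then hands each application a short-lived, signed assertion instead of a password. The example below is added here to show the exchange from both sides; it is not code from the article or from HCL. It assumes a single shared HMAC key between the identity provider and the applications (a real deployment would use per-application keys or public-key signatures), and the application names, user names and key material are made up for the illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Shared HMAC key between the identity provider (IdP) and the service providers (SPs).
# Assumed for this example only; production SSO uses per-application keys or
# public-key signatures (SAML, OpenID Connect) rather than one shared secret.
IDP_SECRET = b"example-idp-signing-key"
TOKEN_LIFETIME = 300  # seconds an assertion stays valid


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: str, secret: bytes) -> str:
    return _b64(hmac.new(secret, payload.encode(), hashlib.sha256).digest())


def issue_assertion(user: str, audience: str, now: int, secret: bytes = IDP_SECRET) -> str:
    """IdP side: after one primary authentication, mint a short-lived assertion bound
    to a single target application ("audience") with a unique id for replay checks."""
    claims = {
        "sub": user,
        "aud": audience,
        "iat": now,
        "exp": now + TOKEN_LIFETIME,
        "jti": secrets.token_hex(8),
    }
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{payload}.{_sign(payload, secret)}"


class ServiceProvider:
    """SP side: one application that trusts the IdP instead of keeping its own password."""

    def __init__(self, name: str, secret: bytes = IDP_SECRET):
        self.name = name
        self.secret = secret
        self.seen_ids = set()  # assertion ids already consumed (replay protection)

    def validate(self, token: str, now: int):
        """Return (accepted, reason, claims). The signature is checked before any
        claim is parsed, so unsigned input never influences a decision."""
        parts = token.split(".")
        if len(parts) != 2:
            return False, "malformed", None
        payload, sig = parts
        if not hmac.compare_digest(sig, _sign(payload, self.secret)):
            return False, "bad signature", None
        claims = json.loads(_unb64(payload))
        if claims.get("aud") != self.name:
            return False, "wrong audience", None
        if now >= claims["exp"]:
            return False, "expired", None
        if claims["jti"] in self.seen_ids:
            return False, "replayed", None
        self.seen_ids.add(claims["jti"])
        return True, "ok", claims


if __name__ == "__main__":
    payroll = ServiceProvider("payroll")
    token = issue_assertion("alice", "payroll", now=1000)
    print(payroll.validate(token, now=1010))   # accepted
    print(payroll.validate(token, now=1010))   # same assertion again: replayed
    print(ServiceProvider("hr").validate(token, now=1010))  # minted for payroll, not hr
```

The audience and expiry checks are what keep one application's assertion from being reused against another, and the consumed-id set is what stops a captured assertion from being replayed within its lifetime; an SSO deployment that skips either check has traded many weak passwords for one bearer token that works everywhere.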

Challenge 3: Meeting compliance auditing and reporting standards

Many organisations are swamped with massive amounts of security event information, contained within multiple log files generated by independent system components. This greatly raises the risk that a significant event will go undetected, and therefore constitutes a serious impediment to effective security and compliance. Automated and centralised security log management allows organisations to understand and address the full contextual risk of an event to their enterprise. Finally, as organisations seek ways to cope with regulatory issues and the ongoing need for proof of compliance, a security event data and audit log management solution helps meet those data collection, reporting and audit compliance requirements with reduced, predictable costs.
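One property a centralised audit log must have before it can serve as proof of compliance is that the collector can show nobody edited, dropped or reordered entries after the fact (the "tamper proof logs and audit trails" listed in the case study later on). The example below is added here and is not code from the article or from HCL: each entry is HMAC'd together with the MAC of the entry before it, so any change breaks every MAC that follows. The key name, the sample events and the collector-side arrangement are assumptions for the illustration.

```python
import copy
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # "previous MAC" value used for the very first entry


def _entry_mac(key: bytes, seq: int, prev: str, event: dict) -> str:
    body = json.dumps({"seq": seq, "prev": prev, "event": event}, sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only log: every entry's MAC covers its sequence number, its event and the
    MAC of the previous entry, so entries cannot be altered, removed or reordered
    without breaking the chain from that point onward."""

    def __init__(self, key: bytes):
        # Assumed to be held only by the central collector, not by the hosts
        # that produce events; a host that holds the key could re-sign its own history.
        self.key = key
        self.entries: List[dict] = []

    def append(self, event: dict) -> dict:
        seq = len(self.entries)
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        entry = {"seq": seq, "prev": prev, "event": event, "mac": _entry_mac(self.key, seq, prev, event)}
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """MAC of the newest entry. Publish it where the log writer cannot alter it
        (a separate system, a printed daily report) so truncation can be detected."""
        return self.entries[-1]["mac"] if self.entries else GENESIS


def verify_chain(entries: List[dict], key: bytes, expected_head: Optional[str] = None) -> Tuple[bool, int]:
    """Re-derive every MAC. Returns (True, -1) if intact, else (False, index) of the
    first failing entry. A chain with its tail cut off still verifies on its own,
    which is why a separately recorded expected_head is needed to catch truncation."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return False, i
        if not hmac.compare_digest(_entry_mac(key, i, prev, e["event"]), e["mac"]):
            return False, i
        prev = e["mac"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, -1


def clone(entries: List[dict]) -> List[dict]:
    """Deep copy, so tampering scenarios can be built without touching the original."""
    return copy.deepcopy(entries)


if __name__ == "__main__":
    # Constructed sample events, not taken from any real system.
    log = AuditLog(b"collector-key")
    log.append({"user": "alice", "action": "login", "system": "erp"})
    log.append({"user": "bob", "action": "grant", "role": "payments.approve", "approved_by": "mgr1"})
    log.append({"user": "alice", "action": "read", "object": "ledger"})
    edited = clone(log.entries)
    edited[1]["event"]["approved_by"] = "bob"
    print(verify_chain(log.entries, b"collector-key"))  # intact
    print(verify_chain(edited, b"collector-key"))       # fails at entry 1
```

The chain on its own only proves integrity to whoever holds the key; an administrator with the key could rewrite and re-sign the whole history. Anchoring the head MAC outside the collector's control at regular intervals is what turns it into evidence an auditor can rely on.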

Moreover organisations need to have a single view across their enterprise that allows them to proactively identify compliance problems and take corrective action through an automated certification and remediation process. This is key.
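The questions listed under Challenge 1 (who has access to what, who approved it, what did they do with it) and the automated certification described here come together in an access review that joins the HR feed, each system's entitlements and the access logs. The example below is added here and is not code from the article or from HCL; the HR statuses, systems, role names, separation-of-duties rule and 90-day dormancy threshold are all constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Entitlement:
    system: str
    user: str
    role: str
    approved_by: Optional[str]   # None: no approval record could be found
    last_used: Optional[date]    # None: never used according to the access logs


# Separation-of-duties pairs: no single identity may hold both roles (assumed rule).
SOD_RULES = [("payments.create", "payments.approve")]
DORMANT_AFTER = timedelta(days=90)  # assumed threshold for "unused" access


def certify(hr_status: Dict[str, str], entitlements: List[Entitlement], today: date,
            sod_rules=SOD_RULES, dormant_after=DORMANT_AFTER) -> List[dict]:
    """Answer the audit questions for every entitlement and return findings, each
    tagged with the remediation the reviewer (or an automated step) should take."""
    findings: List[dict] = []

    def add(kind: str, e: Entitlement, action: str) -> None:
        findings.append({"kind": kind, "system": e.system, "user": e.user, "role": e.role, "action": action})

    for e in entitlements:
        # Who has access? Is that identity still active according to HR?
        if hr_status.get(e.user) != "active":
            add("orphan", e, "revoke")
        # Who approved it? No record, or self-approval, fails the four-eyes check.
        if e.approved_by is None:
            add("no_approval", e, "revoke unless owner re-certifies")
        elif e.approved_by == e.user:
            add("self_approval", e, "re-approve by independent owner")
        # What did they do with it? Unused access is attack surface for no benefit.
        if e.last_used is None or today - e.last_used > dormant_after:
            add("dormant", e, "revoke")

    # Cross-system view: toxic role combinations held by one person.
    roles_by_user = defaultdict(set)
    for e in entitlements:
        roles_by_user[e.user].add(e.role)
    for user, roles in roles_by_user.items():
        for a, b in sod_rules:
            if a in roles and b in roles:
                findings.append({"kind": "sod", "system": "*", "user": user,
                                 "role": f"{a}+{b}", "action": "remove one role"})
    return findings


def revocations(findings: List[dict]):
    """The subset of findings an automated remediation step can act on directly."""
    return sorted({(f["system"], f["user"], f["role"]) for f in findings if f["action"] == "revoke"})


# Constructed sample data, not from the article: an HR feed plus entitlements
# pulled from three systems with the last-use date from their access logs.
TODAY = date(2009, 6, 22)
HR_STATUS = {"alice": "active", "bob": "terminated", "carol": "active", "dave": "active"}
ENTITLEMENTS = [
    Entitlement("erp", "alice", "payments.create", "mgr1", TODAY - timedelta(days=3)),
    Entitlement("erp", "alice", "payments.approve", "mgr1", TODAY - timedelta(days=1)),
    Entitlement("erp", "bob", "ledger.read", "mgr1", TODAY - timedelta(days=200)),
    Entitlement("crm", "carol", "admin", None, TODAY - timedelta(days=10)),
    Entitlement("vpn", "dave", "remote", "dave", TODAY - timedelta(days=5)),
    Entitlement("erp", "dave", "ledger.read", "mgr2", None),
]

if __name__ == "__main__":
    for f in certify(HR_STATUS, ENTITLEMENTS, TODAY):
        print(f)
    print("revoke:", revocations(HR_STATUS and certify(HR_STATUS, ENTITLEMENTS, TODAY)))
```

On the sample data the review finds a terminated employee still holding ERP access, an unapproved CRM admin, a self-approved VPN grant, two dormant entitlements and one separation-of-duties conflict; only the orphaned and dormant entries are safe to revoke automatically, the rest need a human owner's decision.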

The solution to all these requirements is identity and access management. These business issues are all aspects of the same challenge: how do I deliver in the most cost-effective manner? While the business issues described above may seem disconnected, on close examination they share a common thread: identity, and the access granted to each identity.

Every decision about granting people access to business resources, or delivering services and content to them, is based on who those people are: their business relationship to the organisation and their role in that relationship. When an organisation knows who its authorised users are and can apply that knowledge across all its systems, it can securely connect people to the tools and information they need to work productively, conduct business efficiently and manage costs effectively.

What is Identity?

Users' identities are at the core of any business. Identities are required for all users, including employees, customers and business partners. As online operations become the standard of today's business model, identity is also becoming a key asset to all levels of business operations.

To securely manage the end-to-end identity life cycle while protecting corporate resources, organisations must adopt a complete, integrated, modular approach to identity and access management in order to fully manage their environment and integrate with their business processes. This approach must take into account the existing systems that organisations have already invested in. In today's world of increasing risk, we need tools that aggregate information about an employee, customer and/or partner.

The process can also be viewed from two sides: the user's perspective and the administrator's. Users are focused on the efficiency of the experience (one ID and one sign-in for many applications) and on apparent security; administrators are focused on efficiency of management (the user-to-administrator ratio), service level (user administration turnaround time) and actual security. These are important distinctions to keep in mind during any identity management initiative, lest the scope widen uncontrollably.

In practice, organisations need to manage relationships with multiple, distinct populations of "identities": employees, customers and business partners. Every population requires identity and access management, but each has its own user requirements.

Employee populations need a traditional, inward-facing security management solution that focuses on users' access to physical resources and IT systems, and protects internal systems. Customer populations need an outward-facing security management solution that enables secure web access to customer services. From a business perspective, the focus is on customer acquisition and enabling new customer services. From the customer's perspective, the focus is on ease of use and providing confidentiality of personal data and transactions.

Business-oriented identity and access management (also known as business to business, or B2B, such as partners) is focused on cross-organisational transactions. It depends upon legal frameworks, which allow transactions to securely occur between independent entities. It supplies a secure web services infrastructure to address the issues associated with cross-company authorisation and provides implementations of applicable standards.

HCL Methodology for IAM Deployment

HCL follows a structured methodology when engaging with a customer on identity and access management. Deploying an IAM solution within an enterprise is a complex and time-consuming task. It results in significant changes to the organisation's operating processes and application deployment methodology, which in turn change the way the organisation deals with its employees, contractors, suppliers, business partners and customers. The phases HCL follows for an IAM deployment are the due diligence phase, the consulting engagement phase, the implementation phase and, finally, the post-implementation support phase.

HCL can help enterprises to go through the entire lifecycle and build up the overall framework for the IAM within the specific organisation or company.

Case Study: IAM Solution Design and Deployment for Asia's Largest Stock Exchange

Customer Requirements

• Design a single sign-on and access control solution across a large number of critical applications.

• Provide ongoing monitoring and maintenance of the deployed solution.

HCL Solution

HCL followed its own IAM methodology and approach for this customer, consisting of a due diligence phase, a design phase and an implementation phase, followed by the ongoing maintenance phase.

Benefits to the organisation

• 20-22% reduction in IT Administration costs.

• 45% reduction in user lifecycle management effort; users need to memorise only a single user ID and password.

• Stronger authentication mechanisms for different groups of users.

• An additional layer of protection for access to sensitive applications.

• Tamper-proof logs and audit trails for compliance.

Advantages for all

• Cost reduction

• Improved security

• Easier compliance

• Simplified management

• Tamper-proof auditing
