Despite broader recognition of the need for securing access to applications and other IT resources, enterprises are still struggling to come to terms with the issues involved with identity and access management, Gartner has warned.
"We need to have a much more well-defined process for IAM (identity and access management), with architectures, controls and processes," Ant Allan, vice president of research at Gartner, told attendees of a recent conference in London on identity management.
While there has been a tendency to treat such problems as primarily a technological issue, and focus on how to integrate identity management into existing applications and systems, effective access management has a much broader impact, Allan said. "IAM is more and more about business issues as much as it is about security issues. You have to reflect the business controls and processes in your IAM controls and processes."
"(Identity and access management) is not something you can relegate to a low-level administrative task."
--Ray Wagner, managing vice president, Gartner
Another recent challenge has been an increasing emphasis on ensuring that staff members actually are who they claim to be, an issue that is receiving increasing prominence as global employment patterns shift.
"Before you create identities on your information systems for people, you need to establish who they are in the real world," Allan said. "We're seeing an increased focus on identity-based networks."
All this may see identity management shift from a technology manager responsibility to that of higher, C-level executives. "IAM is not something you can relegate to a low-level administrative task," Gartner's Ray Wagner noted.
Merely setting up efficient systems remains troublesome, if the typical queries received by Gartner itself are any indication. In the first quarter of this year, the most common queries from clients related to basic issues of user provisioning and authentication, Wagner said. Provisioning alone accounted for almost a quarter of queries.
One reason for increased interest in IAM is the growing attention fiscal and legal regulators are paying to the systems used to control information access.
"Regulators want to see controls in place, and they want to see that you can show them you have controls in place," Allan said.
Effectively delivering that will probably require multiple categories of software, with Gartner singling out administration and access, verification, authentication and auditing as crucial roles.
"You don't need every kind of tool there is on the market, but you probably need more than one of each category," Allan said.
Have smartcard authentication with password protection required for anything that warrants the removal of suspicion prior to allowing access.
Whether it be access to a firmware upgrade, reserving a meeting room, even filing a complaint or asking a simple request from the IT department.
With proper smartcard + password management set into place... it's really no problem at all.
Deciding what requires such strict access may be a problem at first, but once ALL of the resources have been defined and who can access which resource has been laid out... the only thing remaining is periodical confirmation that such access is continually required or not. Once a month or once every three months mandatory re-requesting should allow IT management to take back control of their network.
Walt
I fully agree with this article's statement, "Another recent challenge has been an increasing emphasis on ensuring that staff members actually are who they claim to be." While identity management systems are being ramped up, and even after fully deployed, businesses need to monitor their users and verify they are who they say, post admission.
I think we're going to see a move toward using monitoring devices to accompany IAM systems. Aside from role-based provisioning and access control, businesses need to track the activity of each user to ensure privileged users are not violating security controls or placing the company at risk. Monitoring will also help with continuous compliance measurement and improve the overall security posture.
I think what they are saying is that this isn't just a technical problem anymore.
"Another recent challenge has been an increasing emphasis on ensuring that staff members actually are who they claim to be, an issue that is receiving increasing prominence as global employment patterns shift."
If the person was fraudulent from the get-go then the identity on their smart card isn't accurate. Maybe I am an illegal alien or a convicted felon and I forged all my documents. Upon being hired my company identity (smartcard, user accounts, etc.) would be created from this fraudulent information. This is where the solution has to be implemented in more than just software and hardware. It has to be implemented in terms of company policy and enforcement.