Gartner: Businesses struggling with ID management

Despite broader recognition of the need for securing access to applications and other IT resources, enterprises are still struggling to come to terms with the issues involved with identity and access management, Gartner has warned.

"We need to have a much more well-defined process for IAM (identity and access management), with architectures, controls and processes," Ant Allan, vice president of research at Gartner, told attendees of a recent conference in London on identity management.

While there has been a tendency to treat such problems as primarily a technological issue, and focus on how to integrate identity management into existing applications and systems, effective access management has a much broader impact, Allan said. "IAM is more and more about business issues as much as it is about security issues. You have to reflect the business controls and processes in your IAM controls and processes."

"(Identity and access management) is not something you can relegate to a low-level administrative task."

--Ray Wagner, managing vice president, Gartner

Another recent challenge has been an increasing emphasis on ensuring that staff members actually are who they claim to be, an issue that is receiving increasing prominence as global employment patterns shift.

"Before you create identities on your information systems for people, you need to establish who they are in the real world," Allan said. "We're seeing an increased focus on identity-based networks."

All this may see identity management shift from a technology manager responsibility to that of higher, C-level executives. "IAM is not something you can relegate to a low-level administrative task," Gartner's Ray Wagner noted.

Merely setting up efficient systems remains troublesome, if the typical queries received by Gartner itself are any indication. In the first quarter of this year, the most common queries from clients related to basic issues of user provisioning and authentication, Wagner said. Provisioning alone accounted for almost a quarter of queries.

One reason for increased interest in IAM is the increasing interest fiscal and legal regulators are taking in the systems used to control information access.

"Regulators want to see controls in place, and they want to see that you can show them you have controls in place," Allan said.

Effectively delivering that will probably require multiple categories of software, with Gartner singling out administration and access, verification, authentication and auditing as crucial roles.

"You don't need every kind of tool there is on the market, but you probably need more than one of each category," Allan said.

Angus Kidman of ZDNet Australia attended the Gartner Identity & Access Management Summit.

[wbenton]

Solution is really simple

Have smartcard authentication with password protection required for anything that warrants the removal of suspicion prior to allowing access.

Whether it be access to a firmware upgrade, reserving a meeting room, even filing a complaint or asking a simple request from the IT department.

With proper smartcard + password management set into place... it's really no problem at all.

Deciding what requires such strict access may be a problem at first, but once ALL of the resources have been defined and whom can access which resource has been layed out... the only thing remaining is periodical confirmation that such access is continually required or not. Once a month or once every three month mandatory re-requesting should allow IT management to take back control of their network.

Walt

[Buck French, Securify]

A movement toward monitoring

I fully agree with this article?s statement, ?Another recent challenge has been an increasing emphasis on ensuring that staff members actually are who they claim to be.? While identity management systems are being ramped up, and even after fully deployed, businesses need to monitor their users and verify they are who they say, post admission.



I think we?re going to see a move toward using monitoring devices to accompany IAM systems. Aside from role-based provisioning and access control, businesses need to track the activity of each user to ensure privileged users are not violating security controls or placing the company at risk. Monitoring will also help with continuous compliance measurement and improve the overall security posture.

[chriswininger1]

I think what they are saying is that this isn?t just a technical problem anymore.

"Another recent challenge has been an increasing emphasis on ensuring that staff members actually are who they claim to be, an issue that is receiving increasing prominence as global employment patterns shift."

If the person was fraudulent from the get go then the identity on their smart card isn?t accurate. Maybe I am an illegal alien or a convicted felon and I forged all my documents. Upon being hired my company identity (smartcard, user accounts, etc) would be created from this fraudulent information. This is where the solution has to be implemented in more than just software and hardware. It has to be implemented in terms of company policy and enforcement.