The IAM Gap
The goal that vendors and customers have been trying to achieve in the Identity and Access Management space can actually be described quite simply:
Ensure that the right people have the right access to the right resources…and that they are doing the right things with that access.
Pretty simple, right? Simple to describe, but not at all simple to achieve.
First, there are the complexities of the heterogeneous computing infrastructure. This infrastructure consists of many, many applications, systems and networks. Each of those computing systems has a security model and access control that is optimized for that specific system — and not the whole environment. Bridging those is quite difficult. And the business keeps on changing, which often results in recombination of these varied systems in a single business process. Think of the Automated Teller Machine: the simple business action of transferring money from your savings to your checking account requires the integration of funds transfer, passbook savings, demand deposit and account reconciliation applications — all optimized for their specific function, not for you transferring money via an ATM.
And that provides a window into the second major challenge. With computing now the foundation for business operations — whether the business is a bank, a retailer, a healthcare organization, energy concern, an educational institution, etc. — nearly every business action impacts who should have access to what, and what they should do with that access. Whether it is bringing on a new customer, promoting a staff member, releasing a contractor, opening a new office, delivering a new product line…nearly every business action impacts access.
So as a vendor community we have delivered a number of products that help ensure the right people have the right access to the right resources and are doing the right things with that access. How do you achieve this?
1. Get it right the first time
In the User Administration and Governance portion of the IAM market, vendors have provided User Provisioning systems to try to “get it right from the start.” The idea is to directly connect the change of access rights to business processes, such as the hiring process. So when the business action that impacts access occurs, the access is automatically aligned with policy and regulations. This has helped.
2. Verify it is right & Fix it
Vendors have also provided Identity & Access Governance tools such as automated access certification to enable customers to “verify it.” No matter how hard we try to “get it right the first time,” things happen that result in access being out of alignment with policy. IAG capabilities such as access certification enable business and application managers — those responsible for weighing risk and reward for the business — to periodically view who has access to what (and what kind of access they have). As business-driven solutions, they have been built to translate the complexities of that infrastructure into the language of business roles and business entitlements. This has also helped.
And that very same tool that we used to try to get it right (User Provisioning) can then be used to “fix it.” When a business manager finds that one of his or her staff has excessive access, they can automatically kick off a provisioning process to revert their access to their role, delete it, disable it, etc.
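A minimal illustration of the “verify it” and “fix it” steps, added here as example code that is neither Courion’s product nor part of the original post: it reconciles each account’s granted entitlements against a role model and turns the differences into provisioning requests. The role names, entitlement strings and accounts are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample role model: the policy-approved entitlements per business
# role. In practice this is what an IAG tool presents to managers in business terms.
ROLE_ENTITLEMENTS = {
    "teller": {"core-banking:read", "funds-transfer:initiate"},
    "branch-manager": {"core-banking:read", "funds-transfer:initiate",
                       "funds-transfer:approve", "reconciliation:view"},
}

@dataclass
class Account:
    user: str
    role: str
    entitlements: set   # what the target systems actually grant today

@dataclass
class Finding:
    user: str
    excess: set         # granted but not in the role: revocation candidates
    missing: set        # in the role but not granted: an access gap

# Constructed sample accounts. bob kept an approval right after a role change;
# carol never received two entitlements her role requires.
SAMPLE_ACCOUNTS = [
    Account("alice", "teller", {"core-banking:read", "funds-transfer:initiate"}),
    Account("bob", "teller", {"core-banking:read", "funds-transfer:initiate",
                              "funds-transfer:approve"}),
    Account("carol", "branch-manager", {"core-banking:read", "funds-transfer:approve"}),
]

def certify(accounts, roles):
    """'Verify it': compare granted access with the role model.
    An account whose role is unknown gets an empty expected set, so every
    entitlement it holds is reported as excess for a manager to review."""
    findings = []
    for acct in accounts:
        expected = roles.get(acct.role, set())
        excess = acct.entitlements - expected
        missing = expected - acct.entitlements
        if excess or missing:
            findings.append(Finding(acct.user, excess, missing))
    return findings

def remediation_actions(findings):
    """'Fix it': turn certification findings into provisioning requests."""
    actions = []
    for f in findings:
        actions += [("revoke", f.user, e) for e in sorted(f.excess)]
        actions += [("grant", f.user, e) for e in sorted(f.missing)]
    return actions
```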
It still isn’t simple to get it right from the start and to be able to verify that access is right as time goes on. But User Provisioning and IAG solutions help customers make great progress in ensuring that the right people have the right access to the right resources and are doing the right things with that access. (If you want to learn how, you can see a replay of a recent Courion webinar on best practices to achieve this.)
However, with all the value that automated User Provisioning and IAG provide, these solutions leave a huge gap in an organization’s ability to ensure the right access. The gap is so large, in fact, that organizations are under significant and growing risk every day that someone will misuse access to harm the organization.
This gap, and what to do about it, is the subject of my next blog.