RSA: Intelligence-driven identity and access management

The way organisations manage access to their critical applications and data is quickly becoming unwieldy and overly complicated. That’s because traditional identity and access management (IAM) solutions, which were supposed to help organisations guard their IT systems and networks against unsafe access, were built on outdated assumptions to meet outdated requirements. First, the user population is no longer just made up of on-premises employees, but also includes partners, vendors, customers, and clients – all of whom require access to corporate applications. Next, devices are no longer just corporate desktops, but also include corporate and personal laptops, tablets, and mobile phones. Finally, this increase in the number and types of users and access methods has created an “identity crisis” at many organisations – where their systems are unable to manage and unify this disparate information, resulting in fragmented user profiles and multiple digital identities.

First, the user population is no longer just made up of on-premises employees, but also includes partners, vendors, customers, and clients – all of whom require access to corporate applications. Next, devices are no longer just corporate desktops, but also include corporate and personal laptops, tablets, and mobile phones. Finally, this increase in the number and types of users and access methods has created an “identity crisis” at many organisations – where their systems are unable to manage and unify this disparate information, resulting in fragmented user profiles and multiple digital identities.

networks-unlimited-156-03-2016-fig1http://www.ee.co.za/wp-content/uploads/2016/02/networks-unlimited-156-03-2016-fig1-768x385.jpg 768w, http://www.ee.co.za/wp-content/uploads/2016/02/networks-unlimited-156-03-2016-fig1-620x311.jpg 620w" sizes="(max-width: 580px) 100vw, 580px" style="border-style: none; border-width: initial;">

Fig. 1: Implementing a single, integrated intelligence driven IAM solution provides visibility and control across all areas of business.

These assumptions, combined with ever-increasing expectations for usability and flexibility often causes friction between users, the IT staff, and the business. Users don’t want multiple and inconvenient sign-ons, and without a unified user profile, the prospect of losing rich insights into how users behave across different networks, applications, and devices is truly a missed opportunity for InfoSec teams.

Finally, the regulatory and compliance landscape is increasingly burdensome. Many compliance projects are driven by audit events, with teams often unprepared for the effort required to collect and report on compliance information. This event-based approach requires manual intervention and with the growing number of users, systems, and access methods, costs to maintain compliance can quickly escalate.

All users need easy-to-use, secure access to both internal and external systems, which house the information and applications necessary to do their jobs. Ultimately, the lines of business require agility and flexibility, to increase productivity and enable innovation. IT and security teams want an easy way to meet these business needs while balancing resource and enterprise security constraints. Most current enterprise security models focus primarily on prevention of security threats but an intelligence-driven security framework equally balances prevention, detection and response by emphasising visibility, analysis, and action to detect, investigate, and respond to threats, confirm and manage identities and prevent fraud. Simultaneously addressing user, business, IT, and security requirements will mean elevating the enterprise security framework to incorporate intelligence driven identity and access management. Intelligence-driven IAM combines visibility of user context and activities, analysis that leverages this context, and enablement of appropriate and timely actions to mitigate any threats.

Visibility – more than meets the eye

Intelligence-driven IAM provides a unified view of identity information spanning different applications, business units, and cloud services. This allows increased visibility into the who, what, and where of users accessing systems – whether on-premise applications, IT-approved cloud applications, or the all-too-common “Shadow IT”, where users bypass IT altogether. Intelligence-driven IAM also ensures that organisations have policies in place to ensure appropriate access, and risk-based authentication that balances security with a compelling user experience.

Automate gathering of identity intelligence

Intelligence-driven IAM solutions automatically collect and combine information on user identities from across the organisation. Anything with a user account, such as directories, email applications, or business applications can be used as a data source. The diverse data collected on individual users is stored in a single database, where identity context is created by correlating user, account, role, business unit, and entitlement information.

This automated collection process enables security teams to bring user privileges under a unified, automated control framework. And it gives organisations unprecedented visibility into who has access to what information, how they got it, who authorised it, and whether an employee’s entitlements are aligned with job roles and group affiliations – all from a central location.

Single integrated IAM provides visibility and control

Once identity information is collected and correlated from multiple repositories, intelligence driven IAM solutions provide the advantage of a single identity point for visibility into user activities. By aggregating and normalising this information from across the enterprise, standardised processes and workflows using that information can be integrated, streamlined, and automated, simplifying the management of identities and policies. The unified platform reduces the expense of maintaining multiple systems while creating a versatile platform for providing enhanced capabilities in security, compliance, and workflow automation.

Context- and risk-aware user management and authentication

Intelligence-driven IAM covers users across different applications and IT environments, ensuring visibility of and access to corporate data regardless of whether it resides internally or is externally hosted. To assess whether user behaviours pose unacceptable risks to the organisation, IAM systems must be aware of context. For example, if a senior accountant based in Chicago suddenly appears to be accessing finance servers from an eastern European IP address, the IAM system could prevent access until additional identity verification is completed. Providing the contextual information to make accurate risk assessments is a hallmark of intelligence driven IAM, whether it’s applied to identities, websites, end points, or networks – at authentication time, runtime or during business processes.

A means to an end – analysis

Achieving broader visibility with continually updated information creates new opportunities for identity analytics. Organisations can leverage identity context to better spot abnormal or inappropriate access, automatically detect compliance policy violations, and quickly identify a security threat.

Centralised identity platform for building new security and compliance capabilities

When identity information becomes centralised, organisations gain new opportunities to enhance security and user experience. For instance, they obtain a richer context with which to make user authentication decisions. Analysis tools can be applied to an organisation’s centralised identity data to help detect and deny fraudulent users from gaining access. Also, organisations can more easily merge access and privileges across disparate applications and IT environments, even if they are externally hosted cloud services. Federation of identities and entitlements enable convenient benefits such as single sign-on, so end users will have fewer passwords and can thus access various applications and web-based services more easily. The centralised identity management database can also simplify compliance reporting, because auditable evidence is available from one authoritative system of record.

By creating a single authoritative source for identity information, organisations enable new forms of workflow automation. They can integrate and automate processes for provisioning, certifying, and revoking user entitlements. Changes affecting users, such as internal role changes or termination, will automatically cascade to all accounts in all applications.

Rich identity context

Creating the intelligence to distinguish good behaviour from bad will require IAM solutions to ingest and analyse vast volumes and varieties of user-related data. With a centralised model, an intelligence-driven IAM framework provides a rich context to determine a user’s validity, moving beyond accounts to capture entitlements, roles, job functions, business policies, and the dependencies among them. The ability to share this broader context extends security functions beyond simply identity management, to management of the entire identity lifecycle. This enables a quick determination into what is normal access, and what is inappropriate and potentially risky access.

The growing use of mobile devices and cloud-based applications creates an even bigger challenge in managing identities. An intelligence-driven IAM model brings these devices and users under a unified view to enrich user profiles and enhance behaviour modelling.

Easy scalability and integration with applications

Traditional identity and access management solutions cannot readily scale to accommodate new applications. These legacy solutions are constrained by their architecture: they typically combine the business logic that encodes governance policies with application- specific integration logic. Because the logical layers are fused together, extending these systems to new applications requires writing considerable amounts of application-specific code – a costly, time-consuming process.

Intelligence-driven IAM systems are built to be scalable and easily extensible to new applications. They achieve this flexibility by separating business logic – presented in a user-friendly interface with policy-driven workflows – from the application-specific integration logic. This dramatically reduces the effort required to integrate with all key enterprise applications.

An intelligence-driven IAM framework also needs to incorporate the ability for IT to rapidly roll out new applications that maintain a high level of security. Pre-integrated applications and out-of-the-box integration capabilities ensures users have fast access to the applications they want, business leaders can improve operational efficiency, and IT is able to reduce business risk and cost.

Policies set by the business for the business

With intelligence driven IAM, the access policies set by business managers and the risk, audit, and compliance teams can easily be incorporated into the IAM systems. Configuration of policies within intelligence driven IAM solutions enables various stakeholders to fulfill their respective, diverse requirements. For example, business managers can set access privileges for employees based on roles, not individually. This saves time as each role comes with a default collection of privileges defined by the business. Employees occupying similar roles get similar privileges, unless their managers opt to customise them.

For audit, risk and compliance teams, setting policies in intelligence-driven IAM platforms enable them to institute controls and tracking measures to ensure compliance with their requirements. As for information security teams, they gain visibility and control over how access policies are implemented to ensure a secure outcome. Once access policies are instituted, they are applied automatically. Violations are automatically identified, and remediation workflows and alerts generated as necessary.

A course of action

An intelligence-driven IAM model needs to be user-centric, easy to use, and nondisruptive, limiting users only when necessary to protect businesses from danger or damage. Likewise, identity solutions need to automate processes to make it much faster and easier for business managers to set access rights for new employees and to manage user entitlements as people move within the organisation, or partners or customers are added to the system.

Regain control of cloud services

Intelligence-driven security extends enterprise-grade IAM capabilities to the cloud. Organisations can preserve important capabilities such as customised access policies and setting of fine-grained application entitlements while gaining the time-to-value and scalability benefits of cloud-based solutions. In addition, a single authentication interface for all applications enables convenient single sign-on, while ensuring that enterprise IT departments can easily maintain centralised control of these applications.

Achieving coverage of both cloud-based and on-premise applications with a single IAM platform can simplify the integration of new software services. It can also make it far faster, easier, and more cost-efficient to deploy enterprise-grade security for user identities.

Continuous compliance

An intelligence driven IAM model is designed to be easily configurable and automate compliance through polices, minimising costly manual intervention. Traditional IAM manages compliance through manual data collection and consolidation, which then uses manual reporting and documentation to ensure the organisation is actually meeting its compliance requirements. During a typical audit, extensive effort is required to bring systems into compliance and document the changes under intense time constraints. Inevitably, after the audit, things return to “business as usual”, and the organisation immediately falls out of compliance. At the next audit cycle the process is repeated. This results in high costs, disruption to the business, and unsatisfactory audit results.

In contrast, an intelligence-driven IAM system makes compliance a byproduct of “business as usual”, since compliance policies are automatically enforced during the execution of business processes. This results in continuous compliance, virtually eliminating audits’ impacts to the business.

networks-unlimited-156-03-2016-fig2http://www.ee.co.za/wp-content/uploads/2016/02/networks-unlimited-156-03-2016-fig2-768x313.jpg 768w, http://www.ee.co.za/wp-content/uploads/2016/02/networks-unlimited-156-03-2016-fig2-620x253.jpg 620w" sizes="(max-width: 580px) 100vw, 580px" style="border-style: none; border-width: initial;">

Fig.2: An intellligence driven IAM strategy centralises intelligence about users and information resources and is driven by policies instead of manual activites to provide continuous compliance.

User-centric authentication

Traditional password-based authentication is no longer an acceptable practice to secure access to organisations’ digital assets. An intelligence-driven IAM model recognises that security cannot trump convenience anymore. Authentication requirements need to be integrated, not interruptive. A wide range of authentication methods must be available to balance the needs of various users and the value of the information being protected.

A risk-based approach to access

Identity intelligence powers authentication decisions by providing the context to determine risk levels of every access attempt. An intelligence-driven IAM model takes into account the device fingerprint, behaviour analytics, location information and more to create risk profiles that are dynamically updated and transparent to the user. A risk-based approach allows low-risk users to be quickly authenticated while high-risk users would be prompted for additional proof of identity. Introducing multi-factor authentication based on a risk profile allows increased security without interfering with the user experience.

Access management for the business

Identity management, once seen as purely an IT function, is now transitioning to a business function that uses IT applications. That’s because IAM is about conferring users access to enterprise information, resources, and privileges – a responsibility naturally suited to the people managing employees, not to IT personnel unfamiliar with employees’ specific roles and requirements.

As IAM transitions from IT to the business, however, the pressure is on for identity management tools and processes to become user-friendly. IAM software designed for IT personnel will not be satisfactory to non-technical users needing to address identity-related governance problems. IAM solutions must adapt to support the business’s workflows, not expect the business to force-fit their existing processes within software constraints.

Intelligence driven IAM provides processes and tools that are purpose-built for business. They use compliance and business context to create processes that are easy and intuitive for end users to follow, and allow them to easily define roles and privileges that apply across multiple applications and IT systems. And they enforce security and compliance without compromising the quality of the end- user experience.

Automated lifecycle management

IAM solutions also automate many identity management workflows to make them fast and easy for business users. For example, when HR adds a new employee to the company, the IAM solution detects this, and puts multiple procedures into motion: A new user account is created for the employee. The account is automatically populated with access to applications that the employee will likely need in her job. The employee is also added to relevant internal groups. Access rights and memberships are suggested based on what has been conferred to existing employees holding similar job titles and organisational roles. The IAM system alerts the new employee’s manager to review and approve the proposed access profile and privileges. These automated processes not only simplifies onboarding for new employees, it also gives the new hire faster time to productivity.

With intelligence driven IAM, every part of the identity life cycle is covered. Provisioning and change management, revocation of privileges – everything that a business manager might need to do to manage employees’ access during their tenure in the organisation has workflow facilitation and process automation behind it, with automated enforcement of access policies.

Configurable identity management controls and workflows

Easy-to-use, graphical interfaces enable IAM teams (in collaboration with the line-of-business) to configure processes for provisioning, reviewing, approving, changing, and cancelling user accounts and entitlements. This configurable, business-process-driven approach lets IAM teams modify settings for particular roles and policies without involving IT. It not only simplifies the process of managing access and privileges, but it also automates enforcement of the organisation’s security and risk management policies governing users and entitlements. In addition, business managers are only permitted to change user access privileges in conformance with the organisation’s business rules. Before changes are made, intelligence-driven IAM solutions check all change requests against existing policies and controls, preventing the fulfilment of inappropriate requests for access.

Conclusion

An intelligence-driven IAM strategy can protect your organisation’s critical data and applications while ensuring users have convenient access, business units can make access decisions and IT can efficiently and effectively manage the process. Incorporating increased visibility and context of centralised user information, the ability to analyse various metrics in real time and take the appropriate action to mitigate threats enables a highly secure way to link users anywhere and anytime while meeting compliance rules and regulations.

For more info: enquiries@nu.co.za

 

Tags: Security Solutions, RSA,, access management,