IntroductionIdentity and Access Management (I&AM) is supported by a range of widely used and reasonably mature protection technologies, that when deployed correctly, enable organisations to operate efficiently in today’s competitive and often difficult trading environments.
The efficient management of identity and associated access control issues needs to be of pressing concern for all security-conscious organisations, irrespective of their size or business focus.
This report looks at how I&AM protection technology can be utilised to support the operational need of the business and its users.
Business success and the efficiency with which successful organisations drive the delivery of their operational services is empowered by the availability of information – providing the right information to the right people at the right time – but the most significant challenge that all organisations face today is one of maintaining control.
There is a need to build trusted environments where the identity of each user can be proved before access rights are granted.
These must be environments where customers and citizens can gain on-request access to personal and account information, without running the risk of falling prey to identity theft; where employees are able to gain unencumbered access to corporate networks, systems, and applications, irrespective of where their chosen place of work happens to be; and where business partners and suppliers can be provided with certified access channels to collaborative information sources.
Today we have a situation where business needs to improve and more effectively control the way that it manages and protects its information.
From a technical stand-point most of the information that needs to be protected is collected, stored, and made available electronically from within public and private sector computer systems.
A vast amount of this information is openly available on demand, but other more sensitive corporate information, whilst still available to the right requestors, requires more qualified access and protection rules.
In the main, it is this second type of information that must have adequate security and authentication rules and policies applied each time information users demand access.
Therefore, without the ability to streamline, manage, and control identity, organisations leave themselves extremely vulnerable to a wide range of internal and external threats.
Good quality Identity and Access Management (I&AM) acts as a corporate policeman, it determines rights of passage, directs the traffic flow by enabling authorised users to get access to business information, but essentially it provides all the locks and keys to corporate systems and networks.
Our view is that the role of I&AM in support of the business and its users is to effect a balance between systems and information protection and the operational needs of the organisation.
The locks need to be secure enough to make unauthorised access difficult to achieve, but at the same time the keys must allow smooth and easy access when authorised entrants come calling.
Each individual organisation will have its own specific identity-based protection requirements, and in addition, across specific business sectors there will be a number of common systems and information protection issues.
However, I&AM provides a number of core technology components which for the purposes of this report are detailed below: Identity Management: Controls the use of directory (LDAP) and meta-directory management facilities.
Authentication Technologies: Provides support for single- and multi-factor authentication.
Password Management and Systems Synchronisation: Is used to control the frequency, content, and structure of passwords, and to provide self-service capabilities.
SSO: Delivers one of the key integration layers of I&AM.
Access Control: Web and enterprise access control is a key component of enterprise I&AM.
Provisioning and De-provisioning: Provides the capability to deliver role-based provisioning, individual provisioning, group and departmental provisioning, and appropriate de-provisioning capabilities.
Administration and Policy Management: Delivers federated and delegated administration facilities, linking through to policy- and regulatory compliance-based requirements.
Performance and Scalability: I&AM has to be driven by a delivery model that is capable of providing service irrespective of traffic flow volumes.