The Locksmith Blog

Dec/09

14

Deploying Secure Network Access

By Jose Allan Tan

Months after Joe left his employer there was a major breach of security at his former company. Weeks of investigation identified the culprit as someone accessing the company’s intranet using Joe’s ID and password. Joe was gainfully busy at his new business so he wasn’t aware of the event until he was approached by police detectives piecing the puzzle together.

The fault here lies not so much in Joe’s possible carelessness in letting someone get hold of his network ID and password. It is more a failure of the company to implement policies governing network access for anyone who has (or may once have had) access to the system.

According to the “IDC Asia/Pacific Semiannual Security Software Tracker, 2H 2006”, the I&AM software market in Asia-Pacific (excluding Japan) is estimated at about $190 million in 2006.

“Many enterprise I&AM solutions have been built as point products or homegrown implementations. Additional patchwork modules were then added to these implementations as requirements changed over the years. The market is demanding more holistic I&AM solutions and many vendors are positioning their products to meet this need,” said Willie Low, senior market analyst for IDC Asia/Pacific.

Access denied

Uttam Majumdar, chief of consulting and professional services at Locuz Enterprise Solutions based in Hyderabad, defines I&AM as an enterprise strategy to manage the identity lifecycle of its information users and to channel their access through secure, policy-enforced methods.

The point of I&AM solutions is to limit access to an organization’s resources to those with legitimate access. Without it, an organization is at risk. The larger the organization the more resources are in need of protection, and the more complex the systems and policies become.

As a business expands and adds more users in need of access to the system, whether employees, partners or suppliers, the greater the need for an automated system that processes applications for access and manages the lifecycle of those users. Delays in providing access to legitimate users naturally translate into lower productivity and discontent in the workforce. Conversely, the window of vulnerability widens the longer it takes the company to revoke access rights where appropriate.

Igor Janicijevic, Principal Security Architect at Cybertrust, defines I&AM as an enterprise-wide service that combines business processes, technologies, and policies to manage digital identities and specify how they are used to access resources. Activities include user provisioning, permission management, and password management, as well as synchronization of identities and accounts between different IT systems. “I&AM cuts across different functions within the enterprise, and increasingly in many cases involves external organizations, such as customers and suppliers,” said Janicijevic.

According to Jerry Cox, CA’s Director of Security Solutions Asia Pacific, I&AM addresses security threats by linking policy-based access enforcement to identities. “Based on an individual’s role or job description, access rights on mainframes, distributed operating systems, web applications and even custom applications are enforced. The business role is tied to the identity and the identity is tied to the access, or authorization policy. Sometimes this is referred to as role-based access control,” says Cox.
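The role-based model Cox describes, together with the lifecycle problem in Joe’s story (an account that outlives its owner’s employment), can be shown in a small identity store. The code below is an added illustration, not part of the article or any vendor’s product; the roles, resources and HR leaver list are constructed samples. Rights attach to roles rather than people, an unknown or disabled identity is denied by default, and a reconciliation against HR’s leaver list measures how long an orphaned account has stayed active.

```python
from datetime import date

# Constructed sample policy: business role -> set of (resource, action) rights.
# Access is granted to roles, never to individuals, as in the RBAC model above.
ROLE_PERMISSIONS = {
    "engineer": {("intranet", "read"), ("source-repo", "write")},
    "finance": {("intranet", "read"), ("ledger", "read"), ("ledger", "write")},
}


class Directory:
    """Toy identity store: provisioning, role change, deprovisioning, reconciliation."""

    def __init__(self):
        self.users = {}  # user_id -> {"roles": set, "active": bool}

    def provision(self, user_id, roles):
        self.users[user_id] = {"roles": set(roles), "active": True}

    def change_role(self, user_id, roles):
        # A job change replaces the role set so rights from the old job do not pile up.
        self.users[user_id]["roles"] = set(roles)

    def deprovision(self, user_id):
        # Disable rather than delete so audit records can still resolve the ID.
        self.users[user_id]["active"] = False

    def is_allowed(self, user_id, resource, action):
        ident = self.users.get(user_id)
        if ident is None or not ident["active"]:
            return False  # unknown or disabled identity: deny by default
        return any((resource, action) in ROLE_PERMISSIONS.get(role, set())
                   for role in ident["roles"])

    def stale_accounts(self, hr_leavers, today):
        """Reconcile against HR's leaver list (user_id -> last day, ISO date).

        Returns [(user_id, days_active_since_leaving)] for identities HR says
        have left but the directory still holds active: the window of
        vulnerability the article warns about.
        """
        today = date.fromisoformat(today)
        return sorted(
            (uid, (today - date.fromisoformat(last_day)).days)
            for uid, last_day in hr_leavers.items()
            if uid in self.users and self.users[uid]["active"]
        )
```

Running the reconciliation on every HR feed, and disabling what it reports, is the control that would have closed Joe’s account months before the breach.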

Creating I&AM policies and implementing them through a combination of process and technology costs money. But the key issue is not the cost of having the system but the greater cost of not having one. I&AM is akin to an insurance policy. You may feel you are handing hard-earned money to someone for something you can’t see or touch. But when an accident happens you are glad you took out the policy.

Selling proposition

One of the challenges CIOs face when proposing I&AM projects is developing the business case to justify the additional budget. I&AM initiatives are not typical IT infrastructure projects. They merge business processes, policies and technologies and aim to provide an enterprise-wide service that most ROI models cannot deal with. “From the CFO perspective, the issues that need to be taken into account are integration costs over time, provision of service and associated benefits on an enterprise-wide scale across multiple business units and corporate departments,” said Janicijevic.

The right approach

Any I&AM initiative will be complex and involve company-wide processes. At times the challenge is just figuring out where to begin.

Janicijevic suggests that organizations conduct a strategic analysis of critical business processes, and take into account key business drivers and articulate the enterprise-level requirements for access management before considering any particular technology for implementation.

“Too often organizations are lured into a technology-centric approach, which sometimes leads to an attempt to modify the way they do business to suit the capabilities and features of a chosen technology. The technology should be implemented to serve the business needs, not the other way around,” cautions Janicijevic.

It is also important to make sure that there is a good understanding of the strategic direction for the organization. I&AM investments can be large and it is important to have a clear understanding of a company’s business directions to make sure that the chosen model will serve the organization well into the future. Barring that, the strategy and solution must be flexible enough to adapt to new business and market realities in the future.

The best policy

CA’s Cox believes that one of the benefits of I&AM is the ability to externalize both identity and access management policies. He notes that policies can be tied to business processes vs. just specific systems or applications. “This allows policy to be defined around business needs and risk management objectives instead of being implemented haphazardly by a myriad of system and application administrators that may or may not understand the value of the data,” he adds.

At a minimum, policy should cover the systems and applications that are critical to the business success of the corporation, and any data that is sensitive and cannot be compromised.

The I&AM enforcer

Having policies in place is one thing. Communicating and enforcing these is another. I&AM policies protect a company’s most important assets and must be defined and implemented at the highest levels in a corporation. Corporate governance is becoming mandatory across many parts of Asia. What started as a US franchise is now spreading throughout the rest of the world. Governance includes the protection of corporate data assets from compromise and a regular review of implemented security controls is mandatory. We may not have seen the high profile jailing of senior executives as those in the US but certainly we are starting to see local executives making headlines in their own way. What is certain is that accountability is becoming a fact of corporate life.

The challenge for Asia is the delegation of responsibility for the company’s corporate data. Today this is still left in the hands of system administrators, who have traditional day jobs for which they were hired and to which they are accountable.

The role of a Chief Security Officer (CSO) is underdeveloped and under-addressed. Cox believes that things will change. Security needs to be seen as a critical business issue, not as an afterthought.

The CSO needs the power to both define and enforce security policy. If a new system or application does not meet a corporation’s security policy, the CSO needs to have the authority to prevent the system from going on-line until security concerns are addressed. This is one of the reasons a CSO should not report up through the IT line of command, but directly to the CFO or President of a corporation.

“They are the watchdogs that ensure company resources are adequately protected and should not be influenced or allow systems to be compromised to meet development deadlines or other pressures,” says Cox.

Identity and access management best practices

Different companies have different priorities and will likely take a unique approach to developing and executing their I&AM strategy. The paths may differ slightly, but the common ground begins below.

Identify and address key business needs and objectives, including both “hard” and “soft” benefits in the business case. Explain the initiative in business terms, and state clearly what the proposed business benefits are. Unless you are presenting to a room of IT geeks, avoid the technical elements of the proposed solution. Remember that an I&AM initiative is not an exercise in technology alone.

In any complex undertaking, the business processes often present much bigger hurdles to a successful implementation than the technology does. So test the proposed business process, not just the technology. Technology often becomes easy to implement once the business process issues have been ironed out.

Don’t let sales people lull you into false expectations. Each business is unique, and any complex solution requires customization as you integrate it into the business process. It is important to implement a robust and effective exception management process. Your organization may have legacy applications that do not interact well with the new solution, and some systems may not be integrable in a cost-effective manner, so an appropriate exception management process will be required.

Technology and business processes change dynamically as businesses integrate into the global economy. The added uncertainty should not deter you from implementing the right solution today. The best way to protect against obsolescence is to implement consistent management practices across the enterprise. Standardizing business processes is the best way to protect any investment and offers a roadmap for future, as yet undefined, changes.

The guide post for any complex undertaking, including I&AM, is the company’s business direction. If you stay true to this course, your identity and access management strategy should deliver value throughout the entire organization.

I&AM is not a point solution. It is a strategy. And the most successful I&AM strategies are those that take a holistic approach to strategy creation. You can implement in phases but the goal must have the entire enterprise in mind.

Outside parties will certainly need to be brought in to help. When choosing a vendor, best practice is to evaluate the company’s business objectives and its ability to implement an I&AM solution in the context of those objectives.

Cox offers an I&AM twist on age-old advice: look for a vendor that has the ability to provide a complete solution — identity management (or enablement), access management (or enforcement) and auditing all the way through.

“The company should be able to provide these functions from the mainframe all the way down through distributed operating systems to custom applications and web services. Also look for a company that is not using software to try and sell more hardware and has a diverse enough solution that they can focus on your business need and not just selling their product. There aren’t very many of these,” adds Cox.

Jose Allan Tan is a technologist-market observer based in Asia. A former marketing director for a storage vendor, he is today director of web strategy and content director for Questex Asia Ltd. He also served as senior industry analyst for Dataquest/Gartner and was at one time an account director for a regional PR agency.
