The Hindu Business Line : Identity crisis in the security business

INFORMATION is the key to dynamic growth and expansion in today's business environment. Success for an organisation depends on the information leveraging capability between business partners, vendors and its stakeholders. This creates a business need to authorise and secure access to multiple data sources via the intranet, extranet or over the Web.

As an organisation grows, one of the most difficult problems it faces is the availability of updated centralised information. Hence, companies are spending millions of dollars on automation and management information systems (MIS).

The key to success in an MIS is to have

The centralisation of information through the integration of diverse systems.

Information security and identity management (confidentiality, integrity and access, that is, the four As — authentication, authorisation, administration and auditing).

A reduction in the overheads related to deployment, maintenance and administration activities.

Identity under threat

In a business organisation, `identity' defines people's rights and relationships vis-à-vis enterprise resources. It is the key to accessing and using all the systems in a network environment. It is the profile information that tells your company's network who you are, what you are doing and why. Managing identity data ensures that only the right people are granted access to the right resources.

Identity theft accounts for a majority of the information security breaches within the organisation.

Information thieves, disguised as legitimate employees, vendors or business partners, use deceptive tactics to gain access or obtain confidential business information.

Identity theft can be controlled by the efficient e-provisioning and de-provisioning of systems.

In the event of an employee leaving an organisation that is based on a distributed system architecture, the information security manager needs to de-provision the employee from every application where he has had access to.

This is quite a cumbersome process and any delay or inefficiency leads back to identity theft. A secure identity management system denies the de-provisioned employee access immediately and so protects the system from internal information hacking.

Companies use firewalls, intrusion detection systems (IDSs), proxies, pubic key infrastructure (PKI) and secure sockets layer (SSL) to secure data and prevent external hacking and virus attacks. While all these investments help in preventing or recovering from external threats, there is no focus on internal security leaks and hacks.

This, despite the fact that internal threats constitute almost 70-90 per cent of all threats (according to various surveys). So most of these add up as an expense for the company instead of providing any value-addition.

In an enterprise environment, where more employees, partners, and customers are provided access to critical business resources, the challenge is not just in managing a diverse and growing community of users, but managing a community of users that is constantly changing.

New employees, contractors, partners and customers go online daily and they need access to the enterprise resources right away.

Current users' responsibilities change and they need new or different access privileges to do their jobs.

An enterprise faces unprecedented challenges in protecting sensitive data, increasing business process efficiencies, and keeping the cost of identity management under control — all at the same time.

One of the solutions for this is to have enterprise directory services (EDS).

Enter EDS

EDS is a centralised data store that stores information about all the users, their roles and all other details required by the organisation. EDS is implemented using the Light-weight Directory Access Protocol (LDAP), which provides high-speed read access and can scale to any organisation's needs. An EDS provides a unique and centralised administration of resources along with role/group-based access and helps the organisation to centralise the user administration and reduce the administrative burden.

An EDS feeds all the application databases and provides a single user ID or unique ID for every user to log into an application or system in the organisation. Any changes to a user's status are replicated across all the required systems once the information change is made in the EDS. This provides more administrative control and flexibility. HR systems feed employee information/status regularly to the EDS, which then replicates the same across the different systems in the organisation. The administration log of the EDS keeps track of every user's activity, which leads to better security. The user ID and sensitive information can be encrypted and stored. This not only satisfies the current need of all organisations to have standardised security procedures and centralised administration capabilities, but also provides effective tracking for all users.

EDS solutions have successfully helped large international corporations improve their information security efficiencies. These efficiencies have resulted in the following measurable improvements:

Reduction in operational costs/overheads;

Quicker development and deployment of products and services;

Reduced information threats and risks;

Integration of disparate applications, systems and processes;

Reduction in information redundancies and the ability to replicate;

Value-addition in services and processes for stakeholders (employees, clients, investors)

Helps in compliance with BS7799 and ISI7799 standards.

The secret is in effective identity management

The next step a business should move towards is the automated provisioning system. One of the solutions available in the market for automated provisioning is identity management (IDM).

IDM provides a single-point solution for all the aforementioned requirements.

It has i) resource provisioning and de-provisioning; ii) password management; iii) access management and delegation; and iv) activity monitoring, auditing and reporting.

An LDAP/EDS performs as the base for an effective IDM implementation.

Identity provisioning: The advantages

Automated user provisioning: An identity manager enables the automation of previously fragmented, manual processes for managing the full user lifecycle process. It greatly reduces the time it takes to get users up and running productively, to change their access privileges as their roles change, and to instantly and securely revoke their accounts when their relationship with the company ends.

Role- and rules-based provisioning provides the flexibility to set provisioning rules on users, organisations, resources, roles, or groups, which ensures that policies are enforced. An identity manager also provides complete visibility into and control over user access privileges.

Synchronisation services: An identity manager automatically synchronises identity data across a wide range of heterogeneous applications, directories, databases, and other data stores, improving operational efficiencies by eliminating the need for data to be synchronised manually.

An identity manager accommodates the transformation rules, data-flow mapping, and data joints, so that dissimilar schemas can be mapped to any type of data source, thereby protecting the existing infrastructure investments in the enterprise.

Auditing and reporting: An identity manager provides comprehensive audit and reporting of profile data, change history, and enterprise-wide user permissions, ensuring that security risks are detected so that the administrators can respond proactively. The ability to review the status of access privileges at any time improves audit performance and helps achieve compliance with governmental mandates. Reporting on the usage of self-service password resets, and the time to provision or de-provision users provides visibility into key operational metrics and operational improvements. Reports can also be scheduled to be automatically sent to managers for reviewing on a regular basis.

Delegated administration: An identity manager provides a highly granular model for delegating administrative capabilities to departments and organisations, off-loading the burden from central IT groups. This makes it possible to keep pace with the rate of change without incurring an unacceptable increase in cost. Self-service, the ultimate in delegated administration, enables users to request access privileges and manage their own identity information from an easy-to-use Web interface, without outside assistance.

Password management: An identity manager enables secure, automated password reset and synchronisation across enterprise systems, as well as easy self-service access to password management services through a Web browser, telephone, or network login, replacing costly, error-prone manual methods. An identity manager enforces the password policy across resources, enhancing enterprise security. In addition, the administrators can track and measure password-related activities through integration with leading helpdesk systems.

Cross-platform support: Cross-platform support for heterogeneous environments is led by an identity manager. It runs on all of today's leading platforms and also manages user accounts across legacy systems, business applications, Web applications, security control products, and databases.

IDM helps with SOX compliance

At the beginning of this millennium, investors in the US stock market lost $35 billion due to the illegal manipulation of corporate financial reporting.

This resulted in a continual parade of C-level executives through various criminal courts and the passage of the Sarbanes-Oxley Act of 2002 (SOX). Because SOX compliance has been made mandatory for all the private sector companies operating in the US, companies with multinational operations need to implement SOX not only in the US, but wherever it operates. Also, companies dealing with US companies also require to be SOX-compliant, since the operation of those companies put the US operations at risk too. Hence, most of the Indian companies need to understand the importance and significance of SOX compliance.

To meet SOX's objectives all the processes need to be standardised and well-documented. Although SOX does not mandate the automation of any of the processes, it is not likely that many companies use human resources to manually improve the existing process. They would rather go for software tools to enforce standardised processes and provide audit reports for all the actions carried out in these processes. Hence, most companies can easily justify the cost of software management and data security tools that provide accountability and verifiability.

In today's competitive world, most companies look for an application that can help them with regulatory compliance, reduction of cost, and increased productivity.

IDM is ideally suited to meet all these requirements. By combining the processes and the internal security policies through IDM, an organisation can get a highly efficient and cost-effective technology framework to make a process SOX-compliant. This may also result in increased organisational effectiveness and process simplification, without compromising security.

The bottom line is that organisations need to have strict internal controls in all the processes that are executed — but at the same time these controls should not jeopardise their activities. EDS-based IDM provides cost-effective, efficient, and strict internal controls, and standardised and centralised processes, resulting in SOX compliance and savings to the organisation.

(The author is Country Manager, SDG Software India Pvt, Ltd)

Article E-Mail :: Comment :: Syndication :: Printer Friendly Page