Explaining how to build an identity management and access control program from scratch could easily stretch beyond the scope of these few short paragraphs. But, generally speaking, there are four broad steps to implementing an access management system: asset inventory, risk assessment, architecture review and implementation. These steps should flow from your information security policy, something that your company should already have drafted.
Before you begin an implementation, you have to know what you want to protect. Start with a complete inventory of all of your IT assets. The first thing that comes to mind when thinking about what to protect is hardware -- servers, routers, and workstations, for example -- but other assets include data and information hosted and stored on your hardware, so don't forget to include databases. Beyond that, there's also software, applications and more specific data, like customer and employee information, proprietary company statistics and transaction records.
It sounds pretty complicated, but it can be simplified in the next step, the risk assessment phase. The data classification scheme from your information security policy should drive risk assessments. First, take your inventory and break it down into categories based on risk. Data, for example, should be classified somewhere on a three- or five-point scale that ranks low, moderate and high risk. Risk can be determined by assessing the value of the data and figuring how much damage its loss or alteration could cause. Risk assessment is a broad field, but there are online resources available from the National Institute of Standards Web site. This site provides templates and procedures for conducting assessments.
The important point to remember is that your access control policy should be based on your level of risk. High-risk assets need stronger controls, and low-risk data can get by with less strict ones. For example, you wouldn't implement an expensive two-factor authentication system for access to publicly available marketing information. You might, however, for access to a customer database, where the risk of identity theft is great.
The third step is the architecture review. Simply put, what systems are you running? Are they Windows- or Unix-based? For Windows, Active Directory might be the access management system of choice, since it's primarily designed for Windows architectures. For Unix and Linux systems, the answer might be LDAP. There are no cut-and-dried answers; it depends on your architecture, and there are options for many diverse platforms.
Lastly, you'll need an implementation plan, which will be driven by the size and distribution of your staff and IT assets. Another issue to consider is how many different applications will need to be accessed. If there are multiple applications, each with their own user ID and password systems, an enterprise single sign-on (SSO) system should be considered. SSO options range from IBM's Tivoli, a package meant for large companies, to Imprivata, a hardware SSO product for small and midsized companies.
This barely scratches the surface of choosing and implementing an identity management and access control program, but this should give you a high-level framework to get started.
This was first published in December 2006