Ask the Expert

How to begin identity management and access control implementation

If my organization is starting from scratch, having almost no identity management features and only very traditional access control coded on the legacy mainframe systems, how should we begin to implement an identity management program?

    Requires Free Membership to View

Explaining how to build an identity management and access control program from scratch could easily stretch beyond the scope of these few short paragraphs. But, generally speaking, there are four broad steps to implementing an access management system: asset inventory, risk assessment, architecture review and implementation. These steps should flow from your information security policy, something that your company should already have drafted.

Before you begin an implementation, you have to know what you want to protect. Start with a complete inventory of all of your IT assets. The first thing that comes to mind when thinking about what to protect is hardware -- servers, routers, and workstations, for example -- but other assets include data and information hosted and stored on your hardware, so don't forget to include databases. Beyond that, there's also software, applications and more specific data, like customer and employee information, proprietary company statistics and transaction records.

It sounds pretty complicated, but it can be simplified in the next step, the risk assessment phase. The data classification scheme from your information security policy should drive risk assessments. First, take your inventory and break it down into categories based on risk. Data, for example, should be classified somewhere on a three- or five-point scale that ranks low, moderate and high risk. Risk can be determined by assessing the value of the data and figuring how much damage its loss or alteration could cause. Risk assessment is a broad field, but there are online resources available from the National Institute of Standards Web site. This site provides templates and procedures for conducting assessments.

The important point to remember is that your access control policy should be based on your level of risk. High-risk assets need stronger controls, and low-risk data can get by with less strict ones. For example, you wouldn't implement an expensive two-factor authentication system for access to publicly available marketing information. You might, however, for access to a customer database, where the risk of identity theft is great.

The third step is the architecture review. Simply put, what systems are you running? Are they Windows- or Unix-based? For Windows, Active Directory might be the access management system of choice, since it's primarily designed for Windows architectures. For Unix and Linux systems, the answer might be LDAP. There are no cut-and-dried answers; it depends on your architecture, and there are options for many diverse platforms.

Lastly, you'll need an implementation plan, which will be driven by the size and distribution of your staff and IT assets. Another issue to consider is how many different applications will need to be accessed. If there are multiple applications, each with their own user ID and password systems, an enterprise single sign-on (SSO) system should be considered. SSO options range from IBM's Tivoli, a package meant for large companies, to Imprivata, a hardware SSO product for small and midsized companies.

This barely scratches the surface of choosing and implementing an identity management and access control program, but this should give you a high-level framework to get started.

More information:

This was first published in December 2006

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: