There are three big mistakes an organization can make when implementing identity and access management (IAM) systems: not conducting a complete risk assessment of the systems being secured, not checking the compatibility of the IAM system with current network and IT systems, and not verifying that the system will scale as the business grows.
Before implementing any IAM system, an organization must decide what data it wants to protect, who owns that data and how it fits into the organization's data classification policy. Too many companies implement either too little or too much access management. They end up either putting too much emphasis on securing systems with low-risk data, which is overkill, or not putting enough security on high-risk data, which opens the company up to malicious access by hackers.
Creating a data classification policy that defines what is low- and high-risk data is essential to implementing any IAM system. Low-risk data might include marketing information used for sales modeling that describes customer preferences, but can't be tied back to individuals and used for identity theft. High-risk data would include customer and employee information, or details of financial transactions, which could lead to identity theft or monetary loss.
The next priority is to make sure the system meshes with the current IT infrastructure and architecture. Any IAM installation is a major project that touches every piece of an organization's IT plumbing in one way or another. It doesn't make sense to rip out the kitchen sink just to fix the faucet. Consider your platform of choice. If the company favors Linux, then LDAP might be the best choice. If it's mostly Windows-based servers, then Active Directory is the logical choice.
Don't count on an IAM system to be the glue that knits together different systems. If the organization features diverse or mixed platforms, figure out how to keep IAM systems and the directory of authentication credentials on an isolated server -- independent of different platforms.
Another part of checking your infrastructure is planning. Active Directory requires a considerable amount of homework in advance to set up groups, organizational units and directories before installation of hardware, servers, hosts and software can begin.
The third common mistake, not planning for scalability, can be detrimental if your company is growing. Today, you might have 10 employees. In a few years, if the business is successful, there might be 10,000. Can the IAM system handle the growth, or will performance slow to a crawl because it doesn't have the capacity? What if your company acquires another enterprise and has to absorb whole departments? Active Directory and LDAP can expand for growth, but they still require advance planning so groups can be created.
Basically, failing to plan ahead for growth and for infrastructure changes are the biggest mistakes to make when implementing an IAM system.
This was first published in September 2007