Finding a comprehensive identity and access management architecture requires leadership to navigate the technology and implementation labyrinth.
No need to beat around the bush—passwords stink. No one—users, administrators, security pros—likes them, and for good reason.
Despite password policies, users persist in repeating poor password choices—their dog's name, birthdays, favorite colors. Getting them to apply fixed alphanumeric combinations at least seven characters long is a security fantasy, and shops trying to enforce strong password policies often discover that passwords aren't free. Heck, they aren't even cheap.
According to recent statistics, 25 to 30 percent of all help desk calls are password-related, the average cost per call is $25, and the average user makes roughly four of these calls per year. Then, there are the omnipresent dangers of skilled social engineers who are able to con even the savviest of users into revealing their passwords.
It's time to place authentication in its rightful place as an important component in a comprehensive identity and access management (IAM) architecture.
But since IAM goes beyond security, it should be approached from a holistic enterprise perspective rather than focused solely on authentication.
After years of languishing on the back burner, IAM will become a major enterprise focus area in the next 24 to 36 months, driven by new business initiatives, regulatory compliance and the need for process efficiency.
Security managers must seize this opportunity and provide IAM leadership on four levels: building a planning team, mapping access requirements, designing an access control architecture and implementing the solution.
The IAM Team
When embarking on an IAM project, security managers must gather a team of application, systems, access, network and directory managers and administrators from various business units across the enterprise. Of course, each department's security staff should have strong representation within the IAM team.
This team's purpose is to define the IAM business requirements—not to architect a technical solution. Each participant must represent his department's needs while collaborating to address overall business requirements. The team's ultimate goal is threefold:
- Assess current problems by developing a list of IAM financial, operational and organizational issues. The team members will define the business risks, operational overhead and organizational issues associated with each problem so the IAM solution can be aligned with overall business goals.
- Define goals by prioritizing short- and long-term objectives based on business value. The team will address tactical operational and security issues, but think strategically about business and regulatory requirements. Will the company outsource any business processes in the next few years? Will the organization need to create roles and access policies for "extended enterprise" applications to service outsiders? Are there any pending or anticipated deadlines for regulatory compliance? A model solution should enable business flexibility, improve security and cut operational costs.
- Pool funds from various business units. While the IT department can certainly build and manage the technology, all business groups should invest in the process. Enterprises may allocate money to IAM projects, but it's quite common for business departments to contribute from their budgets.
During this initial phase, the security group's job is to help the organization fully appreciate the business risks associated with current IAM architectures—weak passwords, poor controls and multiple identity stores. Security managers should avoid the temptation to play "Chicken Little" with constant warnings about security breaches and identity theft that don't amount to much.
Rather, security managers should balance paranoia with hard operational facts: the process of managing and monitoring multiple RADIUS servers, VPNs and network directories requires loads of financial and human resources and is strewn with costly inefficiencies, both human and technical. Quantifying security inefficiencies, losses resulting from breaches and future savings (or, as some call it, return on security investment, ROSI) will be important and well-received input.
This was first published in June 2005