This article can also be found in the Premium Editorial Download "Information Security magazine: Keeping on top of risk management and data integrity essentials."
SOX and other security regulations' integrity requirements dictate that enterprises know who's on their systems, who's accessing their data and what they do with that data. This is renewing interest in technologies that provide command and control over the entire identity management lifecycle.
Protecting infrastructure and protecting information share the top spot among this year's enterprise security priorities and are the dominant priorities in several industries. Enterprises are moving beyond the traditional paradigm of "keep the bad guys out, let the good guys in," to one of "security experience management"--what users are allowed to do once they gain access.
"We need to know who the users are, what they're accessing and whether what they're accessing is authorized," says Pamela Fusco, CSO of pharmaceutical giant Merck. "I have to sign off that someone has the right to do what he's doing. And when the user leaves the company, we deprovision his account quickly."
Merck has 72,000 users across its global operations and provides hundreds of thousands of partners, contractors, researchers and consultants access to its systems. Provisioning, administering and monitoring user access are top priorities because of regulatory requirements.
Merck's corporate security department has 20 full-time admins devoted to nothing but identity management issues. Like many enterprises in similar situations, Merck is rapidly adopting automated password reset solutions, account monitoring applications and federated identity capabilities. The goals are to easily maintain regulatory compliance, contain the cost and improve the efficiency of identity management, and improve user experience through simplified sign-on.
"One of the biggest issues is the time you have to spend identifying accounts, and decommissioning accounts and passwords," Fusco says. "If there were a streamlined methodology--a lifecycle--you wouldn't spend so much time and resources on identity management."
Many identity management solutions are on rapid-adoption curves, despite the complexity of the technology and its associated processes. According to our survey, 39 percent of enterprises use self-service password systems, while another 35 percent plan to deploy them within the next year. The numbers are nearly identical for automated provisioning systems. Enterprises seem to be banking on point solutions rather than integrated suites, which are deployed in only 21 percent of surveyed enterprises and have a shallower adoption curve.
"Getting identity management into one spot, under more control and to report more effectively is our goal," says Patrick Heim, VP of security at McKesson, a global provider of health care products and systems. "Suites are still very complex because they require agents, strict roles and a significant initial investment to get off the ground. Centralizing identity management procedures and processes--the things that most auditors are interested in--into an automated framework is cost effective."
This was first published in April 2005