Recently there's been a new development in the information security world: content-aware identity and access management (CA-IAM). CA-IAM is the integration of two established, usually separately administered security domains -- identity and access management
Full enterprise deployments of CA-IAM, and the standards and experience they bring, are still years off. So does this mean companies can't do CA-IAM today? Not necessarily.
The first domain, IAM, is used to administer user rights. When security personnel think of tools in the IAM domain, they picture Web access management systems, provisioning systems, portals, Web-based applications and federation technologies. The common theme among these technologies is the configuration of data access based on the adage "the right people, getting the right access to the right information."
However, within enterprises there's another, sometimes darker, domain: data protection. The goal of data protection is to correctly configure data rights for information. The people interested in data protection talk about classification of information (i.e. company confidential, secret, top secret, etc.), data loss prevention (DLP), meta-directories, security information and event management (SIEM), event logging, firewalls, secure communications and encryption. The common theme within this domain is "the right data, getting to the right place securely, by means of the right services." While IAM's focus is to secure communications channels to applications and services for users, data protection's focus is to establish secure communications channels to applications and services for data: the yin to IAM's yang.
So why does the concept of combining these two domains make sense? There are three reasons: compliance, data transformation and intelligent user rights.
Regarding compliance, combining the user access rights of identity and access management with the information protection rights of data protection solves the overarching business issue of compliance. Under the cover of existing regulations around privacy and protection -- whether government (i.e. SOX, HIPAA, GLBA, Basel II) or industry driven (i.e. PCI DSS) -- the auditors expect companies to have implemented controls around both authorized user access and data protection. Since the tools that implement these controls have been traditionally separated, it makes sense to combine their functionality for the common good of compliance.
Data transformation involves scenarios in which new data sets are added, data is manipulated, and old data sets are expunged. Managing the sensitivity and value of information during these transformations is becoming increasingly more difficult due to the volume of data a typical enterprise manages and the fact that external organizations are often managing key pieces of data via outsourcing and SaaS to enhance a company's data management capabilities. Determining access to the newly updated and created data can be a nightmare. CA-IAM promises to identify how these transformations have affected the data and, if warranted, automatically map new protections to the data, and then go on to assign new access rights to the information based on corporate policies. An example of how this can be used is a recent announcement of an alliance between Microsoft and EMC Corp.'s RSA unit in which the vendors plan to develop a tight integration between RSA's DLP suite and Microsoft's digital rights management technology. The goal of this alliance is to take the best features of RSA's DLP automated data classification services and map them to Microsoft's file management technology to ensure data classifications and rights automatically follow the data.
With intelligent user rights, it has become important to understand the roles and responsibilities of an individual when determining his or her access to applications and services. After determining an individual's rights, CA-IAM can be used to give proper access to the data, providing fine-grained access controls beyond the application down to the actual data itself.
So if CA-IAM provides such great benefits, why haven't more enterprises implemented it? There are several reasons. First, both IAM and data protection had their start in different parts of the enterprise. IT traditionally started managing user access as part of its infrastructure provisioning projects. As users joined the company, IT added their accounts to the systems they needed to do their jobs. Subsequently, as users' roles or employment statuses changed, IT was responsible for managing and updating their permissions, eventually taking away all rights when users left the company.
Data protection started in the traditional risk management and IT security departments. The responsibility of the data protection pros was to safeguard sensitive data and ensure it didn't leave the organization through unauthorized channels. While these two groups usually work well together, they've each traditionally reported up to different parts of the organization. The prospect of integrating these two disciplines presents, if not a managerial problem, at least a serious managerial project.
Also, in order to even consider implementing CA-IAM, an organization must understand its user and data classifications and have defined processes for managing them. Many organizations are still in the throws of doing role-based access definitions, finding and classifying data based upon existing policies, and aligning risks across the organization. In addition, DLP and IAM tools are still being implemented. Without a level technology playing field, integration of IAM and data protection technologies will involve a lot of time, effort and money, and probably a few costly mistakes along the way.
Something else to consider is that CA-IAM is a concept, not a product. Today's organizations are working to solve business problems through technology; tomorrow's technologies are still in the hands of enterprise architects and risk managers. Full enterprise deployments of CA-IAM, and the standards and experience they bring, are still years off. So does this mean companies can't do CA-IAM today? Not necessarily. While a formal deployment is not yet possible, an enterprise that already understands its data and access requirements, has classified its data, user roles and responsibilities, and has strong political clout, should be able, through policies and processes, to begin to create a common framework, even if the tools aren't integrated. This is how traditional IAM technologies started and it's the way that CA-IAM will begin.
About the author:
Randall Gamby is an enterprise security architect for a Fortune 500 insurance and finance company who has worked in the security industry for more than 20 years. He specializes in security/identity management strategies, methodologies and architectures.
This was first published in October 2009