In 2009, with a down economy and some estimates suggesting as much as 17% of the U.S. workforce laid off, IAM technologies and personnel came into the limelight as the means to control workforce access. As 2009 progressed, accounts needed to be disabled or removed, remaining workers had to have their privileges modified to reflect their new roles and off-boarding processes had to be revisited to ensure 100% of exiting employees' access was removed.
Due to the high demands of these activities, many IAM deployments and feature improvements were put on the back burner while organizations put the pieces of their new business structure in place.
The good news for 2010 is that while companies are still making further adjustments, the worst seems to be in the past, and the coming year looks to be a time of rebuilding. Organizational emphasis is shifting from a tactical mindset of coping with a flood of removes and changes to a more strategic goal of improving systems and processes. In addition, since IAM personnel gained unparalleled access to their companies' executive management and HR departments due to the number of layoffs -- something that's always been a challenge -- the value of their services and the interpersonal relationships forged during 2009's downsizing activities have brought a better understanding of the importance of IAM to many companies.
But as IAM personnel get to work in 2010, they'll find the money they need to get back on track will be harder to get and budgets will be less than they expected. Many executives are still in shell shock from last year and will most likely underestimate revenues -- and undercut budgets -- rather than face more layoffs. This will mean that there will be greater scrutiny and stronger justifications needed for any proposed IAM projects for the coming year. With this in mind, what IAM technologies will provide the most benefit to the marketplace in 2010?
Provisioning technologies and recertification services
First on the list are improved provisioning technologies. With downsizing and cleanup activities still a reality, and fewer employees to do the work, it will be important to extend the scope and automation of existing provisioning systems. In 2009, many companies found their off-boarding processes were less than optimal, and many just didn't work. A lot of effort was put into fixing these problems, and in 2010, on-boarding and employee transformation processes will still need to be cleaned up. In addition, many companies found out they had only partially automated their authorization services and that many end systems were still manually administered. This means new provisioning connectors for end systems, help desk systems and account recertification services will need to be implemented.
Speaking of recertification services, what are they, and why will they be important in the coming year? These tools pull authorization information from end systems, then collate and join this data into reports. These "entitlement" or "system access" reports allow line-of-business managers to determine if their employees have the right access to the systems they need to do their jobs. In 2009, when many employees were reassigned to fill in key areas left by exiting employees, entitlements were assigned in an ad hoc manner. This means there is a risk that employees may have access to information they shouldn't have, that old entitlements weren't removed or that separation-of-duties policies were violated. In 2010, efforts should be undertaken to make sure managers have the information they need to ensure correct employee access.
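The two preceding paragraphs describe the recertification workflow: collect entitlements from each end system, join them against the HR picture, and give managers a report that exposes accounts off-boarding missed, entitlements left over from a previous role, and separation-of-duties conflicts. The script below is an added example, not code from the article or any product; the roster, entitlements, role model and SoD rule are constructed sample data, and in practice the entitlement rows would arrive through the provisioning connectors discussed above.

```python
"""Entitlement recertification report (constructed example).

Joins access data pulled from several end systems against the HR roster,
then flags the risks named in the text: orphaned entitlements left behind
by incomplete off-boarding, stale entitlements from a former role, and
separation-of-duties (SoD) violations. All data below is constructed.
"""
from collections import defaultdict

# HR roster: source of truth for who is still employed, their current role and manager.
HR_ROSTER = {
    "alice": {"manager": "carol", "role": "ap_clerk",    "status": "active"},
    "bob":   {"manager": "carol", "role": "ap_approver", "status": "active"},
    "dave":  {"manager": "erin",  "role": "dba",         "status": "terminated"},
    "frank": {"manager": "erin",  "role": "developer",   "status": "active"},
}

# Entitlements pulled from each end system, as (system, account, entitlement).
ENTITLEMENTS = [
    ("ad",  "alice", "AP_Users"),
    ("sap", "alice", "AP_CREATE_VENDOR"),
    ("sap", "alice", "AP_APPROVE_PAYMENT"),   # conflicts with AP_CREATE_VENDOR (SoD)
    ("sap", "bob",   "AP_APPROVE_PAYMENT"),
    ("db2", "dave",  "DBADM"),                # dave was terminated: orphaned entitlement
    ("ad",  "frank", "Developers"),
    ("db2", "frank", "DBADM"),                # frank moved from dba to developer: stale
]

# Entitlements each role is expected to hold (constructed role model).
ROLE_MODEL = {
    "ap_clerk":    {"AP_Users", "AP_CREATE_VENDOR"},
    "ap_approver": {"AP_Users", "AP_APPROVE_PAYMENT"},
    "dba":         {"DBADM"},
    "developer":   {"Developers"},
}

# Sets of entitlements that must never be held together by one person.
SOD_RULES = [({"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}, "create vendor + approve payment")]


def collate(entitlements):
    """Join per-system entitlement rows into one set of entitlements per account."""
    per_account = defaultdict(set)
    for _system, account, ent in entitlements:
        per_account[account].add(ent)
    return per_account


def build_report(roster, entitlements, role_model, sod_rules):
    """Produce the findings a line-of-business manager certifies or revokes."""
    per_account = collate(entitlements)
    report = {"orphaned": [], "stale": [], "sod_violations": [], "by_manager": defaultdict(list)}
    for account, held in sorted(per_account.items()):
        person = roster.get(account)
        if person is None or person["status"] != "active":
            # No active employee owns this account: off-boarding missed it.
            report["orphaned"].append((account, sorted(held)))
            continue
        expected = role_model.get(person["role"], set())
        for ent in sorted(held - expected):
            # Held but not justified by the current role: left over from a previous assignment.
            report["stale"].append((account, ent))
        for conflict_set, label in sod_rules:
            if conflict_set <= held:
                report["sod_violations"].append((account, label))
        # Managers certify their own people, so group review items by manager.
        report["by_manager"][person["manager"]].append((account, sorted(held)))
    report["by_manager"] = dict(report["by_manager"])
    return report


if __name__ == "__main__":
    result = build_report(HR_ROSTER, ENTITLEMENTS, ROLE_MODEL, SOD_RULES)
    for section in ("orphaned", "stale", "sod_violations"):
        print(section, result[section])
    for manager, items in result["by_manager"].items():
        print("review for", manager, items)
```

Orphaned accounts go straight to the off-boarding queue; the stale and SoD findings, grouped by manager, are the entitlement report the text describes, and the role model is what turns a raw access list into a yes/no question a manager can actually answer.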
Setting up virtual directories to support development
With a decreased workforce and more focus on business functions, infrastructure services will need to shift toward providing services with minimal impact to business applications. One key area that's always required business applications to be IAM-aware is enterprise repositories. As more applications depend on enterprise repositories (LDAP, Active Directory, SAP, DB2, etc.) to reduce the amount of locally administered authentication information, and as managers look for greater consistency among applications that use enterprise-wide coarse-grain authorization information, substantial integration activities will need to take place between these repositories and even the simplest of business applications.
Virtual directories have been around for several years, but proving the ROI of these technologies has been difficult until now: The need for a generic repository "service bus" that allows applications to get to enterprise identity information easily will make these technologies invaluable in 2010. For example, the ability to mask which underlying enterprise repository contains the information an application needs (i.e., no longer needing to know whether an application's user information is in the corporate LDAP or AD repository) simplifies development significantly; enterprise repositories can even be configured to emulate a local identity store (i.e., a virtual directory can be configured to imitate the locally attached SQL database an application requires for storing its authentication information). This allows application developers to concentrate on providing enhanced functionality without worrying about integrating their authentication/authorization services with an enterprise repository.
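The paragraph above makes two claims about virtual directories: that they hide which repository holds a user, and that they can stand in for the local store an application expects. The following is an added example, not code from the article or any virtual directory product, showing both in miniature: two repositories with different attribute names (an AD-style store and an LDAP-style store, both constructed in-memory dicts) are presented through one lookup point with a single attribute vocabulary, and a second facade makes that lookup point answer like a legacy application's SQL users table. A real virtual directory would proxy live LDAP, AD or database connections behind the same adapter idea.

```python
"""Virtual directory facade (constructed example).

Applications call get_user/has_group with a unified schema (uid, mail,
groups) and never learn which repository answered. Adapters do the
per-repository attribute mapping; LocalUserTableEmulation shows the
virtual directory imitating an application's local SQL user table.
"""

# Repository 1: AD-style records keyed by sAMAccountName (constructed sample).
AD_STORE = {
    "alice": {"sAMAccountName": "alice", "mail": "alice@corp.example",
              "memberOf": ["CN=AP_Users,OU=Groups,DC=corp", "CN=Staff,OU=Groups,DC=corp"]},
}

# Repository 2: LDAP-style records under a different naming scheme (constructed sample).
LDAP_STORE = {
    "uid=ctr_bob,ou=contractors,dc=corp": {"uid": "ctr_bob", "mail": "bob@contractor.example",
                                          "businessCategory": ["reporting", "readonly"]},
}


def ad_adapter(uid):
    """Map an AD record onto the unified schema, or return None if absent."""
    rec = AD_STORE.get(uid)
    if rec is None:
        return None
    # "CN=AP_Users,OU=Groups,DC=corp" -> "AP_Users"
    groups = [dn.split(",")[0].split("=", 1)[1] for dn in rec["memberOf"]]
    return {"uid": rec["sAMAccountName"], "mail": rec["mail"], "groups": groups}


def ldap_adapter(uid):
    """Map an LDAP record onto the unified schema, or return None if absent."""
    for _dn, rec in LDAP_STORE.items():
        if rec["uid"] == uid:
            return {"uid": rec["uid"], "mail": rec["mail"], "groups": list(rec["businessCategory"])}
    return None


class VirtualDirectory:
    """Single lookup point that tries each repository adapter in order."""

    def __init__(self, adapters):
        self.adapters = list(adapters)

    def get_user(self, uid):
        for adapter in self.adapters:
            rec = adapter(uid)
            if rec is not None:
                return rec
        return None

    def has_group(self, uid, group):
        """Coarse-grained authorization check on enterprise group data."""
        rec = self.get_user(uid)
        return rec is not None and group in rec["groups"]


class LocalUserTableEmulation:
    """Answers like a legacy app's SQL users table (username, email, roles_csv),
    but every row is served from the virtual directory instead of a local database."""

    COLUMNS = ("username", "email", "roles_csv")

    def __init__(self, vd):
        self.vd = vd

    def select_by_username(self, username):
        rec = self.vd.get_user(username)
        if rec is None:
            return []
        return [(rec["uid"], rec["mail"], ",".join(rec["groups"]))]


def build_directory():
    """Wire the adapters in the order repositories should be consulted."""
    return VirtualDirectory([ad_adapter, ldap_adapter])


if __name__ == "__main__":
    vd = build_directory()
    print(vd.get_user("alice"))
    print(vd.has_group("ctr_bob", "reporting"))
    print(LocalUserTableEmulation(vd).select_by_username("ctr_bob"))
```

The application code above the facade contains no LDAP filters, no distinguished names and no knowledge of which store holds contractors, which is exactly the integration work the paragraph says developers should be spared; adding a third repository means adding one adapter, not touching the applications.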
Update antimalware; consider SaaS
Finally, with so much internal focus in 2009, many external threats that didn't result in direct attacks were ignored. In 2010, with attackers swarming like predators around wounded prey, attacks will target organizations still reeling from 2009's economic problems. For these companies, renewed investment in proactive security against malware, viruses and phishing attacks will be required. While many organizations looked to purchase and deploy their own services in 2009, the lack of capital funds and reduced workforces in 2010 will shift the focus to appliance and SaaS technology. Existing messaging appliances will also have to be reconfigured, not only for secure message transport, but also to be tied into emerging data loss prevention (DLP) technologies to prevent successful attacks from sending sensitive information outside the boundaries of the organization.
So, while money will continue to be hard to come by in 2010, IAM personnel should be able to leverage the relationships they forged in times of crisis to fund key areas of their work left on the 2009 drawing board. When communicating with business leaders about the need for more resources, IAM pros shouldn't be afraid to use examples from 2009 when technology or processes weren't as smooth or effective as they should've been. With stronger, automated provisioning tools and recertification of entitlements ensuring proper employee access, as well as generic authentication repositories enabling quicker, smaller application development projects, in conjunction with perimeter protection through appliances and SaaS services, companies can begin to rebuild their IAM programs in hopes of 2011 bringing better budgets to continue their work.
About the author:
Randall Gamby is an enterprise security architect for a Fortune 500 insurance and finance company who has worked in the security industry for more than 20 years. He specializes in security/identity management strategies, methodologies and architectures.
This was first published in January 2010