Organizations rely on identity and access management (IAM) systems to streamline the administration of identities, entitlements and credentials and to enforce controls over access to critical systems, applications and data.
This document is an introduction to modern IAM systems, to help organizations plan for, prioritize, deploy and manage IAM process automation. It covers:
- Business drivers -- reasons to deploy an IAM system.
- Process optimization and automation -- the kinds of processes that can be automated, and advice to adopt best practices rather than simply automating existing processes.
- Data cleanup versus process automation -- clarifying that cleaning up identity and entitlement data or defining roles are not prerequisites to IAM process automation.
- Architecture and integrations -- the integrations between the IAM system and other systems and applications and the variables that should be considered to scale the system up.
- Organizational impact -- staffing required to deploy and operate an IAM system successfully.
- Selecting a vendor and product -- advice for how to select a suitable product from a helpful vendor without having to read thousands of pages of RFP responses.
- Program, not project management -- a long-term commitment to implement and expand the system.
- Incremental deployment -- prioritizing deliverables and expanding the scope of the system over time, rather than trying to implement all possible processes and integrations at once.
- Ongoing system management -- roles and responsibilities for the IAM program team once the system has been deployed.
The first step in an IAM project is to understand the problems that automation is intended to address.
The business drivers for deploying an identity and access management (IAM) system include:
- Internal controls and regulatory compliance:
  - Reliable access deactivation when users leave the organization.
  - Ensure that new access is granted in accordance with business need and in compliance with policy.
  - Enforce segregation of duties policies.
  - Periodically review security entitlements and eliminate any that are no longer business-appropriate.
  - Control access to privileged accounts and elevated privileges more generally.
  - Eliminate weak passwords and other credentials.
  - Require strong authentication wherever possible.
- IT support cost:
  - Lower IT support call volume and help desk staffing.
  - Reduce the volume and cost of manual access administration.
  - Reduce the burden placed by auditors on system administrators.
- User service:
  - Provision required access promptly.
  - Simplify access requests.
  - Reduce the number of passwords users must manage and enter.
Linking IAM to regulatory compliance
Regulatory compliance with legal requirements such as SOX, HIPAA, GLB, FDA 21-CFR-11, GDPR (EU) and PIPEDA (Canada) has created significant challenges for many organizations. At the same time, many organizations wish to implement standardized security controls, such as ISO27001/27002. While the focus of each of these is different, they share common threads: strong internal controls -- especially in relation to access to sensitive systems and data -- and privacy protection. While it is organizations, rather than software products, that must comply with these regulations, Hitachi ID Identity Manager provides a variety of capabilities that help organizations to meet these objectives.
Both corporate governance and privacy protection depend on strong security in applications and IT infrastructure. Without such security, internal controls cannot be relied upon and regulatory compliance cannot be assured.
IT security depends heavily on an infrastructure of user authentication, access authorization and audit, commonly referred to as AAA. AAA, in turn, depends on accurate and appropriate information about users -- who are they, how are they authenticated and what can they access?
It is in managing these entitlements that organizations run into problems. There are too many users, accessing too many systems, and they keep moving as a result of hiring, transfer and termination business processes. The result is that users sometimes have inappropriate access rights or weak credentials, which undermine the AAA infrastructure in systems and applications.
Identity Manager helps organizations to more securely manage identities, entitlements and credentials, so that AAA systems (embedded in systems/apps or shared infrastructure) can enforce the right rules at the right times, in support of security, corporate governance, privacy protection and ultimately regulatory compliance.
IAM process automation
An IAM system addresses the challenges of cost, security and user service through:
- Automation: grant or revoke access based on changes in trusted data (typically HR).
- Requests: users request changes to identity data or access rights -- for themselves or for peers.
- Certification: stakeholders review the status and access rights of other users, to identify access which is no longer business-appropriate.
- Workflow: users are invited to approve requests, implement approved changes or perform access reviews.
- Analytics: examine trends, access rights, data consistency and policy compliance to identify and remediate problems.
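The automation bullet above (grant or revoke access based on changes in trusted HR data) and the earlier control objectives (reliable deactivation of leavers, access granted per policy, segregation of duties enforced) can be made concrete with a small reconciliation pass. The following is an added example, not Hitachi ID code and not how Identity Manager is implemented internally; the HR feed, current-access snapshot, birthright role table and segregation-of-duties pairs are all constructed for the example, and the joiner/mover/leaver rules are assumed policy rather than anything the document specifies.

```python
"""Joiner/mover/leaver reconciliation driven by a trusted HR feed.

Added example (not product code). Everything below is constructed data and
assumed policy: a real deployment reads the HR system and target systems.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed HR extract: the trusted source of who is active and where.
HR_FEED = [
    {"id": "E100", "name": "Alice", "dept": "finance",     "status": "active"},
    {"id": "E101", "name": "Bob",   "dept": "engineering", "status": "active"},
    {"id": "E102", "name": "Carol", "dept": "finance",     "status": "terminated"},
    {"id": "E103", "name": "Dave",  "dept": "finance",     "status": "active"},  # moved from engineering
]

# Constructed snapshot of entitlements currently held in target systems.
CURRENT_ACCESS = {
    "E100": {"erp-ap-clerk", "erp-ap-approver"},  # holds both halves of an SoD pair
    "E101": {"vpn"},
    "E102": {"erp-ap-clerk", "vpn"},              # leaver whose access was never removed
    "E103": {"vpn", "git"},                       # still carries old-department access
}

# Assumed policy: birthright roles granted automatically per department.
BIRTHRIGHT = {
    "finance":     {"vpn", "erp-ap-clerk"},
    "engineering": {"vpn", "git"},
}

# Assumed policy: role pairs no single user may hold at the same time.
SOD_PAIRS = [frozenset({"erp-ap-clerk", "erp-ap-approver"})]


@dataclass
class Plan:
    """Changes the IAM system would push to target systems, plus findings."""
    grant: dict[str, set[str]] = field(default_factory=dict)
    revoke: dict[str, set[str]] = field(default_factory=dict)
    sod_violations: dict[str, list[frozenset[str]]] = field(default_factory=dict)


def reconcile(hr_feed, current_access, birthright=BIRTHRIGHT, sod_pairs=SOD_PAIRS) -> Plan:
    plan = Plan()
    hr_by_id = {row["id"]: row for row in hr_feed}
    all_birthright = set().union(*birthright.values())

    # Leavers and orphans: anyone holding access who is not active in HR loses all of it.
    for uid, held in current_access.items():
        row = hr_by_id.get(uid)
        if (row is None or row["status"] != "active") and held:
            plan.revoke[uid] = set(held)

    # Joiners and movers: active employees converge on their department's birthright set.
    for uid, row in hr_by_id.items():
        if row["status"] != "active":
            continue
        held = current_access.get(uid, set())
        wanted = birthright.get(row["dept"], set())
        missing = wanted - held
        # Birthright roles from some other department are stale after a transfer;
        # roles outside every birthright set are left alone (they may be requested access).
        stale = (held & all_birthright) - wanted
        if missing:
            plan.grant[uid] = missing
        if stale:
            plan.revoke.setdefault(uid, set()).update(stale)
        # Check SoD against the access the user will hold once the plan is applied.
        resulting = (held | missing) - stale
        for pair in sod_pairs:
            if pair <= resulting:
                plan.sod_violations.setdefault(uid, []).append(pair)
    return plan


if __name__ == "__main__":
    plan = reconcile(HR_FEED, CURRENT_ACCESS)
    for uid, roles in sorted(plan.revoke.items()):
        print(f"revoke {uid}: {sorted(roles)}")
    for uid, roles in sorted(plan.grant.items()):
        print(f"grant  {uid}: {sorted(roles)}")
    for uid, pairs in sorted(plan.sod_violations.items()):
        print(f"SoD    {uid}: {[sorted(p) for p in pairs]}")
```

The order of the two passes matters: leavers are handled before joiners and movers so that a terminated record never receives birthright roles. Segregation-of-duties violations are reported rather than silently resolved, because which half of a conflicting pair to remove is a business decision that belongs in the request or certification workflow, not in the automation pass.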