The IT Security Management Challenge
IT Managers today face a dizzying array of pressures. They must not only ensure a secure environment to protect the company's assets and industry reputation, but they often are being asked to do it at a lower cost than in the past. The pressure on IT to "do more with less" is strong and is unlikely to change significantly.
This pressure to increase IT efficiency and to manage costs exists in the face of increasing demands for more and better applications and services for the user and management populations as a whole. The demands for increased capabilities and services spring from several emerging trends. Among the most important of these trends are:
Increased Need for Regulatory Compliance. The burdens of compliance with current laws and regulations such as Sarbanes-Oxley and HIPAA often fall heavily on the IT security group. Creating effective internal security controls for compliance often places enormous strains on this group.
Increased Merger and Acquisition Activity. As companies grow through acquisition or mergers, the complexity of the IT security challenge increases with each acquisition. Entire new user populations and applications as well as many heterogeneous legacy systems must be integrated into an existing IT infrastructure. The complexity of the resulting infrastructure can increase significantly.
Steadily Increasing User Populations. As companies extend their business applications to their partners, and to increasing numbers of online customers, the demands on IT expand significantly. Managing ever-increasing numbers of users, their profiles, and their access rights to protected applications puts a strain on budgets, and increases the need for an effective way of improving the overall effectiveness and efficiency of IT and other associated organizations (such as Help Desk).
These factors, among others, are driving IT groups to search for solutions to streamline the management of their operation. The competing requirements to reduce costs and increase services present huge challenges. This paper discusses ways of streamlining the management of IT security in order to improve the overall operational efficiency of the enterprise. The focus of this paper is on the cost reductions that can be gained through the use of an integrated Identity and Access Management (IAM) solution.
Introduction to Identity and Access Management
In almost all companies, users' identities and their access privileges are a core element of the e-business strategy. Behind those identities are the employees, contractors, partners, customers and others who drive every aspect of operations. Identity management is a set of processes and systems that determines who should have access to what applications, databases and platforms, and the conditions under which that access should be granted. The key questions that must be answered by the identity and access component of security management are:
Who has access to what?
What did they do?
When did they do it?
How can we prove it?
By answering these questions, you can effectively align security with business goals, protect vital business assets, streamline business operations and achieve regulatory compliance. The key capabilities, which must be integrated together for successful identity and access management, are:
Identity Administration ? Enables the creation and administration of user identities and profile information.
Provisioning Allocates to each user the appropriate accounts and access rights to corporate resources, as well as de-provisioning them at the appropriate time (e.g., when they leave the company).
Access Management ? Helps to ensure that your organization maintains the integrity of its information and applications by preventing unauthorized access. This includes controlling access to all critical resources, including web applications, enterprise applications, systems, critical system services, databases, and repositories.
Monitoring/Auditing Provides aggregation, filtering, analysis, and correlation of security events across all components within the environment. Also, it provides visualization tools to facilitate analysis of this information by system administrators.
In summary, sound identity and access management practices and systems provide a foundation for security management by addressing identity-related system exposures, enforcing consistent security policy across your enterprise and delegating administrative access power. It also helps lower administration costs through integrated auditing and automated management.
Let's now look at specific ways to increase efficiency through the use of an IAM platform.
