The Power of IdM
Jun 1, 2006 12:00 PM, By Sandra Kay Miller
Organizations are routinely poking more holes through their network perimeters to enable communication with employees, customers, partners and mobile work forces. In an effort to deal with a porous boundary, the security paradigm is shifting from reactionary to proactive, extending the reach of the enterprise to securely encompass customers, partners and employees while fostering a productive environment.
“It's not about keeping bad guys out, it's about letting the right people in,” says Chris Voice, CTO of Entrust (www.entrust.com), an identity management (IdM) vendor who introduced the first commercially available public-key infrastructure (PKI) in 1994.
Defining IdM
IdM is not a defined security product like a firewall, but a term for the comprehensive administration and automation of how individuals are identified within a system and how their access to resources is controlled. Rights to the system are linked to established identities, which determine what a user can and cannot do within a particular system.
The adoption of IdM does not mean that the firewall is dead. According to Rob Ciampa, vice president of marketing and business strategy at Trusted Network Technologies (www.trustednetworktech.com), firewalls still serve an extremely important role against network attacks such as denial of service.
Ciampa points out that changing business needs are taxing devices like firewalls because administrators are pushing them to meet the demands for specific, individual user-based policies. The result is firewall rule sets that become overly complex and firewalls that are impossible to maintain or audit, which raises the risk profile.
Perimeter security is relatively blind, making it practically impossible to differentiate between a good packet and a bad packet traversing an approved channel. Even more compelling is the fact that 90 percent of security breaches relate to a company's own employees — meaning companies must protect their perimeter while monitoring behavior and controlling access within the private network. Many organizations are turning to IdM to meet internal security challenges in a scalable manner.
“Both [firewalls and IdM] are still critically important and are becoming more closely linked as part of a full security management strategy,” says Kurt Johnson, vice president of corporate development for Courion (www.courion.com). Johnson says that IdM has garnered more attention than traditional network access control technologies, which have been labeled as ineffective during regulatory compliance audits.
Regulatory compliance
Increasingly, organizations are choosing IdM to both maintain security within the network and to help automate and maintain compliance requirements. C-level executives have been forking over millions of dollars to IT departments to comply with regulatory acts such as Sarbanes-Oxley, Gramm-Leach-Bliley and HIPAA.
“Regulatory compliance is not a one-time effort, it is an ongoing, annual re-certification, and organizations need to be able to show improvement year after year,” says Robert Grapes, senior product manager for Enterprise Solutions at Cloakware (www.cloakware.com).
Unfortunately, many organizations have viewed compliance as a one-shot deal — like Y2K. When year two rolled around and organizations realized that auditing requirements would have to be met on an annual basis, IdM was quickly pegged as a solution for automating processes with stringent audit controls and enhancing security while remaining agile enough to promote business.
Taking IdM up the ladder
For all of IdM's promise of compliance, security, automation and cost savings, implementing it in an organization is not as simple as hooking a new appliance onto the network and running an install wizard.
John Reese, former deputy commissioner for modernization and CIO at the Internal Revenue Service, speaks from experience about the challenges of implementing IdM. “Frankly, the toughest nut of all is how to get the CEO and the board of directors on board.” For Reese, the long-time rift between technology and business needs to be bridged before tackling IdM. “Most security people talk in terms of firewalls, gateways and scanners, but that is not the issue. Their language is not the language of the board or the CEO,” he explains.
“Companies have to think about how to provide secure access — not only on a technical level, but on a business level — and that is tied into the identity,” says Dr. Martin Kuhlmann, who oversees the identity management product strategy for the SAM Identity Management Suite of Beta Systems (www.betasystems.com).
Realizing that the world is moving toward an increasingly networked environment — meaning businesses are online and increasingly interactive — the CEO and board of directors are also being asked more often to make technical decisions that will ultimately impact their products, services, customers and other stakeholders. In an effort to engage corporate leaders, Reese says his great passion is getting people to move away from thinking about security and toward thinking about trusted operations. “You want to move away from this notion that when something happens, we will pay for it,” he says, “Instead, security needs to become part of the ongoing business operation. You build it in, you don't bolt it on. You make it part of your basic offering. You have to cook it into your whole system.”
Creating a starting point
As ideal as Reese's advice sounds, the reality of transitioning to an IdM-based system poses challenges. “We always counsel our customers to avoid the ‘boil the ocean’ approach,” says Simon Vining, product market manager for security and identity solutions at Novell. “If you are looking to shift from perimeter security to injecting IdM into the enterprise, pick one line of business, one office, one division and do it right, because there is a lot of learning that needs to take place. Once the technology is in place it scales really quickly.”
The majority of organizations are still dealing with application-specific information security and access management. A good practice is to pick the mission-critical applications to monitor from a compliance standpoint — because not all applications require auditing.
Vining says that Novell's customers typically start with simple access management, move to coarse-grained access control and then on to fine-grained access control. Only after they gain control of the basic identities within their network can they start thinking about automating processes. An added bonus is realized when organizations are finally able to examine business processes outside of security and compliance — where they often find ways to save money and be more productive.
“Start small, see where you are today, integrate your most important systems, automate the most important security and compliance processes and then ask where can you get additional productivity by looking inside and getting a view of the network,” Vining says.
Similarly, Kuhlmann has Beta Systems customers focus on two or three core systems for IdM implementations — first creating a road map and a project plan, then guiding them through the process of implementation. “Customers want IdM but they also want to guarantee project success,” Kuhlmann says.
Prior to any deployment of new technologies, organizations want to know if they are opting into a viable solution. Andy Osburn, president and CEO of Diaphonics (www.diaphonics.com), sees IdM moving toward full maturity. “There is a demonstrable business case in terms of IdM. In terms of a customer base, there is a fully developed market for that technology already,” he says.
Future bright
Voice and online identity are contributing to the growth of IdM. Grapes points out the telltale sign that IdM has become an accepted technology — small, private, pure-play companies being snapped up by the major players, including Computer Associates' recent acquisition of Netegrity and Oracle's acquisition of companies like Oblix and Thor Technologies, all vendors of identity-based security products. “This brings credibility that IdM is a marketable product,” Grapes says. “Those large organizations realize it adds a value to their products.”
But Johnson views IdM still as an emerging market. He estimates that less than 10 percent of organizations have deployed IdM. “Many current projects have not been completely successful,” he says. Johnson adds that users should look for a solution that requires minimal data and requirements up front, that can leverage the existing infrastructure and can show a track record of results.
A number of security practices and products have emerged over the last 10 years that fall under IdM — single sign-on, access control and authentication, password synchronization and federation. Within these practices, assorted technologies like biometrics, security tokens, Service Oriented Architecture (SOA), Extensible Name Service (XNS), Secure Sockets Layer (SSL) and Public Key Infrastructure (PKI) are being used to enable IdM.
Further pushing the concept of IdM are organizations like The Open Group (www.theopengroup.org) and the World Wide Web Consortium (www.w3c.org), which focus on developing technology standards, including those for IdM.
“Today, people talk about restricting access, but I want to promote access to my network — I want to promote secure access,” Reese says.
Some organizations are experimenting with scrapping their traditional perimeter controls altogether in favor of IdM. But Reese does not yet see the death of perimeter security, citing the security mantra of defense-in-depth: “What we have realized is that you really have to do both.”
© 2008 Penton Media Inc.