Tuesday, March 2, 2010

Identity and Access Management-Technology Briefing


This paper was an assignment for my advanced accounting information systems course that I am currently taking this semester (Spring 2010). Each paper was written on its particular assigned topic; mine was Identity and Access Management. I received a 90% on this technology briefing. References are listed at the bottom.

Identity and Access Management

Many technologies currently exist to protect sensitive information by controlling which people can access it. There are technologies such as biometrics, certificate authorities, identity and access management, etc., with newer technologies still to come. Throughout this brief, the topic of identity and access management will be discussed through its definition and purpose, centralized management, automation, and its future predictions.
What is Identity and Access Management?

As stated by the AICPA, identity and access management (also abbreviated as IAM) is the “implementation of physical, technical, and administrative controls that limit access to company resources to authorized persons. A challenge exists with achieving easy access by authorized users while making resources inaccessible to unauthorized users” (AICPA, 2009). RSA, the security division of EMC, also refers to identity and access management as all of the “…policies, processes, procedures and applications that help an organization manage access to information” (RSA, n.d.). What the AICPA and RSA are stating in their definitions is that identity and access management is a way to restrict and constrain access to all sensitive, important, and potentially destructive information, keeping it away from people who should not have any contact with it.

Luther Martin discusses identity and access management technology by discussing the three categories that make up IAM. IAM technology is divided “into three general categories: a directory services infrastructure, and the identity life-cycle management and access management applications that rely on it” (Martin, 2007). He describes the directory services infrastructure as a single source of identity and confirmation information. The identity life-cycle management and access management applications provide information to, or utilize information from, the directory services infrastructure. Knowing these categories is important to understanding how IAM technology is designed and operated. These three categories are able to manage users with their digital credentials (identity life-cycle management), as well as control user access to resources (access management applications) (Martin, 2007). They also further explain how IAM technology helps companies control user access to their resources.

Companies also need to periodically check whether their IAM technology controls are working properly. Therefore, IAM controls need to be tested. In order to “determine the effectiveness of an IAM strategy, periodic audits, reconciliation, and reviews are recommended” (Bi, 2008). By auditing and reviewing these controls, companies will be able to determine if there are any weaknesses within their system that could threaten their security. In the end, IAM is a way to protect a company’s private and sensitive information. However, IAM is more effective if it is centrally managed.

Centrally Managed

It has been determined that most companies do utilize some form of identity and access management controls to protect their information and applications. But of these companies, most do not centrally manage these controls (Greenemeier, 2007). Centralized management is the “management practice in which all or most decision makers (who have the authority, control, and responsibility for the entire organization) are located in one central office (the headquarters)” (BusinessDictionary.com, n.d.). As for centralized management and IAM, this means that IAM controls should be protected and controlled by one management group in one location. However, if a company does not have its IAM controls centrally managed, then that company will not know who has access to its information technology system, which could lead to a security breach (Greenemeier, 2007). Therefore, companies need to put their IAM controls under centralized management to protect information from being released into the hands of criminals, or of individuals who do not need to have access to that particular information.

There are also other reasons why it is important to have IAM centrally managed. The first reason that Larry Greenemeier states is that it gives “the ability to track temporary or contract employees who have access to sensitive or confidential data” (2007). This is a top reason for the usage of centrally managed IAM, because companies are able to determine who has access to restricted information. Thus, if there is a security breach, the company will be able to determine who may have potentially caused that breach.

Centralized IAM also allows for the “cut down on the number of names and passwords that users need to access different applications” (Greenemeier, 2007). This is important because it prevents users from having to remember different passwords to log into different applications throughout the company. For example, Bowling Green State University (BGSU) students log into MyBGSU with one password. With this one password, they are able to access their courses, Bursar bill, grades, degree audit, financial aid, etc. But what if each student had to have a separate password to access each of those previously listed items? That is a significant number of passwords for each student to remember, which could lead to users forgetting their passwords, or having to write those passwords down. Centralizing identity and access management reduces the number of requests to help desks or technical support for password assistance. “Rohm & Haas, a maker of specialty polymers and other compounds, found that its employees on average have 15 different user names and passwords to access the systems they need to do their jobs. This has contributed to the more than 14,000 password-related help-desk calls last year. ‘This in reality actually reduces security because users write these things down,’ says Scott Megill” (Greenemeier, 2007). If all BGSU students had to have different passwords to access Blackboard, grades, Bursar bill, degree audit, etc., you would see students constantly carrying around a piece of paper with all of their passwords on it. Thus, if that paper is lost, it gives anyone who finds it, an unauthorized user, access to all of their private information. Below you will see a diagram that exemplifies IAM.

Diagram 1: Identity and Access Management Model (Internet2 Middleware Initiative, 2007)-Image Currently Not Available.

The above diagram is similar to the structure that is utilized at BGSU to log into MyBGSU. When someone reaches the login screen for MyBGSU, the user will input their user name and password. The system then reads the user’s login information and pulls up the information that they should access. When a student logs into their MyBGSU account, they are only able to access their personal information, such as their Bursar bill, grades, and courses. On the other hand, when professors log into MyBGSU, they are able to reach all of the courses they are teaching and are able to change information that is entered into that course community. They are also able to access every student’s grade in the courses they are teaching. Depending on the person’s role (identity) in the college community, they will have different MyBGSU access and results. Logging into MyBGSU is an example of how IAM is used on an everyday basis.

Therefore, it is important for identity and access management to be centralized. It is important because it reduces the risk of a security breach of sensitive information by limiting the number of passwords needed.

IAM Controls Automated

As stated by Aldhizer III, there are five processes in identity and access management, which are the following: new-user access, succeeding modifications to existing users, ending user right of entry, password changes or resets, and third-party admission. It is imperative that these IAM controls, along with other control processes, be automated or programmed. With the large amounts of data that flow through a company, the automation or programming of controls will provide for the enforcement of organizational security policies, as well as improved operational efficiency and increased user productivity (Aldhizer III, Juras, & Martin, 2008). Next there will be a discussion of why the five previously listed IAM controls should be automated.

The first IAM control listed is new-user access. New-user access occurs, for example, when a company hires a new employee or intern and has to provide them access to its network for email and applications. When this IAM control is automated it “can substantially increase user productivity, reduce help-desk overhead, enhance information security, and allow internal audit to provide more value-added services” (Aldhizer III, Juras, & Martin, 2008). As an intern with the Department of the Treasury this past summer, this new-user access control was not automated. All new employees and interns had to fill out paperwork and turn that paperwork in to their supervisor, who then forwarded it to the help desk. This process took approximately two weeks for me to be able to have access to the Treasury’s network, as well as access to Oracle. If this process were automated, this would have allowed the interns and employees to start working sooner and assist with the daily tasks in the department.

The next IAM control that should be automated is the succeeding modifications to existing users. It is important to have these controls automated, because if this process was manual it could take several weeks to make revisions to user access, based on promotions and assignments to new project teams (Aldhizer III, Juras, & Martin, 2008).

The termination of a user’s right of entry, due to the end of employment, also involves identity and access management automation. With manual controls over employee termination, these employees’ accounts are still active for a period of time after the employee has left the company. If those employees were involuntarily fired, or quit because they were angry at the company, this could lead to material being taken from the company’s database, because their account is still accessible (Aldhizer III, Juras, & Martin, 2008). But when this process is automated, it substantially reduces the amount of time that the account remains dormant but open after the employee leaves the company. This in turn reduces the risk of an angry employee stealing sensitive information from the company.

The change and reset of passwords, due to required password changes or because someone forgot their password, is another example of an automated identity and access management control. Most companies and educational institutions have automated controls over password changes. If everyday users had to constantly submit paperwork or contact technical support in order to change their passwords, who would want to change their password? If passwords were not changed, this would enable hackers to more easily enter systems, email accounts, online banking accounts, etc. But when the password change process is automated, it allows users to change their passwords instantly without the hassle of technical support or paperwork. For example, when someone changes the password for their Key Bank online banking account, all they have to do is click change password under their Self Service Security settings. But if every Key Bank online user had to call a phone number and talk to a technical support representative in order to change their password, who would want to go through that hassle?

The last IAM automated control is third-party admission. Third-party activities involve transactions, such as selling to customers or to other businesses, or the sharing of controls because a company department has been outsourced. However, it is unfortunate that “many organizations do not have a consistent method for monitoring closely related third-party activities because they do not maintain separate third-party system records” (Aldhizer III, Juras, & Martin, 2008). This is a problem because vendors or customers have access to sensitive data that could easily be stolen. But when third parties have access, “centralized and automated IAM controls can ensure that separately tagged sensitive data are not uploaded” (Aldhizer III, Juras, & Martin, 2008). This once again ensures that important and private information is protected from getting into the hands of criminals.

As you can see, it is important to have identity and access management controls automated. Many places, such as Bowling Green State University and the Center for Families and Children, utilize automated IAM technology controls because it reduces idle time and provides for efficiency and productivity. But there are still companies and businesses, such as the US Department of the Treasury, that utilize manual identity and access management controls. This delays the time before new employees become useful on the job and could leave their systems at risk of a security breach.
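The following is an added illustration, not code from the paper or from any of the cited sources: a small central directory that models the MyBGSU role-based access described earlier (students see only their own grades, professors only grades in courses they teach) and the automated joiner, mover, and leaver controls from this section, plus the periodic reconciliation Bi (2008) recommends. All user names, roles, and course codes are constructed.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Account:
    username: str
    role: str             # "student" or "professor" (constructed roles)
    courses: frozenset    # courses enrolled in (student) or taught (professor)
    active: bool = True


class Directory:
    """One central identity store, the 'directory services infrastructure'
    of Martin (2007); every access decision is made against this record."""

    def __init__(self):
        self.accounts = {}
        self.audit = []   # (event, username) entries kept for periodic review

    def provision(self, username, role, courses):
        # Joiner: access exists as soon as the record does, no paperwork delay.
        self.accounts[username] = Account(username, role, frozenset(courses))
        self.audit.append(("provision", username))

    def modify(self, username, courses):
        # Mover: a new assignment replaces the old entitlements immediately.
        self.accounts[username] = replace(self.accounts[username], courses=frozenset(courses))
        self.audit.append(("modify", username))

    def terminate(self, username):
        # Leaver: disabled the moment employment ends, so there is no window
        # in which a departed (possibly disgruntled) user can still log in.
        self.accounts[username] = replace(self.accounts[username], active=False)
        self.audit.append(("terminate", username))

    def can_view_grades(self, viewer, student, course):
        """Role-based check mirroring MyBGSU: a student sees only their own
        grades; a professor sees grades only in courses they teach."""
        v, s = self.accounts.get(viewer), self.accounts.get(student)
        if v is None or not v.active or s is None or s.role != "student":
            return False
        if v.role == "student":
            return viewer == student and course in v.courses
        if v.role == "professor":
            return course in v.courses and course in s.courses
        return False

    def reconcile(self, hr_roster):
        """Periodic reconciliation (Bi, 2008): active accounts with no current
        HR record are the dormant-but-open accounts a manual leaver process leaves behind."""
        return sorted(u for u, a in self.accounts.items() if a.active and u not in hr_roster)


def build_demo():
    # Constructed sample data, not real BGSU users.
    d = Directory()
    d.provision("alice", "student", {"ACCT4400"})
    d.provision("bob", "student", {"ACCT4400", "MIS3050"})
    d.provision("prof_kim", "professor", {"ACCT4400"})
    return d
```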

A Few Predictions of the Future of IAM

It is obvious that technology is always changing. In the year 2000, there was no such thing as an MP3 player, and now it seems like everyone owns an iPod that may be able to connect to the internet. Just like all other continuously changing technology, identity and access management technology will also continue to change. Gartner, Inc. (a leading technology research firm) analysts identify some predictions that should occur with identity and access management beyond the year 2009.

One of the predictions is that “by 2011, 30 percent of large corporate networks will become ‘identity aware’ by controlling access to some resources via user-based policies” (Stevens & Pettey, 2009). What the Gartner analysts are saying here is that more companies will advance their security by ensuring that the right users are accessing the right resources. Therefore, more and more companies will begin implementing an IAM process similar to what was discussed earlier, which includes giving the appropriate access to the correct users, increasing security, and increasing productivity. Gartner analysts suggest that in order for companies to implement this effectively, they “recommend that network managers and others responsible for IAM projects develop strategies for making networks identity aware” (Stevens & Pettey, 2009). Just as MP3 player technology grew in popularity, IAM will grow in popularity among companies.

Gartner also mentions three other predictions that will not be further discussed. See the list below:
1. “By 2011, hosted IAM and IAM as a service will account for 20 percent of IAM revenue” (Stevens & Pettey, 2009).
2. “Through 2011, 20 percent of smart-card authentication projects will be abandoned and 30 percent scaled back in favor of lower-cost, lower-assurance authentication methods” (Stevens & Pettey, 2009).
3. “By 2010, approximately 15 percent of global organizations storing or processing sensitive customer data will use OOB authentication for high-risk transactions” (Stevens & Pettey, 2009).
As shown above, through these analysts’ predictions and ease of use, the usage of identity and access management by companies will continue to increase in the future.

Conclusion

In summary, identity and access management as stated at the beginning of this paper is a particular control technology that limits access of resources to particular persons. It has been determined that not only should identity and access management or IAM technology be implemented, but they should also be centrally managed as well as automated. When IAM technology is used in the most efficient way, this increases productivity, decreases idle time, and increases user access security. “IAM solutions employ password synchronization to allow a user to enter just one password to access many different resources across systems and the internet…This saves money and resources as a vast percentage of help desk calls are password related” (Bahlmann & Martz, n.d.).

Works Cited

Aldhizer III, G., Juras, P., & Martin, D. (2008). Using Automated Identity and Access Management Controls. CPA Journal, 78(9), 66-71. Retrieved from Business Source Complete database: http://0-search.ebscohost.com.maurice.bgsu.edu/login.aspx?direct=true&db=bth&AN=35654420&loginpage=login.asp&site=ehost-live&scope=site.

AICPA (2009). 2009 Top Technology Initiatives and Honorable Mentions. Retrieved from http://infotech.aicpa.org/resources/top+technology+initiatives/2009+top+technology+initiatives+and+honorable+mentions.htm.

Bahlmann, B. & Martz, C. (n.d.). IAM – Identity and Access Management. Birds-Eye.Net. Retrieved from http://www.birds-eye.net/definition/acronym/?id=1160863505.

Bi, L. (2008). Identity and Access: How to Protect Your Business. Journal of Corporate Accounting & Finance (Wiley), 19(5), 9-13. Retrieved from Business Source Complete database: http://0-search.ebscohost.com.maurice.bgsu.edu/login.aspx?direct=true&db=bth&AN=32840432&loginpage=login.asp&site=ehost-live&scope=site.

BusinessDictionary.com (n.d.). Centralized management. Retrieved from http://www.businessdictionary.com/definition/centralized-management.html.

Greenemeier, L. (2007). Security; Know Your Users Well—Centralized ID and access management is fundamental to securing networks. Information Week, 51. Retrieved from LexisNexis Academic database.

Internet2 Middleware Initiative (2007). Identity and Access Management. Retrieved from http://www.internet2.edu/pubs/200703-IS-MW.pdf.

Martin, L. (2007). Identity-based Encryption: From Identity and Access Management to Enterprise Privacy Management. Information Systems Security, 16(1) 9-14. Retrieved from Business Source Complete database: http://0-search.ebscohost.com.maurice.bgsu.edu/login.aspx?direct=true&db=bth&AN=24581860&loginpage=login.asp&site=ehost-live&scope=site.

RSA (n.d.). Identity and Access Management (IAM). Retrieved from http://www.rsa.com/glossary/default.asp?id=1025.

Stevens, H. & Pettey, C. (2009). Gartner Reveals Four Identity & Access Management Predictions for 2009 and Beyond. Retrieved from http://www.gartner.com/it/page.jsp?id=911212.
