Friday, April 23, 2010

Identity and Access Management Research Paper (Under construction)

Introduction
Many technologies currently exist to protect sensitive information from the people who can access it. Examples include identity and access management, biometrics, and certificate authorities, and newer technologies are likely to arise in the future. The topic of identity and access management is very broad, however, and the technologies that protect sensitive information are likely to be considered a part of identity and access management.


As stated by the AICPA, identity and access management (also abbreviated as IAM) is the “implementation of physical, technical, and administrative controls that limit access to company resources to authorized persons. A challenge exists with achieving easy access by authorized users while making resources inaccessible to unauthorized users” (AICPA, 2009). Identity and access management “encapsulates people, processes and products to identify and manage the data used in an information system to authenticate users and grant or deny access rights to data and system resources…the goal of IAM is to provide appropriate access to enterprise resources” (Identity, n.d.). These two different sources are both stating that identity and access management is a way to restrict the usage of all sensitive information from people who are not permitted to view that particular information.

Step 1: Define the Framework and Research Questions

Hype Cycle

As of 2005, the analysts from Gartner determined that “most identity and access management technologies are maturing” (Witty, 2005). I believe that this is still the case today. Those same analysts determined that there were seventeen different technologies under the span of identity and access management that should be discussed under the hype cycle of this technology. When looking back at 2005, we see the following curve that exists for the hype cycle of IAM:

Figure 1:
Hype Cycle for Identity and Access Management Technologies, 2005


Note: This graph shows the position of different IAM technologies along the hype curve in 2005. The hype curve displays how companies are adopting these different technologies as well as their maturity along the curve. Retrieved from “Hype Cycle for Identity and Access Management Technologies,” 2005, Gartner.


Now that the hype cycle has been shown for 2005 in association with the IAM technology, let’s discuss how the cycle has possibly changed over the last five years.

Clifford Lynch, an editor of The Coalition for Networked Information, addressed in his discussion draft the feasibility of authentication and access management. The first problem that the technology needs to solve is to operate at a “practical level”. This means “it needs to be sufficiently robust and simple so that user support issues are tractable” (i.e., manageable) (Lynch, 1998). He also discusses how biometrics (where identity is verified using attributes such as “2D and 3D faces, fingerprints, irises, speech, and keystroke dynamics” (Yager, 2010)) are not easy for every business to operate. Lynch reports that any authentication “requiring specialized hardware, such as biometric systems or smart card readers, is certainly not going to be feasible on a cross-institutional basis” (Lynch).

However, since Lynch wrote his discussion draft in 1998, authentication has improved a great deal, especially in the area of identity and access management. This leads us back to the hype cycle. The curve for IAM shows the various technologies classified as IAM, with the hype and maturity that companies should consider before adopting a particular technology. At this point, four of the technologies under the scope of IAM will be discussed. Their locations on the hype cycle, as well as the overall position of IAM on the curve, will be addressed.

Federated Identity Management

Throughout my research on IAM, I have seen this topic appear quite frequently and definitely believe it needs to be discussed here. In 2005, federated identity management was declared to be in the “climbing the slope” stage of the hype curve. Federated identity management is “a new standards-based approach to directory services that streamlines and secures user access to networked resources. It enables a single sign-on” (Kobielus, 2005). This technology integrates directory services so that user information can be shared among different points of login. Gartner analysts believed, in 2005, that this technology was climbing the slope (of enlightenment), where there is increased experimentation and research, as well as case studies. In 2010, I believe this technology is on the verge of entering the plateau of productivity stage of the hype curve. I believe this because the technology has become more available to the public. There are a large number of materials available for companies to research, and there are companies out there promoting their services for that technology.

Password Management

In 2005, Gartner classified password management as being in the “entering the plateau” stage of the hype curve (Witty, 2005). The plateau of productivity stage of the curve is where “organizations begin to fully realize the benefits of the technology” and the “risk associated with adopting the technology has been reduced” (O’Leary, 2008). Password management is the “automation of password” and was placed in this position because it is “a typical first phase of an identity management implementation” and “often integrated with the help desk toolset” (Witty, 2005). I believe that in 2010, password management has entered the rapid growth phase, because not only do large corporations have this capability but so do governments, industries, non-profit organizations, and everyday Internet users. They are able to automatically change their passwords without the help of a specialist.

Virtual Directories

Virtual directories are a technology that the Gartner analysts considered to be “sliding into the trough” in 2005 (Witty, 2005). Virtual directories are a type of software that creates “a logical (virtual) view of a…directory by combining data from multiple repositories” (Witty, 2005). The Gartner analysts determined in 2005 that it was at this stage on the hype curve based on the increase in usage. I believe that this particular IAM technology has remained stable on the curve. This technology is still in its adolescent stages, in which more users need additional understanding of how virtual directories are utilized before implementing them in their IAM structures. In researching this particular topic, there was very little information available. With limited information for potential users of virtual directories, it remains in the trough of disillusionment stage.

Biometric User Identification

Biometric user identification was placed at the peak of inflated expectations stage of the hype cycle in 2005. Biometric user identification is the “use of unique physical features (such as fingerprints, face, and iris recognition) or, less often, behavioral traits (such as voice, typing rhythm, and signature dynamics) as a form of user authentication” (Witty, 2005). This technology verifies a user’s identity through the person’s physical features instead of relying on the person remembering a certain code. I believe that this technology is no longer at the peak of inflated expectations stage of the hype cycle in 2010, and is now at the trough of disillusionment stage. As its name suggests, at the previous stage (the peak) the technology carried very high expectations that it could not meet. Its inability to meet those expectations has led it into its next stage. Since the biometric user identification technology did not live up to its expectations, due to inaccuracy and integration issues, and adoption rates were low, I believe it belongs in the trough of disillusionment stage of the hype curve.

IAM’s Overall Hype Curve Position

As stated earlier, identity and access management was declared to be a maturing technology by analysts. The Gartner analysts also stated that the “vendor hype concerning IAM technologies needs deflating” (Witty, 2005). In 2010, IAM is entering the plateau stage of the hype curve, and some of IAM’s technologies may be entering the rapid growth phase. At the plateau of productivity stage of the hype curve, the “real-world benefits of the technology are demonstrated and accepted” (O’Leary, 2008). During the plateau of productivity, about 30% “of the technology’s target audience has adopted or is adopting the technology” (Witty, 2005). IAM has evidently reached more than 30% of its target audience, and the benefits of this technology are clearly well accepted.

As of 2005, the analysis indicated that most of the main functioning technologies under IAM had largely matured and were entering the plateau, except for some technologies such as biometrics, IAM/NAC integration, and contactless proximity cards. Also, if you look at many organizations, from non-profits to large corporations, you see several instances of IAM being performed. Employees at the Center for Families and Children (CFC) are able to change their passwords without assistance from the technology help desk. Everyday Internet users also see IAM in action when accessing their online banking accounts or logging into their school’s academic suite. However, numerous improvements are still needed in order for all companies (large and small) to have effective IAM technology accessibility. For instance, at the non-profit organization CFC, users must contact the help desk if their passwords are forgotten. They also have to use various passwords to access different applications after logging into their computers.

Maturity Level Framework

The maturity level framework differs from the hype curve in that it visualizes and determines the way a technology changes over time. But I believe this framework ties into the structure of the hype cycle. As indicated several times earlier, Gartner analysts have determined that identity and access management technology is in its maturing stage. A technology that is considered maturing is a “robust (healthy) technology and there is not much evolution in vendors or technology” and “several dominant vendors” provide this product or technology (Witty, 2005). What analysts are describing here is that a maturing technology is utilized by a majority of its targeted users and is a virtually established technology with minor glitches. At this level there are still developments to further improve the technology. When there are no new developments, the technology is considered a legacy system and begins to die off.

I agree with Gartner analysts with the fact that this is a maturing technology. Obviously, IAM has changed over the years, making it increasingly important. “Ten years ago, IAM was tackled by relatively few leading-edge companies” while “today; it has become an imperative for almost all enterprises. Regulations such as the Sarbanes-Oxley Act and the Statement on Auditing Standards No. 70 now require that companies and their officers be accountable for lack of proper data security” (IBM, 2007). When looking at technologies that are under IAM, such as user IDs with passwords, it is pretty much a standard protocol in everyday society. A vast majority of operations on a network need some type of password. This particular technology is generally a requirement in a business or educational setting. Many of the main functionalities of this technology are maturing and well established in the mainstream. Yes, there are other technologies under the scope of IAM that have not yet reached this mature mainstream level, but these are just additional technologies intended to improve the security behind IAM.

Of course, there is room for improvement of identity and access management. Several technologies under the scope of IAM, including biometrics, will continue to improve the technology. Biometrics has been mentioned a great deal during this research paper, but it is important to note that this is a type of IAM technology. Obviously, biometrics is currently not a maturing technology nor anywhere near mainstream. Biometrics needs a great deal of research and development before it can become mature. However, this is just an additional improvement for the betterment of the already established IAM. If there were no improvements with IAM, IAM would become the previously discussed “legacy” technology and begin to move towards becoming extinct. This is unlikely to be true for a while, because more and more companies need to protect individuals’ identities from criminals. Below are two tables that summarize what was determined above for identity and access management as well as for the four technologies discussed that fall under the range of IAM.

Table 1:
The Progression of Technologies under the Span of IAM

| IAM Technology Discussed | Technology Trigger Phase | Peak of Inflated Expectations Phase | Trough of Disillusionment Phase | Slope of Enlightenment Phase | Plateau of Productivity Phase | Rapid Growth Phase | Maturity Framework Level |
|---|---|---|---|---|---|---|---|
| Virtual Directories | | | *2005, *2010 | | | | Adolescent |
| Biometric User Identification | | *2005 | *2010 | | | | Emerging |
| Federated Identity Management | | | | *2005 | *2010 | | Emerging |
| Password Management | | | | | *2005 | *2010 | Mature Mainstream |

Note: The table above reviews the four technologies discussed earlier in this paper and how they have progressed over the past five years.

Table 2:
Overall Identity and Access Management Position

| Overall Technology | Virtual Directories | Biometric User Identification | Federated Identity Management | Password Management | Overall Hype Cycle Position | Overall Maturity Level |
|---|---|---|---|---|---|---|
| Identity and Access Management | Adolescent | Emerging | Emerging | Mature Mainstream | Plateau of Productivity | Mature Mainstream |

Note: The table above describes where identity and access management stands completely on the hype curve and maturity level framework.


Research Questions

The purpose of this paper is to discuss this technology (identity and access management) and its application to the business and accounting world. In any business setting, it is important that IAM be implemented. In order to understand why the implementation of IAM is important, the following research questions, which were derived during the establishment of the two previous frameworks (the hype curve and maturity level framework), must be addressed.

1. How does identity and access management assist with the operation of a business?
2. When and why should companies invest in IAM? What are the benefits of implementing IAM?
3. What is the functionality of identity and access management? How does it work?
4. What are the risks and concerns of implementing this technology?
5. How does the future outlook appear for IAM?
6. What is the role of auditing in regards to IAM?

Step 2: Data Collection and Analysis per “Research Question”

How does identity and access management assist with the operation of a business?

With the increase in transactions over the Internet (e-commerce), the probability of an individual’s or company’s information being stolen increases. Identity and access management helps prevent sensitive information from getting into the wrong hands. IAM helps productivity to increase, in addition to giving control over issues such as the termination of employees and the security of sensitive information from unauthorized individuals internally and externally. Each of these main reasons why IAM is important to a business operation is discussed next.

Before the implementation of IAM controls, “WellSpan employed one individual who was primarily responsible for decommissioning terminated employee system access on a timely basis. Shortly before termination, the employee’s supervisor completed a manual form intended to identify all of the applications and data that this individual had access to” (Aldhizer III, 2008). The problem with this manual form is that the employee’s account could still be active after the employee leaves. If the employee wanted to seek revenge on the company, they could easily access the company’s records to release them to the public, start their own company, sell the information to someone else, or give the information to a competitor. Computerized or automated IAM controls “eliminates orphaned accounts that linger in IT environments long after an employee has moved on” (Greenemeier, 2007). It is important to have computerized IAM controls to allow for faster and more reliable closure of the account and to prevent information from being stolen from the company.

With the implementation of IAM in a business, productivity increases. Productivity is achieved when the output or final product increases with less labor, and it is very important since companies are not able to hire as many people as they were in the past. If a problem needs to be addressed in the system, such as the change of a password, or a change to the files and/or applications accessible to a user, IAM allows for less “staff needed to maintain the solution” (Aberdeen, 2007). Aberdeen (2007) also links the “highest usage of end-user self-service password reset solutions” to “the shortest turnover time for a password reset request”. When IAM controls are centrally managed, the productivity of these IAM controls increases. Centralized management of IAM controls “allows organizations to manage multiple directories from a unified management console and addresses the integration of identity information across systems and applications” (Aberdeen, 2007). Let’s look at an example. Consider an accounting firm that wants to hire a new intern to access its application and prepare taxes. If IAM were not implemented, it would take longer for the intern to gain access to this application. As a result, productivity would be lowered, because the intern would not be accomplishing any of their tasks.

Lastly, this technology decreases the chance of private information about the company or its employees being stolen. CA Inc., one of the world’s largest information technology software companies, states that IAM “ensures that only properly authorized users gain appropriate access to your critical resources. Users are entitled by their role in your organization, and receive only the appropriate levels of access to protected resources and/or other non-IT resources to perform their job functions” (CA, 2006). This includes the elimination of lag time after the termination of an employee. An IAM security control also helps prevent an outsider from breaking into a system and eliminates the need for several passwords, while continuing to ensure the correct identity of the user on the other end of the network.

These examples show how identity and access management assists a business in its day-to-day operations. The key issues discussed here on how IAM operates in a business will parallel the research question on investing in IAM and the benefits of implementation.

Table 3:
IAM in the Operation of a Business

| | Termination of an Employee | Productivity | Security |
|---|---|---|---|
| IAM in the Operation of a Business | Reduces or eliminates lag time, preventing ex-employees from stealing secrets. | The amount of labor time needed to solve a problem is reduced, which ultimately reduces costs. | Confidential company information, such as prospective client and current client information, is protected. |
| IAM not in the Operation of a Business | Lag time is created because employee information is still accessible after the exit of an employee, which risks information being stolen. | Reduced efficiency, because it takes longer for a problem to be fixed, which causes work not to be completed in a timely manner. | Security is lowered significantly, increasing the risk of identity theft and the exposure of a company’s sensitive information. |

Note: The table above displays the differences between how a business operates with IAM and without IAM.


When and why should companies invest in IAM? What are the benefits of implementing IAM?

“Companies and organizations are increasingly investing in identity and access management’s products and procedures to enforce strong controls and avoid potential data-breach incidents” (Wong, 2010). IAM protects two of the most important access areas within a company, the logical access and physical access areas.

Logical access is where the firm’s network may be breached by a hacker. Software such as firewalls is utilized to prevent unauthorized users from taking over the system. In a CPA firm, a key element “that your firms should consider when implementing access policies is all possible points of entry to your resources and assets” (Wong, 2010). On the other hand, physical access is where someone either inside or outside the company goes to the actual source (e.g., using a computer that is already logged in) on the company’s premises. Companies should invest in IAM to protect assets, financial resources, and client and prospective client information from getting into the hands of the wrong individuals. IAM helps companies do this through a simple two-step process: “1) establishing user identity or authentication to establish user accountability and 2) ensuring the appropriate level of access is granted” (Wong, 2010).

Figure 2:
Business Drivers for Identity Management


Note: The figure above is retrieved from “Identity Management Market Forecast: 2007 to 2014,” 2008, Forrester.


The figure above describes how identity and access management “helps extend business services, improve efficiency and effectiveness, and allow for better governance and accountability” (Cser, 2008). This figure not only describes how IAM assists with the operation of a business, but also shows how crucial implementation of IAM is for many aspects within the business.

Based on the previous information, I believe that businesses should implement IAM as soon as the business is started. These controls are very important for the company to run smoothly. If the company has any information that needs to be kept confidential, it needs to implement this critical technology as soon as possible to minimize risk of exposure.

It has been discussed why a company should implement this IAM technology in terms of keeping operations running and increasing productivity. There are four primary benefits mentioned by Nelson Cicchitto (the Chairman and CEO of Avatier Corporation), which are: “1. Cost reduction, 2. Improved security, 3. Achieving compliance, and 4. Improving efficiency through automation” (Cicchitto, 2007).

When identity and access management controls are automated (computerized), they “can offer genuine cost benefits. A simple example here is password resets. These soak up huge amounts of helpdesk time, and deploying single sign-on can cut costs dramatically” (Mayne, 2009). This improves efficiency through automation as well as reducing costs, which are numbers one and four on Cicchitto’s list of the four main benefits of IAM. This statement claims that, with the elimination of the middle man, tasks can be completed at a higher rate because IAM tasks can be automated. This reduces the amount the company has to pay for technical support, and it also helps create more revenue. “One implementation we did for BT ended up saving it $4.5m per year” (Mayne, 2009).

The next great benefit of IAM is that it improves security. Companies use IAM to “provide security, trust and privacy by identifying users and authorizing access to identity-based systems, information resources and applications” (Vanamali, 2004). In summary, identity and access management is important to protect a company’s information resources and applications by ensuring that only authorized employees have access to the resources they are permitted to use. At the same time, IAM keeps out predators that attempt to steal those resources and applications.

For example, at my internship at the US Department of the Treasury, once we received login information, we were only allowed to access files for the department we were working for. For me, working as the funds control intern in the budget department, I was not able to access information from the accounting department although it was a part of the same office. What is being said here is that it is important to have those controls in place to prevent any misappropriation of information.

The last benefit that Cicchitto listed was achieving compliance. “Compliance requires ensuring policy, procedure, and technical operations are followed” (Frost, n.d.). This is a key aspect of the work of information systems auditing and control auditors, who “analyze an organization’s informational system and determine the controls and audit processes required to provide assurance that the information produced is reliable and that the system and data contained therein are secure” (College of Business, n.d.). IAM is a control that helps address compliance: “IAM and related functions of logging, tracking, and provisioning access are critical to achieving this goal” of compliance (Frost, n.d.). Other advantages to consider when it comes to the implementation of IAM include “faster response times, easily retrievable evidence of activities, better management of large data volumes, and the ability to centrally administer and monitor systems” (Rai, 2007).


What is the functionality of identity and access management? How does it work?

IAM involves three main steps in determining whether a particular user has the authority to access information. The three steps are the use of directory services, access management, and identity life cycle management.

As mentioned earlier, directory services are a type of software that creates “a logical (virtual) view of a…directory by combining data from multiple repositories” (Witty, 2005). Frederick Chong of Microsoft confirms this, stating that directory services handle “a digital identity consisting of a few logical types of data and that this data needs to be securely stored and organized” (Chong, 2004). The directories store information such as trusted passwords and user names.

The next important step in the functionality and anatomy of IAM is access management. Access management is the “process of controlling and granting access to satisfy resource requests. This process is usually completed through a sequence of authentication, authorization, and auditing actions” (Chong, 2004). At this stage, the user submits his or her information at some type of single sign-on access point. The system then checks whether that user’s information is in the directory. If the submitted credentials match the stored record, the login succeeds.

The last important step of IAM is identity life cycle management. This life cycle describes the time period of a user within a company’s system. The three steps within this cycle are “creation, utilization, and termination” (Chong, 2004). Creation is the establishment of a user account, utilization is the user actually accessing the resources, and termination is the closing of a user’s account. These key factors make up the internal functions of IAM. Below is a diagram of how IAM actually works.

Figure 3:
IAM General Process Description


Note: The figure above was retrieved from “Identity and Access Management Solution,” 2005, SANS Institute.

As shown in this diagram, when a user (whether a guest, the president, the registrar, etc.) types in his or her user information, the identity is verified first. Once the identity is verified through a source system, the privileges are managed. For example, either the previous year’s auditing papers or employee names for human resources are made available based on the privileges given to that user. This not only prevents outsiders from accessing prohibited materials, it also prevents the registrar from accessing the resources that should be limited to the president, and vice versa.
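The three steps described in this section (directory service, access management as authentication, authorization and auditing, and the create/utilize/terminate life cycle) can be shown end to end in a few dozen lines, and the same model shows why the automated termination discussed earlier under "orphaned accounts" matters: once an account is terminated, the old password no longer works and the refusal is logged. The following is an added illustration written for this page, not code from any of the cited vendors or papers; the users, roles, passwords and resource names (student records, board minutes and so on, echoing the figure) are constructed sample data, and the role-to-resource mapping stands in for whatever entitlement store a real deployment would use.

```python
"""Minimal model of the three IAM steps discussed above: a directory service
(identity store), access management (authentication, authorization, auditing)
and identity life cycle management (create, utilize, terminate).
Added illustration; all users, roles and resource names are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role-based entitlements (constructed example data): which resources each
# role may reach. A user receives only the access appropriate to his or her role.
ENTITLEMENTS = {
    "president": {"board_minutes", "audit_papers", "student_records"},
    "registrar": {"student_records"},
    "hr": {"employee_names"},
    "guest": set(),
}


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 hash; the directory never stores the clear-text password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Identity:
    username: str
    role: str
    salt: bytes
    pw_hash: bytes
    active: bool = True


@dataclass
class Directory:
    """Step 1: directory service, the securely stored digital identities."""
    entries: dict = field(default_factory=dict)

    def create(self, username: str, password: str, role: str) -> None:
        # Life cycle: creation
        salt = os.urandom(16)
        self.entries[username] = Identity(username, role, salt, _derive(password, salt))

    def terminate(self, username: str) -> None:
        # Life cycle: termination. Disabling rather than deleting keeps the
        # audit trail while guaranteeing the credential can no longer be used.
        self.entries[username].active = False


class AccessManager:
    """Step 2: access management, a sequence of authentication, authorization
    and auditing actions over the directory."""

    def __init__(self, directory: Directory):
        self.directory = directory
        self.audit_log = []  # one (timestamp, user, action, resource, outcome) per decision

    def _audit(self, user, action, resource, outcome):
        self.audit_log.append(
            (datetime.now(timezone.utc).isoformat(), user, action, resource, outcome))

    def authenticate(self, username: str, password: str) -> bool:
        ident = self.directory.entries.get(username)
        # Unknown and terminated accounts fail the same way, so an ex-employee's
        # login is refused even with the correct old password (no orphaned account).
        if ident is None or not ident.active:
            self._audit(username, "login", "-", "DENY")
            return False
        ok = hmac.compare_digest(_derive(password, ident.salt), ident.pw_hash)
        self._audit(username, "login", "-", "ALLOW" if ok else "DENY")
        return ok

    def authorize(self, username: str, resource: str) -> bool:
        ident = self.directory.entries.get(username)
        allowed = (ident is not None and ident.active
                   and resource in ENTITLEMENTS.get(ident.role, set()))
        self._audit(username, "access", resource, "ALLOW" if allowed else "DENY")
        return allowed


def demo() -> dict:
    """Walk the life cycle for two constructed users and return each decision."""
    d = Directory()
    am = AccessManager(d)
    d.create("pat", "correct horse", "president")
    d.create("rae", "battery staple", "registrar")
    results = {
        "registrar_login": am.authenticate("rae", "battery staple"),
        "registrar_records": am.authorize("rae", "student_records"),
        "registrar_minutes": am.authorize("rae", "board_minutes"),  # not entitled
        "president_minutes": am.authorize("pat", "board_minutes"),
        "bad_password": am.authenticate("pat", "wrong"),
    }
    d.terminate("rae")  # the registrar leaves the organization
    results["terminated_login"] = am.authenticate("rae", "battery staple")
    results["terminated_access"] = am.authorize("rae", "student_records")
    results["denials_logged"] = sum(1 for e in am.audit_log if e[4] == "DENY")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running the script prints one line per decision; the registrar can reach student records but not the board minutes, the president can reach the minutes, and after termination the registrar's correct password is refused and the access request is denied, with every denial recorded in the audit log for the auditors discussed under compliance.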

What are the risks and concerns of implementing this technology?

When a business implements an IAM process it is possible to be exposed to new risks. The following is a list of factors that can pose a risk to a business’s current operations: “organization complacency, participation, planning, communication, incorporation of all systems into the process, process complexity, making the process too weak, and lack of enforcement” (Rai, 2007).

Organization complacency occurs when a company gets stuck in a rut and continues to do what they have always done because they are comfortable with it. They continue with this routine even “if the status quo is inefficient or inadequate from a control perspective” (Rai, 2007). If a company has this mentality, they will not want to improve their systems by implementing IAM.

The next factor is participation. Whenever a company brings a new process into an already established system, more time will be required for that process. This means a greater commitment from employees and an increase in employees’ work load. If the company cannot provide the time required to adopt IAM, implementation will likely fail.

Planning the implementation of IAM is crucial. “Successful projects require well laid-out plans, milestones for delivery, and processes for scoping change management to set expectations regarding resource commitments and timelines” (Rai, 2007). If the company has not spent the time to map out how the adoption of IAM will progress, IAM may not be successfully implemented in the company. As for communication, if the company doesn’t tell its stakeholders (owners, employees, customers, etc.) about the new project, they will not be able to provide what is needed for the project. Failure to address either of these items will lead to the failure of IAM.

When adopting IAM, a company should approach it incrementally, rather than trying to incorporate IAM into all of its systems at once. To “bring many computer systems into the IAM framework at once can be overbearing and unsuccessful. Prioritizing key business risk areas and the system resources affected by the process are good targets for initial scope” (Rai, 2007). It is also important to note that if the process is too complex or too weak, this will also lead to the failure of IAM.

The last area that a company should be concerned with is the lack of enforcement. The “proper enforcement activities” such as governance, “enable it to operate as designed. If users are allowed to employ varied processes or circumvent established ones, the project’s overall success can be jeopardized” (Rai, 2007). Governance is defined as “the management, control, and orchestration of the various IAM business processes guided by the policies and business requirements of the organization and by local, national and possibly international legislation” (McDuff, 2009). Therefore, if identity and access management is not administered correctly, the overall success of IAM implementation will be diminished.

Mark Mayne says it best in his article, The Big IAM: “badly-implemented projects, however, will not only soak up precious resources, but will merely automate existing problems, leading to a more costly cleanup exercise in the future” (Mayne, 2009). Companies need to be aware of these risks in order to have properly working IAM controls within their systems. With the recognition of these risks and concerns, some of these risks can be reduced or essentially eliminated. Now that the benefits and risks of implementing identity and access management have been mentioned, companies need to be aware of the future outlook of IAM.

How does the future outlook appear for IAM?

“By 2014, total revenues will reach $12.3 billion, with 57% going to software and 43% going to services. The compound annual growth rate (CAGR) of the entire IAM market during the 2006 to 2014 period will be 21.6%” (Cser, 2008). This forecast makes clear that IAM technology is here to stay. More businesses and individuals will need protection from thieves, and as technology becomes more sophisticated, hackers and thieves will learn new ways to steal confidential information. IAM will therefore continue to be needed to protect companies and individuals.

Several new forces are also shaping the IAM market over the next few years. The following trends are expected to “shape the market in the next five to seven years: Identity-as-a-service (IDaaS), outsourced identity management, centralized fine-grained entitlement management, consumer identity solutions for proofing and authentication, policy repository convergence, and physical/logical security convergence” (Cser, 2008). These aspects of identity and access management should become mainstream within this time frame and improve IAM technology overall.

Identity and access management also brings changes for employees and professionals. With the economy in its current state, “companies across all sectors have already begun to lay off staff…inevitable some companies are going to have to lay off talented IT and information security professionals” (Griffeth, 2009). With numerous layoffs, “the challenge for identity and access management professionals will be securing data from former employees who know the system from the inside out” (Griffeth, 2009). Companies are laying off people who have detailed knowledge and experience of their former employer’s networks. Companies must therefore strengthen their IAM controls to keep terminated IT employees from retaliating, for example by crashing systems. In practice this means deprovisioning on the day of termination: disabling the person’s accounts, revoking remote-access credentials, and changing any shared or administrative passwords the person knew. There are also concerns as companies continue to cut their budgets; as they make financial cuts, they must take care that the IAM security program does not suffer.

What is the role of auditing in regards to IAM?

Internal auditors play an important role in this process: they assist companies in developing IAM processes and monitor the implementation and adoption of IAM. Before auditing IAM systems, auditors need to understand the company’s IAM foundation. When auditing, it is important that the client company has “records of ‘who did what, when’ within the IT infrastructure. Federal regulations such as the Sarbanes-Oxley Act are key drivers of the identity-related auditing requirements” (Chong, 2004). Auditors need to review those records of what has occurred within the IT infrastructure and be aware of the relevant policies and regulations when reviewing identity and access management controls. “Internal auditors need to examine the identity and access management processes that exist within the organization,” whether or not a defined program is in place (Rai, 2007).

The audit process includes the phases of “audit generation, data collection and storage, and analysis and feedback” (Chong, 2004). Auditors find information through audit trails, the records that serve as evidence throughout the audit process. Audit data comes from sources such as firewalls, which help detect intrusions from outside, or “business applications which can produce audit data to aid debugging or comply with regulatory audit requirements” (Chong, 2004). All of the information and evidence found through audit trails is collected and stored, and the collected information is then analyzed to reach a conclusion about what needs to be done within the IAM process. Auditing these IAM controls is important for determining whether theft, piggybacking, or similar abuse has occurred. This audit should be done as a part of the whole audit process. Table 4 below summarizes the audit process for identity and access management.

Table 4:
Auditing Within Identity and Access Management

Phase | What is done? | Information retrieved
Audit generation | Find information through audit trails. | Records from firewalls, VPN servers, middleware components, and business applications.
Data collection and storage | Collect the data found in the first phase and store it for the next phase. | The stored audit records.
Analysis and feedback | Analyze the information retrieved. | Findings from reviewing the audit trail, with feedback on those findings.
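As an added example, and not code from this paper or from any of its cited sources, the following Python script walks the three phases of Table 4 over constructed audit records and a constructed HR termination feed. It produces the “who did what, when” findings an auditor would raise, including activity by a former employee after their last day, which is the concern raised above in the discussion of staff cuts. The record format, host names, user names, dates and the HR feed are all assumptions made for this example.

```python
"""Who-did-what-when analysis over constructed IAM audit records.

Added example, not from the paper or any cited source. It follows the three
phases of Table 4: audit generation (parse records from several sources),
collection and storage (normalise them into one ordered list), and analysis
and feedback (produce findings). All inputs below are constructed.
"""
from datetime import datetime, timezone

# Phase 1 input: constructed audit records from a VPN server (vpn01), a
# directory server (dir01) and a business application (erp01). The format
# "timestamp host key=value ..." is an assumption for this example, not any
# vendor's real format. Records are deliberately not in time order.
AUDIT_LINES = """
2010-04-19T08:02:11Z vpn01 user=asmith action=login result=success src=198.51.100.4
2010-04-20T22:14:03Z vpn01 user=bjones action=login result=failure src=203.0.113.9
2010-04-20T22:15:21Z vpn01 user=bjones action=login result=success src=203.0.113.9
2010-04-20T22:20:05Z erp01 user=bjones action=export_report result=success
2010-04-21T10:30:12Z erp01 user=cwu action=login result=success
2010-04-21T09:00:00Z dir01 user=admin action=grant_role target=asmith role=db_admin result=success
"""

# Constructed HR feed: last day of employment per user (None = still employed).
HR_FEED = {"asmith": None, "bjones": "2010-04-19", "cwu": None}

# Constructed directory snapshot: whether each account is currently enabled.
ACCOUNT_ENABLED = {"asmith": True, "bjones": True, "cwu": True, "admin": True}


def parse_audit_line(line):
    """Phase 1 (audit generation): turn one record into a dict with a parsed timestamp."""
    fields = line.split()
    when = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    event = {"when": when, "host": fields[1]}
    for kv in fields[2:]:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def collect_events(text):
    """Phase 2 (collection and storage): normalise every record into one time-ordered list."""
    events = [parse_audit_line(l) for l in text.strip().splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["when"])


def analyze(events, hr_feed, account_enabled):
    """Phase 3 (analysis and feedback): findings an auditor would raise.

    Returns (kind, user, when, detail) tuples, in the order they were found.
    """
    findings = []
    for e in events:
        last_day = hr_feed.get(e["user"])
        if last_day is not None:
            last = datetime.strptime(last_day, "%Y-%m-%d").date()
            # Any record dated after the last day is activity by a former
            # employee; failed attempts are reported too, not just successes.
            if e["when"].date() > last:
                findings.append(("activity_after_termination", e["user"],
                                 e["when"].isoformat(), f"{e['action']}:{e['result']}"))
        if e.get("action") == "grant_role":
            # Privilege changes are always worth a reviewer's eye.
            findings.append(("privilege_granted", e["target"],
                             e["when"].isoformat(), e["role"]))
    for user, last_day in hr_feed.items():
        # Terminated users whose accounts were never disabled.
        if last_day is not None and account_enabled.get(user):
            findings.append(("terminated_but_enabled", user, last_day, "account still enabled"))
    return findings


if __name__ == "__main__":
    for finding in analyze(collect_events(AUDIT_LINES), HR_FEED, ACCOUNT_ENABLED):
        print(*finding, sep="  ")
```

On the constructed input the script flags bjones, whose last day was 2010-04-19, for three records on 2010-04-20 (a failed VPN login, a successful one, and a report export), notes that the bjones account is still enabled, and reports the db_admin role granted to asmith. A real audit would read the records from the sources named in Table 4 and the last-day dates from the HR system, but the checks are the same.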


Conclusion

Identity and access management is a well-established technology; however, it will still need future improvements and further research. Below are several recommendations that the creators of identity and access management products should consider for the future of the technology.

The first recommendation for identity and access management is to “ensure stronger identity management by leveraging additional authentication technologies” (Aberdeen, 2007), for example by combining passwords with a second factor such as a token or a biometric. This means that IAM developers must pursue continuous improvement, research, and new approaches so that the technology keeps operating effectively despite rapid changes in technology. If identity and access management produces no new developments, it will stagnate and will no longer protect information as it did in the past. This recommendation addresses the effectiveness of the technology.

The second recommendation concerns product selection. Forrester observes that “the market trend toward suites will complicate product selection” (Cser, 2008). Product suites, collections of programs sold together, will support all of the technologies, old and new, that fall under identity and access management. As identity and access management continues to expand, “IT security organizations will face greater difficulty in mapping requirements to a short list of products and finally selecting a product” (Cser, 2008). That is why it is essential that these products be streamlined into one coherent suite, similar to Adobe Creative Suite or Microsoft Office.

The third recommendation that IAM vendors need to address is to “continue to reduce the number of separate identity directories and synchronized separate directories” (Aberdeen, 2007). This is similar to the second recommendation: just as products should be consolidated into a suite, developers need to consolidate directories so that fewer separate directories are required.

The fourth recommendation for IAM is to make it a priority to develop “strong audit capabilities and security information management (SIM) integration” (Cser, 2008). This recommendation is very important because “regulatory compliance is almost invariably or customarily one of the drivers of any IAM project” (Cser, 2008). Many executives expect the implementation of identity and access management to deliver, above all, the reports that answer auditors’ questions.

The fifth recommendation, educating people, is of great importance. “Be prepared to educate business partners about identity and access management – what it is and why it is important” (Kalin, 2005). If partners, managers, and owners understand what IAM means for their company, including the benefits of implementing it, these decision makers will be more likely to accept the adoption of the technology. When persuading management that IAM is beneficial to the company, it is important to mention that it will reduce costs, improve security, improve productivity, and, most importantly, leave the company “better prepared to enforce compliance with regulations and demonstrate that compliance to Sarbanes-Oxley auditors” (Kalin, 2005). Education is critical to successfully implementing IAM.

These five recommendations are the concerns and improvements that companies need to be aware of as they move forward with identity and access management. Vendors and creators of identity and access management applications need to improve IAM continuously in order to meet the needs of their customers. If vendors leave these recommendations unaddressed, companies will not want to use such a complex technology. Companies that implement IAM now, or in the future, also need to be aware of these recommendations to make sure that the benefits outweigh the risks of implementation. This can only be done by educating the company’s decision makers.


Works Cited

Aberdeen Group (2007). Identity and Access Management Critical to Operations and Security. Communication News. Retrieved from http://www.comnews.com/WhitePaper_Library/Managed_services/pdfs/Quest_Software_Aberdeen_IAM_Critical_to_Operations_and_Security.pdf.

AICPA (2009). 2009 Top Technology Initiatives and Honorable Mentions. Retrieved from http://infotech.aicpa.org/resources/top+technology+initiatives/2009+top+technology+initiatives+and+honorable+mentions.htm.

Aldhizer III, G., Juras, P., & Martin, D. (2008). Using Automated Identity and Access Management Controls. CPA Journal, 78(9), 66-71. Retrieved from Business Source Complete database: http://0-search.ebscohost.com.maurice.bgsu.edu/login.aspx?direct=true&db=bth&AN=35654420&loginpage=login.asp&site=ehost-live&scope=site.

CA (2006). How can Identity and Access Management help me to improve compliance and drive business performance? CA. Retrieved from http://images.vnunet.com/v7_static/itw/pdf/iam_solution_brief.pdf.

Chong, F. (2004). Identity and Access Management. Microsoft Corporation. Retrieved from http://msdn.microsoft.com/en-us/library/aa480030.aspx.

Cicchitto, N. (2007). Evaluating Your Identity and Access Management Options. Enterprise Innovator. Retrieved from http://enterpriseinnovator.com/index.php?articleID=12635&sectionID=25.

College of Business (n.d.). Information Systems Auditing and Control. Bowling Green State University. Retrieved from http://www.business.bgsu.edu/amis/isac.html.

Cser, A. and Penn, J. (2008). Identity Management Market Forecast: 2007 to 2014. Forrester. Retrieved from http://www.securelyyoursllc.com/files/Identity%20Management%20Market%20Forecast%202007%20To%202014.pdf.

Frost, R. and Morooney, K. (n.d.). How Identity and Access Management Can Help Your Institution Touch Its Toes. Internet 2. Retrieved from http://net.educause.edu/ir/library/powerpoint/ENT015A.pps.

Greenemeier, L. (2007). Security; Know Your Users Well—Centralized ID and access management is fundamental to securing networks. Information Week, 51. Retrieved from LexisNexis Academic database.

Griffeth, D. (2009). Identity and access management 2009: Staff cuts, insider threats. Search Security. Retrieved from http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1344839,00.html.

IBM (2007). Identity and access management: uncovering the secrets to successful implementations. IBM Corporation. Retrieved from http://www-935.ibm.com/services/us/gts/pdf/sp_wp_identity-and-access-management-uncovering-the-secrets.pdf.

Identity Access Management (n.d.). From Wikipedia. Retrieved March 21, 2010 from http://en.wikipedia.org/wiki/Identity_access_management.

Kalin, S. (2005). How to Tackle Identity and Access Management. CIO. Retrieved from http://www.cio.com/article/14772/How_to_Tackle_Identity_and_Access_Management.

Kobielus, J. (2005). What Is Federated Identity Management? Business Communications Review, 35(8), 56-61. Retrieved from Business Source Complete database: http://0-search.ebscohost.com.maurice.bgsu.edu/login.aspx?direct=true&db=bth&AN=17848698&loginpage=login.asp&site=ehost-live&scope=site.

Linares, M. (2005). Identity and Access Management Solution. SANS Institute. Retrieved from http://www.sans.org/reading_room/whitepapers/services/identity-access-management-solution_1640.

Lynch, C. (1998). A White Paper on Authentication and Access Management Issues in Cross-organizational Use of Networked Information Resources. Retrieved from http://www.cni.org/projects/authentication/authentication-wp.html.

Mayne, M. (2009). The big IAM. SC Magazine: For IT Security Professionals, 32-36. Retrieved from Business Source Complete database: http://0-search.ebscohost.com.maurice.bgsu.edu/login.aspx?direct=true&db=bth&AN=43422929&loginpage=login.asp&site=ehost-live&scope=site.

McDuff, R. & McMillan, P. (2009). An Identity Management Framework and Maturity Model for the Australian and New Zealand Higher Education Sector. CAUDIT. Retrieved from www.caudit.edu.au/educauseaustralasia09/.../Patricia-McMillan.pdf.

O'Leary, D. (2008). Gartner's hype cycle and information system research issues. International Journal of Accounting Information Systems, 9(4), 240-252. doi:10.1016/j.accinf.2008.09.001.

Rai, S., Bresz, F., Renshaw, T., Rozek, J., and White, T. (2007). Global Technology Audit Guide: Identity and Access Management. The Institute of Internal Auditors. Retrieved from infotech.aicpa.org/NR/rdonlyres/...9CE1.../GTAG9IdentAccessMgmt.pdf.

Vanamali, S. (2004). Identity Management Framework: Delivering Value for Business. Information Systems Control Journal (Vol. 4). Retrieved from http://itgi.org/Template.cfm?Section=Home&CONTENTID=21335&TEMPLATE=/ContentManagement/ContentDisplay.cfm.

Witty, R., Allan, A., Enck, J., Hirst, C., Runyon, B., Wagner, R., Perkins, E., Pescatore, J., & Wheatman, V. (2005). Hype Cycle for Identity and Access Management Technologies, 2005. Gartner. Retrieved from http://www85.homepage.villanova.edu/timothy.ay/DIT2160/IdMgt/hype_cycle_for_.pdf.

Wong, J. (2010). Identity and Access Management Continually Rank High in Lists. AICPA. Retrieved from http://www.cpa2biz.com/Content/media/PRODUCER_CONTENT/Newsletters/Articles_2010/CPA/Feb/IdentityAccessMgmt.jsp.

Yager, N. & Dunstone, T. (2010). The Biometric Menagerie. IEEE Transactions on Pattern Analysis & Machine Intelligence (Vol. 32/No. 2, 220-230). Retrieved from IEEE Computer Society: http://0-www.computer.org.maurice.bgsu.edu/portal/web/csdl/transactions/tpami#4.