Comment: Realizing Business Value from Access Risk Management

Managing risk in a complex environment poses significant challenges and increases the demand for effective identity and access management (IAM) systems, says Fowler

IT consumerization, cloud computing and virtualization have put significant pressure on organizations to open their networks to consumers, shareholders and employees, while maintaining high security standards. With these pressures comes a variety of security risks associated with poor control of access to sensitive information and lack of effective security systems to manage and monitor how data is being used.

The demand for immediate access to critical information anytime, anywhere and from any device is moving business risk outside the traditional four walls of the organization, making it increasingly difficult to analyze, quantify and understand risk. And when we talk about risk, we need to consider that businesses are struggling to ward off different types – financial, reputational, technological, regulatory, and so on.

Managing risk in such a complex environment poses significant challenges to IT security teams and increases the demand for effective identity and access management (IAM) systems that can help better understand and control access.

A recent survey by the UK Information Commissioner’s Office showed that security breaches are on the rise despite businesses trying to adopt tougher security measures. It seems like organizations are willing to improve risk management but find it difficult to do it right, especially when it comes to IAM.

The implementation of effective access risk management solutions is often hindered by a long and complicated deployment process that requires significant investment and time to achieve ROI. Furthermore, many of today’s IAM solutions consist of multiple applications woven together with manual workflows and custom software. This often makes it difficult to streamline IT security functions across the organization and exposes the business to significant risks from a major security breach.

This often discourages businesses from investing in IAM solutions and, even when they do so, the complex deployment process and functionalities make it difficult to understand and control access to sensitive data.

The responsibility for this situation can be partially attributed to the heavy emphasis on customization that IAM providers have been adopting in an attempt to develop solutions that conform to customers’ existing manual business practices. On one hand, this approach requires fewer changes in existing IT systems. But on the other hand, it significantly increases implementation costs and extends a customer’s time-to-value to months, if not years. This high level of customization leaves organizations with partial implementations that often fail to deliver the needed value and protection.

To improve effectiveness and ease the implementation of IAM solutions, our industry needs to adopt a new approach to access risk management that looks at automating security processes and makes the deployment and use of IAM solutions faster and easier for businesses. These solutions should have the flexibility to adapt to organizations’ needs, while offering less customization, low cost of maintenance and quicker ROI.

This new approach should focus not just on automation and operational efficiency, but also on addressing organizations’ most critical access risks. To effectively manage operational and user access risk, IAM solutions should control access to critical resources in accordance with pre-established company policies. By accumulating data about critical assets, internal processes, employees’ entitlements and regulatory risks, IAM solutions can help organizations determine where the greatest risk lies and create a comprehensive view of access risk. What’s even more important is empowering the business with the needed tools to make sense of all this data and enable real-time risk assessment and analysis.

Using a real-time analytics engine, the system can immediately notify an organization of changes in security risks and enable IT staff to remediate issues at once. IT managers will no longer have to wait three to six months to receive attestations of who has access to what, or to view weekly status reports on security issues. This will provide businesses with real-time visibility of access risk and enable them to react more quickly than ever before to security issues.

Another significant benefit from IAM solutions is that they are a great tool for achieving compliance and speeding up security auditing. To meet the highest regulatory standards, organizations need to monitor not only who has access to what resources, but also how employees are using their access rights and how their behavior could potentially impact the business.

By aligning IAM functions with IT and user access policies, organizations will be able to establish different levels of risk and escalate security issues to the relevant person – as the security breach is happening. This will significantly speed up response times and enable IT staff to take timely security measures, thereby preventing further potential damage to the organization.

There are a few basic qualities that differentiate the new generation of effective IAM solutions from traditional ones. An effective IAM solution should have an integrated functionality that automates the collection and management of all identity information and then integrates key IAM processes, such as user provisioning, role and profile management, compliance, attestation and password management. Furthermore, it should be flexible enough to enable managers to grant, revoke and modify user access rights. This model will enable quick deployment and implementation, while delivering business value in weeks rather than months or years.

Another important factor for the success of an IAM strategy is the visibility of access risk. By enabling real-time access intelligence that provides a comprehensive view of access risk and other related activities, businesses will be able to reveal compliance vulnerabilities or other security issues that indicate hidden risks.

This access intelligence data should be easy to use and understand, thus enabling IT managers to better quantify, prioritize and understand risk. Tools such as graphical risk profiling are a great way to improve risk visibility and enable managers to address security issues associated with inappropriate access as soon as they are identified.

And last, but not least, this new generation of IAM solutions should be able to support businesses in making information security part of the corporate culture. By aligning IAM with business risk, organizations will be able to better enforce security policies and compliance requirements, while making their information networks fully open, safe and efficient.

Dave Fowler has 35 years of experience in the technology industry covering enterprise software, security technologies, applications and networking. He has held operational, marketing and product development positions at technology companies such as SilkNet, Kana, Sun Microsystems, VidSys, and Groove Networks, and has played a leading role in mergers, acquisitions and IPOs. At Courion, Fowler is responsible for engineering, product planning and management, the Courion Labs research operations, and the software as a service (SaaS) operations. 