Five Business Drivers of Identity and Access Management

Transcription

1 Research Publication Date: 31 October 2003 ID Number: SPA Five Business Drivers of Identity and Access Management Roberta J. Witty The primary reasons to implement IAM solutions are business facilitation, cost containment, operational efficiency, IT risk management and regulatory compliance. IAM also ensures a secure access control infrastructure. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

2 WHAT YOU NEED TO KNOW Identity and access management projects are much more than technology implementations they have real business value by reducing direct costs, improving operational efficiency and enabling regulatory compliance. Alerting senior management to IAM's business benefits will help with project approval and investment allocation. STRATEGIC PLANNING ASSUMPTION(S) By 2005, 60 percent of Global 1000 enterprises will implement IAM products from one or two primary vendors (0.8 probability). By 2005, operational efficiency and cost containment will be the primary business drivers for enterprisewide IAM implementations (0.8 probability). ANALYSIS The five business drivers (see Figure 1) for implementing the components of an identity and access management (IAM) solution are: Business facilitation Cost containment Operational efficiency IT risk management Regulatory compliance Publication Date: 31 October 2003/ID Number: SPA Page 2 of 8

3 Figure 1. The Five IAM Business Drivers Business Units Regulatory Compliance! Gramm-Leach-Bliley Act! HIPAA! 21 CFR Part 11! North American Electric Reliability Council! Sarbanes-Oxley Chief Information Security Officer Risk Management! Audit management! Terminations! Policy-based compliance! Strong authentication! Strong audit trail Source: Gartner Research (October 2003) Business Facilitation! Customer self-registration! Portal and personalization! Outsourcing! Customer retention CIO CFO Cost Containment! Reduce/avoid staff Security administration Help desk! Common IAM architecture! Non-IT services Help Desk Security Administration Operational Efficiency! Improved service-level agreement (less than 24 hours)! Productivity savings! User convenience! Security administration reporting Some drivers are more applicable to one component of the IAM solution than another (see Table 1). Cost containment and IT risk management are the primary reasons for the majority of IAM implementations for internal user access. Business facilitation is the primary driver for implementations that address external user access control. Because all IAM components assist with regulatory compliance, the majority of enterprises deal with this business driver as a supporting motivator for implementing a "best practice" information security program. Table 1. IAM Business Drivers and Components Business Facilitation Cost Containment Operational Efficiency IT Risk Management Regulatory Compliance Authentication Services X X X X Enterprise Single Sign-On X X X Password Management X X X X X User Provisioning, Metadirectory, Identity Administration Operating-System Security X X X X X Database Security X X X X Publication Date: 31 October 2003/ID Number: SPA Page 3 of 8

4 Extranet Access Management, Identity Administration Source: Gartner Research (October 2003) Business Facilitation X X X X X To provide easier, faster access to enterprise information for customers, trading partners and employees, increasingly via the Internet, you also must provide the appropriate security infrastructure for such an environment. Reasons to implement an IAM solution for business facilitation include: Customer Self-Registration When the number of customers reaches hundreds of thousands, enterprises can't manage the security administration requirements of all users through manual measures. They must automate, or they can't deliver the service. When automating, enterprises offload the administrative costs to end-user departments or customers. Extranet access management (EAM) products typically are used for end-user self-registration. Portal and Personalization Implementation More business services are being delivered via portals that provide a common access interface, as well as to deliver personalized services to the end user. Portals must authenticate and authorize users. The delivery of personalized services can leverage the information repository that is also used for authentication and authorization. Directories and EAM products are key components to portal and personalization projects. Outsourcing When enterprises outsource their IT operations, the outsourcing service provider often assumes the security administration responsibility for their clients. To make this operation cost-effective and efficient for both parties, and to provide a separation of duties among its outsourcing customers, the outsourcing service provider must have a well-defined security administration function. Service providers often use user provisioning products to provide this function internally to their operations. Customer Retention Customers are demanding; if you don t make it easy for them to use your service, they ll leave you for a competitor with which it is easier to do business. The cost of obtaining a new customer is high the cost to retain a customer can be even higher. Marketing managers use various types of tactics to retain customers, including self-service password resets and single sign-on (SSO) functionality. Cost Containment Current staffing levels can't accommodate enterprises' growing needs for day-to-day security administration activities at the help desk or security administration groups. Regardless of an economic upturn or downturn, enterprises want cost-cutting measures. IAM solutions are one of the few areas within the information security program that can provide you with direct savings. Reduce or Avoid Adding Staff In the typical enterprise, help desk personnel, system administrators and security administrators handle user access requests on a daily basis. In some enterprises, the help desk call volume that is associated with password problems is as high as 80 percent. (The help desk has other problems, such as a very short password change policy for all applications for example, 30 days.) Adding a system or application to the IT environment often means training someone on that new technology, or acquiring additional talent to handle it from a security administration perspective. However, it is rare to find an enterprise that eliminates staff doing security administration activity. Usually these people are reassigned to other, sometimes long-neglected, information security activities, such as audit log monitoring. You can reduce the costs of the security administration process by using password management, user provisioning and EAM products. Publication Date: 31 October 2003/ID Number: SPA Page 4 of 8

5 Common IAM Architecture By establishing a common IAM architecture, you can eliminate the costs that are associated with design and development "one-offs" in each application development group; reduce or eliminate platform-specific hardware and software that is supporting security administration activities; and ease application integration by providing a common authentication and authorization infrastructure. Directories, password management, user provisioning and EAM products are the backbones of an IAM architecture. Non-IT Services Once you have implemented a user provisioning product, you will see the benefits of the system outside of the information security domain. Non-IT resources, such as physical security access devices, cellular phones and pagers (and other devices that have a monthly service fee), can be better-managed at the time of issuance. More importantly, when the device's user leaves the enterprise, the monthly bill can be eliminated more quickly. Operational Efficiency Enterprises want a faster fulfillment process for access requests, as well as improved user convenience through the use of IAM solutions. Password management, user provisioning, EAM and SSO products deliver on this business driver. Improved Service-Level Agreements Achieving an access request fulfillment turnaround time of 24 hours or less, which is a requirement in a growing number of enterprises, can be achieved only via automation. With an average of 18 user accounts per internal user, creating 18 accounts in a day, including approvals, can't be done manually. Productivity Savings Automating the IAM process results in time savings in many areas: Revenue-producing employees and contractors get access to needed resources and can start working within their first few days of employment. Reducing the time frame for approving access requests means less time spent by middle and senior management on these approvals. A nice feature in some IAM products is a "one-click" approval process, which eliminates even more time from the approval process. Approvers don't have to go into the user provisioning product to approve the request; they can use the secure facility to send the approval, once they are notified via . Enabling users to change their passwords not only eliminates help desk cost, but also reduces the time spent by users to change the password. Thus, they can work when they want to, and can get back to work sooner than the average 20 minutes spent going through the help desk. User Convenience Password management and SSO products put end users in control and make for happier users overall. They are critical components for ensuring customer retention. Security Administration Reporting Enterprises must produce reports for day-to-day security administration purposes. Obtaining this information from a centralized facility increases operational efficiency. IT Risk Management The ability to prove the security of your access control infrastructure is an important requirement for day-to-day security administration activities and auditing purposes, and to obtain and maintain customers. In addition, the ability to implement and maintain regulatory requirements is a "must do" for certain industries. All components of the IAM solution, except for SSO which has its detractors who perceive a lowered level of security through its use aid in ensuring a secure access control infrastructure. Publication Date: 31 October 2003/ID Number: SPA Page 5 of 8

6 Audit Management Responding to audits in a timely manner saves money for auditors, system administrators, security administrators and managers. Terminations Disabling terminated users' access immediately following their termination results in reduced exposure for enterprises. With no facility that identifies user accounts enterprisewide, it is 99 percent probable that one will be missed. This account may allow a disgruntled employee or hacker to breach the enterprise's security. Policy-Based Compliance Automatically implementing and maintaining IAM policies, such as password formation, change and history policies, roles and privileges, and business hours usage, are central to an IAM solution. Automation helps reduce the cost of log monitoring because you can focus on access exceptions. Strong Authentication For industries such as financial services and healthcare, providing a stronger authentication mechanism other than user ID and password is a requirement based on the confidentiality and sensitivity of the information being accessed, including the IAM product. Strong Audit Trail Nonrepudiation may be a requirement for the event log entries of the IAM component for industries that must have a strong access control infrastructure. Regulatory Compliance The regulations for the financial services, healthcare, pharmaceutical and other industries regulated by the U.S. Food and Drug Administration, as well as electric energy industries, require the establishment of a secure access control infrastructure. The U.S. Public Company Accounting Reform and Investor Protection Act of 2002 (also known as the Sarbanes-Oxley Act) is causing U.S. public companies and foreign enterprises with U.S. operations to address their internal control infrastructure. Specific regulations and their IAM focus include: Financial Services The Gramm-Leach-Bliley Financial Services Modernization Act of 1999 secure access to customer information. Healthcare/Medical The Health Insurance Portability and Accountability Act (HIPAA) limit access to individual healthcare information to the minimum access necessary to perform job functions (roles) that are related to treatment, payment and healthcare operations. Part 11 of the U.S. Title 21 Code of Federal Regulations (21 CFR Part 11) maintain a chain of validity and integrity of data submitted as a part of a new drug application. That is, logging each unique individual or machine responsible for the creation of, change to or deletion of data that supports an electronic submission of a new drug application. Electric Utilities The North American Electric Reliability Council Urgent Action Standard 1200: Section 1204, Electronic Access Control identify and implement electronic access controls for access to critical cyberassets within the electronic security perimeter. Section 1207, Personnel identify all personnel, including contractors and service vendors, who are granted electronic or physical access to critical cyberassets. Section 1210, Information Protection maintain a document that identifies the access limitations to sensitive information related to critical cyberassets. Publication Date: 31 October 2003/ID Number: SPA Page 6 of 8

7 Public U.S. Companies and Foreign Companies Traded on U.S. Markets, Including Their Subsidiaries Sarbanes-Oxley auditing and separating duties for access to information or transactions that could affect enterprises' financial statements. Industries Best-Suited for an IAM Solution Regulated industries have a vested interest in implementing many, if not all, IAM components. Other industries that are implementing IAM technologies include: Retail Retail institutions have an annual staff turnover of close to 100 percent. Also, they have to contend with holiday hiring cycles that put strain on their ability to handle the security administration needs of these new users. Education Similar to retail, educational institutions have cycles in their user population (academic terms). They also must ensure that the accounts associated with users who are no longer affiliated with the institution are removed from the IT environment. Some institutions have discovered ex-students and ex-teachers using institution-owned computer processing facilities to run private businesses. Government State governments are greatly interested in delivering state services to their constituencies via the Internet. Thus, they need an access control infrastructure that can manage millions of users, most of whom have only occasional need to access government services (for example, for yearly tax returns). Manufacturing Enterprise resource planning implementations have forced many manufacturing companies to develop roles and associated access rights for their workforces. To maintain these roles, many of these companies turn to user provisioning products otherwise, their role-based access control structures would be out of date in six to 12 months. Key Issues How will enterprises manage the complexity of authentication and access control in a highly distributed world? Acronym Key CFR Code of Federal Regulations EAM HIPAA IAM SSO extranet access management Healthcare Information Portability and Accountability Act identity and access management single sign-on This research is part of a set of related research pieces. See "The Growing Need for Identity and Access Management" for an overview. Publication Date: 31 October 2003/ID Number: SPA Page 7 of 8

8 REGIONAL HEADQUARTERS Corporate Headquarters 56 Top Gallant Road Stamford, CT U.S.A European Headquarters Tamesis The Glanty Egham Surrey, TW20 9AW UNITED KINGDOM Asia/Pacific Headquarters Level 7, 40 Miller Street North Sydney New South Wales 2060 AUSTRALIA Latin America Headquarters Av. das Nações Unidas andar WTC São Paulo SP BRAZIL Publication Date: 31 October 2003/ID Number: SPA Page 8 of 8