White Paper. Identity and Access Governance Bringing Business and IT Together

Transcription

1 White Paper Identity and Access Governance Bringing Business and IT Together

2 Table of Contents Introduction... 1 IAG Industry Overview... 2 Melding Two Worlds... 4 Integration and Real Evolution... 6 Key Elements for Effective IAG Solutions... 6 Vendor Selection... 7 About NetIQ... 8 page

3 Introduction Given the risks that attend today s punishing threat and regulatory landscapes, your need for identity and access governance (IAG) has never been greater. You need to know exactly who has access to what resources and if these levels of access are appropriate. In recent years, this simple need-to-know mandate has evolved from an IT directive to a vital business imperative. As the general population s technical sophistication grows ever greater, so grows your risk of security breaches and so grows the speed with which your organization must respond to them. Where identity management is a primary concern for your IT department, the related areas of security compliance, risk mitigation and access governance are among the primary concerns of your organization s business executives. Identity management and access governance systems share many overlapping functions. But the people who use these systems IT professionals and business executives typically have very different objectives and technology backgrounds. And while converging these two systems makes sense, the converged systems must be robust enough to meet IT s demands and simple enough for non-it business professionals to manage. This isn t to imply that one system can, or should, do the jobs of both. Rather, it means that to meet the growing needs of both systems, your IAG solution must seamlessly integrate IT and business tools. 1

4 White Paper Identity and Access Governance Bringing Business and IT Together IAG Industry Overview Market Forces Many factors have contributed to the explosive growth of the identity and access governance (IAG) marketplace. The following are some of the primary factors driving this growth. Attacks, Cyber Terrorism, Internal Breaches and Fraud While most companies find it relatively easy to provide ample physical security for workers at each of their facilities, they find ensuring the safety of their systems, data and intellectual property a daunting task. Cyber, or computer, attacks can come from anywhere external sources or even organizations own employees. While the Federal Bureau of Investigation (FBI) increases the number of fraud cases it pursues each year by an average of ten percent 1, the number of cases that do not reach the FBI-involvement level is significantly higher. From disgruntled employees to unscrupulous competitors to cyber hackers looking for data they can sell, the risks have never been greater than they are today. While the Federal Bureau of Investigation (FBI) increases the number of fraud cases it pursues each year by an average of ten percent, the number of cases that do not reach the FBI-involvement level is significantly higher. However, most cyber-attacks and security breaches are preventable: Your company probably already has the information it needs to stop attacks. What it most likely doesn t have is a way to organize, manage and monitor data in such a way that it can see security risks and take preventive actions. Emergence of the Cloud The National Institute of Standards and Technology (NIST) defines the cloud as the delivery of computing as a service rather than a product, whereby shared resources, software, and information are provided to computers and other devices as a utility (like the electricity grid) over a network (typically the Internet) 2. Cloud-hosted platforms and services are becoming popular all over the world. It s easy to see why. Cloud-delivered software as a service (SaaS) is inherently scalable. Companies pay only for the software they need now; and as they need more capacity, they can easily allocate additional resources. However, using cloud-delivered services is not without its challenges. For example, providing all users with access to all applications can be expensive and risky. To keep costs in check and mitigate security risks, you need a way to allocate access to cloud resources based on users roles and responsibilities. That is, you need an effective IAG solution. 1 publications/financialcrimes-report / financial-crimes-report #Corporate 2 publications/nistpubs/ /SP pdf 2

5 Fully integrated IAG solutions that automate common procedures and processes are worthwhile investments even in tough times. Such solutions save time, money and frustration. Mobile Access To stay competitive, you must provide anytime, anywhere access to network resources. Doing this entails far more than installing traditional virtual private network (VPN) clients on company-owned machines. Remote users need access from a variety of non-traditional devices such as smartphones and tablets. To securely meet these needs, your access-control solution must both authenticate users and permit them to access their cloud-based resources from multiple devices. Such access requires secure and trusted identity management that works across all platforms. Budget Constraints During difficult economic times, organizations often constrain IT budgets even as they increase demands for IT services. Fully integrated IAG solutions that automate common procedures and processes are worthwhile investments even in tough times. Such solutions save time, money and frustration. IAG solutions save money in two main areas: productivity and security. If your workers don t have access to the resources they need to do their jobs, productivity suffers and labor costs rise. Similarly, productivity costs rise when your IT professionals must spend expensive hours doing mundane, repetitive tasks. But the greatest costs associated with separate, manually managed identity and access governance solutions occur when organizations don t have adequate security and compliance controls. Data breaches are expensive and become public knowledge very quickly. If your organization loses trust within the marketplace, it is at risk of extinction. Resulting Pressures As the aforementioned market forces increase, the pressure to adopt an effective, integrated, automated IAG solution mounts. Organizations like yours must ensure both the integrity of their systems and their abilities to effectively manage access to them. Market forces apply pressures in two key areas. Audits, Regulation, Compliance Increased government and industry oversight result from concerns about data security, which in turn result from market forces such as the Internet s expansion and the cloud s growing popularity. Government and industry regulators often deploy oversight in the form of regulations, and regulations sometimes become laws to ensure compliance. 3

6 White Paper Identity and Access Governance Bringing Business and IT Together Sarbanes-Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA) are just two examples of the many regulations that require effective IAG solutions for compliance: The ability to certify that people have access only to the resources they need, and only when they need them, is vital to compliance efforts. Speed of Access and Updates Years ago, businesses were content to wait for the U.S. mail to deliver correspondence and information. In today s communications setting, businesses expect instantaneous information sharing. They also expect instant user-provisioning and de-provisioning. Generating helpdesk tickets and waiting for heavily burdened IT staff to manually grant or remove access to each resource is no longer an acceptable practice. More than ever before, functions such as updating systems and applications to meet new business needs and compliance regulations, routine upgrades, and IT policy and procedure updates receive visibility at your organization s highest levels. Management assumes immediate execution, even as complexities mount. More than ever before, functions such as updating systems and applications to meet new business needs and compliance regulations, routine upgrades, and IT policy and procedure updates receive visibility at your organization s highest levels Melding Two Worlds Definitions To understand IAG solutions, you must first know something about how identity-management and access-governance systems work. Identity Management IT s needs and requirements drive identity and access management systems. Identitymanagement tools allow IT professionals to: Provision application and server access Provide trusted authentication mechanisms that ensure users are who they say they are Simplify secure sign-on processes Allocate access for SaaS resources and mobile devices Administer Active Directory functions Provide detailed, privileged administration capabilities for IT personnel These tools are very powerful and address complex issues. They are designed to perform automation behind the scenes and are not typically used by average business users. 4

7 Access governance tools not only give business leaders the ability to meet regulatory requirements and authorize access, but they also automate common, repetitive tasks, which reduces the burdens these tasks impose on IT and helpdesk personnel. Access Governance Access governance issues typically reside at the business level, so access governance tools have user interfaces that are designed for business managers rather than IT personnel. These tools typically support the following activities: Ensuring that the business complies with IAG rules and regulations Authorizing access requests for new hires, employees whose positions have changed and temporary teams Certifying appropriate access levels Defining and managing system-wide user roles Managing entitlements associated with various roles and positions Assessing, managing and mitigating risks based on roles, entitlements and access levels Access governance tools not only give business leaders the ability to meet regulatory requirements and authorize access, but they also automate common, repetitive tasks, which reduces the burdens these tasks impose on IT and helpdesk personnel. IAG and Organizational Needs IT organizations must support compliance efforts, provide access, keep systems secure and update technology and computing environments all while trying to support strategic business objectives. Business managers are concerned with staying compliant, passing security/regulatory audits, mitigating risks, quickly responding to internal and external customers and having the ability to view the entire enterprise in an easy-to-understand and use system. As different as IT and business needs might seem, in the case of identity-management and access-governance systems, you cannot meet the needs of one without meeting the needs of the other. It is imperative that both systems work together to meet and exceed business and IT objectives. Governance does not replace the need for strong identity management. Rather, it complements the identity-management infrastructure and allows those closest to ultimate business needs to truly take advantage of business systems, rather than becoming slaves to them. In other words, seamlessly integrating identity-management and access-governance systems meets both IT and business needs. 5

8 White Paper Identity and Access Governance Bringing Business and IT Together Integration and Real Evolution The Value of Existing Investments Some new vendors in the IAG space advocate pushing forward with emerging technologies, leaving the past behind. This throw the baby out with the bath water approach is expensive at best and dangerous at worst. Leveraging existing equipment and technology provides greater value and has an important added advantage: Existing systems have already gained user acceptance. With the right IAG solution, you can maintain the technologies that have worked for you in the past and still stay current with important new technologies. The right IAG solutions must support a wide range of platforms, applications and technologies. This ensures your ability to successfully use your current systems as a technology foundation upon which to deploy the latest technologies, thus enabling you to build a path for future development. With the right IAG solution, you can maintain the technologies that have worked for you in the past and still stay current with important new technologies. The Future Your company must create a strong vision for the future and determine which direction will carry it forward. Its IAG system will be an important part of this future. If you envision acquiring other companies (or if you see other companies acquiring yours), you know upfront you ll need systems that can accommodate new and different technologies but you ll need such systems even if you see a future that doesn t involve acquisitions. After all, today s technologies will become the legacy technologies of tomorrow. When they do, it will be better to build on them than to replace them. Ensure that your path forward includes strong integration capabilities that allow existing systems to seamlessly coexist with new and emerging technologies including new platforms and computing environments. Key Elements for Effective IAG Solutions The following product features are integral to successful IAG solutions: Full integration between identity management and access governance systems Ensure that the governance system you select is more than just compatible with or does more than merely interface with your identity and access-management system. Truly seamless integration between robust offerings in each category will help ensure your success. 6

9 Selecting the right vendor is as important as selecting the right systems and tools. Ease of use A simplified, user-friendly interface is critical, especially for business users dealing with access governance. Look for a dashboard interface that enables business managers to quickly view the entire IAG landscape and drill down to detailed user profiles that show each user s roles and entitlements. These capabilities will help business users quickly and painlessly adopt the new system and meet compliance objectives. Orphan account control While it s important to quickly provision appropriate access to resources, it is even more important to quickly revoke access when employees or vendors leave. Make sure your IAG solution includes triggers that prevent orphan accounts from becoming potential security risks. Entitlement-creep control As workers transfer departments, accept promotions, join temporary teams and so forth, some solutions make it easy for them to retain access privileges from past projects. Effective IAG solutions, however, monitor and control such entitlement creep, thus ensuring users access privileges extend only as far as their current needs. Trusted fulfillment Governance systems are only as good as the identity management systems with which they are integrated. Make sure both systems are powerful and easy to use, and provide rich integration. Multi-platform support Strong IAG systems support all leading software applications and databases, operating systems, hardware, web-server environments. Risk assessment and mitigation tools The ability to quickly identify and mitigate risks is clearly an essential element of any good IAG solution.. Vendor Selection Selecting the right vendor is as important as selecting the right systems and tools. Here are a few questions you should ask when selecting a vendor: Credibility What is the potential vendor s reputation in the marketplace? How satisfied are other clients with the vendor s support and services? If a prospective vendor s reputation is suspect, or it is too new to have built a solid reputation, exercise increased caution in the selection process. Vision for the future What is the prospective the vendor s vision? Is the vendor playing follow the leader or is it the leader? Do the vendor s goals and strategies align with yours? Look for a vendor whose vision fits well with your organization s. Industry leadership and track record What is the potential vendor s history? Has it been an innovator in the markets it serves? Has it shown that the IAG market is a key area of focus, or does IAG seem to be an afterthought? Past leadership is the best indication of future success. Demonstrated performance How knowledgeable are the vendor s engineering and support staffs? Have the vendors successfully implemented solutions very similar to yours at other locations? Again, finding out how the vendor s existing clients rate its performance can help you determine how well the vendor will perform for you. 7

10 White Paper Identity and Access Governance Bringing Business and IT Together As identity management and access governance technologies converge, it s doubly important to select the right products from the right vendors. Proper research, planning and partner selection will ensure that your organization s IAG solution will meet its needs for years to come. About NetIQ NetIQ is a global, IT enterprise software company with relentless focus on customer success. Customers and partners choose NetIQ to cost-effectively tackle information protection challenges and manage the complexity of dynamic, highly distributed business applications. Customers and partners choose NetIQ to cost-effectively tackle information protection challenges and manage the complexity of dynamic, highly distributed business applications. Our portfolio includes scalable, automated solutions for Identity, Security and Governance, and IT Operations Management that help organizations securely deliver, measure, and manage computing services across physical, virtual, and cloud computing environments. These solutions and our practical, customer-focused approach to solving persistent IT challenges ensure organizations are able to reduce cost, complexity and risk. To learn more about our industry-acclaimed software solutions, visit: 8

11 Worldwide Headquarters 515 Post Oak Blvd., Suite 1200 Houston, Texas USA /communities/ For a complete list of our offices in North America, Europe, the Middle East, Africa, Asia-Pacific and Latin America, please visit: /contacts Q 04/ NetIQ Corporation and its affiliates. All rights reserved. NetIQ and the NetIQ logo are trademarks or registered trademarks of NetIQ Corporation in the USA. All other company and product names may be trademarks of their respective companies.