The Importance of Access Management
By Lauren Barack
As information security gains a higher profile inside today's companies, access to that information must become a key concern for CIOs. Without a strong identity and access management program in place, companies run the very real risk of finding their information open to attack.
Identity and access management (IAM) is also known as a "scan and block" process. The security posture of a system and the identity of its user are evaluated as the system tries to join the network (the "scan"); then, depending on the threat that system poses and who the user is, access may be granted. If a threat is detected, access is denied instead (the "block").
For example, in the medical field, limiting access to data can be a matter of life and death. Patient data that falls into the wrong hands, whether by intent or by chance, can affect treatment plans. A medical enterprise can also find itself embroiled in a costly legal battle should a patient's medical record be retrieved by an outside party and used to discriminate against that person in any way. To keep files from going astray, Children's Hospital Boston, for one, took a self-service approach to IAM and created a program that automatically timed out a user's access after a set period. The time-out ensured that sensitive patient data was better protected if a doctor walked away in the middle of viewing confidential patient files.
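The automatic time-out described above is a simple but effective access control. The following is an added illustration of how such a guard can be built, not Children's Hospital Boston's program; the five-minute timeout, the user name and the record identifiers are constructed for the example. The clock is passed in by the caller so the behaviour is deterministic, and every decision is written to an audit list so a reviewer can reconstruct who saw what.

```python
"""Idle-timeout session guard: closes a session that has been left unattended
and refuses further record access until the user signs in again.
Added example, not the hospital's own code; all values are constructed."""
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 300  # assumed policy value: five minutes of inactivity


@dataclass
class Session:
    user: str
    last_activity: float   # seconds, from whatever clock the caller supplies
    active: bool = True


class SessionGuard:
    """Tracks one session per user and enforces the idle timeout."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS):
        self.idle_timeout = idle_timeout
        self.sessions = {}
        self.audit = []  # (time, user, event) tuples

    def login(self, user, now):
        self.sessions[user] = Session(user=user, last_activity=now)
        self.audit.append((now, user, "login"))

    def access_record(self, user, record_id, now):
        """Return True if the access is allowed. A session idle for longer than
        the timeout is closed and the access refused; the activity clock is
        refreshed only on an allowed access."""
        s = self.sessions.get(user)
        if s is None or not s.active:
            self.audit.append((now, user, f"denied {record_id}: no active session"))
            return False
        if now - s.last_activity > self.idle_timeout:
            s.active = False
            self.audit.append((now, user, f"timed out; denied {record_id}"))
            return False
        s.last_activity = now
        self.audit.append((now, user, f"read {record_id}"))
        return True

    def sweep(self, now):
        """Close every idle session proactively (e.g. from a background timer),
        so an unattended screen does not stay open until the next request.
        Returns the users whose sessions were closed."""
        closed = []
        for s in self.sessions.values():
            if s.active and now - s.last_activity > self.idle_timeout:
                s.active = False
                closed.append(s.user)
                self.audit.append((now, s.user, "timed out by sweep"))
        return closed


def demo():
    """Constructed scenario: one access inside the window, one after a long gap."""
    g = SessionGuard(idle_timeout=300)
    g.login("dr_example", now=0)
    first = g.access_record("dr_example", "MRN-0001", now=120)   # 120 s idle: allowed
    later = g.access_record("dr_example", "MRN-0002", now=1000)  # 880 s idle: refused
    again = g.access_record("dr_example", "MRN-0002", now=1001)  # session closed
    return first, later, again


if __name__ == "__main__":
    print(demo())
```

The sweep method matters in practice: checking the timeout only when the next request arrives leaves the screen open in the meantime, which is exactly the exposure the hospital was trying to remove.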
More CIOs in all sectors are recognizing the importance of identity and access management. In fact, a full 87 percent of C-level executives and IT managers who responded to a recent survey by KRC Research said they planned to increase their IAM budget for 2005, with 55 percent of them increasing it by an average of 19 percent from what they spent in 2004.
Budgeting for a secure IAM program is money well spent. For example, the cost of managing security codes for Web applications is $13.50 per user for each application on an annual basis, according to a Gartner Group report. In an enterprise of 20,000 users and just six applications, that cost can quickly escalate to nearly $2 million a year to maintain a secure network. But a strong IAM plan can virtually eliminate those costs by automating the process.
Besides saving money, an IAM program can help with regulatory compliance requirements. In the KRC study, about 92 percent of those responsible for regulatory compliance said IAM was critical to following the rules mandating safeguards for sensitive data in Sarbanes-Oxley, HIPAA, and the Gramm-Leach-Bliley Act. Each of these pieces of legislation requires enterprises to safeguard their sensitive, private data or else face legal action.
At the moment, identity and access management is not a standardized practice. There are no industry standards for authentication or verification or for establishing the program from the start. Each company seems to be creating its own program and plan.
Microsoft, for example, has an estimated 60,000 employees and freelance personnel who access the software giant's IT servers from 175 different points around the world. To ensure that access to data is granted only to the right people, Microsoft has implemented a "smart card" approach, a physical card that is required to access any Microsoft server. The firm has also launched plans for a new technology it has called Network Access Protection, or NAP, that it will add to Windows Server in late 2007. NAP could become an industry standard as 43 companies have already agreed to partner with Microsoft in developing the software. NAP is a hybrid: virus-scanning technology married to software that will be able to automatically deny server access to computers that don't meet specific security requirements.
When planning a secure and relevant identity access management program for their own organizations, CIOs may not have access to best practices yet, but they can learn much from companies like Microsoft. In addition, Gartner recommends six essential steps to take to create a strong IAM plan:
- Create a baseline: Before implementing an IAM program, an enterprise should have a baseline security system in place that includes all necessary patches and anti-virus software and maintains port and personal firewall settings. To guard against access breaches, enterprises should also install persistent agents that do a regular deep scan of the complete system to make sure it is secure, and dynamic agents that do an immediate scan each time a user attempts to access the network.
- Install access control: Controlling who has access to the network is critical to securing data. Access control technology should be installed that can make instant judgments on whether an end user is granted access or should be quarantined until proper patches or anti-virus updates can be applied.
- Include automation: End users will from time to time need to be quarantined and patched before they can safely access the network. Automated IAM software can save an enterprise time and money by immediately downloading the necessary fixes to a device that is trying to gain access.
- Monitor the network: Even after an end-user device has been allowed access, a strong IAM practice will continue to monitor it to see whether it begins to act suspiciously.
- Contain rogue attacks: Certainly, as more enterprises install IAM solutions, attackers will create rogue software that can pass the first scan and gain access to the system. Worse, after being granted access, the software could then begin installing a virus. A way to contain viruses quickly is to isolate the specific IP address launching the attack, or to build containment walls within the network so that if one area is breached, it can be quarantined.
- Maintain security: A good IAM plan will not be just an add-on product, but part of every device in the enterprise. Of course, CIOs will want to tie office computers into the "scan and block" system. But they should not neglect remote devices such as PDAs and laptops, which can access a company's network and bring viruses in on piggyback.
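The six steps above describe one admission pipeline: scan a device against the baseline, allow, quarantine or deny it, push fixes to quarantined devices, and keep watching admitted ones. The following is an added example of that pipeline as a policy engine; it is not Microsoft NAP or any vendor's product. The device inventory, the required patch level, the signature-age limit and the connection-count threshold are all constructed values.

```python
"""Scan-and-block admission policy: baseline check, quarantine with automated
remediation, and post-admission containment. Added example, not NAP; every
device record and threshold below is constructed."""
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    QUARANTINE = "quarantine"   # remediation network only
    DENY = "deny"


# Assumed baseline (step 1): what a device must show before it is admitted.
REQUIRED_PATCH_LEVEL = 42
MAX_AV_SIGNATURE_AGE_DAYS = 7
KNOWN_DEVICES = {"dev-lt-001", "dev-ws-002", "dev-pda-003"}  # constructed inventory


def evaluate_posture(device):
    """Step 2: return (decision, reasons). Unknown or unauthenticated devices are
    denied outright; known devices with fixable gaps are quarantined so that
    remediation can run; devices that meet the baseline are allowed."""
    if device.get("device_id") not in KNOWN_DEVICES or not device.get("user_authenticated"):
        return Decision.DENY, ["unknown device or user not authenticated"]
    reasons = []
    if device.get("patch_level", 0) < REQUIRED_PATCH_LEVEL:
        reasons.append("patch level below baseline")
    if device.get("av_signature_age_days", 999) > MAX_AV_SIGNATURE_AGE_DAYS:
        reasons.append("antivirus signatures stale")
    if not device.get("firewall_enabled", False):
        reasons.append("personal firewall disabled")
    if reasons:
        return Decision.QUARANTINE, reasons
    return Decision.ALLOW, ["compliant"]


def remediate(device):
    """Step 3: simulated automated fix pushed to a quarantined device.
    Returns a new record; the original is left untouched."""
    fixed = dict(device)
    fixed["patch_level"] = max(fixed.get("patch_level", 0), REQUIRED_PATCH_LEVEL)
    fixed["av_signature_age_days"] = 0
    fixed["firewall_enabled"] = True
    return fixed


SAMPLE_DEVICES = [  # constructed endpoint scan results
    {"device_id": "dev-lt-001", "user_authenticated": True, "patch_level": 42,
     "av_signature_age_days": 1, "firewall_enabled": True},
    {"device_id": "dev-ws-002", "user_authenticated": True, "patch_level": 40,
     "av_signature_age_days": 30, "firewall_enabled": True},
    {"device_id": "dev-pda-003", "user_authenticated": False, "patch_level": 42,
     "av_signature_age_days": 0, "firewall_enabled": True},
    {"device_id": "dev-unknown", "user_authenticated": True, "patch_level": 42,
     "av_signature_age_days": 0, "firewall_enabled": True},
]


def admission_run(devices=SAMPLE_DEVICES):
    """Evaluate each device; quarantined devices are remediated and re-checked.
    Returns {device_id: final Decision}."""
    results = {}
    for d in devices:
        decision, _ = evaluate_posture(d)
        if decision is Decision.QUARANTINE:
            decision, _ = evaluate_posture(remediate(d))
        results[d["device_id"]] = decision
    return results


def contain_if_suspicious(results, new_connections_per_minute, threshold=50):
    """Steps 4 and 5: after admission, revoke an allowed device whose observed
    behaviour (here, new outbound connections per minute) exceeds the threshold.
    Returns the updated results mapping."""
    for dev_id, count in new_connections_per_minute.items():
        if results.get(dev_id) is Decision.ALLOW and count > threshold:
            results[dev_id] = Decision.DENY
    return results


if __name__ == "__main__":
    admitted = admission_run()
    print(admitted)
    print(contain_if_suspicious(admitted, {"dev-lt-001": 120}))
```

Note the order of checks: identity (known device, authenticated user) is decided before posture, so a device that fails the baseline is only quarantined when there is an authenticated user behind it, and an unknown device never reaches the remediation network at all.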
Enterprises must also consider building good IAM practices into their security plans. The good news is that this approach may bring about a new level of protection and keep firms in line with regulatory requirements. While some companies like Microsoft are working on what they hope will become an industry standard, CIOs cannot afford to wait.
Lauren Barack's work has been published in Business 2.0 and Wired.