Few things come easy in IT.
Want to roll out full disk encryption? You'd better plan on touching each and every machine.
Looking to install a centrally-managed data loss prevention system? Well, you catch my drift. In most cases, the viewpoint of a vendor differs quite a bit from those of us in the trenches.
Identity and access management (IAM) is no different. We hear about these glamorous features that are suddenly going to us save time, effort and money while making our networks more secure and compliant -- what's there to lose? The fact is, we're often made to feel that if we don't implement IAM technologies then we might as well take down our firewall, remove our password requirements and let our users have their way. If it were only that simple.
Many of the vendor marketing and sales professionals pushing identity management don't truly understand the nuances and indescribable hassles of day-to-day network administration, much less what's involved with rolling out an IAM solution in the enterprise. The headaches associated with IAM can be extensive, going beyond the common issue of trying to sell the technology to management in order to justify the cost. Here are some of the big issues:
- Determining who needs access to what for how long. You can't manage or secure what you don't acknowledge. Finding out what you've got and talking to the right managers about the access certain users and groups need is key.
- Directory service synchronization. It's hard to believe that "lost in translation" still rears its ugly head more than a decade after Microsoft Active Directory was introduced, but you must be prepared for things to go awry.
- Change management. Identity and access management systems hold the keys to the kingdom. A few out-of-process changes here and there can cause big problems, so a reasonable change management process -- i.e. one that doesn't get in the way of doing business that everyone needs to follow -- is a must.
- System monitoring and maintenance. IAM is not going to run itself, and it's yet another system you'll need to keep secure. Think about what you're going to have to give up in order to find that extra time.
There's a saying that action without planning is the reason for every failure. I've seen this with IAM and other complex technologies. Business managers think they know what they want, they rush IT to implement it, and then, several months down the road wonder why things aren't running so smoothly. Based on what I see in my work, this need for immediate gratification is at the heart of many IT headaches.
While there are several things related to identity and access management you can't control (poorly-written software, politics, etc.) there are certain things you can control, like up-front planning and proper time management. If you can find the magic formula for tweaking the system and your business processes, IAM can deliver huge information security and compliance benefits.
I strongly believe that using the right technologies in the proper ways gives more to the business than it takes away. However, using the right technologies in the wrong ways (or not using the right technologies at all) will merely serve to hinder and create more business risks. Whether or not identity and access management is worth the fuss is completely up to you and the people involved with making it happen.
ABOUT THE AUTHOR
Kevin Beaver (CISSP), is an information security consultant, expert witness, as well as a seminar leader and keynote speaker with Atlanta-based Principle Logic, LLC. Kevin can be reached at www.principlelogic.com.