Tip

Are identity and access management payoffs worth the fuss?

Few things come easy in IT.

Want to roll out full disk encryption? You'd better plan on touching each and every machine.

Considering network access control (NAC) or a network access point? It's not going to be simple.

Looking to install a centrally managed data loss prevention system? Well, you catch my drift. In most cases, the viewpoint of a vendor differs quite a bit from that of those of us in the trenches.

Identity and access management (IAM) is no different. We hear about these glamorous features that are suddenly going to save us time, effort and money while making our networks more secure and compliant -- what's there to lose? The fact is, we're often made to feel that if we don't implement IAM technologies then we might as well take down our firewall, remove our password requirements and let our users have their way. If it were only that simple.

Many of the vendor marketing and sales professionals pushing identity management don't truly understand the nuances and indescribable hassles of day-to-day network administration, much less what's involved with rolling out an IAM solution in the enterprise. The headaches associated with IAM can be extensive, going beyond the common issue of trying to sell the technology to management in order to justify the cost. Here are some of the big issues:

  • Determining who needs access to what for how long. You can't manage or secure what you don't acknowledge. Finding out what you've got and talking to the right managers about the access certain users and groups need is key.
  • Directory service synchronization. It's hard to believe that "lost in translation" still rears its ugly head more than a decade after Microsoft Active Directory was introduced, but you must be prepared for things to go awry.
  • Change management. Identity and access management systems hold the keys to the kingdom. A few out-of-process changes here and there can cause big problems, so a reasonable change management process -- i.e., one that everyone needs to follow and that doesn't get in the way of doing business -- is a must.
  • System monitoring and maintenance. IAM is not going to run itself, and it's yet another system you'll need to keep secure. Think about what you're going to have to give up in order to find that extra time.

There's a saying that action without planning is the reason for every failure. I've seen this with IAM and other complex technologies. Business managers think they know what they want, they rush IT to implement it, and then, several months down the road, wonder why things aren't running so smoothly. Based on what I see in my work, this need for immediate gratification is at the heart of many IT headaches.

While there are several things related to identity and access management you can't control (poorly written software, politics, etc.), there are certain things you can control, like up-front planning and proper time management. If you can find the magic formula for tweaking the system and your business processes, IAM can deliver huge information security and compliance benefits.

I strongly believe that using the right technologies in the proper ways gives more to the business than it takes away. However, using the right technologies in the wrong ways (or not using the right technologies at all) will merely serve to hinder and create more business risks. Whether or not identity and access management is worth the fuss is completely up to you and the people involved with making it happen.

ABOUT THE AUTHOR
Kevin Beaver, CISSP, is an information security consultant and expert witness, as well as a seminar leader and keynote speaker, with Atlanta-based Principle Logic, LLC. Kevin can be reached at www.principlelogic.com.

This was first published in August 2010
