Six ways to improve identity and access management (IAM) for Windows

In recent years, most enterprises have evolved away from the traditional client/server model of Windows networking – a computing era many of us deeply miss. Now there are custom Web applications, remote access systems, the need to support Unix/Linux and other non-Windows systems via LDAP integration, and so on, all of which have introduced a set of complexities we never dreamed of just 10 years ago.

Saving money with IAM

"When it comes to [Windows] identity, it's Active Directory or bust – and most companies have plenty of systems that simply don't integrate with Active Directory authentication. In those cases, every non-AD system adds more overhead to identity management, and by overhead, of course, I mean cost."
-- Don Jones, Microsoft MVP


These changes can be managed effectively if you have some semblance of control in and around identity and access management (IAM). Unfortunately, this is an area of IT that we've yet to master, and it's one of the things I see Windows administrators struggle with the most. From the "I've gotta have it now!" demands of users to the more critical security and compliance requirements expected of businesses today, if you don't have good control of identity management, it's undoubtedly controlling you.

If you've considered establishing some controls around IAM or need to improve your current Windows identity management situation, it's high time to step back and look at the soft side of the equation. As we've learned over the years, simply throwing technology at a problem such as this – be it Windows Server 2008 R2's IAM features or some third-party product – will usually only buy you short-term benefits. Like most things in IT, if you don't plan things out and back them up with solid, well-documented processes, they'll likely take on a life of their own and hinder more than they help.

There are six things you can do right now to improve your current Windows identity and access management situation that will also help ensure you do IAM right from the beginning:

  1. Get feedback from others who are affected at the administration level. This may include developers, DBAs, and security managers (both physical and information).
  2. Consider your business data classification and retention policies and processes (assuming they even exist). Identity and access management ties directly into this and your organization's legal counsel, CFO, CIO, HR, and internal audit team will likely have some direction.
  3. Work with your information security and internal audit people to see if they have any ideas on streamlining the provisioning/de-provisioning of users and other Active Directory objects that may require access approvals and audit trails.
  4. Consider business partners, customers, and recent/forthcoming acquisitions that may fall under the policies and processes you establish.
  5. Document, document, document. Create a set of standards and a formal policy for IAM that includes the scope, roles and responsibilities, and specific procedures involved. Here's a security policy template you can build on. Don't forget that IAM ties in with incident response and disaster recovery/business continuity as well.
  6. Your identity and access management system (documentation, processes, and technical controls) needs to be reassessed on a consistent, periodic basis. The larger the business and the more complex the environment, the more important this becomes. Annual information risk assessments or internal audits are opportune times to do this.
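Items 3 and 6 only work if someone can actually see who has access, act on it, and leave a record. The script below is an added example, not code from the original tip or from the author; it shows what a periodic Active Directory access review with an audit trail can look like in practice. It assumes the RSAT ActiveDirectory PowerShell module, an account with read rights to the domain (and disable rights if you let it act), and that the privileged group names, the 90-day threshold and the report path suit your environment; all three are assumptions to adjust. Run it with -WhatIf first.

```powershell
# Added example (not from the original tip): a periodic AD access review that
# supports de-provisioning (item 3) and periodic reassessment (item 6).
# Assumes the RSAT ActiveDirectory module; group names, threshold and report
# path are assumptions for your environment. Run with -WhatIf first.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$StaleDays = 90,
    # Privileged groups to review (assumed list; add your own delegated admin groups).
    [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
    [string]$ReportPath = "$env:TEMP\ad-access-review-$(Get-Date -Format yyyyMMdd).csv"
)

$cutoff   = (Get-Date).AddDays(-$StaleDays)
$reviewer = "$env:USERDOMAIN\$env:USERNAME"
$findings = New-Object System.Collections.Generic.List[object]

# 1. Visibility: enabled accounts with no logon inside the window are de-provisioning
#    candidates. LastLogonDate comes from the replicated lastLogonTimestamp attribute,
#    which is only accurate to roughly 14 days; that is acceptable for a 90-day review.
$stale = Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate, whenCreated, Description |
    Where-Object {
        ($_.LastLogonDate -and $_.LastLogonDate -lt $cutoff) -or
        (-not $_.LastLogonDate -and $_.whenCreated -lt $cutoff)   # never logged on, created long ago
    }

foreach ($u in $stale) {
    $findings.Add([pscustomobject]@{
        Finding        = 'StaleEnabledAccount'
        SamAccountName = $u.SamAccountName
        Detail         = "LastLogonDate=$($u.LastLogonDate); Created=$($u.whenCreated)"
        Reviewed       = (Get-Date).ToString('s')
        ReviewedBy     = $reviewer
    })
}

# 2. Visibility: who holds privileged group membership, resolved recursively so that
#    access granted through nested groups shows up in the review as well.
foreach ($g in $PrivilegedGroups) {
    try {
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop
    } catch {
        Write-Warning "Could not enumerate '$g': $($_.Exception.Message)"
        continue
    }
    foreach ($m in $members) {
        $findings.Add([pscustomobject]@{
            Finding        = 'PrivilegedGroupMember'
            SamAccountName = $m.SamAccountName
            Detail         = "Group=$g; ObjectClass=$($m.objectClass)"
            Reviewed       = (Get-Date).ToString('s')
            ReviewedBy     = $reviewer
        })
    }
}

# 3. Audit trail first: write the report before changing anything, so the record
#    exists even if the de-provisioning step is declined or fails part way.
$findings | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Wrote $($findings.Count) findings to $ReportPath"

# 4. Control, with timeliness: disable (never delete) stale accounts, but only through
#    ShouldProcess so -WhatIf previews and -Confirm gates each action. Record who did it
#    and why on the object itself, preserving the old description for rollback.
foreach ($u in $stale) {
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Disable stale account (no logon since $($cutoff.ToShortDateString()))")) {
        Disable-ADAccount -Identity $u
        Set-ADUser -Identity $u -Description "Disabled $(Get-Date -Format yyyy-MM-dd) by access review ($reviewer); was: $($u.Description)"
    }
}
```

Two design points worth noting: the CSV is written before any account is touched, so the review always leaves evidence, and the action is disable rather than delete, so a mistaken de-provisioning can be reversed and the object's SID and group memberships survive until the approval process you set up with internal audit confirms removal. Schedule it alongside the annual risk assessment or audit from item 6, and feed the CSV into whatever approval workflow item 3 produces.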

When working through these areas, remember to focus on how you can improve visibility, control, and timeliness – the three "other" cornerstones of Windows security we simply can't afford to overlook.

ABOUT THE AUTHOR
Kevin Beaver (CISSP), is an information security consultant, expert witness, as well as a seminar leader and keynote speaker with Atlanta-based Principle Logic, LLC. Kevin can be reached at www.principlelogic.com.


This was first published in June 2010
