By Patrick Fink, Manager, Advisory, Ernst & Young GmbH.
Identity and access management (IAM), as it is known today, refers to the management of the entire life cycle of a digital identity and its controlled access to a specific information asset. Tomorrow, however, as the information needs of organizations grow, and as the interaction points for accessing information increase, IAM will be about making the right information assets accessible to the right stakeholders.
Many companies still struggle to identify clearly which users should have access to which information assets. Overcoming this complexity effectively to help drive cost advantages and to realize added value for the business is important. Managing complexity requires a holistic IAM that integrates business and IT, and is adapted to an organization’s risk appetite and security needs. For this reason, the future of IAM will, more than ever, be an important component of risk management and the internal control system, but it will also increasingly make use of new technology developments such as the Internet of Things (IoT) and big data.
Choosing the right IAM approach
Currently, many organizations are still following the “need-to-know” principle as it is frequently required by law – this allows access to data or functions that users require for their daily business, without an explicit focus on the company’s key risks. In the future, however, a risk-based approach that concentrates on critical and sensitive IT systems and data will need to overtake the need-to-know approach. As a consequence, access to data or functions that are not considered critical can be combined; authorization structures can be simplified and complexity can be reduced.
This risk-based approach can also play an essential role in helping to manage complexity in the future, especially when the evolution of the IoT creates millions of new identities and vast amounts of data that need to be managed from a risk perspective. CIOs are well-placed to work with companies’ risk management and security teams on an IAM approach that is future-proof, takes advantage of new technologies and offers the best possible security for the organization.
Four steps to consider when upgrading your IAM
Choosing the right access model: There are two primary models, “role-based access control (RBAC)” and “attribute-based access control (ABAC).” In RBAC, roles are defined and sets of authorizations for data and functions are assigned to them. One or more roles are then assigned to individual users to grant them specific accesses. ABAC is a newer model and relies on user attributes for access decisions. ABAC policies are rules that evaluate access on the basis of sets of attributes, such as the user’s location. This model typically requires less maintenance and overhead, but is complex in design and implementation. A combination of approaches is likely to be required to cover all aspects of access control in the future. To choose the right access model, organizations should focus on which model best supports their needs.
Big data enters the picture: Big data presents additional opportunities. Because it enables fast reaction times, it supports IAM’s potential future integration and handling of cloud services and smart, non-PC devices, all of which require dynamic and real-time access decisions to be made based on individual risk situations and threat levels. To support this decision process, big data analysis could be used to evaluate the massive amount of security data created via IAM systems and processes. CIOs will be at the forefront of providing the right tools and methods to do so, and also of creating the mechanisms to analyze and interpret the output data.
IoT follows suit: According to Gartner, by 2020, “the internet of things will redefine the concept of ‘identity management’ to include what people own, share and use.” The design of fit-for-purpose authentication, provisioning and governance solutions could bring cost advantages. However, to achieve this, organizations would need to consider shifting from the current preventative focus of IAM to a more detective focus. Otherwise, managing the complex multitude of different interfaces, devices or services that access critical and sensitive functions or data could be very taxing and costly. CIOs will consider the future of IAM when choosing the IoT platform they want to deploy in their organization, so that they can design the proper security.
The shift to user-friendliness: User self-service tools these days are often complex and frustrating for employees, causing many users to leave the self-service tool and call the help desk. It will be the CIO’s task to guide the functionality of self-service tools to make sure they are increasingly user-friendly, with an easy-to-use multichannel integration, primarily via smartphone. This can help to reduce operating costs and employee frustration, and improve productivity.
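The combination of RBAC and ABAC described in the access-model step, applied with the risk-based approach from earlier in the article, can be sketched as follows. This is an added Python example, not code from the author or Ernst & Young; the role names, resources, attribute values and the decide function are illustrative assumptions.

```python
from dataclasses import dataclass

# Constructed sample data: roles, permissions and attribute values are
# illustrative assumptions, not taken from the article.
ROLE_PERMISSIONS = {
    "accounts_clerk": {("invoices", "read"), ("invoices", "create")},
    "finance_manager": {("invoices", "read"), ("payments", "approve")},
}
USER_ROLES = {"alice": {"accounts_clerk"}, "bob": {"finance_manager"}}

# Risk-based classification: only critical resources get attribute checks.
CRITICAL_RESOURCES = {"payments"}


@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    action: str
    location: str          # user attribute, e.g. a country code
    managed_device: bool   # device attribute


def rbac_allows(req):
    """RBAC: some role assigned to the user carries the permission."""
    perms = set()
    for role in USER_ROLES.get(req.user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return (req.resource, req.action) in perms


# ABAC: each policy is a named rule over request attributes; all must hold.
ABAC_POLICIES = [
    ("location_allowed", lambda r: r.location in {"DE", "AT"}),
    ("managed_device", lambda r: r.managed_device),
]


def decide(req):
    """Return (allowed, reason); unknown users and permissions are denied."""
    if not rbac_allows(req):
        return False, "rbac: no role grants this permission"
    if req.resource in CRITICAL_RESOURCES:
        for name, rule in ABAC_POLICIES:
            if not rule(req):
                return False, f"abac: {name} failed"
    return True, "ok"
```

The reason string returned with each decision is what an access log would record, which is the raw material for the detective focus the article describes.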
Why is now the time to start thinking about IAM?
A robust IAM plan can help organizations avoid potentially very expensive ad hoc solutions. Cost advantages from IAM can also be realized more easily through closer process integration and automation. Using a holistic and highly automated IAM, such an integration could be accelerated and even standardized. This could also help increase business agility and enable better analysis and understanding of employee and customer behavior. This new knowledge could also help support the optimization of business processes, and help drive competitive advantage.