Posted by: David Scott
Organizations, from small through medium businesses (SMB) to large global enterprises, must control access to systems, environments, resources, and data. Access is limited to, and by, individuals and groups; this means that access is effectively denied as well – or had better be!
In addition to security concerns – that is, the controls and monitoring necessary to ensure data and resources are not breached and corrupted, exposing individuals/the organization to harm – there exist legal and ethical reasons for protecting these things.
Naturally, Identity and Access Management (IAM) procedures and related policy are key and central to protection. Enabling users to access data and resources securely, appropriately, and with full knowledge for appropriate use (often overlooked – training) isn’t just a goal of IAM – it is the whole of it.
Your organization must strive to remain within best practices regarding IAM – and in so doing, the IT leader, allied vendors, and savvy business leaders must stay abreast of emerging standards and vet them for incorporation into their environments and overall security policies and plans.
Of particular interest to me are robust credentialing systems that allow entrée to several, perhaps a dozen or more, discrete systems, whether those systems are within the physical control of the organization, or scattered amongst vendors and other allied agencies that have granted access to portions of their environment and assets.
Gone are the days of faith in a simple Single Sign-on, with breach of an ID and password granting access to all manner of allied systems. The ultimate is an ID and password solution that forces security questions and answers, with subsequent splay of discrete (for each system) randomly generated IDs and passwords, with special keys, for transmission to systems with appropriate handshake – all transparent to the user.
If you’re examining security and IAM (and you should be):
- How do you currently link physical and electronic identities? Are you comfortable with your present authenticating system(s)?
- What can you reasonably do to create stronger links between physical and electronic identities?
- How do you verify other agencies’ electronic identities?
- Are your IAM products, processes and policies flexible, both in accommodating evolving roles and in general longevity for emerging and new best practices?
- Where is the optimal balance of effort between managing strict IAM and simple utilization of commonly distributed, wide-access resources?
- What accommodations do your IAM strategies and policies need to make for single sign-on, etc., with externally hosted and cloud-based applications and resources?
August 30th: On this day in 1797, Mary Wollstonecraft Shelley was born in London, England (author, Frankenstein)