Increased Security Levels
After looking at the most important benefits of Identity and Access Management in my last post I will continue with another post where I will especially be considering the increased security levels you can achieve with Identity and Access Management and its strategic benefits to the enterprise.
In terms of Identity and access management, increased security levels mean guaranteeing confidentiality and preventing data misuse. The prerequisites for guaranteed confidentiality include secure authentification and the correct issuing of rights, consistent administration, and regular auditing.
Without the “Single Point of Control” provided by an Identity and access management system (IAM), it can be hard to keep track of a user’s current resource allocations. Undesirable correlations between authorizations, which could lead to a violation of the principle of the separation of powers for example, are not recognized.
Methods from risk management can be used to quantitatively analyze increased security levels, but I will not go into in detail on these here. These methods have recently been increasingly developed due to legal regulations and standards on risk reduction. The Basel Capital Accord, for example, requires the European banking industry to evaluate operative risk. Risk evaluation methods are based on databases with experimental values for the losses caused by damaging events. Statistical models are drawn up from these and expanded by trend indicators where necessary.
Unfortunately in many companies there are no statistics available on the amounts of damage caused by data misuse, so an evaluation in money terms is difficult. Qualitative parameters for improvements in security levels can however be provided.
IAM benefits: Targeted rights issue
Without an identity and access management solution, problems such as an accumulation of user rights often occur. When employees change workplaces they receive new resource authorizations and the old ones, which are no longer required, are often not deleted. When employees leave a company their user accounts are often not deleted or deleted incompletely.
An Identity and Access Management system guarantees a targeted rights issue that reacts flexibly to changes.
- An increase in security levels can be qualitatively evaluated as follows: The percentage of authorizations which have incorrectly accumulated is determined by a preliminary investigation (perhaps based on a spot check). If rights issuing is 80% automated, this value can be reduced by about the same percentage.
- The number of unused user accounts (“orphaned accounts”) is determined and automatic deletion reduces the number of these.
IAM benefits: Compliance with legal regulations
Identity Management also enables regulations to be implemented throughout the en-terprise. These are often derived from legal guidelines (e.g. HIPAA or Sarbanes-Oxley in the USA, the Basel Capital Accord in Europe). Infringements of these regulations can damage a company’s image and also lead to the imposition of heavy fines.
Long-term strategic IAM benefits
Increased networking among companies and the resulting increased use of web services do also affect Identity Access Management. The implementation of standards (e.g. SPML, XACML) and technologies provides a basis for companies to operate flexibly on the market. It will be much easier to introduce cross-company standards in the future if a company’s internal Identity Management is standardized.
IAM benefits: Reducing the costs of friction
I define friction costs as “The opportunity costs of a bad decision, resulting from a lack of information and an insufficient use of standards.”
Identity and access management solutions enable user administration to be standardized and contributes considerably to improving the quality of user and authorization data through automation and data synchronization. Further IAM benefits are that cross-platform reporting provides information which would otherwise not be available, or which could only be obtained with difficulty. An area where this could impact security might be finding correlations in one person’s rights in different systems, for example. Here you could use our Garancy Access Intelligence Manager. (For details go to our Garancy offering at http://www.betasystems-iam.com/portfolio/products/garancy-access-intelligence-manager.html The solution brings transparency and security to business processes and allows them to be reviewed retroactively. The product does this by analyzing all business-relevant data sources and providing information in the shape of individualized drill-down and drill-through reports.)
So let me recap the IAM benefits so far:
- Identity Management solutions provide countless approaches for concretely and reliably calculating benefits and Return on Investment. The focus is on the abolition or simplification of user administration. Increased end user productivity can also be an important benefit. This can be reliably measured if the effects of the non-availability of resources on the productivity of end users in a company can be assessed.
- Another important area is increased security levels. These can be evaluated in money terms using risk management methods. One-off effects and long-term strate-gic benefits can also be demonstrated.
- Legal regulations, the growing influence of security aspects on the corporate business model and the economic necessity to make business processes more efficient will all increase the importance of quantifying the benefits of Identity Management.
In part (3) of my líttle blog series on IAM benefits I will look at the costs of identity and access management in more detail e.g. software licences, maintenance, implementation and operating costs.