IAM Best Practices: Involve HR, Use Single Sign-on
While identity and access management is a challenge for all organizations, especially global ones, panelists at the SC Congress event offered tips that can help.
The complexities of identity and access management (IAM) continue to mushroom. While there is no simple solution to the problem, a panel of corporate tech experts discussed some of the challenges, best practices and their outlook for the future at the recent SC Congress event in Chicago.
Cargill, with more than 140,000 knowledge workers, production employees and other employees at 60 companies around the globe, and several thousand internal applications, has suffered from what Jim O’Conner, the conglomerate’s chief information security officer, terms "identity sprawl."
The evolution of the business, including use of the cloud, the expansion of delivery and the addition of mobile apps and devices, means an increasing need for a way to effectively manage global access and identity, said Paul Munsen, the company’s global identity and access management platform lead.
"The business always wants to move faster," Munsen said. "The way you handle identity can make or break a [technology] deployment. The best way is to focus on the basics. You can tie the source of an identity to a source system (such as human resources)."
IAM and Human Resources
Panelists agreed that involving human resources is a critical element of IAM, because HR is the one part of the company that deals with an employee from initial hire through departure from the firm.
Large companies deal with thousands of employees in various stages of employment, from initial hire to changes in position within the company to leaving the firm, said John Germain, director of infrastructure and security services for Xylem, Inc., a water treatment company.
"The number of identities has increased dramatically," Germain said. "It used to be that there were tens of identities for HR to manage; now there are thousands."
As the number of identities increases, people tend to get lazy, using a single password across multiple identities. Thus, if a hacker obtains that password, he or she can access multiple corporate and personal accounts that use that single identity. This is becoming an even bigger issue as business and personal lives continue to merge, Germain explained.
In addition to lazy users, the legacy technology systems that many companies use in human resources and other areas pose an identity management challenge, Germain said.
"It’s expensive and complex to get off legacy systems. HR is normally playing catch up in adding new systems," he said. "The more disparate systems (legacy and new) that you have, the more challenging it is to manage identities."
Though HR needs to be involved at some level, the department doesn’t always see eye to eye with corporate executives on the best way to manage corporate identities, Cargill's O'Conner said.
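The panel's advice to tie each identity to a source system such as HR comes down to a recurring reconciliation: the HR export is authoritative, and any directory account that disagrees with it is a joiner, mover, leaver or orphan to act on. The following is an added example written for this page, not code from Cargill, Xylem or the panel; the record fields, the "dept-<name>" group convention, the sample HR rows and the directory snapshot are all constructed assumptions.

```python
"""HR-driven identity reconciliation (added example; assumptions noted inline).

The HR export is treated as the authoritative source of identities. Directory
accounts that disagree with it are reported as joiners (active in HR, nothing
provisioned), leavers (HR closed the record but the account is still enabled),
movers (department groups HR no longer justifies) or orphans (no usable HR link).
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    department: str
    status: str                  # "active" or "terminated" (assumed HR vocabulary)
    end_date: Optional[date]     # last working day, if HR has recorded one


@dataclass(frozen=True)
class DirectoryAccount:
    username: str
    employee_id: Optional[str]   # None: the account is not linked to any HR record
    enabled: bool
    groups: FrozenSet[str]       # "dept-<name>" groups are an assumed convention


# Constructed sample data: one HR export and the matching directory snapshot.
HR_FEED: List[HrRecord] = [
    HrRecord("E100", "engineering", "active", None),
    HrRecord("E101", "finance", "active", None),               # moved here from sales
    HrRecord("E102", "sales", "terminated", date(2024, 5, 31)),
    HrRecord("E103", "engineering", "active", None),           # hired, no account yet
]
DIRECTORY: List[DirectoryAccount] = [
    DirectoryAccount("alice", "E100", True, frozenset({"dept-engineering"})),
    DirectoryAccount("bob", "E101", True, frozenset({"dept-sales"})),    # stale group
    DirectoryAccount("carol", "E102", True, frozenset({"dept-sales"})),  # still enabled
    DirectoryAccount("svc-backup", None, True, frozenset()),             # no HR link
    DirectoryAccount("eve", "E999", True, frozenset({"dept-finance"})),  # unknown to HR
]
AS_OF = date(2024, 6, 15)


def has_left(rec: HrRecord, today: date) -> bool:
    """HR says the person is gone: terminated, or past a recorded end date."""
    return rec.status == "terminated" or (rec.end_date is not None and rec.end_date <= today)


def reconcile(hr_feed: List[HrRecord], directory: List[DirectoryAccount], today: date) -> Dict[str, list]:
    """Compare directory accounts against the HR feed and return the deltas."""
    hr_by_id = {r.employee_id: r for r in hr_feed}
    acct_by_id = {a.employee_id: a for a in directory if a.employee_id is not None}
    findings: Dict[str, list] = {"joiners": [], "leavers": [], "movers": [], "orphans": []}

    for rec in hr_feed:
        acct = acct_by_id.get(rec.employee_id)
        if has_left(rec, today):
            # Leaver: HR has closed the record but the account can still log in.
            if acct is not None and acct.enabled:
                findings["leavers"].append(acct.username)
            continue
        if acct is None:
            # Joiner: active in HR with nothing provisioned yet.
            findings["joiners"].append(rec.employee_id)
            continue
        # Mover: department groups the account still holds that HR no longer justifies.
        expected = f"dept-{rec.department}"
        for stale in sorted(g for g in acct.groups if g.startswith("dept-") and g != expected):
            findings["movers"].append((acct.username, stale, expected))

    for acct in directory:
        # Orphan: no HR link at all, or a link HR does not recognise.
        if acct.employee_id is None or acct.employee_id not in hr_by_id:
            findings["orphans"].append(acct.username)
    return findings


def run_example() -> Dict[str, list]:
    """Run the reconciliation over the constructed sample data."""
    return reconcile(HR_FEED, DIRECTORY, AS_OF)


if __name__ == "__main__":
    for kind, items in run_example().items():
        print(f"{kind}: {items}")
```

On the sample data this reports E103 as a joiner, carol as a leaver whose account is still enabled, bob as a mover still holding dept-sales, and svc-backup and eve as orphans. The leaver and orphan findings are the ones worth automating first: they are exactly the accounts an HR-disconnected process leaves behind, and they are the ones a stolen or reused password (as Germain warns) keeps working against.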
Single Sign-on and Simplicity
One solution panelists cited was single sign-on (SSO) for corporate identities, enabling a user to sign in once in order to gain access to several different systems.
"Simplicity is beautiful; if you make it too complex, people can screw it up," Germain said.
Passwords need to be complex enough that they are not easily compromised, and there may be additional authentication layers, but if a company makes authentication too complex, the result is delay and expense as employees repeatedly contact support to regain access.
Considering IAM Costs
New systems to simplify the management of identity and access involve additional expense that could cause some companies to balk at making the investment, the panelists agreed. But any such expense should be weighed against the long-term expense of people contacting support in order to get access, O'Conner said.
Another cost control measure is to make sure security requirements reflect the sensitivity of the information and systems being accessed, panelists agreed. "The basics have to be there," O'Conner said. But some information can be left "open" for most employees to access, while other information and systems need increasing layers of security.
Though the iPhone 6 and Apple Pay made a splash recently with the availability of the phone’s Touch ID fingerprint scanner, panelists said they see biometrics as only part of the identity and access management solution of the future. While biometrics have been tried in the past, the actual success has been very limited, they pointed out.
O’Conner said biometrics might be fine to identify a user to a device, as in the iPhone 6, but that an additional method of security should be used to allow access to a corporate network and yet another layer to access sensitive information within that network.
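The layering O'Conner describes, together with the earlier point that security requirements should track the sensitivity of what is being accessed, is a policy that can be written down and tested. The following is an added example for this page, not code from the panel or the companies named: a device unlock (such as a fingerprint) never counts as the employee's corporate identity, ordinary corporate systems need the SSO session plus a second factor, and the most sensitive data needs a phishing-resistant factor plus a recent re-authentication. The resource names, factor names, tiers and time window are constructed assumptions.

```python
"""Sensitivity-tiered, step-up access decisions (added example; assumptions inline).

A session carries the factors it has already proven. Each resource tier lists
requirement groups, and the session must satisfy every group with at least one
factor from it. The decision is either "allow" or "step_up" with what is missing.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, List, Tuple


class Tier(IntEnum):
    OPEN = 0        # information most employees may read
    INTERNAL = 1    # ordinary corporate systems
    SENSITIVE = 2   # needs another layer on top of the network session


# Constructed classification. Anything not listed is treated as SENSITIVE in
# decide(), so an unclassified resource fails closed rather than open.
RESOURCE_TIER: Dict[str, Tier] = {
    "cafeteria-menu": Tier.OPEN,
    "intranet-wiki": Tier.INTERNAL,
    "payroll-export": Tier.SENSITIVE,
}

# Requirement groups per tier. "device_unlock" appears in no group on purpose:
# it identifies a user to a device, not to the corporate network.
TIER_REQUIREMENTS: Dict[Tier, List[FrozenSet[str]]] = {
    Tier.OPEN: [frozenset({"sso_password"})],
    Tier.INTERNAL: [frozenset({"sso_password"}), frozenset({"otp", "hardware_key"})],
    Tier.SENSITIVE: [frozenset({"sso_password"}), frozenset({"hardware_key"})],
}

# Maximum age of the last interactive authentication, per tier (minutes, assumed).
REAUTH_WINDOW_MIN: Dict[Tier, int] = {Tier.SENSITIVE: 15}


@dataclass(frozen=True)
class Session:
    user: str
    factors: FrozenSet[str]      # factors already proven in this session
    minutes_since_auth: int      # age of the last interactive authentication


def decide(resource: str, session: Session) -> Tuple[str, List[str]]:
    """Return ("allow", []) or ("step_up", [requirements still unmet])."""
    tier = RESOURCE_TIER.get(resource, Tier.SENSITIVE)   # fail closed when unclassified
    missing: List[str] = []
    for alternatives in TIER_REQUIREMENTS[tier]:
        if not (alternatives & session.factors):
            missing.append("|".join(sorted(alternatives)))
    window = REAUTH_WINDOW_MIN.get(tier)
    if window is not None and session.minutes_since_auth > window:
        missing.append(f"reauth<={window}m")
    return ("step_up", missing) if missing else ("allow", [])


if __name__ == "__main__":
    phone_only = Session("alice", frozenset({"device_unlock"}), 0)
    sso_otp = Session("alice", frozenset({"sso_password", "otp"}), 5)
    sso_key = Session("alice", frozenset({"sso_password", "hardware_key"}), 40)
    for res in ("cafeteria-menu", "intranet-wiki", "payroll-export", "new-hr-app"):
        for s in (phone_only, sso_otp, sso_key):
            print(res, sorted(s.factors), f"{s.minutes_since_auth}m", "->", decide(res, s))
```

Two design choices carry the panel's points. First, the "open" tier still requires the SSO session, so a phone unlock alone is stepped up everywhere; simplicity for the user comes from the single sign-on, not from skipping identity. Second, the step-up response names exactly what is missing, which keeps the extra layer targeted at sensitive resources rather than making every login harder and sending employees to the help desk.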
Many companies struggle with IAM. Sebastien Lefebvre, IT platform director of Research and Development for Biogen Idec, speaking at the Bio-IT World Conference earlier this year, called IAM the "most important security challenge" for the health care and life sciences industries.
More IAM Advice
IT Business Edge published five critical tenets of identity and access management, as identified by IAM software provider SailPoint. It's a good list, with points that are especially relevant for cloud environments. Another handy resource on IT Business Edge is a 10-step plan for a successful IAM project, provided by the CISO of Carlson Wagonlit Travel.
Phillip J. Britt writes for a number of technology, financial services and business websites and publications, including BAI, Telephony, Connected Planet, Savings Institutions, Independent Banker, insideARM.com, Bank Systems & Technology, Mobile Marketing & Technology, Loyalty 360, CRM Magazine, KM World and Information Today.