Click here to close now.




















Welcome!

Cloud Security Authors: Elizabeth White, Liz McMillan, Cloud Best Practices Network, Dennis Griffin, Kevin Jackson

Related Topics: Microservices Expo, Java IoT, Microsoft Cloud, Containers Expo Blog, Agile Computing, Cloud Security

Microservices Expo: Article

The Marriage of Tech and Business… and How to Prevent a Divorce

Best practices for organization-wide identity and access management

Evolving regulatory compliance requirements can be a major headache for the IT teams responsible for identity and access management (IAM). Sarbanes Oxley, the wide range of privacy regulations and other federal requirements, have transformed IAM from a problem that keeps the chief information security officer up at night into a true business concern shared by all company executives. Knowing who has access to what information within your organization - and whether they should have that access - is a deceptively complex issue that has the potential to drive a wedge between even the healthiest of relationships across the business.

On the surface, it may seem as though the nuts and bolts of IAM should reside in a company's IT department. This is because there are many islands of information stored in databases across the business that are managed and administered by the IT team. In addition, employee access to particular areas of the network is usually enabled and revoked by IT.

The problem is that these functions are just the tip of the iceberg when it comes to effectively managing your identity governance program.

IAM Is Driven by Business Requirements
It has long been recognized that identity and access management must be process-driven if it is to gain any longer-term traction within an organization. In fact, Gartner highlighted the importance of process in a 2005 research report, stating that "Identity and access management is not only a set of technologies but also a set of processes that address fundamental issues about handling the strategic asset of identity in any enterprise. Establishing a long-term solution for managing identity requires understanding these basic processes."

Why is the process so important?

Any change to the identity of an employee is triggered by the business. The identity attributes of an employee are created when they are hired (onboarding), changed when they are promoted or assigned new responsibilities (change in responsibility), and must be restricted when they leave the organization (offboarding).

A strong partnership between IT and the company's business divisions is essential to ensure that:

  • There is a process to capture all of the changes that happen to the identity of an employee during their life cycle within an organization.
  • The business has established and approved the policies under which employee access will be granted or denied.
  • Changes are processed within the identified framework (i.e., no one is given access "through the backdoor").

By involving business owners early in the development of your IAM program - including human resources as it traditionally "owns" the bulk of employee attributes, like name, address, social security number and banking information - companies will improve the chances of executing their IAM goals on time and on budget.

Create a Culture of Continuous Compliance
Traditional approaches to identity and access governance take a reactive approach to meeting compliance requirements. If the sole measure of success is the ability to generate an attestation report, the company will always be in "firefighting" mode. It is far better to prevent access violations from happening than trying to chase them down once they occur. At that point, the security breach has already taken place, inappropriate access has already been granted and the damage has been done.

The goal of an effective identity governance initiative should be to ensure that employees are only given the access that is assigned to them under a clearly defined set of rules in accordance with company policy. On the other hand, requests for access that would violate a policy (e.g., separation of duties) should be denied and the appropriate manager should be alerted that a request has been made that would violate company policy. By working with business divisions to set these proactive policy parameters up front, the company is able to create a true culture of continuous compliance.

Your IAM Program Should Deliver More than Compliance
Compliance is a necessary evil. However, if handled correctly, compliance can also create the opportunity for meaningful efficiency improvements and cost reductions throughout an organization.

By managing the identity of your employees centrally and establishing proper business processes to manage identities, companies are able to:

  • Shorten new employee onboarding time to less than a day: It is important to capture the primary attributes needed to create an employee identity during the onboarding process and feed this information to all related systems (e.g., payroll, HR, Active Directory, SAP). This approach gives employees the access and assets they need to be productive on their first day with the company.
  • Eliminate repetitive manual data entry: A large Canadian retailer recently identified more than 90 attributes that make up the identity of their employees. More important, it also realized that these attributes were being manually re-entered up to ten times for different purposes across the company. Once it began managing their identity administration centrally, the retailer was able to capture data with no re-entry, thereby eliminating hundreds of redundant entries per employee.
  • Lower administrative costs: Improving time to productivity, streamlining administrative functions, and simplifying audits will result in millions of dollars saved, depending on the size of the organization.

Learn from Past Failures
Many organizations have been down the IAM solution path before with varying degrees of success. The problem-solving responsibility has traditionally been handed off to - you guessed it - the IT department, which typically attempts to solve the issue via technological solutions. As discussed earlier, the challenge is that the IT department is trying to solve the issue when it doesn't own the information or the process. Attempting an IT-only fix, centered around third-party technology and buy-in from other departments, leads to annoyance at best and losses in time and capital at worse.

In spite of these challenges, there is hope for organizations looking for the Holy Grail of IAM. Below are some best practices organizations can employ to improve their internal IAM processes:

  • Solicit business involvement early: IT cannot solve the problem alone. They're the custodians and the business is the end user. IT must engage with business and HR in lay language and find common denominators.
  • Create an identity warehouse: Conduct a thorough cleaning of identity data housed by various internal systems so there is easy reconciliation and clear visibility into access granted to employees.
  • Fix the controls: Implement procedures early in the business process (i.e., during onboarding), and make sure they are followed, to derive the most value from your identity and access management program.
  • Process, process, process: IT spends a significant portion of its time and budget on the dreary work of managing identities. IT and the business divisions can realize measurable benefits from implementing processes that drive down wasted time and money.
  • Go paperless: Going paperless with IAM liberates employees from the stacks of paper on their desks. An electronic IAM system can lighten the load across divisions by identifying holdups and speeding timelines.
  • Prevention is the key: Get away from the "putting out the fires" mentality. True process control means that fires are prevented.

Conclusion
Approaching IAM in a process-oriented way allows organizations to deal with potential problems proactively. When implemented properly, these best practices can help streamline IAM processes across all organizational departments, resulting in shortened onboarding, reduced costs, increased efficiency and regulatory compliance. Those are goals the whole company can get behind.

More Stories By Jay O'Donnell

Jay O’Donnell is the CEO and founder of N8 Identity and spearheads the continuing development of N8 Identity’s industry-leading solutions. One of the early pioneers of the identity and access management (IAM) industry, he initially founded an IAM consulting business in 2000. After overseeing dozens of large-scale IAM projects, he led the development of Employee Lifecycle Manager® in 2007 to meet the need for a software solution that delivered pre-defined identity and access processes throughout the lifecycle of a user within an organization. Jay is an internationally recognized expert in information security, compliance, identity management, federated identity and directory services.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
SYS-CON Events announced today that Micron Technology, Inc., a global leader in advanced semiconductor systems, will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Micron’s broad portfolio of high-performance memory technologies – including DRAM, NAND and NOR Flash – is the basis for solid state drives, modules, multichip packages and other system solutions. Backed by more than 35 years of technology leadership, Micron's memory solutions enable the world's most innovative computing, consumer,...
SYS-CON Events announced today the Containers & Microservices Bootcamp, being held November 3-4, 2015, in conjunction with 17th Cloud Expo, @ThingsExpo, and @DevOpsSummit at the Santa Clara Convention Center in Santa Clara, CA. This is your chance to get started with the latest technology in the industry. Combined with real-world scenarios and use cases, the Containers and Microservices Bootcamp, led by Janakiram MSV, a Microsoft Regional Director, will include presentations as well as hands-on demos and comprehensive walkthroughs.
In his session at @ThingsExpo, Lee Williams, a producer of the first smartphones and tablets, will talk about how he is now applying his experience in mobile technology to the design and development of the next generation of Environmental and Sustainability Services at ETwater. He will explain how M2M controllers work through wirelessly connected remote controls; and specifically delve into a retrofit option that reverse-engineers control codes of existing conventional controller systems so they don't have to be replaced and are instantly converted to become smart, connected devices.
SYS-CON Events announced today that Pythian, a global IT services company specializing in helping companies leverage disruptive technologies to optimize revenue-generating systems, has been named “Bronze Sponsor” of SYS-CON's 17th Cloud Expo, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Founded in 1997, Pythian is a global IT services company that helps companies compete by adopting disruptive technologies such as cloud, Big Data, advanced analytics, and DevOps to advance innovation and increase agility. Specializing in designing, imple...
Akana has announced the availability of the new Akana Healthcare Solution. The API-driven solution helps healthcare organizations accelerate their transition to being secure, digitally interoperable businesses. It leverages the Health Level Seven International Fast Healthcare Interoperability Resources (HL7 FHIR) standard to enable broader business use of medical data. Akana developed the Healthcare Solution in response to healthcare businesses that want to increase electronic, multi-device access to health records while reducing operating costs and complying with government regulations.
17th Cloud Expo, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Meanwhile, 94% of enterprises are using some form of XaaS – software, platform, and infrastructure as a service.
With the Apple Watch making its way onto wrists all over the world, it’s only a matter of time before it becomes a staple in the workplace. In fact, Forrester reported that 68 percent of technology and business decision-makers characterize wearables as a top priority for 2015. Recognizing their business value early on, FinancialForce.com was the first to bring ERP to wearables, helping streamline communication across front and back office functions. In his session at @ThingsExpo, Kevin Roberts, GM of Platform at FinancialForce.com, will discuss the value of business applications on wearable ...
The 3rd International WebRTC Summit, to be held Nov. 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA, announces that its Call for Papers is now open. Topics include all aspects of improving IT delivery by eliminating waste through automated business models leveraging cloud technologies. WebRTC Summit is co-located with 15th International Cloud Expo, 6th International Big Data Expo, 3rd International DevOps Summit and 2nd Internet of @ThingsExpo. WebRTC (Web-based Real-Time Communication) is an open source project supported by Google, Mozilla and Opera that aims to enable bro...
The 17th International Cloud Expo has announced that its Call for Papers is open. 17th International Cloud Expo, to be held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, brings together Cloud Computing, APM, APIs, Microservices, Security, Big Data, Internet of Things, DevOps and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportunity. Submit your speaking proposal today!
SYS-CON Events announced today that the "Second Containers & Microservices Expo" will take place November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Containers and microservices have become topics of intense interest throughout the cloud developer and enterprise IT communities.
WebRTC services have already permeated corporate communications in the form of videoconferencing solutions. However, WebRTC has the potential of going beyond and catalyzing a new class of services providing more than calls with capabilities such as mass-scale real-time media broadcasting, enriched and augmented video, person-to-machine and machine-to-machine communications. In his session at @ThingsExpo, Luis Lopez, CEO of Kurento, will introduce the technologies required for implementing these ideas and some early experiments performed in the Kurento open source software community in areas ...
Consumer IoT applications provide data about the user that just doesn’t exist in traditional PC or mobile web applications. This rich data, or “context,” enables the highly personalized consumer experiences that characterize many consumer IoT apps. This same data is also providing brands with unprecedented insight into how their connected products are being used, while, at the same time, powering highly targeted engagement and marketing opportunities. In his session at @ThingsExpo, Nathan Treloar, President and COO of Bebaio, will explore examples of brands transforming their businesses by t...
SYS-CON Events announced today that HPM Networks will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. For 20 years, HPM Networks has been integrating technology solutions that solve complex business challenges. HPM Networks has designed solutions for both SMB and enterprise customers throughout the San Francisco Bay Area.
While many app developers are comfortable building apps for the smartphone, there is a whole new world out there. In his session at @ThingsExpo, Narayan Sainaney, Co-founder and CTO of Mojio, will discuss how the business case for connected car apps is growing and, with open platform companies having already done the heavy lifting, there really is no barrier to entry.
Too often with compelling new technologies market participants become overly enamored with that attractiveness of the technology and neglect underlying business drivers. This tendency, what some call the “newest shiny object syndrome,” is understandable given that virtually all of us are heavily engaged in technology. But it is also mistaken. Without concrete business cases driving its deployment, IoT, like many other technologies before it, will fade into obscurity.
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo in Silicon Valley. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 17th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The Internet of Things (IoT) is the most profound change in personal an...
As more intelligent IoT applications shift into gear, they’re merging into the ever-increasing traffic flow of the Internet. It won’t be long before we experience bottlenecks, as IoT traffic peaks during rush hours. Organizations that are unprepared will find themselves by the side of the road unable to cross back into the fast lane. As billions of new devices begin to communicate and exchange data – will your infrastructure be scalable enough to handle this new interconnected world?
With the proliferation of connected devices underpinning new Internet of Things systems, Brandon Schulz, Director of Luxoft IoT – Retail, will be looking at the transformation of the retail customer experience in brick and mortar stores in his session at @ThingsExpo. Questions he will address include: Will beacons drop to the wayside like QR codes, or be a proximity-based profit driver? How will the customer experience change in stores of all types when everything can be instrumented and analyzed? As an area of investment, how might a retail company move towards an innovation methodolo...
The Internet of Things is in the early stages of mainstream deployment but it promises to unlock value and rapidly transform how organizations manage, operationalize, and monetize their assets. IoT is a complex structure of hardware, sensors, applications, analytics and devices that need to be able to communicate geographically and across all functions. Once the data is collected from numerous endpoints, the challenge then becomes converting it into actionable insight.
Contrary to mainstream media attention, the multiple possibilities of how consumer IoT will transform our everyday lives aren’t the only angle of this headline-gaining trend. There’s a huge opportunity for “industrial IoT” and “Smart Cities” to impact the world in the same capacity – especially during critical situations. For example, a community water dam that needs to release water can leverage embedded critical communications logic to alert the appropriate individuals, on the right device, as soon as they are needed to take action.