Step by step toward an IAM solution

January 2009 Information Security

Today, businesses and government agencies not only process data internally, they need to exchange data with external partners as well. To do so they must open their IT systems to customers and partners. This, of course, increases the risk that data could fall into the wrong hands.

Mike Small, principal consultant security management, CA
Mike Small, principal consultant security management, CA

A well-functioning identity and access management (IAM) system is at the heart of every IT security solution. It identifies users working with the IT systems, controls their access rights for processing data and utilising resources, and it prevents that access. Further an IAM system documents exactly what access rights a user has and who approved them as well as tracking what a user does when and with what result. Thus the company can always trace what happened even in the worst-case scenario.

Implementing a complete IAM solution can be a lengthy and complex project. Therefore it is advisable to take an incremental approach because this will reduce project risk and realise the fastest return on investment. It makes sense to begin with processes that will offer the greatest benefit or with those that pose the highest security risk.

As a guide, a typical step by step implementation of a comprehensive IAM solution would start with basic password management and finally arrive at a sophisticated, federated identity and access management solution.

Step 1: Managing User Credentials. Problems with passwords account for a large proportion of help-desk issues and support costs. A password management system enables the centralised management of user accounts.

Step 2: Basic Identity Management. This automates the new hire process for granting access to systems and resources is driven from the HR function and includes approval processes defined by the chief information/security officer. It also ensures that when employees leave the organisation their access rights are removed.

Step 3: Role-Based Management. Here there are clear definitions of what access rights users performing different roles are entitled to. The identity and access management system automatically synchronises changes in entitlements as users’ responsibilities and roles change.

Step 4: Federated Identity Management. Here identity management extends beyond internal IT systems to cover employee access to both IT and non-IT resources and for partner access via federated trust.

Finally, remember, developing an IAM strategy needs to be centred around the business first and the technology second. The implementation of an IAM solution set should be viewed as a step-by-step project. Adopting an approach based on best practices aligned with business needs will prove to be the most effective.





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

All aspects of data protection
Technews Publishing Editor's Choice Information Security Infrastructure AI & Data Analytics
SMART Security Solutions spoke to Kate Mollett, Senior Director, Commvault Africa, about the company and its evolution from a backup specialist to a full data protection specialist, as well as the latest announcements from the company.

Read more...
The song remains the same
Sophos Information Security
Sophos report found that telemetry logs were missing in nearly 42% of the attack cases studied. In 82% of these cases, cybercriminals disabled or wiped out the telemetry to hide their tracks.

Read more...
How hackers exploit our vulnerabilities
Information Security Risk Management & Resilience
Distractions, multi-tasking, and emotional responses increase individuals’ vulnerability to social engineering, manipulation, and various forms of digital attacks; 74% of all data breaches included a human element.

Read more...
Projections for 2024’s Advanced Threats Landscape
News & Events Information Security
Kaspersky Global Research and Analysis Team (GReAT) experts offer insights and projections for 2024 in the Kaspersky Security Bulletin, with a focus on the evolution of Advanced Persistent Threats (APT).

Read more...
Veeam and Sophos in strategic partnership
Information Security
Veeam and Sophos unite with a strategic partnership to advance the security of business-critical backups with managed detection and response for cyber resiliency, and to quickly recover impacted data by exchanging critical information.

Read more...
Unmasking insider risks
Information Security
In today’s business landscape, insider risks can manifest in various forms, including data theft, fraud, sabotage, insider trading, espionage, whistleblowing, negligence, truck hijacking, goods robbery from warehouses, and more.

Read more...
When technology is not enough
Information Security
[Sponsored] Garith Peck, Executive Head of Department for Security at Vodacom Business, writes about the importance of creating a cybersecurity strategy in a world where threats never sleep.

Read more...
Reinforcing cyber defences in a world of evolving threats
Sophos Information Security
[Sponsored Content] In South Africa, the urgency to amplify cybersecurity measures is underscored by alarming statistics revealing the continued vulnerability of organisations to ransomware and other sophisticated cyberattacks.

Read more...
Trellix detects collaboration by cybercriminals and nation states
News & Events Information Security
Trellix has released The CyberThreat Report: November 2023 from its Advanced Research Centre, highlighting new programming languages in malware development, adoption of malicious GenAI, and acceleration of geopolitical threat activity.

Read more...
SA enterprises can benefit from AI-driven cybersecurity
AI & Data Analytics Information Security
Cybercrime is big business, and threat actors deploy cutting-edge tools to carry out attacks. Fortunately, cybersecurity is constantly evolving to meet and counter the threats they face.

Read more...