Who’s doing what with information on the network? IT folk need to be in a position to answer that fundamental question from whatever direction it may be fired, be it senior management, regulatory bodies or customers. And they need to be able to answer the real, underlying question: Are the right defense mechanisms in place?
There are plenty of tools for external attacks, from firewalls to virus protection to intrusion detection systems, says Warren Shiau, lead analyst at the Toronto-based Strategic Counsel. But identity and access management (IAM) systems are uniquely well-placed to deal with internal security breaches, he says. These are the fastest-growing category of attack, according to surveys conducted by the firm. “Three years ago, Canadian respondents said internal breaches accounted for about 5 per cent of attacks, but today this is 33 per cent. People also said associated costs have really gone up but they’re around soft areas that are hard to fix, like loss of trust, damaged reputation and so on,” he says.
Nevertheless, there has not been a massive uptake of IAM, not in Canada or elsewhere, says James Quin, senior analyst at the London, Ont.-based Info-Tech Research Group. “It’s a security solution that offers many benefits, but comes with a convoluted implementation process.” IAM is essentially middleware that is retrofitted between every user, application and data source on an existing system to create an integrated security management layer. But as in any sphere, retrofitting onto an old system is harder than putting in a new one, he explains.
No universal system
A comprehensive IAM solution usually comes with a number of automating mechanisms, such as single sign-on (SSO), user provisioning, role definition and audit trail analysis. Realistically, only large companies have the resources to implement all aspects, says Quin. “As a rough rule of thumb, I recommend only organizations that have around 5,000 employees or 20 applications consider a full-blown IAM.” Shiau agrees with these parameters.

But many security needs are universal. For example, access to company funds should always be restricted, says Shiau. Many companies rely on system controls to govern access, but these can be circumvented if users can create multiple identities. “A control is passive, but with IAM, the system locks down so users can’t change roles,” he says.

Both analysts agree smaller organizations can benefit by implementing foundation aspects that can eventually lead to a complete IAM, depending on their needs, number of employees and applications. Some companies are in the wide but shallow category, with many employees but few applications. Winnipeg-based Palliser Furniture Ltd., a furniture designer and wholesaler, employs 3,500 staff in Canada, Asia and Mexico, but only uses five major applications. Started up by Mennonite founders, the company implemented an IAM system to protect its patents, design information and faith-based values.
Palliser’s systems and directories were too complex, having grown organically over time, says Jason Bergeron, senior IT director. “We had all kinds of folders with security upon security. It wasn’t clear who had access to what parts. Even if you thought you’d locked someone out, that wasn’t necessarily the case due to the complexity.”
Bergeron’s major goal was to simplify the network environment, so the role management components of IAM were of greatest interest. IT staff started by creating a group membership hierarchy and a new directory structure, then slotting files into it. A few major user roles were created based on company divisions. “We started by giving the least permissions possible,” says Bergeron, adding user access privileges were fine-tuned during the temporary transition phase. On user request, IT staff checked previous access privileges and granted them in the new structure. Today, formal approvals are required. “There is no question anymore who has read or write access to a folder,” says Bergeron.
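The approach described above (a role hierarchy, least permissions by default, and grants made only under a formal approval) can be modelled in a few dozen lines. The following is an added example written for this article, not Palliser's code; the role names, folder paths, users and approvers are constructed, and the `who_has` query is included because it answers the question Bergeron says no longer arises: who has read or write access to a given folder.

```python
# Added example (not Palliser's code): a deny-by-default role hierarchy in which
# folder permissions exist only as recorded, approved grants, so "who can read or
# write this folder" is always answerable. Role and folder names are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    role: str
    folder: str
    access: str        # "read" or "write"; write implies read
    approved_by: str   # the formal approval the grant was made under


class AccessModel:
    def __init__(self):
        self.parents = {}   # role -> roles whose grants it inherits
        self.members = {}   # user -> roles assigned directly
        self.grants = []

    def define_role(self, role, inherits=()):
        for p in inherits:
            if p not in self.parents:
                raise KeyError(f"unknown parent role {p}")
        self.parents[role] = set(inherits)

    def assign(self, user, role):
        if role not in self.parents:
            raise KeyError(f"unknown role {role}")
        self.members.setdefault(user, set()).add(role)

    def grant(self, role, folder, access, approved_by):
        # No approval record, no grant: access is never added informally.
        if role not in self.parents or access not in ("read", "write"):
            raise ValueError("unknown role or access type")
        if not approved_by:
            raise ValueError("formal approval required")
        self.grants.append(Grant(role, folder.rstrip("/") or "/", access, approved_by))

    def effective_roles(self, user):
        # Walk the hierarchy so a lead role picks up its parent roles' grants.
        seen, todo = set(), list(self.members.get(user, ()))
        while todo:
            r = todo.pop()
            if r not in seen:
                seen.add(r)
                todo.extend(self.parents[r])
        return seen

    @staticmethod
    def _covers(granted, folder):
        # A grant on /design covers /design/patents but not /designs.
        folder = folder.rstrip("/") or "/"
        return folder == granted or folder.startswith(granted.rstrip("/") + "/")

    def can(self, user, folder, access):
        roles = self.effective_roles(user)
        for g in self.grants:
            if g.role in roles and self._covers(g.folder, folder):
                if g.access == "write" or access == "read":
                    return True
        return False   # deny by default

    def who_has(self, folder, access):
        return sorted(u for u in self.members if self.can(u, folder, access))


def demo_model():
    # Constructed sample resembling a division-based hierarchy.
    m = AccessModel()
    m.define_role("staff")
    m.define_role("design", inherits=["staff"])
    m.define_role("design-lead", inherits=["design"])
    m.grant("staff", "/shared", "read", approved_by="it-director")
    m.grant("design", "/design", "read", approved_by="design-vp")
    m.grant("design-lead", "/design", "write", approved_by="design-vp")
    m.assign("alice", "design-lead")
    m.assign("bob", "design")
    m.assign("carol", "staff")
    return m
```

Because every permission is a `Grant` with an `approved_by` field, the grant list doubles as the audit trail, and a folder that appears in no grant is simply unreachable rather than open.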
Getting deeper into IAM
Other organizations are in the thin but deep category. The Ontario-based Hastings and Prince Edward Counties Health Unit (HPECHU) employs 180 staff, but uses 30 applications, many of which are external ones provided remotely by the Ministry of Health. Improving security by reducing sign-on was a primary concern in this environment, as users each needed to maintain six complex passwords to log on to the applications they accessed on a regular basis. “Organizations can talk the talk about strict password policies, but if the user experience isn’t positive, they’ll go back to sticky notes,” says Tom Lockhart, the HPECHU’s IT systems manager.
Lockhart opted for a federated identity management approach to achieve SSO for both internal and external applications. Using IAM middleware to build hooks into the applications creates the illusion for the user that only one sign-on is needed, he explains. “It’s actually separate applications exchanging credentials back and forth, but we created one store for all of them.” An added benefit is that it eliminates the need to write authentication modules into future specialized applications, as a consistent IAM database is used by all systems, he says. The HPECHU tested its IAM system in a laboratory environment, then introduced it gradually in production mode, starting with seven roles for a few test users initially to ensure it worked properly before rolling it out.
Major corporations are typically both wide and deep, and need a comprehensive IAM. Toronto-based Canadian Tire Corporation is one example. A conglomerate made up of five distinct businesses in retail, banking and manufacturing, the company has thousands of employees, vendors, contractors, resellers, and shippers, many with cross-functional responsibilities. “We needed an umbrella structure where levels of authorization in one organization implied some level of authorization in another, so we needed to get a handle on role engineering,” says Yaj Bhattacharya, enterprise architect at Canadian Tire.
Federated identity management is crucial in this complex environment where multiple business partners need to collaborate via the Web. “Without it, we would have to micro-manage authentication for all those people within our network,” he says. Instead, only those aspects needed for a particular transaction are presented when one company shares user information with another in the federated approach. “Certain parts of the user profile will be blanked out but will contain the stamp of trust from Canadian Tire.”
The IAM system is also the cornerstone for other projects, says Bhattacharya. Service-oriented architecture (SOA), for example, requires authentication of not just human beings but things such as Web services. “To allow a Web application to access information, it needs to carry with it some attribute such that the people who’ve signed in are authenticated to view the requested data,” he says.
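The federated exchange Bhattacharya describes, where a partner receives only the profile attributes a transaction needs together with the issuing organization's stamp of trust, comes down to attribute release plus a verifiable signature. The block below is an added example written for this article, not Canadian Tire's code and not a description of its products: the issuer name, shared key, release policy and sample profile are all constructed, and the HMAC-signed assertion stands in for what a production federation would carry in SAML or OpenID Connect. The relying party checks the signature first, then the intended audience and expiry, so an assertion issued for one partner cannot be presented to another.

```python
# Added example (not Canadian Tire's code): an identity provider releases only the
# profile attributes a given partner transaction needs and signs the assertion so
# the partner can check the "stamp of trust". Names, keys and the release policy
# are constructed; real federations use standards such as SAML or OpenID Connect.
import base64
import hashlib
import hmac
import json
import time

ISSUER = "idp.example"                        # constructed issuer name
SHARED_KEY = b"constructed-demo-key"          # per-partner key exchanged out of band

# Which attributes a partner may see, by transaction type. Everything else is blanked.
RELEASE_POLICY = {
    "reseller-order": ["uid", "roles", "employer"],
    "shipment-tracking": ["uid", "employer"],
}

# A full internal profile (constructed); the partner never receives all of it.
SAMPLE_PROFILE = {
    "uid": "u1234",
    "name": "A. Reseller",
    "email": "a.reseller@partner.example",
    "home_address": "1 Example St",
    "employer": "Partner Co",
    "roles": ["reseller-admin"],
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode())


def issue_assertion(profile, transaction, audience, key, now=None, ttl=300):
    """Build a signed assertion carrying only the attributes the policy allows."""
    now = int(time.time()) if now is None else now
    claims = {k: profile[k] for k in RELEASE_POLICY[transaction]}
    body = {"iss": ISSUER, "aud": audience, "txn": transaction,
            "iat": now, "exp": now + ttl, "claims": claims}
    payload = _b64(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_assertion(token, expected_audience, key, now=None):
    """Return the released claims, or raise ValueError if the stamp is not trustworthy."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed assertion")
    payload, sig = parts
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Check the signature before trusting anything inside the payload.
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    body = json.loads(_unb64(payload))
    if body.get("iss") != ISSUER:
        raise ValueError("unknown issuer")
    if body.get("aud") != expected_audience:
        raise ValueError("assertion was issued for a different partner")
    if now >= body.get("exp", 0):
        raise ValueError("assertion expired")
    return body["claims"]


def try_verify(token, expected_audience, key, now=None):
    """Convenience wrapper: claims on success, None on any verification failure."""
    try:
        return verify_assertion(token, expected_audience, key, now)
    except ValueError:
        return None
```

The same shape serves the SOA case in the paragraph above: a Web service calling on behalf of a signed-in user carries an assertion whose `claims` say who was authenticated, and the data owner verifies that stamp rather than trusting the calling application's word.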
Canadian Tire’s IAM was implemented last year, but role engineering is an ongoing process. Defining unambiguous work flows to automate user provisioning by capturing the real-life processes used to set up and approve users can be challenging, says Bhattacharya. There are many ad hoc processes; for example, user approval may mean HR phones IT staff to let them know to proceed, or sends a formal e-mail, or presents a formal document. “It’s pointless to automate Byzantine processes, so IT staff should check to see if they understand HR’s approval processes beforehand,” he says.
HR and IT systems often operate as two silos, but it’s imperative they be synchronized in an IAM provisioning system. “Any change in HR’s structure that may impact the IAM should be reflected. If a manager becomes a director in another part of the organization, he shouldn’t approve new entrants to the old group,” says Bhattacharya. “You must constantly work at an IAM, but once you get the basics right, you’ve laid the foundation for future upgrades.”
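The HR-to-IAM synchronization Bhattacharya calls for can be expressed as a reconciliation pass: read the current HR feed, compare it with what IAM believes, and revoke before granting. The block below is an added example for this article, not Canadian Tire's provisioning system; the employee ids, departments, the rule that managers and directors approve new entrants, and the sample records are all constructed. It covers the case he gives (a manager who becomes a director elsewhere loses approval rights over the old group) and two neighbours of it: a leaver who must be disabled, and an IAM account HR has no record of at all.

```python
# Added example (not Canadian Tire's code): reconciling an HR feed against IAM
# accounts so that approver rights and group membership follow the person's
# current HR record. Employee ids, departments and the title rule are constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str        # "active" or "terminated"
    department: str
    title: str


@dataclass
class IamAccount:
    employee_id: str
    enabled: bool = True
    groups: set = field(default_factory=set)
    approver_for: set = field(default_factory=set)   # groups whose new entrants this person may approve


APPROVER_TITLES = {"manager", "director"}   # constructed rule: who may approve entrants


def reconcile(hr_feed, accounts):
    """Apply HR changes to IAM accounts in place; return the list of actions taken."""
    actions = []
    hr_by_id = {rec.employee_id: rec for rec in hr_feed}
    for acct in accounts.values():
        rec = hr_by_id.get(acct.employee_id)
        if rec is None or rec.status != "active":
            # Terminated, or unknown to HR: disable and strip every right.
            if acct.enabled or acct.groups or acct.approver_for:
                acct.enabled = False
                acct.groups.clear()
                acct.approver_for.clear()
                actions.append(f"disable {acct.employee_id}")
            continue
        if not acct.enabled:
            acct.enabled = True
            actions.append(f"enable {acct.employee_id}")
        wanted_groups = {rec.department}
        wanted_approver = {rec.department} if rec.title in APPROVER_TITLES else set()
        # Revocations come first, so a manager who moved cannot approve
        # entrants to the group they left, even for an instant.
        for g in sorted(acct.approver_for - wanted_approver):
            acct.approver_for.discard(g)
            actions.append(f"revoke-approver {acct.employee_id} {g}")
        for g in sorted(wanted_approver - acct.approver_for):
            acct.approver_for.add(g)
            actions.append(f"grant-approver {acct.employee_id} {g}")
        for g in sorted(acct.groups - wanted_groups):
            acct.groups.discard(g)
            actions.append(f"remove-group {acct.employee_id} {g}")
        for g in sorted(wanted_groups - acct.groups):
            acct.groups.add(g)
            actions.append(f"add-group {acct.employee_id} {g}")
    return actions


# Constructed sample: e100 was a retail manager and is now a banking director,
# e200 has left, e300 is unchanged, e900 exists in IAM but HR has no record of it.
SAMPLE_HR_FEED = [
    HrRecord("e100", "active", "banking", "director"),
    HrRecord("e200", "terminated", "retail", "analyst"),
    HrRecord("e300", "active", "retail", "analyst"),
]


def sample_accounts():
    return {
        "e100": IamAccount("e100", groups={"retail"}, approver_for={"retail"}),
        "e200": IamAccount("e200", groups={"retail"}),
        "e300": IamAccount("e300", groups={"retail"}),
        "e900": IamAccount("e900", groups={"manufacturing"}),
    }
```

Running `reconcile` a second time on the same feed produces no actions, which is the property to check when scheduling it: the pass is a statement of the desired end state, not a log of one-off changes, so an HR record that was missed one night is corrected the next.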