The 4As of Identity and Access Management

Megatrends such as cloud computing, Bring-Your-Own-Device and the consumerization of IT continue to complicate the work environment. As a result, password management, user access and security are far more complex than ever before. Chief Information Security Officers (CISOs) are thus, more often than not, caught up in the complications of managing their infrastructure in today's IT reality.

While CISOs continue to face evolving challenges, the need to protect against threats and ensure the security of corporate information remains a constant. Here are four key areas that today’s CISOs should pay attention to when considering identity and access management: 

Authentication

Authentication verifies the identity of a person logging into a system. CISOs should require more than one form of authentication, since a password on its own can be guessed. The requirement should also depend on the role and the level of access a staff member holds. Companies can consider issuing their staff a security token that generates random one-time PINs. A biometric device, such as a fingerprint scanner, is another option. Adding a second factor such as a randomly generated PIN or a fingerprint makes the system harder to infiltrate.

Authorization 

Authorization places parameters around what a user is allowed to do once they are authenticated. A user is permitted a certain level of access to certain applications and assets based on the identity established by his or her login credentials. For example, a user in the finance accounts payable role will have authorization and access to certain financial applications or files, while a user in the role of Sales Specialist would not.

Administration 

Administration is what enables an individual to authenticate and be correctly authorized. Apart from setting up an individual's credentials in the system so that they can be verified at login, administration also determines the role an individual holds in the system. For instance, whenever a new employee joins the company, an administrator or manager has to enter their information into the system and specify which applications they have access to. Administration results in processes that enable individuals to complete tasks efficiently and securely. It is possible to have an administrator manually type out everyone's information; however, that is definitely not the most efficient method.

Administrators need to know what access to give when setting up a new user. While administrators may have an understanding of the role, exceptions to the rule exist. For example, special projects often require a change in the level of access, since people need to complete tasks that are usually outside their scope of responsibilities. The administration involved in maintaining the parameters for authentication and authorization can become very complex very quickly. From a security standpoint, this becomes a problem especially when employees leave the organization and management needs to quickly ensure that they can no longer access the network. Manually removing each staff member's access takes time, putting corporate data at risk of being exploited by a disgruntled ex-employee.

Audit 

Auditing verifies that the above three areas are working as planned. Business managers need to recertify that the list of people with access to the data and applications they are responsible for remains accurate. With employee departures and changing roles, this is an ongoing process. The audit is also useful for spotting anomalies and ensuring they are fixed. A mistake found during a compliance audit, followed by a fine, may seem like a bad situation, but a much worse scenario would involve a disgruntled employee or a hacker exploiting the gap.
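As an added example (not from the original article), the following Python sketch ties the Authorization, Administration and Audit sections together: a role-based policy with approved project exceptions, and a recertification check that flags departed users who were never deprovisioned and users holding access outside their role. All roles, users and application names are constructed sample data.

```python
# Added example: role-based authorization plus an access-recertification review.
# ROLE_POLICY, the users and the application names are constructed sample data.
from dataclasses import dataclass, field

# Administration: which applications each role is entitled to (constructed policy)
ROLE_POLICY = {
    "finance_ap": {"erp_ledger", "invoice_portal"},
    "sales_specialist": {"crm"},
}


@dataclass
class User:
    name: str
    role: str
    active: bool  # False once HR records the person as departed
    granted: set = field(default_factory=set)     # apps an admin actually provisioned
    exceptions: set = field(default_factory=set)  # approved project-based extras


def is_authorized(user, app):
    """Authorization: active user, app covered by role policy or approved exception,
    and the access was actually provisioned by administration."""
    if not user.active:
        return False
    allowed = ROLE_POLICY.get(user.role, set()) | user.exceptions
    return app in allowed and app in user.granted


def recertify(users):
    """Audit: findings a business manager must act on during recertification."""
    findings = []
    for u in users:
        if not u.active and u.granted:
            findings.append((u.name, "departed user still has access", sorted(u.granted)))
            continue
        extra = u.granted - (ROLE_POLICY.get(u.role, set()) | u.exceptions)
        if extra:
            findings.append((u.name, "access outside role and exceptions", sorted(extra)))
    return findings


SAMPLE_USERS = [
    User("alice", "finance_ap", True, {"erp_ledger", "invoice_portal"}),
    User("bob", "sales_specialist", True, {"crm", "erp_ledger"}),  # over-provisioned
    User("carol", "sales_specialist", True, {"crm", "invoice_portal"}, {"invoice_portal"}),
    User("dave", "finance_ap", False, {"erp_ledger"}),  # left, never deprovisioned
]

if __name__ == "__main__":
    for finding in recertify(SAMPLE_USERS):
        print(finding)
```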

CISOs carry a tremendous load on their shoulders. Their career, reputation and, in many ways, the survival of their organization depend on their efforts. Security needs to be maintained regardless of whether CISOs have sufficient staffing, budget or tools in place. The actions they take may very well save their organization from becoming the next security breach headline, which in turn prevents a probable loss of customers, loss of income and job cuts.

Barrie Sheers, Vice President, Dell Software Group, APJ