
The key to security helping the business: Identity

14 Sep 2015

The security industry often gets wound up in dissecting the latest mega breaches in deep forensic detail. But the reality is that good security hygiene isn’t just about firewalls, intrusion detection systems and other controls. Managing the security around identities, access and the governance of systems – Identity Governance and Administration (IGA) – is critical to maintaining secure systems.

Chris Gacesa from RSA has been working with identity and access management systems since the birth of identity management systems early this century. Over the years he’s seen many changes in the attitude of companies.

“Back then, if someone needed access to the HR system, walls would go up whereas today it’s flipped on its head where now they want or need to know who is using their system”.

Gacesa says there are some basic questions that application developers and business owners need to address when establishing identity management systems.

“These questions are: Who has access, and to what applications? How do they get access to that application? How confident is the business that people have the appropriate level of access to applications? Are the compliance and regulation guidelines being adhered to?”

Successful IGA isn’t just about processes and procedures when users and systems are active. Gacesa says it starts when new personnel and applications are onboarded.

However, these aren’t new challenges. So why are they suddenly becoming a sharper point of focus?

“This has come about because the earliest players quickly learned that connecting to many different applications was really complex. It took a long time to get an application onboarded, for the users in the business to get access, and therefore be productive,” says Gacesa.

During a recent engagement with an airline, Gacesa discovered the company could only bring five of the 95 applications they wanted online due to challenges with their legacy provisioning solution.

“It took them over 650 labour hours to connect each application,” he says. “It was way too hard”.

The new world: Provisioning 2.0.

“This is now a world where we can very quickly provision all those applications with far less effort. This allows systems to connect with a focus on configuration rather than lots of complex coding,” says Gacesa.

As a result of this approach to provisioning, the airline was able to connect all of its applications and keep up with the demands of being a dynamic company. This included migrating older applications as there are now ways to secure critical data within legacy databases as well as via established application interfaces.

As well as facilitating the connection of the systems the airline needed, there was another payoff.

“Because of this new way of provisioning and their flexible identity infrastructure, they were able to acquire another airline and easily connect to other apps. It simplified the process”.

Often, IGA is seen as being purely a technology issue with limited payoff for those adopting it. However, the ability to provision and decommission applications easily delivers benefits that can be readily understood and recognised in business terms.

As applications are more widely distributed and more devices are being used, an effective IGA strategy offers significant flexibility.

Of course, there’s also an obvious security benefit. Gacesa cited data from a recent Verizon security report which showed that 95% of breaches used stolen credentials. By understanding what identities are active, what they can be used for, and who is using them, it’s possible to limit the damage done by hackers and better identify the vulnerable points in the threat surface.

IGA Challenges

With the application platform, threat and regulatory landscapes changing, Gacesa says companies have a lot on their plates at the moment.

“One of the core challenges is that IGA projects were driven by IT. But they lacked an understanding of the processes they were trying to secure. What we’re now seeing is more of an influence in moving that responsibility back to the line of business application owners so they can easily define the workflows they need.

“There’s also an increasing need to report data breaches across the world. The regulations and audits associated with this requirement are challenges that businesses face as they must ensure they have the right governance and audit processes in place.

“The changing landscape of where these applications are consumed is also an evolving challenge. There are so many cloud apps, and different devices, which are providing further challenges for businesses.”

What’s RSA doing?

In the past, IGA was seen as a point-in-time project, but RSA has changed that through its Via Lifecycle and Governance platform. Having evolved from RSA’s Aveksa products, Via reflects RSA’s long pedigree and extensive expertise in IGA. It has also been recognised by Gartner as a leader in the IGA and user authorisation spaces.

“We provide a phased approach that looks at the monolithic identity management problem we see today. Gaining visibility and certification around who has access, how they get access – we see that as the first stage. Then we can apply policy behind that.”

Gacesa says this ensures appropriate controls are in place so that an identity that gives access to one system doesn’t create a situation where it allows access to another with unintended consequences. Gacesa likened this to the segregation of duties in a finance group that separates accounts payable and receivable functions.

This covers everything from adding and removing people from applications, through to compliance and audit reporting. And this can be done with minimal coding as Via is largely configuration-based so it can be used by business users, rather than technical staff.
