The key to security helping the business: Identity

14 Sep 15

The security industry often gets wound up in dissecting the latest mega breaches in deep forensic detail. But the reality is that good security hygiene isn’t just about firewalls, intrusion detection systems and other controls. Managing the security around identities, access and the governance to systems – Identity Governance and Administration (IGA) – is critical to maintaining secure systems.

Chris Gacesa from RSA has been working with identity and access management systems since the birth of identity management systems early this century. Over the years he’s seen many changes in the attitude of companies.

“Back then, if someone needed access to the HR system, walls would go up whereas today it’s flipped on its head where now they want or need to know who is using their system”.

Gacesa says there are some basic questions that application developers and business owners need to address when establishing identity management systems.

“These questions are: Who has access, and to what applications? How do they get access to that application? How confident is the business that people have the appropriate level of access to applications? Are the compliance and regulation guidelines being adhered to?”

Successful IGA isn’t just about processes and procedures when users and systems are active. Gacesa says it starts when new personnel and applications are onboarded.

However, these aren’t new challenges. So why are they suddenly becoming a sharper point of focus?

“This has come about because the earliest players quickly learned that connecting to many different applications was really complex. It took a long time to get an application onboarded, for the users in the business to get access, and therefore be productive,” says Gacesa.

During a recent engagement with an airline, Gacesa discovered the company could only bring five of the 95 applications they wanted online due to challenges with their legacy provisioning solution.

“It took them over 650 labour hours to connect each application,” he says. “It was way too hard”.

The new world: Provisioning 2.0.

“This is now a world where we can very quickly provision all those applications with far less effort. This allows systems to connect with a focus on configuration rather than lots of complex coding,” says Gacesa.

As a result of this approach to provisioning, the airline was able to connect all of its applications and keep up with the demands of being a dynamic company. This included migrating older applications as there are now ways to secure critical data within legacy databases as well as via established application interfaces.

As well as facilitating the connection of the systems the airline needed, there was another payoff.

“Because of this new way of provisioning and their flexible identity infrastructure, they were able to acquire another airline and easily connect to other apps. It simplified the process”.

Often, IGA is seen as being purely a technology issue with limited payoff for those adopting it. However, the ability to provision and decommission applications easily delivers benefits that can be easily understood and recognised in business terms.

As applications are more widely distributed and more devices are being used, an effective IGA strategy offers significant flexibility.

Of course, there’s also an obvious security benefit. Gacesa cited data from a recent Verizon security report which showed that 95% of breaches used stolen credentials. By understanding what identities are active, what they can be used for, and who is using them, it’s possible to limit the damage done by hackers and better identify the vulnerable points in the threat surface.

IGA Challenges

With the application platform, threat and regulatory landscapes changing, Gacesa says companies have a lot on their plates at the moment.

“One of the core challenges is that IGA projects were driven by IT. But they lacked an understanding of the processes they were trying to secure. What we’re now seeing is more of an influence in moving that responsibility back to the line of business application owners so they can easily define the workflows they need.

“There’s also an increasing need to report data breaches across the world. The regulations and audits associated with this requirement are challenges that businesses face as they must ensure they have the right governance and audit processes in place.

“The changing landscape of where these applications are consumed is also an evolving challenge. There are so many cloud apps, and different devices, which are providing further challenges for businesses.”

What’s RSA doing?

In the past, IGA was seen as a point-in-time project, but RSA has changed that through its Via Lifecycle and Governance platform. Having evolved from RSA’s Aveksa products, Via reflects RSA’s long pedigree and extensive expertise in IGA. It has also been recognised by Gartner as a leader in the IGA and user authorisation spaces.

“We provide a phased approach that looks at the monolithic identity management problem we see today. Gaining visibility and certification around who has access, how they get access – we see that as the first stage. Then we can apply policy behind that.”

Gacesa says this ensures appropriate controls are in place so that an identity that gives access to one system doesn’t create a situation where it allows access to another with unintended consequences. Gacesa likened this to the segregation of duties in a finance group that separates accounts payable and receivable functions.

This covers everything from adding and removing people from applications, through to compliance and audit reporting. And this can be done with minimal coding as Via is largely configuration-based so it can be used by business users, rather than technical staff.
