Identity management still eludes most companies

By Ron Condon, UK Bureau Chief
19 Jun 2008 | SearchSecurity.co.uk

Knowing who is accessing what on your network may seem like a fundamental prerequisite of security, but very few organisations have so far made a success of identity and access management (IAM).

According to new research from KPMG, which polled 235 senior managers in 21 European countries, only 11% of organisations reckon they have successfully implemented IAM. More than two thirds (68%) said projects were hampered because they put too much focus on technology and failed to deal first with organisational and procedural changes.

When asked why projects had failed, half the respondents said their organisations were not ready for the changes in culture and processes that IAM would have imposed. Budget restrictions and technology problems ranked much lower as impediments to success.

Drew Wagar, a principal advisor with KPMG, said many projects had failed because their business case was flawed from the start, with their focus on cost containment and competitive differentiation. In line with promises from suppliers, some companies had based their business case on better user provisioning, lower auditing costs, and other benefits such as making it easier to do mergers and acquisitions.

But Wagar said it was "probably more sensible" at this stage to take a risk-based approach and to focus on regulatory compliance, which was far more likely to get buy-in from senior management.

Too many companies had also relied on technology as a solution without first doing the necessary groundwork. "Eighty percent of IAM is about people and processes," he said. Only when companies have understood and tidied up their processes can they expect to automate them through technology.

"People underestimate the number of places where user IDs end up, and the number of times where, in order to get the job done, people are given access to systems and no records are kept," he said. "That might just be done for expediency, and it is easy for organisations to drop into bad habits. Almost all organisations find themselves having to bypass a process in order to get a job done. Once it's happened once, it is easier to do it again. You can end up with a situation where all the user accounts are in disarray."

Even so, Wagar said IAM is a tough project to sell to higher management. "It doesn't stand up well as a business case in its own right. It is difficult and expensive, and arguably doesn't deliver very much in the short term."

He recommended wrapping IAM into a broader strategic programme of risk reduction or process improvement, often under the banner of PCI DSS compliance or ISO 27001 accreditation. And when tackling role-based access control, he said companies should be pragmatic. "Trying to get RBAC rolled out to 100% of the organisation is frankly naïve. You're better off aiming for 80% of your significant applications."

The report, 'KPMG's 2008 European Identity & Access Management (IAM) Survey', found that the financial services industry had the best examples of IAM implementation, while Government and healthcare lagged badly behind.


