Making sure that the right people have access to the right data at the right time can be difficult in an ever-changing business environment. What was once a closed, local network is now a globally connected web of people and devices. Multiple user identities and access points become more difficult to manage, thus increasing the risk of a security breach. As organizations begin to interconnect with external users like partners, suppliers, and vendors, the risk of a security breach increases even further.
Verizon’s 2011 Data Breach Investigations Report finds that outsiders are responsible for 92% of breaches, which is a significant increase from the 2010 findings. However, although the percentage of insider attacks have decreased significantly over the previous year (16% versus 49%), this is largely due to the huge increase in smaller external attacks. As a result, the total number of insider attacks actually remained relatively constant. Privilege misuse has been identified to be the number one contributor. Given the difficulty of managing access for a user base that is constantly changing, this is no surprise. Adding mobile devices, remote users, and external partners and suppliers further adds to the complexity, increasing both cost and risk.
Identity and access management (IAM) is the security discipline that promises to make user access management more efficient and more secure. By centralizing user management, organizations move closer to the elusive single (or simplified) sign-on and reduce the number of credentials to be managed. IAM can help companies integrate user access management to the extended enterprise, including partners and suppliers, as well as remote access to back-end resources such as file servers and applications.
But IAM software has not quite lived up to its hype. It can be common to have organizational turf wars, long implementation times to integrate each application, and laborious development and maintenance efforts. This means a longer wait to demonstrate value. Additionally, total cost of ownership can be high with initial setup costs, high services-to-license ratios, and the need for specialized support staff.
Cloud-based services are getting plenty of attention these days — and for good reasons. Moving to such a model with subscription-based pricing helps control both CAPEX and OPEX, manage the administrative and operational overhead, and lets an organization focus on what they do best.
Like many other services, IAM is now available as a cloud-based service. By using providers who are experts in both cloud and security solutions, you can expect leading-edge security while eliminating the need for additional hardware and software. And, like most cloud services, organizations can expect to be up and running quickly.