Last Updated on December 2, 2014 by Dishan M. Francis

Identity-And-Access-Management

In the modern world, businesses have much more complicated infrastructure requirements. The days when people connected to a switch or router and used a few network applications are over. It is becoming a more “networked” world, where connectivity to different systems and resources available over the internet, home networks and corporate networks is common.

I believe it’s much better to explain it with a real-world example. There is a company called ABC Corp., which is in the publishing business. Its headquarters are located in New York City. It also has branches in Europe and Asia. All offices are interconnected using LAN and WAN solutions. Each office has its own network resources with different access permissions. Access permissions for these resources are managed based on user, department or the office’s geographical location. The company also uses different applications such as billing, content management systems (CMS), FTP uploads/downloads, online stores etc. The company also has remote workers who log in from different locations around the world, and they also have access to some of the systems and resources the company uses. ABC Corp. recently merged with another company called XYZ Inc. Both companies want to share access to the systems and resources they have with minimum changes to the current infrastructure setup.

Apart from the infrastructure, just imagine the complexity of the different access permissions it deals with. How many different systems do they use? Some of these systems are well-known applications and some are developed by third-party development teams. How many different technologies do they use? Some of the solutions they use are based on Linux, some on Mac and some on Microsoft. What about connectivity with corporate communication devices such as phones, tablets etc.? This is where Identity and Access (IDA) solutions come in. They simplify the complex identity and access requirements of a business.

An IDA solution is not simply a set of server roles or applications you can install on a server and configure. It is a solution to a business problem. It does have a set of tools and technologies which can be used to address the problem, but I would say it’s like a double-edged sword. If these are not carefully evaluated against the business problem before introducing them to the infrastructure, the result will be chaos.

What do we need to consider before going with an IDA solution?

Security – When it comes to digital data, security is the most critical concern any business faces when applying a new solution. Before we apply an IDA solution, we need to identify the security risks involved and prepare a plan to address them. For example, single sign-on (SSO) is one of the great features of IDA solutions. But at the same time, in a network security breach it can do more damage to a network or its data than a setup with separate logins for each system. We need to evaluate all of these concerns and build the security boundaries, policies etc. When it comes to merging two different networks, this becomes more and more important, because the other network may be using completely different security policies. Also, the data which will be shared between the companies will be much more critical, confidential data. So the solution we provide must address all these concerns.

Cost – It is also important to evaluate the costs involved with the solution, such as hardware cost, software license cost, administration cost, product development cost etc.

Benefits – We definitely need to evaluate the benefits that the corporation will get from an IDA solution. At the beginning of this article I mentioned that an IDA solution will simplify the complex identity and access requirements, but will that be enough? We need to evaluate:

•    How will it affect productivity?
•    How will it affect data and network security?
•    How can we justify the costs involved with the IDA solution against the benefits?

CIA Triad

IDA solutions consist of 3 core elements. These elements are equally important.

Confidentiality – Data and resources should only be available to authorized persons. For example, let’s assume a company has a network share which contains payroll information. Management decides it should only be accessed by the accounts department. So it is a must to ensure that no other departments have access to it. None of the new implementations should affect this primary requirement.

Integrity – This means that when data is shared between two or more parties, it should not be accessed or modified by an unauthorized person. For example, “User A” is editing a file from “Share A”. If it’s NOT shared with others, that activity is only between User A and Share A.

Availability – Let’s assume an accountant is accessing the billing system to view a customer’s billing information. If the user is permitted to do so, we need to ensure that the data is available. New implementations and security rules should not have any impact on it.

In this article I tried to explain what an IDA solution is, and in future posts I will explain the different tools and techniques used in IDA solutions.


Image Source : http://informationsecurityadviser.co.uk/cia-triad/ , http://www.businesscomputingworld.co.uk/the-iam-gap/