In the past, the challenges of IAM might have been confined to the chief information security officer alone, but the new requirements of Sarbanes-Oxley and other federal guidelines have turned it into a real business concern for all company leaders. Who has access to what data on the network – and whether they should have that access – is a surprisingly thorny issue, and it’s difficult to find consensus on what a solution ought to look like.
At first blush, the IT department seems like the proper place to house IAM. That’s probably because IT manages the databases that house identity information and can deny or grant access to that information. The problem is that these IT functions do not tell the entire story when it comes to adequately operating the company’s identity governance initiative.
IAM is Directed by Business Needs
It has long been acknowledged that identity and access management must be process-driven if it is to produce any long-term impact within a business. According to Sally Hudson, research director at IDC Research, “IDC has discovered that many IAM solution deployments are too often fragmented or incompletely installed, creating duplication of effort, noncompliance and frustration across divisions. Reducing repetitive processes, manual paperwork and data entry represents a good opportunity for companies seeking ways to cut IAM costs and improve compliance with federal regulations.”
The emphasis placed on process raises the question: Why?
The answer is simple. The business side of the company, not IT, triggers any change to the identity of an employee. The identity characteristics of an employee are developed when they are hired (onboarding), altered when they are assigned new responsibilities or promoted (change in responsibility) and must be rescinded when they leave the company (offboarding).
A secure alliance between IT and the organization’s business divisions is imperative to ensure that:
- There is a process in place to capture all of the changes that happen to the identity of an employee throughout their lifecycle with a company.
- The business has instituted and approved the guidelines under which employee access will be granted or denied.
- Changes are processed within the identified framework (i.e., no one is given access “through the backdoor”).
By engaging business divisions as well as IT early in the development of an IAM program – including human resources as it generally “owns” the bulk of employee attributes, like name, address, social security number and banking information – businesses will increase the likelihood of executing their IAM goals within the time frame and budget allotted.
Jay O’Donnell is the CEO and founder of N8 Identity and spearheads the continuing development of N8 Identity’s industry-leading solutions. One of the early pioneers of the identity and access management (IAM) industry, Jay initially founded an IAM consulting business in 2000. After overseeing dozens of large-scale IAM projects, Jay led the development of Employee Lifecycle Manager in 2007 to meet the need for a software solution that delivered pre-defined identity and access processes throughout the lifecycle of a user within an organization. Jay is an internationally recognized expert in information security, compliance, identity management, federated identity and directory services.