In an increasingly interconnected and technology-dependent business world, we are hearing a lot more focus on the discipline of Identity and Access Management. Identity and Access Management, or IAM for short, used to be the preserve of the boffins in the IT department, but with the evolving regulatory landscape, IAM is now front and center among the business-critical components that all business leaders must grapple with.
The key principles
There are three key principles in relation to understanding Identity and Access Management – identification, verification, and authorization. The first two principles generally work hand-in-hand – the user must identify themselves, and their identity must be verified as being approved for system access. At the most basic level this can be completed via a username and password; however, we are increasingly seeing businesses move to token-based access codes, or, at the higher end of the scale, businesses are requiring some form of biometric identification (such as fingerprints) before system access is granted. Once the user has been identified and verified, the system must then have a clear understanding of authorization – what is this specific user authorized to do or access within the system?
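The three principles in working code, as an added example that is not part of the original article: identification (the username presented), verification (a password checked against a salted PBKDF2 hash, with a constant-time compare and a dummy hash for unknown users so the timing does not reveal which accounts exist), and only then authorization (a lookup of what the verified principal may do). The user store and the policy table are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value for this example)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_record(password: str) -> dict:
    """Store only a per-user salt and hash, never the plaintext password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


# Constructed user store (hypothetical accounts and passwords).
USERS = {
    "alice": make_user_record("correct horse battery staple"),
    "bob": make_user_record("hunter2"),
}

# Constructed authorization policy: principal -> allowed (action, resource) pairs.
POLICY = {
    "alice": {("read", "ledger"), ("approve", "payments")},
    "bob": {("read", "ledger")},
}

# Used when the username is unknown, so the hash still runs once (timing defence).
_DUMMY_SALT = b"\x00" * 16


def identify_and_verify(username: str, password: str) -> Optional[str]:
    """Identification: who does the caller claim to be?
    Verification: can they prove it? Returns the verified principal or None."""
    record = USERS.get(username)
    salt = record["salt"] if record else _DUMMY_SALT
    candidate = _hash_password(password, salt)
    if record is None or not hmac.compare_digest(candidate, record["hash"]):
        return None
    return username


def is_authorized(principal: str, action: str, resource: str) -> bool:
    """Authorization: what may this already-verified principal do?"""
    return (action, resource) in POLICY.get(principal, set())


def request(username: str, password: str, action: str, resource: str) -> str:
    """Full access decision: authenticate first, authorize second."""
    principal = identify_and_verify(username, password)
    if principal is None:
        return "denied: authentication failed"
    if not is_authorized(principal, action, resource):
        return "denied: not authorized"
    return f"allowed: {principal} may {action} {resource}"


if __name__ == "__main__":
    print(request("alice", "correct horse battery staple", "approve", "payments"))
    print(request("bob", "hunter2", "approve", "payments"))
    print(request("mallory", "anything", "read", "ledger"))
```

Note that the denial messages are deliberately separate for authentication and authorization: a failed login and a permission refusal are different events for logging and detection purposes, even though both end in a denial for the user.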
The complexity of authorization
Authorization is a complex minefield, primarily because within any system you will have users who have different levels of access and who are authorized to do different things. Where we have seen problems arise is where several different systems are integrated and there are authorization conflicts or unforeseen consequences from combining different levels of authorization – this is sometimes referred to as a toxic combination of access. Businesses need to make sure that the inbuilt system controls are not compromised when multiple systems are integrated and there are conflicting authorization levels.
The investment case
In order to mitigate the potential risks associated with user identification, verification, and authorization, significant and ongoing investment in systems and infrastructure is required. This is a constant juggling act between trying to keep the user experience as smooth and as seamless as possible, while also trying to reduce the potential exposure of the business that could result from a data breach or unauthorized transactions.
Follow a risk-based approach
As a starting point, you need to identify the most critical applications and systems for your business – make sure that you have robust identity and access management frameworks in place for these first, rather than trying to re-engineer the entire business. It’s not enough to just have the technological functionality in place for identity and access management; you also need the governance processes in place that enable you to track who has been granted access to which systems, and what the various authorization levels are.
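The toxic-combination problem from the authorization section and the governance requirement above (knowing who has been granted what, across systems) share one underlying task: merge the entitlement exports of every integrated system into a single per-user inventory, then check that inventory against rules that name entitlement sets no one person should hold together. The example below is added here and is not the article's own code; the entitlement rows, the system names and the rules are constructed to show how a conflict that is invisible inside any single system (a user who can raise orders in procurement and approve payments in payments) becomes visible once the inventories are merged.

```python
from collections import defaultdict

# Constructed entitlement exports from three integrated systems (hypothetical).
# Each row: (system, user, entitlement)
ENTITLEMENTS = [
    ("procurement", "alice", "create_vendor"),
    ("procurement", "alice", "raise_purchase_order"),
    ("payments", "alice", "approve_payment"),
    ("procurement", "bob", "raise_purchase_order"),
    ("payments", "carol", "approve_payment"),
    ("hr", "carol", "change_bank_details"),
    ("payments", "dave", "approve_payment"),
    ("payments", "dave", "release_payment"),
]

# Toxic combinations: entitlement sets no single person should hold together.
# Keys are (system, entitlement) so rules can span system boundaries.
# These rules are constructed for the example.
TOXIC_RULES = {
    "vendor_fraud": {("procurement", "create_vendor"), ("payments", "approve_payment")},
    "self_approval": {("procurement", "raise_purchase_order"), ("payments", "approve_payment")},
    "payroll_diversion": {("hr", "change_bank_details"), ("payments", "release_payment")},
    "unchecked_payment": {("payments", "approve_payment"), ("payments", "release_payment")},
}


def build_inventory(rows):
    """Governance view: every entitlement each user holds, across all systems."""
    inventory = defaultdict(set)
    for system, user, entitlement in rows:
        inventory[user].add((system, entitlement))
    return dict(inventory)


def find_toxic_combinations(inventory, rules):
    """Return sorted (user, rule_name) pairs where the user holds every
    entitlement in the rule. Because the check runs over the merged
    inventory, conflicts that exist only across systems are caught too."""
    findings = []
    for user, held in inventory.items():
        for name, required in rules.items():
            if required <= held:  # subset test: all required entitlements present
                findings.append((user, name))
    return sorted(findings)


def users_with_access(inventory, system, entitlement):
    """Answer the audit question 'who can do X in system Y?'."""
    return sorted(u for u, held in inventory.items() if (system, entitlement) in held)


if __name__ == "__main__":
    inv = build_inventory(ENTITLEMENTS)
    for user, rule in find_toxic_combinations(inv, TOXIC_RULES):
        print(f"{user}: toxic combination '{rule}'")
    print("can approve payments:", users_with_access(inv, "payments", "approve_payment"))
```

In practice the rows would come from each system's periodic access export and the rules from the control owners; the merged inventory is also what an access review needs, since a reviewer cannot certify entitlements they cannot see side by side. Note that carol holds two sensitive entitlements in different systems but does not trip a rule, which is why the rules, not just the inventory, must be maintained as systems are integrated.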
The challenges faced by businesses trying to navigate the data protection requirements of today’s operating systems and customer relationships continue to grow in complexity. But there is no point trying to avoid the hard decisions required: you need to understand how your systems work, the identity management framework you are using, and the potential risks faced by your business.