Extending enterprise security with identity and access management
By Imran Khan, senior systems engineer, Technical Infrastructure, Avanade Canada
Banks, insurance companies, and capital markets institutions face the monumental task of managing access to mission-critical systems. These organizations have large numbers of internal and external users accessing an increasing number of applications, and each class of user calls for a different level of security and control. In addition, they must address the identity management obligations that arise from regulations such as Sarbanes-Oxley, the Health Insurance Portability and Accountability Act, and the Gramm-Leach-Bliley Act.
High administrative costs from account maintenance and password resets, inconsistent information, inflexible information technology (IT) environments, silos left behind by bank mergers and acquisitions, and, finally, aging IT infrastructures make this even more challenging for financial services organizations. Together, these factors are propelling the adoption of identity and access management solutions within the financial services sector.
What is identity and access management?
Identity and access management is far more than just a security technology. Ultimately, it will be the foundation for managing application services and will pave the way for smoother, Service-Oriented Architecture (SOA)–based business integration.
The commoditization of services, the automation of business processes, and the alignment of products and platforms are forcing many financial services organizations to re-evaluate their existing technology and move towards a shared services model. Organizations want to derive more business value from IT, and this is driving fundamental changes. Focus is shifting from individual applications and servers to services and automated business processes, which require a coherent shared-services model to deliver these functions.
Banks and insurance companies are no exception; they often have large user bases that need access to an increasing number of applications, with different classes of users and different security and control requirements. Integrating identity and access management services provides individualized security and access rights based on a person's identity.
Using identity management to automate provisioning and de-provisioning of user accounts, and to centralize authentication logging and auditing, can also play an important role in regulatory compliance. It eases audit reporting by letting institutions track and manage user identities and access rights while keeping central control over security policies and the security administration workflow.
Setting up an identity management environment can be a daunting task. The overall concept is complex and touches a tremendous number of applications and users. Companies deploying this type of solution need to align organizational processes and technology so that identity and access management services can be consolidated and integrated, while still granting individualized security and access rights based on a person's identity.
For example, a large insurance client wanted to establish an identity integration and management system for all its users and departments. The intent of the project was to reduce the manual effort and time spent on account and printer management, and to provide a single point of administration through a portal.
Avanade evaluated the company's existing processes and identified the benefits of designing an identity management infrastructure. Microsoft Identity Integration Server was implemented and integrated with the company's intranet phonebook, Alcatel, USU Valuewise, HP Servicedesk, and Windows Active Directory services for user and password management. The company also deployed an end-user portal to simplify password resets.
The insurance company was able to reduce the overall operational complexity of its help desk, and to avoid further resource costs, through an automated user-provisioning process and centralized administration.
Build a business case
Given the complexity of identity and access management, it is easy to underestimate the scope of a project. When planning, it is crucial to outline objectives and goals up front. In addition, financial institutions should focus on the following core drivers for identity management implementations:
• Business: Reducing application maintenance costs, increasing productivity, and facilitating regulatory compliance
• Security: Enforcing the password policy, disabling user access privileges instantly, and maintaining effective control of the account life cycle
• Functional: Providing simplified sign-on, delegating security administration, and maintaining central control
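The automated provisioning and de-provisioning described earlier, and the "disable user access privileges instantly" and "control of the account life cycle" drivers listed above, come down to one recurring comparison: the authoritative HR feed against what actually exists in the directory. The following is an added illustration of that joiner/mover/leaver reconciliation written for this page; it is not Avanade's code and not part of Microsoft Identity Integration Server. The HR feed, the directory snapshot, and the department-to-group mapping are all constructed inline and hypothetical; a real deployment would read them through connectors, and the plan it returns is what a provisioning engine would apply and what an auditor would review.

```python
"""Joiner/mover/leaver reconciliation between an HR feed and a directory.

Added illustration, not Avanade's or MIIS's code. The HR export, directory
snapshot and department-to-group mapping below are hypothetical, constructed
sample data so the script runs offline.
"""
from dataclasses import dataclass, field

# Hypothetical mapping from department to the directory groups it entitles.
DEPT_GROUPS = {
    "claims": {"app-claims-users"},
    "trading": {"app-trading-desk", "vpn-traders"},
    "finance": {"app-ledger-ro"},
}


@dataclass
class HrRecord:           # one row of the authoritative HR feed
    employee_id: str
    name: str
    department: str
    active: bool          # False once HR records a termination


@dataclass
class Account:            # one directory account
    employee_id: str
    login: str
    enabled: bool
    groups: set = field(default_factory=set)


@dataclass
class Plan:               # changes to apply, plus an audit trail of why
    create: list = field(default_factory=list)         # (employee_id, [groups])
    disable: list = field(default_factory=list)        # logins to disable now
    add_groups: list = field(default_factory=list)     # (login, group)
    remove_groups: list = field(default_factory=list)  # (login, group)
    orphans: list = field(default_factory=list)        # logins with no HR owner
    audit: list = field(default_factory=list)          # (action, subject, detail)


def reconcile(hr, accounts, dept_groups=DEPT_GROUPS):
    """Compare HR (source of truth) against the directory and return a Plan.
    Nothing is applied here; the caller executes the plan and keeps the audit."""
    plan = Plan()
    hr_by_id = {r.employee_id: r for r in hr}
    acct_by_id = {a.employee_id: a for a in accounts}

    for rec in hr:
        acct = acct_by_id.get(rec.employee_id)
        wanted = dept_groups.get(rec.department, set())
        if acct is None:
            if rec.active:                      # joiner: no account yet
                plan.create.append((rec.employee_id, sorted(wanted)))
                plan.audit.append(("create", rec.employee_id, rec.department))
        elif not rec.active:                    # leaver: cut access at once
            if acct.enabled:
                plan.disable.append(acct.login)
                plan.audit.append(("disable", acct.login, "terminated in HR"))
            for g in sorted(acct.groups):       # and strip every entitlement
                plan.remove_groups.append((acct.login, g))
                plan.audit.append(("remove_group", acct.login, g))
        else:                                   # mover or steady state
            for g in sorted(wanted - acct.groups):
                plan.add_groups.append((acct.login, g))
                plan.audit.append(("add_group", acct.login, g))
            for g in sorted(acct.groups - wanted):
                plan.remove_groups.append((acct.login, g))
                plan.audit.append(("remove_group", acct.login, g))

    for acct in accounts:                       # orphans: no HR owner at all
        if acct.employee_id not in hr_by_id:
            plan.orphans.append(acct.login)
            if acct.enabled:                    # disable rather than guess
                plan.disable.append(acct.login)
                plan.audit.append(("disable", acct.login, "no HR record"))
    return plan


# Constructed sample data (hypothetical).
HR_FEED = [
    HrRecord("1001", "A. Ng", "claims", True),        # steady state
    HrRecord("1002", "B. Roy", "trading", True),      # mover: was in finance
    HrRecord("1003", "C. Diaz", "finance", False),    # leaver
    HrRecord("1004", "D. Oyelaran", "claims", True),  # joiner
]
DIRECTORY = [
    Account("1001", "ang", True, {"app-claims-users"}),
    Account("1002", "broy", True, {"app-ledger-ro"}),
    Account("1003", "cdiaz", True, {"app-ledger-ro", "vpn-traders"}),
    Account("9999", "svc-legacy", True, {"app-trading-desk"}),  # orphan
]

if __name__ == "__main__":
    for entry in reconcile(HR_FEED, DIRECTORY).audit:
        print("%-12s %-12s %s" % entry)
```

The point a practitioner should take from this is that the leaver and orphan branches disable first and ask questions later: an account whose HR owner is gone loses its login and every group in the same run, and the audit list records each action with its reason, which is exactly the evidence a compliance review asks for.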
Before selecting partners or products, a plan must be in place that provides clear strategic direction and details the scope, end goals, and drivers for the project.
The return on investment from an identity and access management solution comes from the cost savings resulting from increased productivity, reduced administration time, improved profitability, and, most importantly, reduced security incidents.
In the longer term, SOA may become the driver of identity management as it dovetails with service orchestration into a single infrastructure solution. For now, identity management is still gaining momentum and provides a compelling solution for managing webs of application services within financial services companies.