Managing identities and enforcing user access across multiple channels in an enterprise often leads to a tug of war. Organizations’ leaders need to maintain and adhere to compliance policies that are based on organization, industry and federal requirements while trying to ensure workers remain efficient. It’s a tricky spot for CIOs and CISOs who are responsible for protecting the data that keeps any enterprise functioning.
So how do they approach this challenge? The first step is to fully understand what exactly they’re trying to protect and why. The answer is different for every organization, and is often dependent on what industry they’re working in, as each vertical has specific regulations they are subject to. From Sarbanes-Oxley to HIPAA to FISMA, these regulations have their own nuances and requirements, and each bears its own set of risks and consequences for non-compliance.
At the same time, every organization regardless of industry has a workforce that may or may not understand these regulations and the critical importance of compliance. It’s a story told across industries — healthcare organizations that inadvertently allow inappropriate employee access to patient records, hacked financial institutions that face data breaches, and government employees who mishandle citizen files. Some of these violations are nefarious in nature; most are inadvertent human error, but all are worrisome to the organizations dealing with them.
The 5 Areas of Identity and Access Management
Once an organization understands what they need to protect and why, they need to manage this tug of war between protecting data in a compliant manner and remaining usable for employees, by understanding the five top level areas of identity and access management: Identity Lifecycle Management, Cloud Identity, Secure Access, Information Protection, and Directory Services.
- Identity Lifecycle Management
Every employee entering an organization begins a journey that starts with a new set of credentials registered within a company database. Over time this employee may be promoted, change departments, or have new responsibilities requiring different levels of access to company information. At some point, this employee may take an extended leave of absence or leave the company altogether. Throughout this lifecycle, the employee’s access is organized, managed and maintained on the back-end in a number of ways, which in large enterprises can be challenging without the proper technology solutions in place. This can become even more complicated when contractors, interns, seasonal employees, rehires, and partners outside of your organization are thrown into the mix.
To get a handle on identity lifecycle management, enterprises should leverage a tool like Microsoft Identity Manager (MIM), which can be customized for how your team needs to manage users, credentials, security, access, and data compliance. Create automated processes for adding new users or removing users, provisioning and deprovisioning identities, managing credentials like passwords or certificates, managing access, delegating administration for managing certain components of a digital identity, and creating self-service scenarios where users can manage and change parts of their own identity. On its own, this task is daunting, but using a tool like MIM will help your organization decrease risk and increase usability while still staying manageable.
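The joiner, mover, leaver flow described above is what a lifecycle tool automates underneath: compare the authoritative HR record against what the directory currently grants, and emit the provisioning actions that close the gap. The following is an added illustration written for this post, not MIM code or any product's API; the HR feed, directory state, department-to-group mapping and identifiers are constructed sample data.

```python
from datetime import date

# Constructed sample HR feed: the authoritative record of who works here and in what capacity.
HR_FEED = [
    {"id": "e100", "status": "active",     "dept": "finance", "type": "employee",   "end": None},
    {"id": "e101", "status": "active",     "dept": "sales",   "type": "employee",   "end": None},
    {"id": "e102", "status": "leave",      "dept": "hr",      "type": "employee",   "end": None},
    {"id": "c200", "status": "active",     "dept": "it",      "type": "contractor", "end": date(2023, 1, 31)},
    {"id": "e103", "status": "terminated", "dept": "sales",   "type": "employee",   "end": None},
    {"id": "e104", "status": "active",     "dept": "it",      "type": "employee",   "end": None},
]

# Constructed sample directory state (what each account can currently reach).
DIRECTORY = {
    "e100": {"enabled": True,  "groups": {"finance-ledger", "sales-crm"}},  # mover: sales -> finance
    "e101": {"enabled": True,  "groups": {"sales-crm"}},
    "e102": {"enabled": True,  "groups": {"hr-records"}},                   # on leave but still enabled
    "c200": {"enabled": True,  "groups": {"it-helpdesk"}},                  # contract end date has passed
    "e103": {"enabled": True,  "groups": {"sales-crm"}},                    # leaver still enabled
    "e104": {"enabled": False, "groups": set()},                            # rehire, account parked
    "x999": {"enabled": True,  "groups": {"finance-ledger"}},               # no HR record at all
}

# Role-based entitlements (assumed mapping): groups each department's members should hold.
DEPT_GROUPS = {
    "finance": {"finance-ledger"},
    "sales":   {"sales-crm"},
    "hr":      {"hr-records"},
    "it":      {"it-helpdesk"},
}
BASELINE = {"all-staff"}            # every active identity gets this
TODAY = date(2023, 6, 1)            # fixed "now" so the run is reproducible


def reconcile(hr_feed, directory, today):
    """Return the list of (account, action, detail) needed to make the directory match HR."""
    actions = []
    seen = set()
    for rec in hr_feed:
        uid = rec["id"]
        seen.add(uid)
        entry = directory.get(uid)
        expired = rec["end"] is not None and rec["end"] < today
        active = rec["status"] == "active" and not expired

        if rec["status"] == "terminated":
            # Leaver: disable and strip every entitlement; the account is kept for audit trail.
            if entry is not None and (entry["enabled"] or entry["groups"]):
                actions.append((uid, "deprovision", sorted(entry["groups"])))
            continue

        if not active:
            # Extended leave or an expired contract: keep the identity but cut access now.
            if entry is not None and entry["enabled"]:
                reason = "contract_expired" if expired else rec["status"]
                actions.append((uid, "disable", reason))
            continue

        wanted = DEPT_GROUPS.get(rec["dept"], set()) | BASELINE
        if entry is None:
            actions.append((uid, "provision", sorted(wanted)))   # joiner
            continue
        if not entry["enabled"]:
            actions.append((uid, "enable", None))                 # rehire / return from leave
        for g in sorted(wanted - entry["groups"]):
            actions.append((uid, "grant", g))
        for g in sorted(entry["groups"] - wanted):
            actions.append((uid, "revoke", g))                    # mover loses old department's access

    # Accounts the directory knows but HR does not: never auto-delete, flag for human review.
    for uid in sorted(set(directory) - seen):
        actions.append((uid, "review_orphan", sorted(directory[uid]["groups"])))
    return actions


def plan():
    return reconcile(HR_FEED, DIRECTORY, TODAY)


if __name__ == "__main__":
    for account, action, detail in plan():
        print(f"{account:5} {action:14} {detail}")
```

Two design points matter more than the code size: the directory is never treated as the source of truth for who should have access (HR is), and accounts with no HR record are surfaced for review rather than silently removed, because an orphan is just as likely to be a service account someone forgot to document as a stale identity.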
- Cloud Identity
As digital transformations continue to happen in organizations around the globe, more and more enterprises are embracing the cloud in favor of traditional on-premises storage and platforms. As such, new identities for employees are being introduced, and enterprises need to consider how identity works across cloud platforms and services.
From a usability standpoint, employees are keen to work in the cloud, but enterprises face the challenge of managing identities, authentication and authorization in an efficient manner while maintaining the right levels of access across organizational and platform boundaries. Enterprises should consider cloud identity solutions that can provide a secure single web sign-on for access to multiple applications — cloud based or on-premises — over the life of an online session, like Microsoft’s Azure Active Directory and MIM. Solutions like these combined with Azure Identity Protection help organizations manage log-ins across different applications, monitor user activity, group users by category or lifecycle phase, assign permissions, and maintain credentials in a secure, streamlined manner.
- Secure Access
Today’s employees want to be able to access applications and systems from anywhere on any device. While this may improve productivity, it creates complications for companies that must comply with policies and regulations in terms of protecting sensitive and confidential data.
Take, for example, a salesperson at an auto dealership. Making a sale is just one part of the job. This person may also be responsible for dealing with a buyer’s sensitive information — including a social security number and financial specifics — contained within his or her loan application. Unthinkingly, the salesperson may save this application on a desktop, send it over unsecured email to a manager or the dealership’s finance department, or place it in a file in the cloud for easy access later on. This mishandling of crucial data puts the organization at risk for non-compliance in the name of saving time.
Providing access to this information that is secure and auditable while also being efficient, consistent and easy for employees to use is exactly where one side of the tug of war tends to lose. As such, it’s important to consider Single Sign-On, Multi-Factor Authentication, and Conditional Access using products such as Azure Active Directory and DirectAccess.
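Conditional access is what lets the dealership example end differently: instead of a flat allow/deny, each sign-in is judged on who is asking, from where, on what device and for how sensitive an application, and the answer can be "allow", "first prove a second factor" or "block". Below is an added, simplified policy evaluator written for this post; it is not Azure AD's engine, and the trusted network ranges, application tiers, group name and risk signal values are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed corporate network ranges (documentation/private space) and app sensitivity tiers.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
APP_TIER = {"loan-portal": "high", "crm": "medium", "wiki": "low"}
PRIVILEGED_GROUPS = {"finance-admins"}   # assumed group that always requires MFA


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: frozenset
    app: str
    ip: str
    device_compliant: bool   # managed device that passes the compliance policy
    mfa_satisfied: bool      # a second factor was already presented in this session
    risk: str                # "low" | "medium" | "high", from an identity-protection signal


def evaluate(s: SignIn):
    """Return (decision, reason); decision is one of allow / require_mfa / block."""
    on_trusted_net = any(ip_address(s.ip) in net for net in TRUSTED_NETWORKS)
    tier = APP_TIER.get(s.app, "high")   # unknown applications are treated as sensitive

    # Hard blocks are evaluated first so a step-up can never override them.
    if s.risk == "high":
        return "block", "high sign-in risk"
    if tier == "high" and not s.device_compliant:
        return "block", "sensitive application requires a compliant device"

    # Step-up conditions: off-network, privileged group, elevated risk, or sensitive app.
    needs_mfa = (
        not on_trusted_net
        or bool(s.groups & PRIVILEGED_GROUPS)
        or s.risk == "medium"
        or tier == "high"
    )
    if needs_mfa and not s.mfa_satisfied:
        return "require_mfa", "policy requires a second factor"
    return "allow", "all conditions met"


# Constructed sample sign-ins modelled on the dealership salesperson.
SAMPLES = {
    "crm_on_lan":            SignIn("ben", frozenset({"sales"}), "crm",         "10.1.2.3",     True,  False, "low"),
    "loan_from_home_mfa":    SignIn("ben", frozenset({"sales"}), "loan-portal", "198.51.100.7", True,  True,  "low"),
    "loan_personal_device":  SignIn("ben", frozenset({"sales"}), "loan-portal", "198.51.100.7", False, True,  "low"),
    "wiki_from_home_nomfa":  SignIn("ben", frozenset({"sales"}), "wiki",        "198.51.100.7", True,  False, "low"),
    "finance_admin_on_lan":  SignIn("ana", frozenset({"finance-admins"}), "crm", "10.1.2.3",    True,  False, "low"),
    "risky_signin":          SignIn("ben", frozenset({"sales"}), "wiki",        "10.1.2.3",     True,  True,  "high"),
}


def decisions():
    return {name: evaluate(s)[0] for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for name, s in SAMPLES.items():
        decision, reason = evaluate(s)
        print(f"{name:22} -> {decision:11} ({reason})")
```

Ordering is the security-relevant detail: block rules run before step-up rules, so a user with a high-risk sign-in cannot talk the policy into "just ask me for MFA". The same salesperson is allowed straight into the CRM on the showroom network, is challenged for a second factor from home, and is refused the loan portal from an unmanaged device regardless of MFA.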
- Information Protection
Every organization, regardless of sector, has confidential information that must be safeguarded and protected, including intellectual property, client information, financial details, research and much more. Controlling access to this information is challenging, but critical, and there are several ways to do so, including rights management and data loss prevention (DLP) solutions such as Azure Information Protection Services. These solutions limit what digital information can be copied, printed or shared, and companies can protect files and quarantine emails based on policies put in place. These policies can be bound to the digital information so that it’s always protected regardless of where it is sent, which lowers the risk of data leaks or breaches and improves regulatory compliance.
- Directory Services
An organization’s active directories can be a mix of information — everything from database identity stores to a variety of authentication and authorization systems. Directories control access to applications and data, which means they are vital to any identity and access management solution.
The challenge is that in many enterprises the number of directories can be unwieldy due to mergers, acquisitions, a transition to cloud applications, or decisions made outside of IT. In short, the more directories, the more complex the identity and access management becomes, and the more confusing it is for end users when they are attempting to access different resources required to perform their job responsibilities. Employees are often confused and distracted from their task at hand as they try to figure out how to access specific business applications. The key to solving this problem is to reduce complexity by consolidating and integrating directory services, which will refocus employees while maintaining data integrity, containing costs and minimizing risks.
Getting a handle on Identity and Access Management (IAM) can seem daunting, but finding that balance in the tug of war between compliance and usability isn’t impossible.
This blog post is the second in our IAM series. Read the first post to get my perspective on why Identity and Access Management matters. In my next blog I’ll dive deeper into how Microsoft technologies can specifically help you map out your IAM solution. After that I’ll discuss some of the reasons to invest in IAM, and then provide a practical guide on how to get started.