This white paper discusses the Identity and Access Management (IAM) challenges that arise from modern technology trends such as cloud computing and BYOD (Bring Your Own Device). Managing identities effectively is essential for meeting enterprise governance and compliance standards, and a good IAM system is a must-have for any organization that wants to keep its resources secure. With ever-growing global markets, enterprises extend their operations across many geographies, which adds to the challenge of managing identity while keeping the network resource-ready and secure. Because offices are widely spread, enterprises must come up with an effective identity management solution to ensure compliance for their data. A poorly managed IAM system may lead to data theft and other security issues, which in turn may lead to financial losses. There are cases of very reputable enterprises that suffered data theft and fraud resulting in large losses, mostly because of a poorly managed and insecure identity and access management system. Enterprises need to study their options properly when selecting an IAM product and designing the IAM system, keeping future extensions in mind. Many times an enterprise grows so fast that its IAM system, never designed to scale, starts underperforming and introduces additional security issues.
To perform well in today’s competitive global market, enterprises often need to adopt modern trends such as cloud computing, BYOD (Bring Your Own Device) and virtualization for their employees. This adds security and maintenance challenges for the identity and access management system. While introducing new technology trends for employees, enterprises must modify their identity and access management programs, which is a difficult task.
2. CURRENT COMMON IAM CHALLENGES
This section explains some common challenges of IAM systems. These challenges are quite old and enterprises now know how to handle them effectively; still, an IAM system must be designed carefully to avoid them.
Diverse role systems
In today’s diverse world of information technology, enterprises have a large number of roles for their employees, and they also work with many partners and contractors. Granting the right access to resources based on role is critical. With a large number of employees and a wide variety of roles, implementing an effective and secure IAM system is always a challenge, and frequent role changes among employees make it even harder. To meet these challenges, enterprises should have IAM programs that are smart enough to handle a diverse and ever-changing role system.
Offices in multiple locations
An organization can have offices in various geographies, each with a large number of employees, all of whom need to access many common applications. Managing the identity data of users spread all over the world is a big challenge, and with widely spread offices, providing adequate data security and data integrity is always difficult. Administering identity data across multiple office locations is also difficult because multiple data repositories have to be maintained. Managing the widespread use of various identities, such as user data, printers, phones, access machines and access cards, is getting harder. When an organization grows at a very high rate across the globe, managing access to its resources becomes quite difficult. Companies should have an effective and scalable IAM program that answers all the challenges created by having offices in many locations.
Resource ready environment
Resources should be ready to use for newly joined employees. Based on the new user’s role, resources should be assigned automatically and quickly and appropriate access granted; otherwise time and money are wasted. In an organization where thousands of people are joining or leaving and many roles are changing, writing an effective IAM program that quickly grants and revokes resource access is critical. Designing a resource-ready and secure environment is a challenge for any big organization. With hundreds of applications to be accessed by thousands of users, it is always a challenge to write an IAM program that keeps the environment both ready and secure.
Changes in organizations
Change is unavoidable and important for any organization; it is a must for better productivity. Organizations must continuously innovate to do well in today’s competitive business environment and to satisfy customer demands. The business should embrace change, without which the enterprise may fail to satisfy a growing customer base. Major changes come to any organization when new technologies are adopted, and the IAM system should be able to answer all the challenges that arise from changing market trends. The common changes in any organization happen when new trends are adopted, new products are introduced, a new user base is added, or the infrastructure changes. IAM should proactively handle new data identities and access to new resources while ensuring all required governance and compliance standards. IAM should be managed centrally for the best administration of all identities. A central IAM repository reduces helpdesk volume and also brings down the number of digital identities, which results in easier administration.
Cost and profit
Cost is one of the most important factors that must be analyzed carefully when designing an IAM system. Enterprises need to ensure that the investment in implementing IAM is minimal and the return is maximal. But many times, in order to satisfy increased customer demand, enterprises face minor or major losses, and this is largely due to improper IAM implementation. Sometimes IAM implementation becomes very time-consuming, costly and tedious because more and more applications have to be integrated with IAM. To avoid this, the identity management life-cycle activities for the various applications need to be scaled efficiently. The IAM design and implementation staff should be kept as small as possible so that the investment yields a good profit margin.
3. GROWING TECHNOLOGY TRENDS AND CHALLENGES TO IAM
Technology plays the most important role in today’s competitive market and greatly affects the way we do business. In the last few years there has been immense growth in the adoption of new technology trends in organizations, but new technologies bring new challenges. Organizations must continuously work on innovative ways to reduce the challenges of implementing new technology. Because of emerging technology, more and more distinct digital identities are evolving, and they are becoming difficult to manage. In addition, providing a secure access control solution for this vast variety of digital identities is a big task. A seamless solution is a must-have feature for accommodating new technology. There are many IAM products on the market, some of which promise to handle the end-to-end scenario of technology growth, but an enterprise still needs to run a proper workshop to decide which IAM product to use. Companies that still do not adopt new technologies face adverse effects such as profit and revenue losses, reduced end-product quality, loss of market reputation, loss of the best associates, and so on. Adopting new technology is sometimes imperative for maintaining good revenue and product quality. But various challenges come with new technology trends.
Because of new technology resources, identity and access management is getting more and more challenging. This section explains some new technology trends and the common challenges that arise when these technologies are introduced into organizations.
3.1 BYOD (Bring Your Own Device)
To increase productivity, many enterprises have started thinking beyond typical business technology adoption and are welcoming newer technology trends into the office. Today, mobiles and tablet PCs are used so widely that users want to use them everywhere, even in the office. With the variety of hardware available, employees want to connect flexibly to the office network through their mobiles, laptops or tablet PCs. This increased use of mobiles and tablets has given rise to a new technology trend known as BYOD (Bring Your Own Device): instead of using their old office desktops, employees prefer to use their own devices in the office, which makes them feel more flexible.
Many organizations have welcomed this trend into their offices for employee satisfaction and better productivity. Another reason corporations look forward to BYOD is that it is very cost effective. According to the CEOs of such organizations, BYOD leads to better productivity, as employees are happy and comfortable using their own devices while still having the option of using office-provided machines. BYOD is part of ‘IT consumerization’, which according to Gartner is one of the most significant IT trends for the next 10 years. But providing official network access to employees’ own devices brings increased security and management issues and risks.
Identity and access management challenges that come with BYOD
BYOD provides a flexible way to use employee-owned devices on the office network, but it comes with the added challenge of managing access and identity for these new devices. On a BYOD-enabled network, thousands of users try to access many applications, so the IAM system should be smart enough to determine who is connected and what that user is doing on the network. Designing IAM policies for BYOD is quite a challenge. Managing access on a corporate-owned device is easy because the system administrator has installed programs that allow or restrict access to various components. Enterprises often also allow their employees to access cloud-based applications, and designing a centralized IAM solution that covers both corporate and cloud applications can be hard.
The biggest pain point comes when the number of employee-owned device types grows, and generic rules and policies for all devices may no longer work. Enterprises need to design IAM and other programs for each device type. Employees should not be encouraged to use any device outside the allowed device groups. Each device an employee connects to the corporate network is a new identity for the network, and the IAM system should immediately recognize such devices and start the automatic identity registration process. Designing this kind of IAM is a challenge when it has to deal with huge numbers of employees and device types. Auditing and monitoring is another challenge for any BYOD-enabled network: with the vast set of user-owned device types, it is always difficult to monitor user activity and behavior. Generating summarized audit reports is very important, as any BYOD-enabled network is more prone to governance and compliance issues. So, to reduce IT overload, an effective IAM solution that complies with the universal security policy is a must for implementing BYOD.
Security concerns with BYOD
Managing security on a typical corporate network with corporate-owned devices is easy. Designing a secure and compliant network for BYOD is a difficult task, especially when employees start using applications or devices that do not follow the guidelines or do not adhere to the security policies. Network policies should be able to authenticate devices as soon as they connect. Enterprises should also publish a list of accepted devices that users may connect to the network. Any unauthorized device connection can be very severe for the enterprise network and can lead to identity theft and other losses. User-owned devices may sometimes contain unsafe data, and security issues may arise once these devices connect to the enterprise network. Before using BYOD, users should sign an acknowledgement contract containing the general rules and regulations, for example what kind of personal data and applications users may store on their devices. The enterprise should require users to install a basic security program on their devices. Another security dimension to consider is that, since employees use their own devices, they can or should be able to download some basic enterprise data to carry out their official jobs. This sensitive company data should be encrypted on the user’s device; otherwise it may lead to breaches of confidential data.
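An added example (not from the paper) of the device registration and audit flow described above: each connecting device is checked against the accepted-device list, the signed agreement, the security-program and encryption requirements, and is registered as an identity only if it passes; the audit log is then summarized. The accepted list, agreements and device records are constructed.

```python
"""BYOD enrollment: every connecting device is a new identity for the network.
Admit it only when policy is satisfied and keep a summarized audit trail.
The accepted-device list and all device records are constructed."""
from collections import Counter
from dataclasses import dataclass

# (platform, minimum OS version) pairs the enterprise publishes as acceptable.
ACCEPTED_DEVICES = {("ios", "14.0"), ("android", "11"), ("windows", "10")}

@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str
    platform: str
    os_version: str         # dotted numeric version string, e.g. "15.2"
    storage_encrypted: bool
    security_agent: bool    # enterprise security program installed

def version_tuple(text):
    return tuple(int(part) for part in text.split("."))

def platform_accepted(device):
    """True when the platform is listed and the OS meets the minimum version."""
    return any(platform == device.platform
               and version_tuple(device.os_version) >= version_tuple(minimum)
               for platform, minimum in ACCEPTED_DEVICES)

def evaluate(device, signed_agreements, bound_owner=None):
    """Return the list of policy violations; empty means the device may be enrolled."""
    problems = []
    if not signed_agreements.get(device.owner, False):
        problems.append("no signed BYOD agreement")
    if not platform_accepted(device):
        problems.append("device type not on accepted list")
    if not device.security_agent:
        problems.append("security program not installed")
    if not device.storage_encrypted:
        problems.append("storage not encrypted")
    if bound_owner is not None and bound_owner != device.owner:
        problems.append("device bound to another user")
    return problems

class DeviceRegistry:
    def __init__(self, signed_agreements):
        self.signed_agreements = signed_agreements
        self.identities = {}  # device_id -> owner (the device identity record)
        self.audit_log = []   # (device_id, owner, outcome, problems)

    def connect(self, device):
        """Evaluate a connecting device, register or re-authenticate it, audit the result."""
        problems = evaluate(device, self.signed_agreements, self.identities.get(device.device_id))
        if problems:
            self.audit_log.append((device.device_id, device.owner, "rejected", problems))
            return False
        outcome = "re-authenticated" if device.device_id in self.identities else "registered"
        self.identities[device.device_id] = device.owner
        self.audit_log.append((device.device_id, device.owner, outcome, []))
        return True

    def summary(self):
        """Summarized audit report: counts per outcome and per rejection reason."""
        outcomes = Counter(entry[2] for entry in self.audit_log)
        reasons = Counter(reason for entry in self.audit_log for reason in entry[3])
        return {"outcomes": dict(outcomes), "rejection_reasons": dict(reasons)}

# Constructed sample: who signed the BYOD agreement, and a sequence of connections.
SIGNED_AGREEMENTS = {"alice": True, "bob": True, "carol": False}
SAMPLE_CONNECTIONS = [
    Device("d1", "alice", "ios", "15.2", True, True),    # compliant: registered
    Device("d2", "bob", "android", "10", True, True),    # OS below minimum
    Device("d3", "carol", "windows", "10", True, True),  # no signed agreement
    Device("d4", "bob", "windows", "11", False, True),   # storage not encrypted
    Device("d1", "alice", "ios", "15.2", True, True),    # known device: re-authenticated
    Device("d1", "bob", "ios", "15.2", True, True),      # same device id, different user
]

def run_sample():
    registry = DeviceRegistry(SIGNED_AGREEMENTS)
    for device in SAMPLE_CONNECTIONS:
        registry.connect(device)
    return registry
```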
Employees may have personal data on their devices while connected to the enterprise network: videos, photos, emails, personal information and so on. It is the enterprise’s responsibility to equip the network so that such information is kept secure and private. Similarly, the company should protect its network from the employee’s unsecured private data. Sometimes an employee may lose personal data stored on the device, so enterprises should have proper terms and conditions that apply to employees’ personal data stored on their devices.
It is well accepted by many enterprises that introducing BYOD leads to IT overhead. BYOD adds a lot of network traffic because personally owned devices may contain many applications that users like to use frequently while connected to the company network. For example, an employee may need to respond to personal emails or use Skype for an urgent call, or may want to access social web sites while connected to the company network. All of this adds to network traffic. Enterprises can now use tools that monitor users’ application and data usage; this way they can keep a check on data usage and take action where required. Another solution is to restrict the use of applications on employee devices that consume a lot of data. This additional traffic is a by-product of BYOD and must be handled as well as possible, or it can put an immense load on the company’s servers. To some extent, enterprises can also encourage employees to proactively monitor their own network usage through network traffic reporting tools.
3.2 VIRTUALIZATION – APPLICATION AND DESKTOP
With today’s rapid changes in technology, employees need to upgrade their desktops and applications to keep pace with productivity, and many times they have to wait for system updates or a PC refresh. Desktop and application virtualization centralizes applications and desktops by storing them in a data store and providing a way to access them on demand. End users then do not need the applications installed on their own systems; they can access them virtually from anywhere. By virtualizing applications, enterprises gain more flexibility and heterogeneity in their environment. The main advantage of virtualization is the time saved that was earlier spent installing updates and doing maintenance on every end system. In addition, access can be managed in a much more granular way by virtualizing the applications or desktops. With virtualized applications and desktops, users can connect from anywhere through their own devices: right after connecting to the network, users can be allowed to download a thin client onto the local system, which creates a connection to the virtualized desktop for accessing the required applications. This is proving to be a very cost-effective way of using company resources, and many organizations are adopting it. BYOD and virtualization are interrelated and may work in parallel. With virtualization there is an immense reduction in the risk of losing data, as everything stays in the remote data store and users access it through a secure remote channel protocol. In a virtualized environment, updates need to be applied only to the centralized application in the data store, and all end users then access the updated application, so time is saved.
Increased security risks with over-virtualization
If application and desktop virtualization is used in a limited and controlled way, security is not a major issue and can be handled with ease. But nowadays many organizations are impressed by the cost savings of virtualization and sometimes virtualize their critical applications without a proper security and compliance structure. Going ahead with virtualization without proper planning may lead to many access and compliance related issues. Proper access control and audit features need to be in place before extending virtualization. All critical applications that are to be virtualized should be SOX or PCI regulated. Another access concern with a virtualized network is that if access falls into the wrong hands, the production remote machine can be turned off or the application’s critical files can be stolen, which may lead to huge losses. Some enterprises do not have the skilled and expert associates needed to implement virtualization security, and implementing security for a virtualized network is much more difficult than managing security for a physical network.
In an environment with multiple virtualization platforms, an organization can have distinct naming, routing and ports, so managing identities can be difficult. The heterogeneity that comes with virtualization makes a successful end-to-end connection a bit harder. So identities must be managed very carefully when implementing multiple virtualization networks.
3.3 CLOUD COMPUTING
Cloud computing is a big revolution in the IT industry, delivering on-demand services anywhere, anytime. Cloud computing has grown tremendously, especially in the consumer market. The simplest example of using a cloud service is checking mail on a consumer web site like Gmail: the end user does not know exactly where, or on which server, the mail is stored. Cloud computing is meant to deliver applications at run time. Nowadays many enterprises use cloud-provided space to host their official applications and sometimes even their infrastructure; this way they do not have to worry about space, and scaling is not an issue with cloud services. Cloud computing service providers generally offer resources such as storage space, applications, software and infrastructure to their customers.
Many organizations are now adopting cloud-based applications for their employees. Scaling users up or down in a cloud-based environment is not an issue. Traditionally, enterprises need teams for lower-value activities such as software installation, updates, configuration and testing. These tasks do not contribute much to profitability and are costlier when there are many applications. In addition, hardware has to be managed to install these applications locally. With cloud-based applications, enterprises do not need to worry about managing the hardware and software for the applications their employees require. A cloud computing vendor provides application, infrastructure and platform services to enterprises, and end users can use these cloud-based services wherever and whenever needed. Cloud computing applications are proving very cost effective and easy to manage. End users only need to access the applications via a browser or thin client and configure the application. Application access via the cloud makes access more mobile: compared to the traditional way of accessing official applications, through cloud services users can access applications anytime, anywhere and even through their personal devices, which can increase productivity. Cloud infrastructure is yet another cloud service, in which the vendor provides the whole infrastructure needed to run an application and users just access these applications through virtual machines (VMs). But along with advanced cloud technology and ease of use come many challenges, especially in managing identities and access for cloud-based applications. Security is another concern for enterprises using cloud services.
IAM challenges with cloud
Implementing an effective IAM system is a concern for most organizations, and it becomes even more challenging when organizations start using cloud services. IAM ensures that only authorized entities get access to resources, but it is possible that after an employee leaves the organization, all internal access is revoked but somehow not the access to cloud applications. For local applications, identity provisioning and de-provisioning is easy, but it is a challenge for cloud-based applications. Adopting new technology trends like cloud computing increases the number of access points, and managing access for thousands of identities across these access points is getting difficult; this also increases the chances of a security breach. Implementing SSO across multiple cloud-based applications is difficult because the identity database is stored locally while the applications are hosted outside, in the cloud. Cloud computing is highly scalable and elastic in adding or removing resource identities. Because of this flexibility, new identities are sometimes added at a very high rate, which can lead to identity and access management issues. A cloud environment is heterogeneous and composed of various services, so implementing a fine-grained identity and access model is critical; otherwise organizations may suffer security issues or identity theft, which may lead to big losses.
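One way to catch the de-provisioning gap described above (and the provisioning side of the resource-ready environment from section 2), as an added example that is not from the paper: a reconciliation pass that compares the local directory, as the source of truth, with the account list each cloud application holds. The users, account lists and the role-to-application policy are constructed.

```python
"""Reconcile the local identity store against cloud application account lists,
flagging accounts to provision, accounts that outlived their owner, and
accounts a role does not justify. All data below is constructed."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class User:
    login: str
    role: str
    active: bool   # False once HR records the person as having left

# Which roles are entitled to which cloud applications (constructed policy).
ROLE_ENTITLEMENTS = {
    "engineer": {"crm", "wiki", "repo"},
    "sales": {"crm", "wiki"},
    "contractor": {"wiki"},
}

@dataclass
class Report:
    missing: set = field(default_factory=set)  # entitled and active, but no account yet
    orphan: set = field(default_factory=set)   # account whose owner left or is unknown
    excess: set = field(default_factory=set)   # active user whose role does not grant the app

def normalize(login):
    """Cloud apps often differ in letter case; compare on a canonical form."""
    return login.strip().lower()

def reconcile(directory, cloud_accounts):
    """Return {app: Report} comparing expected access with what each app actually holds."""
    users = {normalize(u.login): u for u in directory}
    reports = {}
    for app, accounts in cloud_accounts.items():
        report = Report()
        expected = {login for login, u in users.items()
                    if u.active and app in ROLE_ENTITLEMENTS.get(u.role, set())}
        actual = {normalize(a) for a in accounts}
        report.missing = expected - actual
        for login in actual - expected:
            owner = users.get(login)
            if owner is None or not owner.active:
                report.orphan.add(login)   # the de-provisioning gap
            else:
                report.excess.add(login)   # provisioned beyond the role
        reports[app] = report
    return reports

def deprovision_actions(reports):
    """Flatten orphan accounts into (app, login) revoke work items, sorted for review."""
    return sorted((app, login) for app, report in reports.items() for login in report.orphan)

# Constructed sample: directory export and per-application account exports.
DIRECTORY = [
    User("alice", "engineer", True),
    User("bob", "sales", True),
    User("carol", "engineer", False),   # left the company, internal access revoked
    User("dan", "contractor", True),
]
CLOUD_ACCOUNTS = {
    "crm": ["Alice", "bob", "carol"],   # carol's cloud account was never removed
    "wiki": ["alice", "dan", "eve"],    # eve is not in the directory at all
    "repo": ["alice", "bob"],           # bob's role does not grant repo access
}

def run_sample():
    return reconcile(DIRECTORY, CLOUD_ACCOUNTS)

if __name__ == "__main__":
    for app, report in run_sample().items():
        print(app, "missing:", sorted(report.missing),
              "orphan:", sorted(report.orphan), "excess:", sorted(report.excess))
    print("revoke:", deprovision_actions(run_sample()))
```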
In the consumer market, millions of users use cloud services when they go online to pay bills, book tickets and so on. When creating a user account or identity in a cloud service provider’s environment, users are sometimes required to provide sensitive information. Many times these digital identities flow among the application stores of various providers. Since user identities flow this way through an insecure cloud environment, providers need a very effective IAM system to protect against identity theft and fraud. Cloud computing will grow further in future, so more effective and smarter IAM programs need to be designed. An effective IAM system is one through which users can see what data is shown to which provider; this way users can decide what level of sensitive information to provide.
Security in cloud based environment
Today, managing security for local applications is not an issue for most organizations, but it is a challenge when it comes to securely accessing cloud applications. Unlike a secure intranet environment, the cloud is a more open and less secure means of storing and accessing applications, because cloud applications reside outside the organization’s firewall. So it is important for any organization to design an effective security program for accessing cloud-based services. Generally a cloud vendor provides services to many customers dynamically, so data security becomes an even bigger concern for enterprises using cloud services.
There are three cloud delivery models: SaaS (software as a service), PaaS (platform as a service) and IaaS (infrastructure as a service). Among these, IaaS raises the greatest security concerns. In the IaaS delivery model, the whole infrastructure on which the applications are stored is set up virtually; this virtual infrastructure can be a set of virtual machines (VMs), and trusting VMs may be an issue with IaaS. The cloud deployment environments are public, private, community and hybrid, of which the most secure is private, so enterprises should always opt for a private environment where resources are virtualized exclusively for a particular organization.
Another security challenge a consumer organization faces in its contract with a cloud provider is that the provider hosts the data services and may illegally access the consumer’s confidential data. Technically monitoring the provider’s operations may not always be feasible, so there must be proper trust between provider and consumer to avoid such security issues.
The cloud is a multi-tenant environment where providers may share infrastructure among various consumers, which makes cloud computing less secure. In such scenarios providers must have effective access rules and policies to protect the organizational data held in their cloud data stores. Organizations too should take the utmost care before availing themselves of cloud services from any vendor, for example by making sure that basic cloud computing security rules are satisfied.
4. FEDERATED IDENTITY MANAGEMENT
In the previous sections I have highlighted some new technology trends in IT and the various security challenges that result from adopting them. Federated Identity Management (FIM) is a term that emerged to ease identity and access management while adopting new technologies.
How Federated Identity Management can help
With the vast spread of internet applications and new technologies, employees need to access many applications belonging to different organizations. Federated identity management (FIM) allows employees to use the same credentials to access another company’s applications. Through federation, organizations establish trust so that their employees can access each other’s services without creating new credentials. FIM basically results in single sign-on (SSO) and provides a seamless approach to accessing another company’s services. Without FIM, companies must maintain the whole user base locally and authenticate the users of other organizations, which is time-consuming, not cost effective and requires high maintenance effort. Imagine a situation where thousands of employees of an organization need to access many applications from various vendors: without FIM, all these employees would need accounts in the data stores of all these applications. With FIM, the service provider (the organization granting access to its application to another organization’s employees) only needs to determine whether the outside user trying to access its application is authorized. This way of establishing trust for accessing other companies’ applications is very convenient and secure, and is very useful in BYOD and cloud environments.
FIM is based on the service provider and identity provider model: the service provider allows outsiders to access its services, and the identity provider supplies the user credentials and authentication needed to access the service provider’s service. This works on the basis of a trusted contract between the cloud service provider and the consumer. FIM plays a very important role in easing the IAM issues with BYOD and cloud computing. As these technology trends are based on virtually accessing external applications, FIM is proving to be a key to managing identities and access.
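The service provider / identity provider exchange described above, as an added example that is not part of this paper: the IdP authenticates the user against its own store and issues a signed assertion, and the SP, which never sees the password, accepts the assertion only from an issuer on its trust list, only for its own audience and only before expiry. The HMAC-signed JSON token format, domain names, key and user records are constructed stand-ins for a real SAML or OIDC assertion.

```python
"""Federated single sign-on between an identity provider (IdP) and a service
provider (SP). Toy format (not SAML/OIDC): base64url(JSON claims).base64url(HMAC)
with a key shared under the federation contract. All names and keys are constructed."""
import base64
import hashlib
import hmac
import json
import time

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def serialize_claims(claims):
    """Canonical JSON so the signed bytes are reproducible on both sides."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()

class IdentityProvider:
    def __init__(self, issuer, key, users):
        self.issuer, self.key = issuer, key
        self.users = users  # login -> (password, role); constructed credential store

    def authenticate(self, login, password, audience, now=None, ttl=300):
        """Check the local credential and return an assertion for `audience`, or None."""
        rec = self.users.get(login)
        if rec is None or not hmac.compare_digest(rec[0].encode(), password.encode()):
            return None
        now = int(now if now is not None else time.time())
        claims = {"iss": self.issuer, "sub": login, "aud": audience,
                  "role": rec[1], "iat": now, "exp": now + ttl}
        body = serialize_claims(claims)
        sig = hmac.new(self.key, body, hashlib.sha256).digest()
        return b64url_encode(body) + "." + b64url_encode(sig)

class ServiceProvider:
    def __init__(self, name, trusted_idps, role_permissions):
        self.name = name
        self.trusted_idps = trusted_idps          # issuer -> shared key (the federation trust list)
        self.role_permissions = role_permissions  # role -> set of permitted actions

    def verify(self, assertion, now=None):
        """Return (claims, None) when the assertion is acceptable, else (None, reason)."""
        try:
            b64_body, b64_sig = assertion.split(".")
            body, sig = b64url_decode(b64_body), b64url_decode(b64_sig)
            claims = json.loads(body)
        except (ValueError, TypeError, AttributeError):
            return None, "malformed"
        if not isinstance(claims, dict):
            return None, "malformed"
        key = self.trusted_idps.get(claims.get("iss"))
        if key is None:
            return None, "untrusted issuer"       # IdP is not in the federation
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return None, "bad signature"          # tampered or forged assertion
        if claims.get("aud") != self.name:
            return None, "wrong audience"         # issued for a different SP
        now = int(now if now is not None else time.time())
        if now >= claims.get("exp", 0):
            return None, "expired"
        return claims, None

    def authorize(self, assertion, action, now=None):
        """Map a verified assertion to a decision: (True, login) or (False, reason)."""
        claims, reason = self.verify(assertion, now)
        if claims is None:
            return False, reason
        if action not in self.role_permissions.get(claims.get("role"), set()):
            return False, "role not permitted"
        return True, claims["sub"]

# Constructed federation: one IdP trusted by one SP through a shared key.
SHARED_KEY = b"constructed-federation-key"
IDP = IdentityProvider("idp.acme.example", SHARED_KEY, {"alice": ("s3cret", "engineer")})
SP = ServiceProvider("crm.partner.example", {"idp.acme.example": SHARED_KEY},
                     {"engineer": {"read"}, "manager": {"read", "write"}})

if __name__ == "__main__":
    token = IDP.authenticate("alice", "s3cret", SP.name)
    print(SP.authorize(token, "read"))   # (True, 'alice')
    print(SP.authorize(token, "write"))  # (False, 'role not permitted')
```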
Some vendors of cloud IAM and FIM products are as follows:
Cloud IAM Vendors: Oracle, IBM, CA, Novell, SUN
FIM Vendors: Novell, Oracle, RSA, Tivoli, SUN
As newer technology trends evolve, managing identities and access for employees is getting more and more tedious. Many times, to perform well in the market, enterprises must adopt the latest technology trends, but poorly managed identity and access services may lead to security issues. Many IAM vendors are nowadays making their products more compatible with new technologies such as cloud computing and BYOD. It is imperative that enterprises take the utmost care before introducing new technology trends for their employees, and that they design an effective IAM solution that handles end-to-end identity and access challenges and issues.
I hereby acknowledge my gratitude to Manjunath Meti and Anustup Paul for their valuable feedback during the first round of review of the content of this paper.