UC Cloud Security: Avoiding an Identity Crisis

user-pic
Who are you? How does the enterprise identify you and know for sure that you are really you? Do you have multiple identities that must be supported? How many systems and services do you access that require a unique identity?

These questions surround the IT issue of identity management (IdM), the administrative task of identifying individuals and controlling their access to IT resources and services based on established identities. More than just user IDs and passwords, IdM covers a wide range of disciplines, dealing with technology, law (data protection), compliance regulations, law enforcement (identity theft), security, privacy and enterprise organizational structures.

UC Makes IdM More Complex

An issue in IT for years, IdM also becomes a unified communications (UC) challenge as enterprises integrate multiple systems, products and services, each with its own method(s) for determining identity. Within the UC environment, the task is even more complex, because the enterprise likely will have non-interoperable systems that cannot work together for secure IdM. And then there's the user component: users have to remember or write down multiple IDs and passwords. Even if the enterprise has created a single sign-on method, users still must contend with public and other enterprises' identity systems.

As a key form of information access protection, IdM should be implemented with the same emphasis and care as security. This is even more critical as identity theft and illicit access to an organization's resources today are practiced not just by hackers but by cybercriminals as well.

The Elements of Identity Management

The enterprise must deal with IdM from a number of vantage points:

• User access: enough, but not too much. New employees will not be fully productive until they have their account information completed, and existing employees may be restricted until updates or changes have been made to their accounts. Once users are authorized, they require access to many systems, including the network, e-mail, Internet, enterprise resource planning (ERP) system, mainframe and many more. Ex-employees whose access and privileges are not terminated in a timely manner could abuse or misuse the access. Contractors who are enabled for data access are subject to the same issues.

• Administering to minimize vulnerabilities. Administrators for each system, private and public, must perform essentially the same tasks: creating, changing and terminating user accounts. Different systems probably will have partial or contradictory user information, making it difficult to provide services and ensure secure operations, especially for financial transactions. These redundancies and inefficiencies can lead to inconsistencies and boost costs.

Furthermore, there are numerous ways in which administrators can leave the system open to vulnerabilities or attacks. If they create accounts that are not used, an attack might occur without setting off alarms. If new accounts are set up with easy-to-guess passwords or a default password that is never changed, illicit access becomes easier. If users are allowed to retain their access privileges after they change job responsibilities, they will have more privileges than they should.

• Addressing compliance and regulation. Regulations cover customer privacy, business practices and corporate governance, and apply to healthcare and financial institutions, retailers, pharmaceutical firms and publicly traded companies. They require  enterprises to be able to track users and their access to systems and data. Specifically, regulations call for the ability to do the following:

» Authenticate the user in a secure manner
» Control user access, especially to sensitive systems
» Ensure that data access is appropriately granted to the user
» Prove, measure and report on the three points above

All these factors must be consistent, secure, auditable and accurately reported. To make it even more complex, not only are the federal and state governments frequently adding new regulations, but the courts may change a regulation's interpretation at any time.
    
• Executing a successful implementation. Implementing an IdM system is a complicated process. The typical organization needs to determine and inventory what is presently stored, where it is stored and how access is assigned to each application. If there are multiple systems - some on proprietary legacy platforms, others using commercial tools or services - then some reprogramming may be required to allow the systems to interact.

Crucial to a successful implementation is the creation of a centralized secure IdM database and the definition and policing of database policies. The enterprise must train users and contractors on proper security procedures, and then constantly and consistently monitor their access to applications and data.

Email and Social Media Links: Share securely via email |  |






Join the Webtorials Community
Subscription Maintenance


Featured Sponsors























Webtorials TechNotes

Featured Analysts

Gary Audin, Delphi, Inc.

Michael Finneran, dBrn Associates

William A. Flanagan, Flanagan Consulting

Douglas Jarrett, Keller and Heckman LLP

Jim Metzler, Ashton, Metzler & Associates

Lisa Phifer, Core Competence

Dave Powell, Independent Technical Writer

David Rohde, TechCaliber Consulting LLC

Steven Taylor, Distributed Networking Associates, Inc.

Joanie Wexler, Technology Analyst/Editor


Publisher

Steven Taylor

TechNotes is a special program of Webtorials and Distributed Networking Associates, Inc.

Notices

Please note: By downloading this information, you acknowledge that the sponsor(s) of this information may contact you, providing that they give you the option of opting out of further communications from them concerning this information.  Also, by your downloading this information, you agree that the information is for your personal use only and that this information may not be retransmitted to others or reposted on another web site.  Please encourage colleagues to download their own copy after registering at http://www.webtorials.com/reg/.  Continuing past this point indicates your acceptance of our terms of use as specified at Terms of Use.

Webtorial® is a registered servicemark of Distributed Networking Associates. The Webtorial logo is a servicemark of Distributed Networking Associates. Copyright 1999-2013, Distributed Networking Associates, Inc.