Recession Makes IAM Crucial

Any economic downturn brings new risks to your organization. Nervous employees who fear downsizing may be tempted to gain unauthorized access to sensitive information stored across applications while temporary workers are less loyal and identity verification processes for full-time employees may not be used, making your organization more susceptible.

For this reason, identity and access management (IAM) remains a top priority for security professionals. In Forrester’s “The State of Enterprise IT Security: 2008 to 2009,” 82 percent of security decision-makers reported that IAM would be an important or very important issue for their IT security organization in the coming year. Forrester predicts that the IAM market will grow from nearly $2.6 billion in 2006 to more than $12.3 billion in 2014.

Security is an issue with temporary employees because although they offer a lower-cost workforce option as they are hired and fired much more easily than permanent employees, they also bring increased risks. They lack the loyalty that permanent employees feel toward the company and may be less inclined to recognize and report inappropriate activities but they need the same thorough vetting and training as permanent employees. And, because their turnover rate is much higher than that of normal employees, temporary workers need to be provisioned and de-provisioned more often, quickly and cost effectively in large numbers.

Current employees are also a security risk as they may be nervous for the future of their position within a company. Nervous employees are often tempted to mine, steal, or destroy critical information. Monitoring and reporting access to applications and data is critical, especially when employees are at risk of leaving the organization — voluntarily, for performance reasons, or when layoffs occur.

IAM has solutions for these problems: centralized access management for monitoring and enforcing policies for application access; advances in role-based access control to provide temporary workers with timely access and to deactivate them quickly, uniformly, and securely. Growing support for SaaS applications using federated user account provisioning and hosted IAM provider services adds incremental gains in IAM for many organizations.

Centralized access management increases security and reduces costs. Access management solutions govern centralized access to applications and data. Many of these solutions also integrate with non-Web solutions like desktop, phone, and interactive voice response (IVR), providing tight controls over who can access what data. Recent developments in adaptive and risk-based authentication allow you to put even more granular policy definition around the context of the access.

Options include IP address geolocation, machine fingerprints, transaction types, and single sign-on (SSO) solutions that improve password quality because users have only one, higher-quality password to remember. It also makes forgotten password recovery and reset much easier, reducing the risks associated with a data breach in the case of a password compromise. Without centralized access management, if one password is compromised, there is no way of telling if other passwords were breached and need to be reset. If there is only one password to all applications, then resetting that password will take care of re-securing access to all applications.

Integration with SaaS applications leads the way to IAM outsourcing. SaaS applications can be integrated seamlessly into the corporate IAM ecosystem, and provisioned and deprovisioned with user accounts. Doing so forces firms to rethink their identity management infrastructure. This refactoring of identity services is fairly common, and it creates a reusable, lower-cost identity fabric if done properly. This identity fabric then yields itself to the partial — or even full — outsourcing of identity management to managed security services providers (MSSPs) like Covisint, FuGen, Simeio Solutions, Symplified, VeriSign, Wipro.

It is also important to note in these economic times that the IT organizations that have deployed IAM solutions are helping to reduce costs on IT administration by automating the process of adding, modifying, and deleting users, minimizing audit remediation costs by controlling access to critical enterprise resources like ERP, Web, and thick client applications, and avoiding or reducing the cost of a data breach.

Despite the cut in costs that IAM may provide, security budgets have traditionally been difficult to defend in organizations. Executive management views security and IAM investment as something of a checklist item that will help the company get through an audit, or as a hasty follow-up measure after a security incident (system or data breach, etc.). IT managers should still be prepared to provide hard and fast numbers and statistics when discussing these items with your budget approvers.

Measure the impact of an IAM rollout using easy metrics that translate into dollars. Nothing conveys the value of the IAM project better than its contribution to reduced call center costs due to fewer helpdesk calls, fewer audit findings — and thus lower cost of mitigation of audit findings around user access recertification. An additional benefit is improved productivity of adequately provisioned users (having all access to applications when they start versus having to wait two to three weeks for all access to be granted).

Treat IAM as mission-critical infrastructure, not an application, regardless of the economy. If your Web access management infrastructure stops working, it usually means business also stops. The people and organizations responsible for maintaining this infrastructure and the policy definitions for it are indispensable in making sure it continues to directly support business.

Use IAM to support facts-based reorganization and savings. Information in IAM systems (access logs to applications in enterprise SSO and Web SSO systems, your role-based access-control policies, usage statistics of who’s using what application based on their role, etc.) can be used as direct evidence of which functions of the company need to be outsourced and why.

During times of economic uncertainty, executive management is more likely to ask for the concrete business value and cost-benefit analysis of an IAM project, and cancel these projects if there is no clear linkage between the business value and quick wins of the IAM project. Executive management is also likely to add intense scrutiny into savings realized through using IAM. Quick provisioning of access to temporary workers, managing and enforcing access policies to all applications, and preparing to support SaaS applications all highlight IAM’s importance in avoiding new risks.

Andras Cser is a principal analyst at Forrester Research, where he serves Security & Risk professionals. To obtain free, related research from Forrester, please visit www.forrester.com/csofeb.