Oracle Magazine spoke with Sally Hudson, research director of security products at International Data Corporation (IDC), about securely authorizing users in an era of mobile devices, social networking, and cloud computing.
Oracle Magazine: What drives today’s organizations to implement enterprise identity management systems?
Hudson: For Fortune 1000 companies, one of the major business drivers is the need to comply with regulations such as Sarbanes-Oxley for public entities, the FFIEC [Federal Financial Institutions Examination Council] for financial institutions, and HIPAA [Health Insurance Portability and Accountability Act] for healthcare firms. These regulations are furthering the move toward identity and access management because they make specific demands about accountability: who is accessing your IT resources, when, and for what reason.
Also, as companies extend their information systems to partners and customers, federated, secure single sign-on and authentication technologies become progressively more important. On top of that, there is a steady convergence as different companies, different technologies, and different access methods come together to offer people more-holistic choices for accessing enterprise information systems.
Oracle Magazine: How do IT and line-of-business [LOB] managers participate in today’s identity management [IDM] systems?
Hudson: While IT has traditionally been reluctant to hand over control to the business, they are now working in tandem with the business on granting entitlements, fine-grained attestation, and privileged user management. There are quantifiable business benefits associated with letting LOBs control who is accessing the system, who’s on the list of provisioning, and who they can flag immediately to remove. It just makes it all much simpler and more secure. Business managers are not only more comfortable, but they’re welcoming the interaction because they feel that they have more control over their environment and can better respond to audits.
Oracle Magazine: How can businesses effectively control the privileges of the system administrators and DBAs that manage their information systems?
Hudson: “Privilege creep” is often unintentional. But as systems have become more open and distributed, and especially with so many mobile devices accessing the network, companies are looking for easier ways to identify where users are overprivileged and correct that immediately. Today’s systems can provide temporary access and just as quickly take it away again. Having complete control over the provisioning/deprovisioning cycle of managing privileged identities is extremely important.
Oracle Magazine: How does the rise of smartphones and tablets complicate IDM deployments?
Hudson: We’re seeing a much more diverse landscape of devices, computing habits, and access methods from outside of the corporate network. This trend necessitates a total security picture with different layers and endpoint controls. It used to be just about keeping people out. Now, you have to let people in. Most organizations are looking toward multifaceted authentication—beyond the password—by using biometrics, soft tokens, and so forth to do this securely. Corporate IT strategies have evolved beyond just identity and access management to encompass a layered security approach that extends from the endpoint to the data center. It involves multiple technologies and touchpoints and coordination, with different layers of security from the internals of the database to the edge of the network.
Oracle Magazine: How do you create a consistent security architecture in public cloud deployments?
Hudson: Large companies see the cost benefits of moving certain aspects of their IT infrastructure into the cloud. However, they must do it in a secure fashion and not overlook their compliance regulations and their privacy regulations. It is important to work with a cloud vendor that is qualified and knowledgeable about your existing business and IT systems—ideally a vendor that understands the regulations within your industry and can demonstrate that it addresses multitenancy and privacy requirements accordingly.