Building an Access Control Framework (pt. 1)

From what I have seen of Identity Management tools, they are more about management than identity, which is fine, once you have solved the the challenge of effectively identifying all the users of your sensitive data. But, slick as they can be, an IdM tool may only automate your existing processes and if they are bad processes you will not likely see either the ROI, increased productivity or enhanced risk management you sold to your senior leadership when requesting that they write a seven-figure check to the security vendor who was still standing at the end of your RFI/bakeoff/proof of concept process.

Ironically, settling the identity part of the identity management equation may help you avoid or reduce the investment in an IdM product. Freudian concerns aside, as a security, risk or compliance professional, you probably only care about identifying those people who access your organization’s most sensitive data or systems, as corporate data that is available to all associates may only require data leakage controls to ensure it does not become public, if even that level of control is required. Managing access to your sensitive data and systems is hard enough without expending unnecessary resources to secure data that is generally available anyway.

Solving the identity challenge, in tandem with an accurate and maintainable asset inventory and a robust data classification program provides the foundation for not only effective access control, but the ability to demonstrate (to management, auditors, and regulators) that you actually have effective access control.

The reason most identity management solutions are not effective with identities is that the tools are not used until the associate is already well-established in your organization and the IdM system is just another stop in the provisioning chain. By the time the user is entered in IdM, identities for multiple systems may already have been created, a potentially insurmountable obstacle to ever binding a user to a single identity and likely forever dooming you to manage multiple identities. Further, increasingly restrictive data privacy controls likely limit the data attributes that most distinguish one individual from another. The only way to effectively manage user identities is to establish a single, dataless attribute at the first point where your organization touches the individual, be they an employee, contractor, vendor, business partner or whether they are hired into a central or distributed unit of the enterprise. It is at this first touch that the most distinct data are available about the individual and if secured at the point where what is functionally an identity token is created, the sensitive personally identifiable information need not seep any further into the organization.

Of course, no vendor solution exists to assign identifiers to multiple associate sourcing systems so you will have to provide your own. While such an undertaking may seem daunting, you can relatively easily create a web service to bind a user to an identifier. You will also require a data store, with adequate security for the personally-identifiable information you will be storing; and, presenting the biggest challenge – the agreement of all the other stakeholders who source or provision users. In my next installment I will describe in a case study how any organization can achieve a unique, permanent identity for each user.

Post a Comment

Your email is never published nor shared. Required fields are marked *