Everybody knows that the IT perimeter has been permanently warped by cloud-based resources, the consumerization of IT and the ever-agile work day. Information technology and information security decision makers are grappling with the tight-rope act of balancing the security of their organization’s data with their stakeholder’s usability expectations. Happily, the pervading need to bridge the identity-mobility-access gap has given rise to innovative identity and access management (IAM) solutions, of which this blog series provides an overview.
The New Fuzzy IT Perimeter
To recap the previous articles
in this series, the traditional enterprise IT perimeter has been changed by cloud applications, mobile devices and remote user access (see Part 1 and 2). By default, this distortion has considerable implications in terms of the volume of overhead experienced by IT departments because of the sheer number of identities, applications and endpoints they now need to support. The new ‘fuzzy’ IT perimeter also raises concerns over the security and confidentiality of enterprise data distributed across different cloud, on-premises and mobile resources.
The ensuing management-and-security headache has given rise to numerous solutions crafted with the goal of minimizing the number of user identities that IT departments have to support per person. Similarly, to secure those identities, technologies aimed at simplifying user authentication have emerged, such as Bluetooth Smart solutions, which extend PKI security to tablets and smartphones (see Part 3 and of this series).
What other technologies have emerged to secure, and restore structure to, a fuzzy IT perimeter? Below are several key developments.
Enterprise Mobility Management (EMM)
In many organizations, employees may use two or more mobile devices every day. Enterprise Mobility Management solutions, or EMMs, are a general name for products that help IT staff manage the workflows and security for mobile devices in the enterprise. The three components, or approaches, to managing mobility are Mobile Device Management (MDMs), Mobile Application Management (MAMs) and Mobile Information Management, or MIMs. Using MDMs, IT teams can manage the lifecycle of mobile devices in the enterprise (provisioning, updates, revocation), control which devices are permitted to access corporate resources, and which configurations these devices must have, for example requiring that anti-virus and operating system software be up to date. MAMs, on the other hand, control access at the application level, ensuring that only authorized users can access apps from authorized mobile devices. And finally, MIMs are usually deployed alongside MDMs or MAMs, with the objective of ensuring that corporate data remains encrypted while at rest, and that it is transmitted only by authorized apps.
Identity and Access Management (IAM)
While covered as a single discipline in recent years, identity and access management is actually composed of two separate data security disciplines—that of Identity Governance and Administration (IGA) and that of Access Management (AM).
IGA solutions help answer the questions, “Who should receive access (or who is ‘entitled access’) to which application?” and “Who in practice was granted access to which application, by whom and when.” For example, an IGA solution may help establish that R&D staff are entitled access to certain development applications. A user may be automatically provisioned access to some applications, based on their R&D group membership. The R&D user may also request to be provisioned access to other applications, a request which would then go through a management approval process.
Access management (AM) solutions, on the other hand, mainly help answer the question, “Who accessed what and when?” They cover the workflows involved in provisioning access to certain applications, the provisioning of hardware or software tokens, and access policies such as what is considered high or low risk behavior in an authentication decision.
IAM solutions provide a methodic framework for granting (and requesting) access to applications, enforcing access controls, and ensuring visibility into access events. Given that most organizations deploy the IGA and AM components separately of each other, these disciplines are now being treated as distinct, standalone solution families, rather than being considered a single IAM suite.
The Convergence of Identities and EMMs
Enterprises have been deploying EMM solutions to help them manage the exploding number of smartphones and tablets in terms of security and access policies. At the same time, IAM-as-a-service solutions have been gaining traction to enable a quicker-time-to-value for organizations seeking to centralize identity management and access controls for their entire IT ecosystem of applications. Analyst firm Gartner predicts that IAM and EMM are on their way to converging, so that devices will be linked to employee identities, and these solutions will work in concert instead of as separate silos. In fact, some IAM-as-a-service solutions already offer built-in EMM capabilities.
***
More technologies for IT perimeter security in our next installment of the IAM Trends blog series, so stay tuned.
Increase your understanding of the IAM world, check out our Gemalto Access Management Handbook.
