Recently there's been a new development in the information security world: content-aware identity and access management (CA-IAM). CA-IAM is the integration of two established, usually separately administered security domains -- identity and access management (IAM) and data protection. The combination of these two domains allows the integration of user access rights and data permissions. Combining these two domains in turn simplifies three separate areas of information security: compliance, data transformation and intelligent user rights. So is it appropriate for your customers?
Today, CA-IAM is a concept, not a product. While a formal deployment is not yet available, solution providers can help customers understand the data and access requirements, user roles and responsibilities and how to classify data. Customers will also need assistance to understand the business benefits, requirements and deployment issues. Solution providers have the enviable position of having a broad customer base and experience implementing emerging technologies in diverse environments. This experience has imparted a certain wisdom that's difficult to come by within an enterprise with limited and singular deployment experiences.
Solution providers can act as a trusted partner to help organizations understand why they should take an initial look at how they can reconfigure their existing IAM infrastructure to achieve CA-IAM functionality. This functionality is realized by integrating the data context analysis capabilities of data protection, the reporting services of security information and event management (SIEM) and the enterprise's access control tools, and melding them with policies and processes to automatically enforce fine-grained authorization control down to the data level. Even though an enterprise may have all these tools, it's not easy to determine if an organization is at a level of maturity to take advantage of these services. Solution providers can offer an experienced, unbiased estimation on whether CA-IAM functionality is right for an organization. But before a company can start the process of adopting the concept of CA-IAM, solution providers will pose several questions to customers in order to decide whether they would benefit from a CA-IAM architecture:
- Does the customer have the minimum base-level of IAM services needed to take user access to the next level of granularity?
- Is the customer's information classified and is the solution provider able to understand the workflows for the information?
- Are customers willing to take a leadership role in looking at this new concept?
- Will deploying a CA-IAM project affect the company's operations in a positive way?
- Does the customer have a corporate culture that will allow it to change its policies, processes and procedures to take advantage of CA-IAM?
If the answer to all of these questions is yes, the organization may be a good candidate.
So what role can the solution provider assume as organizations decide to proceed? All IAM deployments, including CA-IAM, require changes to people, processes and technology. Solution providers can figure out what steps need to be taken, and in what order, to maintain the current level of information protection and minimize disruption to the business while providing new functionality. For instance, CA-IAM success demands that an organization understand and have defined processes for its user and data classifications. Solution providers can offer an unbiased evaluation of these processes and classifications as well as advice and help shoring them up prior to moving forward.
CA-IAM can offer benefits for a solution provider's own business, as well. By working with organizations to define their path toward CA-IAM, a solution provider develops a deeper understanding of the complexities of the organizations it works with. This allows the provider to potentially get involved with other initiatives within the organization and develop the coveted "trusted advisor" status. As the organization identifies new security opportunities in other areas, solution providers can then offer additional guidance to move the organization toward a more mature infrastructure while minimizing mistakes. CA-IAM may not be for everyone, but having a trusted advisor to lead the way will greatly help those that are taking the plunge into the future of IAM.
About the author
Randall Gamby is an enterprise security architect for a Fortune 500 insurance and finance company who has worked in the security industry for more than 20 years. He specializes in security/identity management strategies, methodologies and architectures.
This was first published in October 2009