The Changed Era of Information & Access Management in 2014
With the deluge of mobile computing devices and the rapid adoption of cloud technologies, IT security today is an illusion and corporate IT can no longer control the ways in which we access and share data.
Amit Shah Jan 15th 2014

This vendor-written article has been edited by ComputerWorld to eliminate product promotion, but readers should note it will likely favor the submitter's approach.


With the deluge of mobile computing devices and the rapid adoption of cloud technologies, IT security today is an illusion and corporate IT can no longer control the ways in which we access and share data. Earlier, controlling access to the network was easier, and the devices used to access it were owned, configured and controlled by the organization. Today, things have changed and are more intricate than before. The way data is accessed has changed how organizations look at the issue of security. The nature of the devices accessing the network has changed vastly; they are no longer limited, and no longer owned by the organization. Many new trends in technology have also contributed to the fact that security is not limited to just having a firewall.

Today, the biggest challenge is that security requirements and regulations demand much more than before and do not care whether the data is stored on a server or in a cloud, or accessed by a variety of different devices. This contributes to the fact that controlling access has become much more complex than it was a few years back. This complexity has led to an endless stream of disclosures of critical business data and other security hazards faced by organizations from inside as well as outside the organization.

The current identity management and access control approaches are insufficient to secure corporate data. Today, three mega-trends are changing the way identity and access management solutions are being set up and positioned:

Mobility:
Not too long ago, all devices used to access the corporate network were owned by the corporation and controlled by IT. Then employees began to have laptops and PCs at home, which they also used to access corporate data and applications. Now they use a wide variety of devices, from smartphones and tablets to netbooks and laptops, to access corporate systems from anywhere in the world. And when one of these portable devices is lost, the company’s sensitive data is instantly exposed. This mobile device tsunami means that IT can no longer control either the device we use or the location from which we access corporate data and applications.

Although many organizations have policies that are intended to prevent access with smartphones and other devices, in practice they do not work. IT simply cannot control these devices anymore, and therefore we must think differently about security and access management. Our focus needs to move from managing the devices to identity and access governance.

Cloud Computing:
More and more organizations are moving at least some of their data and applications to the cloud. Software-as-a-Service (SaaS) applications and online data hosting offer a variety of benefits. Foremost among those benefits are significantly reduced upfront and ongoing costs, since there is no software to license and maintain and no hardware to plan for, purchase, and support. Plus, the cloud offers faster scalability and performance guarantees. But moving data and applications to the cloud introduces new risks, because security is beyond IT’s control.

The cloud requires much more sophisticated and comprehensive solutions for identity and access management in order to provide security while maintaining a familiar, smooth experience for end users.

Consumerization of IT:
Corporate IT infrastructure is perceived to be bulky, slow to change, inflexible, and expensive. The cloud, on the other hand, is seen as agile, exciting, flexible, and cheap. Therefore, when people today have a computing need, they tend to bypass IT and use free or cheap cloud resources to meet the needs quickly. Using Dropbox, for instance, can be far easier than waiting for a SharePoint enhancement from IT. Of course, putting corporate data and applications in the cloud entails risks. IT can’t control what happens to data beyond the enterprise boundaries – once the company file is uploaded to Dropbox, all the security that used to be associated with it is gone.

But it’s hard to explain that risk to a user who is waiting for IT to deliver the desired service.

These trends have resulted in a world in which our corporate IT systems are simply not secure, because the current IAM model is insufficient. Hardly a week goes by that the press doesn’t report the successful breach of some company’s IT systems, along with the loss of sensitive corporate documents, personally identifiable information, or financial data. Even well-run IT organizations, both inside and outside the commercial sector, suffer massive data breaches.

When you give up ownership of the end points to your users, you give up ownership of your servers to a hosting service, and you give up your applications to cloud providers, all that is left to manage is the data.

That is as it should be, because the data is really the only truly valuable corporate asset that IT manages today. Computer systems, networking equipment, and most applications are commodities with little intrinsic value. The data, by contrast, is the organization’s intellectual property: trade secrets, project plans, financial data, customer information, and privileged communications.

Therefore, in the future, IT has to focus on securing the data rather than the devices. We must create identity and access governance solutions that are much more data-centric than solutions of the past.

The current model of IAM is static, focused on controlling access by consolidating a user’s identities and then managing the rights granted to the resulting corporate identity. This identity-centric model is focused on consolidating each user’s identity and building processes around that identity; for instance, your group membership gives you access to certain data. But this model is static and doesn’t adapt well to a world of mobile devices and cloud services.

A better model retains the identity consolidation, but layers on adaptive authorization and contextual authorization to reduce the risk of data breaches. The world of computing is changing dramatically, with cloud technologies, the proliferation of new devices beyond the control of corporate IT and higher expectations from users. These trends radically change our IT security landscape, and we need to look at how we secure our data in new ways.
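The contrast between the static, group-based model and a layered contextual decision can be sketched as follows. This is an added example, not code from the article or from any product; the sensitivity labels, the two context signals (managed device, known location), the scoring and the `step_up` outcome are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Data sensitivity labels, low to high (constructed for this example).
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2}

@dataclass(frozen=True)
class AccessRequest:
    user_groups: frozenset   # groups on the consolidated corporate identity
    required_group: str      # group the static model demands for this data
    sensitivity: str         # label carried by the data itself
    device_managed: bool     # True if IT owns/controls the device
    known_location: bool     # True if the user has worked from here before

def static_decision(req: AccessRequest) -> str:
    """Identity-centric model: group membership alone decides."""
    return "allow" if req.required_group in req.user_groups else "deny"

def contextual_decision(req: AccessRequest) -> str:
    """Identity check first, then weigh request context against the data."""
    if static_decision(req) == "deny":
        return "deny"
    # Unknown labels fail closed: treat them as the most sensitive class.
    level = SENSITIVITY.get(req.sensitivity, max(SENSITIVITY.values()))
    # One risk point per context signal that IT cannot vouch for.
    risk = int(not req.device_managed) + int(not req.known_location)
    if risk == 0 or level == 0:
        return "allow"
    if level == 2 and risk == 2:
        return "deny"
    return "step_up"  # hypothetical outcome: require extra verification

def compare(req: AccessRequest) -> tuple:
    return static_decision(req), contextual_decision(req)

if __name__ == "__main__":
    finance = frozenset({"finance"})
    samples = {  # constructed requests, all from the same finance user
        "office laptop": AccessRequest(finance, "finance", "confidential", True, True),
        "personal tablet, home": AccessRequest(finance, "finance", "confidential", False, True),
        "personal phone, new place": AccessRequest(finance, "finance", "confidential", False, False),
        "personal phone, public doc": AccessRequest(finance, "finance", "public", False, False),
    }
    for name, req in samples.items():
        print(f"{name:28} static={compare(req)[0]:6} contextual={compare(req)[1]}")
```

The static model returns the same answer for all four requests because the identity is the same; the contextual layer separates them by device, location and the sensitivity of the data being requested.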
