Every business today must rely on data captured from customers, interactions in the market and more to try and drive a competitive edge. In the process, they must also pay attention to
identity management. To get a better idea of how this plays out in the marketplace, TMC talked with Idan Shoham, CTO of Hitachi ID Systems. Asked how growing volumes and complexity of this data are protected, Shoham said it really depends on the type of data captured and how it is stored. Companies can typically rely on specific technologies for identity management, including encryption, access control and audit logs.
As for the types of vulnerabilities enterprises may be susceptible to, Shoham noted threats can come from both insiders and outsiders. Companies do take on certain risks when they fail to implement identity and access management solutions. According to Shoham, it’s important for an organization to manage data concerning “who is the user?” and “what can this user access?” A failure to do this correctly can leave data susceptible. Asked what Hitachi ID Systems offers to protect information and support identity management, Shoham pointed to solutions for managing the lifecycle of user profiles, security entitlements, identity information and login credentials.
When asked where companies are going wrong in security breaches and what can be changed, Shoham highlighted that every case is different. At the same time, companies don’t always disclose where they may have dropped the ball. Shoham also highlighted that while the good guys have to keep defenses at 100 percent all the time, the bad guys only have to find one opening to be successful. Hitachi ID Systems brings identity management to companies, focusing on managing identities, entitlements and credentials that exist in the cloud. The company also focuses on hosting the identity management system itself as a service.
Learn more about Hitachi’s identity management solutions in the conversation below:
Data is such an essential part of a business' success. As volumes and complexity of this data grow, how can enterprises ensure they are protected?
It depends on the type of data and where that data is stored.
Data may be structured - organized into tables with rows and columns in a database and it may be unstructured - documents, presentations, images, and so on. Both structured and unstructured data may be stored on a corporate server, on user PCs or in the cloud.
For any given combination of data type and storage location, there are different technologies that help protect it against unauthorized disclosure, improper changes or loss (in other words, to keep it “secure”).
Key among these technologies are:
- Encryption, on server and user device filesystems and in databases.
- Access control, where rules determine who has access to what.
- Audit logs, showing who did, in fact, access what.
In the access control area, a key problem is to define who should have access to what. This is called a security entitlement and it takes on a whole life cycle: initial access rights granted to new hires, management of changing access rights as a user moves through an organization and deactivation when a user finally leaves. This is a large part of the 'identity and access management' problem space.
What types of vulnerabilities are enterprises susceptible to?
Threats come from both insiders and outsiders. Successful security compromises mean that data was disclosed, altered or destroyed.
Threats by insiders are the most common and consist of simple mistakes, abuses of process and - in a few cases - malicious actors taking advantage of vulnerabilities in systems. Threats by outsiders are typically technical in nature, “social engineering” (fooling someone with valid systems access into doing something inappropriate) or both.
I'd say that attacks by outsiders, as recently happened to RSA or Sony, to name a couple of examples, get a lot of press coverage, but compromises due to insiders, such as rogue trading at Societe Generale or UBS, actually cause a lot more harm.
That's interesting because often organizations spend more to defend against outsiders than insiders -- i.e., the security spending is not necessarily well aligned with the frequency or cost of different types of security incidents.
What risks do companies take by not implementing identity and access management solutions?
Identity and access management systems are basically in charge of managing data about “who is this user?” and “what can this user access?” If an organization doesn't manage this sort of data effectively, then the wrong users will have access to sensitive or mission-critical systems and data. Inappropriate access can be leveraged to cause harm.
That may seem a bit abstract; here are a couple of examples to make it a bit clearer:
- A publicly listed corporation fails to deactivate access for someone who was terminated from the finance department. That former employee signs in and modifies the books, causing the company to miss a reporting deadline and have to refile. The stock takes a nosedive as a result.
- A government agency fails to segregate “vendor management” from “invoice entry” in their accounts payable system. A malicious contractor manages to get both rights, creates a vendor record for her spouse's company and proceeds to issue payments to that company for bogus invoices.
These are fairly basic, non-technical controls but they are probably even more important for risk management than firewalls, anti-virus software and so on.
How do Hitachi ID Systems' solutions protect critical enterprise data?
Hitachi ID Systems makes software solutions for managing the lifecycle of user profiles, identity information, security entitlements and login credentials.
These solutions can be used in a variety of ways:
- Ensure that when a user leaves an organization, their access is deactivated promptly, reliably and across all systems.
- Prevent users from acquiring combinations of entitlements that would violate segregation of duties policies and find users who already had such combinations before policy was defined.
- Authorize all security change requests, including detailed audit trails.
- Periodically re-certify user rights, to help managers and application owners find and remove no-longer-needed rights.
- Ensure that users are reliably authenticated, for example with a voice biometric or PIN sent via SMS to their mobile phone, before they can reset a forgotten or locked out password.
All of these processes support more reliable authentication of login sessions and authorization of user access to data, across every system and application in the enterprise.
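The segregation-of-duties control described in the accounts-payable example and in the list above, both as a preventive check on a new entitlement request and as a detective scan for users who already held a toxic combination, as an added illustration that is not Hitachi ID's code; the entitlement names, the policy and the sample assignments are constructed for this example.

```python
"""Segregation-of-duties (SoD) checks over entitlement assignments.
Hypothetical example, not Hitachi ID's code. Assumes entitlements are plain
strings and the policy is a set of "toxic" pairs no single user may hold
together, such as the "vendor management" / "invoice entry" case above."""

# Constructed SoD policy: each frozenset is a pair of entitlements that
# must never be held by one user at the same time.
SOD_POLICY = frozenset({
    frozenset({"ap:vendor_management", "ap:invoice_entry"}),
    frozenset({"fin:post_journal", "fin:approve_journal"}),
})

def violations(entitlements):
    """Return every toxic pair fully present in one user's entitlements."""
    held = set(entitlements)
    return {pair for pair in SOD_POLICY if pair <= held}

def would_violate(current, requested):
    """Preventive check: toxic pairs that granting `requested` would create."""
    return violations(set(current) | {requested}) - violations(current)

def request_entitlement(user_entitlements, user, requested):
    """Grant `requested` to `user` unless it creates a new SoD violation.
    Returns (granted, reason); `user_entitlements` is updated on success."""
    current = user_entitlements.setdefault(user, set())
    new = would_violate(current, requested)
    if new:
        return False, f"denied: would combine {sorted(sorted(p) for p in new)}"
    current.add(requested)
    return True, "granted"

def scan_existing(user_entitlements):
    """Detective check: users already holding a toxic combination, for
    example rights assigned before the policy was defined."""
    return {u: violations(e) for u, e in user_entitlements.items() if violations(e)}

# Constructed sample assignments; bob's pair is a pre-existing violation.
ASSIGNMENTS = {
    "alice": {"ap:invoice_entry"},
    "bob": {"ap:vendor_management", "ap:invoice_entry"},
    "carol": {"fin:post_journal"},
}

if __name__ == "__main__":
    print(scan_existing(ASSIGNMENTS))
    print(request_entitlement(ASSIGNMENTS, "alice", "ap:vendor_management"))
```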
We constantly hear about security breaches, sometimes by big companies in which millions of accounts are compromised. Where are these companies going wrong? What can be done to ensure this doesn't happen?
I think every case is different, and companies don't often disclose where they dropped the ball prior to a successful exploit.
It is helpful to remember that the good guys have to ensure that defenses are effective 100% of the time, while the bad guys only have to find a single opening to succeed.
Broadly, the newsworthy exploits seem to be due to:
- Buggy software, often with available patches not being applied quickly enough (or at all).
- People being fooled into doing inappropriate things, like sharing passwords or clicking on malicious code.
- Sensitive data being inadequately protected - without benefit of risk-appropriate access controls or encryption.
So if those are the problems, organizations need to adequately invest in:
- Patch management.
- Removal of unneeded software (as all software may be buggy).
- User education regarding both safe and suspicious behaviors.
- Robust access controls, on all systems, supported by effective identity and access management processes.
- Widespread deployment of cryptography.
Since security doesn't generally generate revenue or cost savings -- it is (correctly) perceived as overhead by management -- the trick is to get management to understand the risk that “failure” to invest in security creates and what the economic impact of that risk may be.
How does Hitachi ID Systems plan on handling an increasingly complex business ecosystem in which operations are now in the cloud? Any future projects in the works for doing so?
Hitachi ID focuses on managing identities, entitlements and credentials. Where cloud computing comes up, we talk to our customers about two kinds of things:
Our software already includes a variety of connectors to SaaS applications, including from Google, Microsoft, Cisco, Salesforce.com and others. Our solutions don't really “care” if a system where identities, entitlements or credentials will be managed is on-premise or SaaS.
Moreover, our privileged access management system is scalable to manage hundreds of thousands of endpoints distributed across multiple data centers in different locations. This makes it ideal for securing IaaS -- on behalf of either the cloud operator or of the organization that deploys thousands of cloud-hosted systems.
As far as offering our solutions as a service, we have partners doing this already, including global IT service providers such as HP and CSC. Look for additional IAMaaS offerings from Hitachi ID in the near future.
Susan J. Campbell is a contributing editor for TMCnet and has also written for eastbiz.com. To read more of Susan’s articles, please visit her columnist page.
Edited by Jennifer Russell