Security Management Solutions Buyer’s Guide: Purchasing Criteria
Contributed by IBM - Tivoli Group
Your company needs identity management — now what?
Organizations of all sizes, across all industries, are realizing that the complexity of today’s IT security demands a robust solution: one that manages the growing variety of users who now require access to your IT resources, one that enables your organization to comply with regulations and audit requirements, and one that does more even as it reduces costs.
The solution lies in managing identities. Identity management establishes centralized control to enable consistent execution of your security policies across the breadth of your organization. But it facilitates administration in a decentralized mode, giving the right amount of responsibility to the right individuals and groups — wherever they are.
Choosing to implement identity management is one thing. Figuring out how to get started toward the identity management solution that’s right for your organization is another. It can be intimidating to identify what kind of software you initially need to invest in, let alone to choose the best vendor in the area you select — a vendor that can support you throughout the process of implementing your total solution.
Help locating the right first step
If you identify the security concern that most affects your business priorities, then you can focus on the kind of security solution that directly addresses that concern. Later, over time, you can expand into the other security areas that support your business goals.
This document helps you get started. It outlines the most common challenges that lead companies to invest in identity management, then indicates which components directly address each challenge. For each component, the document provides a guide for assessing whether a particular vendor’s solutions are sufficiently robust. This buyer’s guide also helps you analyze whether the vendor can provide the support you will need when you expand into other areas of identity management.
The overall goal: manage more users and more regulations at a lower cost
Becoming an on demand business requires giving more users more access to your IT systems. Your IT staff must manage the access not only of your employees but also of your customers, your business partners and even of unknown users in unsecured locations who access your company’s public Web site. And it’s not simply a matter of assigning each user one set of rights. You need the flexibility to shift rights as frequently as an employee’s responsibilities change, for example.
Managing that much complexity is a substantial challenge. It’s made even more difficult by the increasing numbers of regulations and audit requirements with which you must comply. Furthermore, the situation is complicated by IT-cost-reduction directives that include the consolidation and streamlining of IT, outsourcing efforts, providing more customer self-service, and automating more and more IT tasks.
Meet these challenges by implementing identity management solutions
Companies turn to identity management solutions because they address the full range of today’s security challenges. Identity management is a way to address two key questions: who are you and what can you access? It helps you manage the growing number of users that come in contact with your IT systems, and consistently administer access to those users in alignment with your business requirements. Plus, it can do so in a manner that is not just cost-effective but actually provides a substantial return on your investment.
Identity management involves functions in three main areas:
When you establish an authoritative source of identity information, efficiently manage changes to both that information and the accompanying rights, and effectively implement your security policy — then you have a basis for access decisions, self-service, authorization and personalization.
The total identity management cycle encompasses all three of these areas — each reinforces the others. For example, the more authoritative your data stores are, the more confidence you can have that your security policy will be administered correctly. And when you establish user accounts that incorporate privacy preferences, that helps you to properly balance the protection and disclosure of private information in accordance with each user’s desires.
Three places to get started with identity management
Each of these three main categories of identity management provides a way to start to implement an identity management solution — to move toward exerting full control over the total identity management cycle. You can begin by:
To identify the ideal starting point for your organization, it helps to see what each category encompasses. Doing so also gives you a sense of how your initial investment in identity management provides a foundation for implementing a complete identity management solution.
The next section of this buyer’s guide can help you identify which of these three starting points — fixing identity data, user management and provisioning, or access control — best meets your business needs.
To begin with identity management, address your most pressing security challenges
Drawing on its own research and experience working with clients of all sizes and in all industries, IBM has identified eight challenges that frequently drive companies to implement identity management solutions. Each of these eight challenges is addressed by one or more of the three identity management starting points. The challenges are listed on the next page with their corresponding starting points.
Which of these challenges is most relevant to your business priorities? When you identify the challenge (or multiple challenges) that are most important to your company, then you will know where your company should concentrate its initial investment in identity management.
Identifying a starting point is important, but as the next section shows, it is also important to keep in mind how you will achieve your overall security goals. That way, you can use the remainder of this buyer’s guide to help you select the best solution provider for the starting point you prioritize — and still position your company to succeed when you’re ready to address other security challenges.
Because todayâ€™s security challenges are so complex, most companies choose to establish an overall architecture and then deploy it in stages. Each of these companies acts tactically and implements a solution in one area. But if the company loses sight of how that initial solution will help with the full range of the companyâ€™s security goals, then it risks investing in a solution that becomes merely a short-term step — without a long-term return on investment.
Hereâ€™s how you can think strategically about your long-term solution even as you begin to implement identity management:
In the following sections and for each starting point, this buyer’s guide provides checklists that you can use when evaluating vendors and their products. As you look for the solution that best addresses the challenge you’ve prioritized, keep in mind the importance of a provider who will be able to support the full breadth of your identity management solution.
Implement a solution for fixing identity data that turns user information into a powerful business asset
With more and more users requiring access to your systems, information about those users is stored in more and more places. Your human resources department may keep up-to-date information about your employees. Your sales staff may maintain definitive information about prospective clients. Other databases may house current client and business partner information.
To administer security consistently across your organization, you require some way to synchronize user information in a highly efficient fashion. If an employee changes her name, both the human resources database and all the databases that deliver information about your company to your customers should reflect the change. When a prospective client or business partner becomes an active client, changing the status in one information store should initiate the same change in all other stores.
An identity integration solution synchronizes data across your organization. It enables you to maximize the accuracy of the data you maintain and to reduce the costs associated with manually updating that data. With a superior identity integration solution, you establish rules that identify which groups and individuals have the authority to change which data fields. The solution then pushes changes made by those with authority out to all the other databases where the same data is stored and utilized.
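The mechanism just described, rules that say which source is authoritative for which attribute and a fan-out of authorised changes to every other store, is easy to see in a small model. The following is an added example written for this page, not code from IBM or from any Tivoli product; the three stores (HR, CRM, directory), the AUTHORITY policy and the records are constructed assumptions held in memory.

```python
"""Added example (not from the IBM guide): a minimal identity-integration
engine. An authority policy says which source system may change which
attribute. Authorised changes are pushed to every connected store that
holds the user; unauthorised ones are rejected and recorded for audit.
All stores, policies and records below are constructed stand-ins."""
from dataclasses import dataclass, field

# Assumed policy: source system -> attributes it is authoritative for.
AUTHORITY = {
    "hr": {"surname", "department", "employment_status"},
    "crm": {"customer_status"},
}


@dataclass
class Store:
    name: str
    records: dict = field(default_factory=dict)  # user id -> {attr: value}

    def apply(self, uid, attr, value):
        self.records.setdefault(uid, {})[attr] = value


class IdentityIntegrator:
    def __init__(self, stores):
        self.stores = {s.name: s for s in stores}
        self.rejected = []  # (source, uid, attr): change refused
        self.audit = []     # (source, uid, attr, value): change applied

    def change(self, source, uid, attr, value):
        """Accept a change only if `source` is authoritative for `attr`,
        then propagate it to every store that already holds `uid`."""
        if attr not in AUTHORITY.get(source, set()):
            self.rejected.append((source, uid, attr))
            return False
        for store in self.stores.values():
            if uid in store.records:
                store.apply(uid, attr, value)
        self.audit.append((source, uid, attr, value))
        return True


def build_demo():
    """Constructed data: one employee (u100) and one prospect (p7)."""
    hr = Store("hr", {"u100": {"surname": "Smith", "department": "Sales"}})
    crm = Store("crm", {"u100": {"surname": "Smith"},
                        "p7": {"customer_status": "prospect"}})
    directory = Store("directory", {"u100": {"surname": "Smith", "department": "Sales"},
                                    "p7": {"customer_status": "prospect"}})
    return IdentityIntegrator([hr, crm, directory])


def run_demo():
    integ = build_demo()
    # HR owns surname: the name change reaches CRM and the directory too.
    ok_name = integ.change("hr", "u100", "surname", "Jones")
    # CRM owns customer status: promoting a prospect propagates everywhere.
    ok_status = integ.change("crm", "p7", "customer_status", "active")
    # CRM does not own employee department: rejected, no store is touched.
    bad = integ.change("crm", "u100", "department", "Finance")
    return integ, ok_name, ok_status, bad


if __name__ == "__main__":
    integ, *_ = run_demo()
    print(integ.audit, integ.rejected)
```

The rejected list is as important as the applied one: a real integration layer should surface attempts by a non-authoritative system to overwrite identity data, since those are either misconfiguration or an attack on the authoritative source.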
Among its key benefits, identity integration:
In short, identity integration helps reduce the cost of establishing an authoritative store of information. Your company can use that store to help maximize the usability of your systems for your employees and deliver outstanding service to your customers and partners.
To find a superior identity integration solution, look for one that:
Implement high-performance 24x7 directory infrastructure for global enterprise applications
To enable comprehensive identity management solutions, your infrastructure needs to be able to drive identity data to an increasing number of directory-enabled applications. The situation is analogous to critical highway infrastructure. The more comprehensive and reliable the road network, the more value can be derived from all the cars that use it. Similarly, the more comprehensive and reliable your identity data infrastructure, the more value you can derive from all the identity management and enterprise applications that use that data.
What on demand businesses require for their identity data needs is a data engine that is open, reliable and scalable:
To locate a directory infrastructure solution that meets these three standards, seek one that:
Deploy a user management and provisioning solution to cost-effectively establish consistent security
Without a system for managing security across the breadth of your enterprise, your organization can face any number of challenges. Rights may be granted to accounts for people who no longer need access because they left the company or changed roles. Your IT staff may spend an inordinate amount of time granting and limiting user rights on a case-by-case basis — draining resources away from projects that deliver greater business value. Or your company may find it costly and time-consuming to gather the information you require to comply with security audits.
User provisioning and management solutions help your company establish consistent security while reducing the cost of security administration. These solutions automate the provisioning and de-provisioning of user accounts. For example, when a new employee is added or an employee’s status changes, the employee’s access rights must be properly assigned or reassigned. A user provisioning and management solution applies rules about which groups of users should have which rights to automatically provision access to each employee. Automation reduces the cost of having IT staff perform a repetitive task and helps ensure that security is administered in a uniform manner.
Because user provisioning and management solutions administer access rights in a centralized, organized fashion, these solutions provide visibility across your enterprise into exactly who has what rights. This visibility enables you to track everyone who has access to your systems, and to properly align the degree of access you grant with your business priorities and needs. User provisioning and management solutions also maintain accurate records of access-rights changes for auditing purposes — reducing the cost in terms of staff time and money of complying with audit requirements.
These solutions can also integrate with privacy management solutions to help your company ensure compliance with regulations and secure the private information distributed throughout your organization.
Make sure that the user management and provisioning solution you select:
Select an access control solution that minimizes your vulnerability and facilitates ease of use
The reason that so many more users need to access your systems is that you are offering greater numbers of more robust applications to your customers and partners. To maximize the value of these applications, they should be easy to use. To spend more time developing applications that deliver business value, your IT staff should spend less time on administration of your existing applications.
Access control solutions enable you to improve the usability and security of your customer-facing and partner-facing applications. By providing single sign-on not only for your employees but also for your partners and suppliers, access control solutions minimize a number of password-related problems:
Access control also provides a foundation for personalization of content to enhance the quality and efficiency of the user experience.
By taking security development out of the application development process, access control solutions help your IT staff focus on high-value activities. When developers create security for every application, it increases the cost of development and reduces the consistency of security across your enterprise. With a centralized access control solution, your developers can call on the solution to administer security — and thereby achieve highly effective security at a minimal cost.
Additionally, access control solutions enable you to consolidate multiple access-control and authorization solutions, close security back doors into operating systems, and audit access and privacy requests.
The access control solution you choose should:
Identify an access control solution for UNIX- and Linux-specific security challenges
Access control for UNIX and Linux environments faces the particular challenge of controlling super-user and root accounts. Misuse by internal users, including privileged administrators, is among the most serious threats enterprises face. Super-user accounts are particularly open to abuse because root bypasses the operating system's discretionary permission checks entirely, and when several administrators share the account, the native logs cannot attribute an action to the individual who took it.
An access control solution for your UNIX and Linux systems enables you to secure the applications, files and data on these operating platforms, as well as the platforms themselves. It applies the same business policies you use to control access throughout your organization, and creates a sophisticated audit trail for tracking your system administrators. For your business-critical applications that reside on UNIX and Linux systems — and especially for companies in security-sensitive and regulated industries — an access control solution targeted at these environments is crucial if you want to implement an end-to-end security policy.
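What the audit trail described above buys you is the ability to attribute each privileged command to a named administrator and to check it against policy. The following is an added example written for this page, not IBM or Tivoli Access Manager code: it parses the standard syslog lines that sudo writes (the `user : TTY=... ; PWD=... ; USER=... ; COMMAND=...` format, and the `command not allowed` variant for refused attempts) and flags unrestricted shell escalations, refused attempts and commands outside a per-administrator allowlist. The log lines, the ALLOWED policy and the host names are constructed.

```python
"""Added example (not from the IBM guide): detection logic over sudo's
syslog output. Each line is attributed to the invoking user, then checked
against an assumed per-admin command allowlist. Log lines are constructed
to match sudo's real format but do not come from any real system."""
import re

# sudo's syslog line, e.g.
#   Mar  3 09:12:01 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id
# Refused attempts carry a reason ("command not allowed") before the TTY field.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) :"
    r"(?: (?P<reason>(?!TTY=)[^;]*?) ;)? TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Assumed policy: which binaries each administrator may run via sudo.
ALLOWED = {
    "alice": {"/usr/bin/systemctl", "/usr/bin/psql"},
    "bob": {"/usr/bin/journalctl"},
}
# Interactive shells defeat command-level control entirely.
SHELLS = {"/bin/bash", "/bin/sh", "/usr/bin/bash", "/bin/su", "/usr/bin/su"}

SAMPLE_LOG = [  # constructed
    "Mar  3 09:12:01 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql",
    "Mar  3 09:15:44 db01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
    "Mar  3 09:16:02 db01 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers",
    "Mar  3 09:20:10 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=postgres ; COMMAND=/usr/bin/psql",
    "Mar  3 09:25:33 db01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/journalctl -u sshd",
    "Mar  3 09:26:00 db01 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234",
]


def parse(line):
    """Return the fields of a sudo line as a dict, or None for other lines."""
    m = SUDO_RE.match(line)
    return m.groupdict() if m else None


def audit(lines):
    """Attribute every sudo event to its invoking user and return
    (events, findings); findings are (kind, user, binary) tuples."""
    events, findings = [], []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        events.append(ev)
        binary = ev["cmd"].split()[0]
        if ev["reason"]:
            findings.append(("denied", ev["user"], binary))
        elif binary in SHELLS:
            findings.append(("unrestricted-shell", ev["user"], binary))
        elif binary not in ALLOWED.get(ev["user"], set()):
            findings.append(("outside-allowlist", ev["user"], binary))
    return events, findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG)[1]:
        print(*finding)
```

Note what this cannot see: once bob has `/bin/bash` as root, everything he does inside that shell is invisible to sudo's log, which is exactly why the guide asks for a solution that controls and records privileged sessions rather than only the command that opened them.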
To find a superior access control solution for your UNIX and Linux environments, look for one that:
Choose a solution that enhances the security of your IBM WebSphere Business environment
Companies that use WebSphere MQ to process personally identifiable information and other types of sensitive data often seek to extend WebSphere MQ’s native security services to protect message data end to end. Additionally, as they use WebSphere MQ to tie together more and more line-of-business applications, these companies look for a way to centrally manage both data protection and access control policies across all the systems in their enterprises.
An enhanced security solution for WebSphere MQ enables these companies to demonstrate the integrity and confidentiality of messages not just while in transit from system to system, but also while under the control of WebSphere MQ itself. Moreover, such an enhanced security solution can apply business policy to provide the desired level of confidentiality and integrity for each transaction.
When analyzing enhanced security solutions for your WebSphere MQ environment, make sure you select a
Control disclosure of sensitive information with a privacy management solution
For example, companies that use common identifiers — such as Social Security numbers in the United States, or taxpayer ID numbers in other countries — as ways to identify users need to hide those numbers from all employees who are not authorized to see them. But in most cases, it is cost prohibitive to rewrite applications and databases to eliminate the usage of certain sensitive data. Recoding existing applications has another drawback: the process may have to be repeated whenever policy changes in the future. An infrastructure solution is needed — one that can intelligently manage data according to policy and user preferences, without depending on individual applications for compliance.
In today’s marketplace, it is hard to find one solution that encompasses a full range of privacy management capabilities — both to meet today’s privacy challenges and to flexibly address future privacy requirements. Look for a privacy management solution that:
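The infrastructure approach just described, a layer between applications and the data that applies disclosure policy and subject preferences so the applications themselves never have to be recoded, looks like this in miniature. The following is an added example written for this page, not IBM or Tivoli Privacy Manager code; the roles, the FIELD_POLICY and PREFERENCES tables, the masking formats and the sample record are constructed assumptions. Absent consent is treated as no consent, so a subject who has not opted in to marketing use of their e-mail does not have it disclosed to that role.

```python
"""Added example (not from the IBM guide): a policy-driven masking layer
that sits between applications and a record store. Governed fields such
as Social Security numbers are masked unless one of the caller's roles
may see them and the data subject has not withheld consent for that use.
Policy tables, roles and the sample record are constructed assumptions."""
from copy import deepcopy

# Assumed disclosure policy: governed field -> roles allowed to see it unmasked.
FIELD_POLICY = {
    "ssn": {"payroll", "compliance"},
    "email": {"payroll", "compliance", "support", "marketing"},
    "salary": {"payroll"},
}

# Assumed subject preferences: key -> (field it governs, roles whose
# access requires the subject's explicit opt-in under that key).
PREFERENCES = {
    "share_email_marketing": ("email", {"marketing"}),
}


def mask_ssn(value):
    """Keep only the last four digits, the usual partial-display form."""
    return "***-**-" + value[-4:]


MASKERS = {
    "ssn": mask_ssn,
    "email": lambda v: "[withheld]",
    "salary": lambda v: "[withheld]",
}


def disclose(record, prefs, caller_roles):
    """Return a copy of `record` in which each governed field is masked
    unless (a) a caller role is allowed to see it by FIELD_POLICY and
    (b) the subject has opted in where PREFERENCES requires it.
    Missing preferences count as *not* opted in (privacy by default)."""
    out = deepcopy(record)
    for fld, allowed_roles in FIELD_POLICY.items():
        if fld not in out:
            continue
        permitted = set(caller_roles) & allowed_roles
        for key, (pref_field, opt_in_roles) in PREFERENCES.items():
            if pref_field == fld and prefs.get(key) is not True:
                permitted -= opt_in_roles
        if not permitted:
            out[fld] = MASKERS[fld](out[fld])
    return out


def demo():
    """Constructed subject record viewed through several roles."""
    record = {"name": "Dana", "ssn": "123-45-6789",
              "email": "dana@example.com", "salary": 91000}
    no_prefs = {}
    opted_in = {"share_email_marketing": True}
    return {
        "support": disclose(record, no_prefs, ["support"]),
        "marketing": disclose(record, no_prefs, ["marketing"]),
        "marketing_opted_in": disclose(record, opted_in, ["marketing"]),
        "payroll": disclose(record, no_prefs, ["payroll"]),
    }


if __name__ == "__main__":
    for role, view in demo().items():
        print(role, view)
```

Because the application receives an already-masked record, a policy change (say, removing "support" from the roles allowed to see e-mail) is a one-line edit to the policy table rather than a change to every application that reads the field, which is the point the paragraph above makes about avoiding repeated recoding.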
Superior integration enables IBM security software to support your long-term security strategy
When you begin to evaluate vendors for whichever identity management starting point you prioritize, you’ll find that IBM offers not only a best-of-breed solution in that area, but also unsurpassed breadth and integration across its security solutions. What does that mean for you? It means that when you’re ready to expand into other areas of identity management, IBM can best support your long-term security goals.
IBM’s leadership in integration is manifested not only in the way that its solutions work together seamlessly, but also in the fact that IBM solutions are built from reusable components. When you deploy a new solution that shares underlying functionality with your already-installed solution, you don’t need to run two instances of the same component. IBM helps minimize the software footprint of your integrated solution, and thereby helps maximize efficiency. That is especially important when you want to deliver highly usable applications to your employees
When you select IBM, you can have confidence in your partner’s stability and viability. Years from now and decades from now, IBM will be there to deliver leading solutions that simplify the administration of security, no matter how complex it becomes.
Enter into identity management with superior security solutions from IBM
For every phase of the identity management cycle, IBM offers software that meets all of the criteria of a superior solution:
IBM Directory Integrator and IBM Directory Server for fixing identity data:
IBM Tivoli® Identity Manager for user management and provisioning — centrally coordinates the creation of user
IBM Tivoli Access Manager software for access control — provides consistent identity-driven control from a single administration console, enabling single-policy access management across a broad range of resources; Tivoli Access Manager family includes:
For an overview of how identity management can work as a cost-effective security framework across your enterprise, read the IBM executive brief on identity management:
IBM also offers more detailed buyerâ€™s guides you can use when considering user provisioning and management, and access control solutions:
DB2, Lotus, IBM, the IBM logo, the On Demand Business logo, Tivoli, TotalStorage and WebSphere are trademarks of International Business Machines Corporation in the United States, other countries or both. UNIX is a trademark of The Open Group in the United States and other countries. Microsoft, Windows and Windows NT are trademarks of Microsoft Corporation in the United States, other countries or both. Other company, product and service names may be trademarks or service marks of others. Each IBM customer is responsible for ensuring its own compliance with legal requirements. It is the customer’s sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect its business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its products or services ensure compliance with any law or regulation. Software products and services provided by third parties are sold or licensed under the terms and conditions of the third-party providers. Product availability, warranty services and support for third-party products are the direct responsibility of the third-party providers. IBM is not liable for and makes no representations, warranties or guarantees regarding third-party products or services.