Gone are the days when securing sensitive business information meant locking up documents in the company filing cabinet. Modern organizations are rapidly recognizing that even user names and passwords aren’t enough to limit access to networks and applications.

Businesses and government agencies are struggling to figure out the best way to adapt to these changes and redefine their Identity and Access Management (IAM) policies.

As mobile devices and cloud-based access gain momentum, organizations have to rethink these policies for employees who need to access business networks and apps. Additionally they need policies for consumer and vendor access as well.

“We’ve got 40 to 50 years of security practitioners thinking within the four-walled fortress model. Access control is not about that,” says Jeff Nigriny, CEO and president of CertiPath LLC.

In the past six to eight years, there has been a shift from all applications and IDs being safe and secure within an enterprise. Now much of that information is external in the cloud. “That changes the way you think about handling policy,” says Andrew Hindle, Director of Worldwide Technical Marketing for Ping Identity.

Large enterprises are suddenly finding that the only way to protect access is by using standards and ID policies to make sure only the right people are accessing the right things at the right times, he says.

Some businesses and agencies are adapting their approach to access. If someone is trying to access an app outside of business hours, an organization might ask for an additional piece of authentication, Hindle says.

Given the many changes in technology, progressive enterprises are building policy and deploying tools that layer on top of existing infrastructure, Hindle says. Companies don’t want to have to rip out and replace all of their existing technology.

IT-business disconnect

Building policy around an organization’s old and new infrastructure is not a simple task. Earl Perkins, research vice president for Gartner Inc., sees a disconnect between companies’ IT departments and the managers who run business operations. It is a divide that enterprises are having to learn how to bridge. That disconnect, he says, creates a lack of awareness on the part of the business on how to create Identity and Access Management policies.

Businesses have long depended on their IT departments to provide guidance on IAM. The problem, Perkins explains, is that while IT understands the technical issues that surround implementing these policies, they don’t fully understand the business implications. At the same time, the business side doesn’t fully grasp the technical issues.

For example, a business manager might want to equip one of the company’s engineers with certain access privileges, but that manager might not know how to have the conversation with IT regarding mapping and setting up those privileges. “Business and IT speak two different languages,” Perkins says.

The IT vendors who make IAM software are gradually improving their products to make them more business friendly, Perkins says. In the meantime, however, businesses have to rely on consultants and integrators to help configure and apply IAM policies and products.

“As long as there’s that complexity in terms of changing business policy into tech policy and those product vendors don’t fix it, you’ll always need these consultants,” Perkins says.

---

Related articles:

What it takes to issue PIV-I credentials It’s not your enterprise IAM What is an identity ecosystem?