The Evolution of Online Data Access: Keeping It Secure
Dec 12, 2011 6:00 AM PT
Access to data has never been easier than it is today. With a few easy steps, it's possible to uncover just about any type of information you can imagine, even data that is supposedly legally protected, such as personal, financial, healthcare and government records.
However, individuals with nefarious intent have successfully found their way around safeguards designed to keep sensitive information under lock and key.
The delicate balance between enabling ubiquitous access to public data while keeping the bad guys away from private data continues to challenge organizations and their IT departments. How these IT managers walk that tightrope and utilize technology to do so remains a critical component of an organization's security strategy.
Catalysts for Rethinking Data Management
Consider how different today's world is from just a decade ago. In light of the many changes in the security landscape over the past 10 years, we have witnessed the U.S. government renew its commitment to improving the way knowledge and data is shared among government agencies. For example, the Federal Information Security Management Act (FISMA) introduced in 2002 brought much-needed attention to the critical nature of cybersecurity and its impact on national security within the federal government.
But what remains the government's most critical task in securing data management is the ability to manage user identities. It is critical to accurately verify the identity of individuals who attempt to access secure online sites and Web portals. Users need to be able to set up their identity and want the ability to sign on to the applications just once. As such, many organizations take a federated approach to identity management, which enables multiple applications to share users' credentials.
As part of a federated identity management system, an organization's IT department implements enterprise-wide mechanisms for policy-based user authentication, such as single sign-on (SSO) and Web access management.
Federated SSO, for example, enables users to sign onto the sites of multiple businesses and organizations by using one set of credentials. By establishing trusted relationships across these IT departments, a user can log on using a single identity and password to access all of the services -- providing secure and seamless entry to disparate Web-enabled applications, whether from within an organization's on-premise intranet or an off-premise extranet.
Consider the scenario of a government revenue agency that needs to be able to share information with individuals, and also with business partners such as the providers of tax preparation services and other entities. In this case, a number of users -- both inside and outside the agency -- will need access to Web applications through a Software as a Service (SaaS) and cloud-computing data environment. If one of these entities is operating in a public cloud environment, for example, they must be certain that the party requesting information really is the government revenue agency or tax preparer they claim to be, and not a cybercriminal trying to access someone's personal details. Federated access-control measures built into an organization's existing identity and access management technology infrastructure helps to ensure this.
Considerations Beyond Meeting Minimum Requirements
In today's reality of numerous high-profile data thefts, the last thing an IT manager or department head needs is their company becoming part of the news headlines and the next big data breach. Thankfully, there is no shortage of solutions and techniques to consider for maintaining data security.
As government departments continue to provide integrated services, both for their own employees as well as their citizens, federated identity management can serve as a key part of this strategy as an easy-to-use, effective mechanism to tie together the underlying IT infrastructures. Key considerations and best practices for government organizations looking to implement a federated identity management system include:
- Linking HR systems with identity and access management: By linking HR systems to identity and access management, any changes made to items such as policies or personnel are quickly reconciled within the system to ensure access integrity and de-provision unauthorized users as appropriate.
- Ensuring secure application access: Federated identity management systems can strengthen application usage and reduce administrative tasks such as password resets and user account management within cloud-based infrastructures. Federated identity management protects critical applications with auditable access controls, arming only authorized personnel with permissions to retrieve critical or sensitive applications and related data.
- Conducting regular access audits: To ensure proper usage, government agencies must consistently monitor user activity and facilitate compliance with organizational policies and regulatory mandates. This will significantly reduce the risk of internal threats and quickly identify any abnormal behaviors that need to be reviewed and remediated.
No matter what the motivation, forward-thinking government organizations clearly recognize the need for effective data and identity management. Of course, challenges remain -- costs, IT readiness and evolving threats, just to name a few -- but increased vigilance and a willingness to respond to the demands of our data-hungry world will pay off for the organizations that make the effort.