Managing access to protected resources (applications, services and their data) for users in the extended enterprise (which consists of employees, temporary employees and contractors, business partners, and customers) can be a daunting task. New applications and services are continuously being developed and deployed; new users join the extended enterprise, change roles within it, and eventually move on. To the extent that policies regarding access must be managed on a user-by-user, application-by-application basis, the effort involved is exceedingly large, and the probability of implementation without error is infinitesimally small.
The sheer diversity of resources to be protected speaks to the complexity of the access management problem. The average organization participating in Aberdeen’s study attempts to manage literally hundreds of applications and services. As if this weren’t enough, different stakeholders have different perspectives and objectives when it comes to managing access:
- End-users need convenient and reliable access to protected resources to carry out their day-to-day business activities.
- Business owners use policies to express their objectives for the business as a function of strategy, risk, cost and compliance.
- Auditors use roles and rules to demonstrate that the right users have the right access to the right resources at the right time.
- IT uses roles (groupings of users) and rules (groupings of policies) to simplify the management of increasingly complex computing environments (more users, applications, platforms and compliance requirements), and to support higher scale at lower cost.
Abstracting Access From the Applications
Aberdeen’s benchmark research in “Managing Access: Roles, Rules, Privileges and Entitlements” shows that the Best-in-Class companies (i.e., the top 20 percent of all study participants) are 10 times more likely than all others to enforce access policies external to applications and services, as opposed to enforcing access policies using their embedded native capabilities. The strategy of abstracting common elements of identity and access from applications and services themselves is the key to breaking the cycle of perpetually “setting the clocks” yet never quite being in sync or on time. With both the number and variety of applications expanding — and the business depending on the right users having the right access to the right applications and services at the right time — this centralized approach to access management improves security and compliance, reduces the overall cost of management, supports greater complexity, and enables higher scale.
Common approaches to managing access include the following:
- Under discretionary access control, each resource has an owner who controls access to it, and each resource carries an associated access control list (ACL) that the owner maintains. This is the default access control mechanism for most endpoint operating systems.
- Under role-based access control, access to resources is allowed or denied based on membership in a set of roles which have been defined by an administrator. Each user (or group of users) is assigned to a pre-defined role, which in turn has been bestowed with specific access permissions.
- Under rule-based access control, access to resources is allowed or denied based on a set of rules which have been defined by an administrator. For example, current location may determine your access to print services.
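The three models above, evaluated by a single policy decision point that applications call rather than embedding their own checks (the externalized approach the preceding section credits to the Best-in-Class), as an added example. This is illustrative code, not anything from the Aberdeen report; the users, resources, roles and the "on-site printing" rule are constructed sample data, and the deny-by-default combination (an ACL or role grant is required, and every applicable rule must also hold) is an assumption of the example rather than a statement of any particular product's semantics. The `idle_roles` check at the end flags roles with no members or no permissions, the kind of accumulation the next paragraph describes as role creep.

```python
# Minimal externalized policy decision point (PDP) covering discretionary,
# role-based and rule-based access control. Added example, not from the report.
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Request:
    """One access request, as an application hands it to the PDP."""
    user: str
    action: str                                   # e.g. "read", "write", "print"
    resource: str                                 # e.g. "doc:ledger", "svc:print"
    context: dict = field(default_factory=dict)   # e.g. {"location": "office"}


@dataclass
class Decision:
    allowed: bool
    reason: str   # kept so an auditor can see why access was granted or refused


class PolicyDecisionPoint:
    """Central policy store and evaluator; applications only call decide()."""

    def __init__(self) -> None:
        self.owners: dict[str, str] = {}                       # resource -> owner
        self.acl: dict[str, dict[str, set[str]]] = {}          # resource -> user -> actions
        self.user_roles: dict[str, set[str]] = {}              # user -> roles
        self.role_perms: dict[str, set[tuple[str, str]]] = {}  # role -> {(action, resource)}
        self.rules: list[tuple[str, str, str, Callable[[Request], bool]]] = []
        self.audit: list[tuple[str, str, str, bool, str]] = []

    # Discretionary: the resource owner manages its ACL.
    def register_resource(self, resource: str, owner: str) -> None:
        self.owners[resource] = owner
        self.acl.setdefault(resource, {})

    def grant(self, granter: str, resource: str, user: str, action: str) -> bool:
        """Only the owner may change the ACL; returns False otherwise."""
        if self.owners.get(resource) != granter:
            return False
        self.acl.setdefault(resource, {}).setdefault(user, set()).add(action)
        return True

    # Role-based: an administrator defines roles and places users in them.
    def define_role(self, role: str, *perms: tuple[str, str]) -> None:
        self.role_perms.setdefault(role, set()).update(perms)

    def assign_role(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    # Rule-based: a named predicate over the request's context.
    def add_rule(self, resource: str, action: str, name: str,
                 predicate: Callable[[Request], bool]) -> None:
        self.rules.append((resource, action, name, predicate))

    def decide(self, req: Request) -> Decision:
        """Deny by default; a grant is required and every applicable rule must hold."""
        decision = self._evaluate(req)
        self.audit.append((req.user, req.action, req.resource,
                           decision.allowed, decision.reason))
        return decision

    def _evaluate(self, req: Request) -> Decision:
        granted = None
        if self.owners.get(req.resource) == req.user:
            granted = "owner"
        elif req.action in self.acl.get(req.resource, {}).get(req.user, set()):
            granted = "acl"
        else:
            for role in sorted(self.user_roles.get(req.user, ())):
                if (req.action, req.resource) in self.role_perms.get(role, set()):
                    granted = f"role:{role}"
                    break
        if granted is None:
            return Decision(False, "no ACL entry or role grants this action")
        for resource, action, name, predicate in self.rules:
            if resource == req.resource and action == req.action and not predicate(req):
                return Decision(False, f"rule '{name}' not satisfied")
        return Decision(True, f"granted via {granted}")

    def idle_roles(self) -> set[str]:
        """Roles with no members or no permissions: candidates for pruning."""
        used = set().union(*self.user_roles.values())
        return {r for r, perms in self.role_perms.items() if r not in used or not perms}


def build_demo_pdp() -> PolicyDecisionPoint:
    """Constructed sample policy data for the example (not from the report)."""
    pdp = PolicyDecisionPoint()
    # DAC: alice owns a document and lets bob read (but not write) it
    pdp.register_resource("doc:alice-notes", owner="alice")
    pdp.grant("alice", "doc:alice-notes", "bob", "read")
    # RBAC: roles defined by an administrator, users assigned to them
    pdp.define_role("finance", ("read", "doc:ledger"), ("write", "doc:ledger"))
    pdp.define_role("employee", ("print", "svc:print"))
    pdp.define_role("legacy-approver")   # left over from an old project: no permissions
    pdp.assign_role("carol", "finance")
    for user in ("bob", "carol", "dave"):
        pdp.assign_role(user, "employee")
    # Rule: printing is only permitted from the office
    pdp.add_rule("svc:print", "print", "on-site printing",
                 lambda r: r.context.get("location") == "office")
    return pdp
```

Because every decision passes through `decide()`, the audit list is a single place to demonstrate who was allowed what, and why; adding a new application means registering its resources here, not re-implementing the checks inside it.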
Where roles are being used, the research shows that they are defined in many ways (e.g., by job function, department, task, level, title, business unit and project). Over time, this can contribute to a general accumulation or “creep” in the number of roles being managed. In this study, the average number of roles was 650 for the top performers, as compared to 1,700 for all others (Industry Average and Laggards combined). To paraphrase the great mathematician Blaise Pascal, “We have more roles than are needed, only because we have not had the time to make them fewer.”
50 Percent Higher Scale at 17 Times Lower Cost
Best-in-Class and all others in the study were similar in terms of the number of employees for whom access is being managed. However, the Best-in-Class are supporting more than twice the number of temporary employees and contractors, and more than six times the number of users from business partners. In other words, the top performers are able to manage expanded access for more than 50 percent more total users across the entire “extended enterprise,” in support of the company’s objectives for increased collaboration, innovation and business growth. They are doing so with far fewer administrative resources, giving the top performers in the study a 17-fold advantage in terms of the total cost of managing access, while supporting higher scale. The average full-time equivalent administrator cost per user per year for the top performers in the study was just US$40, compared to a whopping $680 for all other study participants. The strategy of abstracting common elements of identity and access to be managed externally from the applications themselves is the key to supporting greater complexity and higher scale at lower cost.
Balancing Risk and Reward
Aberdeen’s research in IT security has consistently noted that companies are compelled to make investments for security and compliance (these are unrewarded risks), but most are not realizing meaningful returns. They have started down the path, but they are basically running in place and are painfully distracted from managing the type of rewarded risks that really matter: those that create value for their customers and ultimately grow the business.
Once the business processes for security or compliance are accepted as tasks that must be done, top-performing companies seek to optimize them for efficiency, allocate resources to minimize their ongoing operational cost, and maximize the remaining investments that are in alignment with their strategic objectives. Toward this end, the Best-in-Class organizations in managing access are four times more likely than Laggards to have workflow-based approval for authorizing access rights — effectively pushing the responsibility for authorizing access out of the hands of IT and into the hands of the business owners.
Challenges to Come
Two additional insights from Aberdeen’s research regarding access management technology are notable:
- The importance of privileged users: Consistent with Aberdeen’s November 2008 research on “Managing Privileged Users,” among Best-in-Class organizations in the current study, only half (52 percent) are actively managing an important but frequently overlooked area of security risk: highly skilled users with highly privileged access. Examples of this include administrator on a Windows system; root on a Unix server; enable on a Cisco device; sa (system administrator) on SQL servers; and embedded passwords commonly found in databases, applications and scripts. Although such privileged users are much fewer in number, they represent significantly higher risk, because broad access privileges are concentrated in administrators who also have high technical skills. Contrary to current practice, access for privileged users should be among the first to be taken under proactive management.
- The impact of cloud-based computing: The research indicates strong interest and solid growth on a relatively small base for cloud-based applications; 20 percent of all respondents indicated current use of Software-as-a-Service, with another 6 percent planning deployment in the next 12 months and 24 percent evaluating. Moving more and more applications and services to the cloud should be a wake-up call for the need to externalize access management; companies should expect the same level of access assurance for the applications and services they choose to deploy in the cloud as they have in place for those hosted in-house.
Derek Brink is vice president and research director of IT security at the Aberdeen Group.