Identity and access management planning is essential because midmarket companies are often more at risk than larger enterprises, as they often have minimal or no formal identity management policies in place.
Identity and access management is a complex issue: it's technology, it's policies and it's checks and balances by IT professionals. And in these days of heightened security, identity management is becoming more prominent in the security food chain. Properly identifying users of your systems, whether they are within your organization or external, is key to protecting your data and business. Browse through our resources, articles, tips and expert advice columns on identity and access management for midmarket CIOs.
For free advice and resources on more IT and business topics, visit our list of Midmarket CIO Briefings.
Table of contents
High-profile data breach incidents, such as those at The TJX Cos. and the U.S. Department of Veterans Affairs, have brought the need for effective identity and access management (IAM) into sharp focus for many IT departments and executive boardrooms. Still, with adoption rates at no higher than 30%, comprehensive IAM products are only in the "early mainstream" phase, according to Jonathan Penn of Cambridge, Mass.-based Forrester Research Inc. "I've yet to meet anyone who has it all," Penn said.
But that may be changing, as the Sarbanes-Oxley Act and other compliance regulations have ignited a new push in the IAM space. Framingham, Mass.-based IDC estimates that revenues in the IAM market will increase nearly two-thirds between 2005 and 2010 to an estimated $5.1 billion. Even for companies not grappling with compliance issues, IAM has become increasingly important for protecting data both internally and externally.
Small and medium-sized businesses (SMBs), however, should proceed with caution when selecting and implementing an IAM product. "Many SMBs don't have the expertise to execute a project like this because of the intricate levels of integration involved," noted Sally Hudson, research director for identity and access management at IDC. "A company has to understand the skill sets required to monitor and maintain the system."
Learn more in "Identity and access management provides security and more."
For a relatively small medical center, Good Samaritan Hospital is a sophisticated user of medical technology. The 247-bed community hospital based in Vincennes, Ind., has had bar-coded medication at the bedside for nearly a decade. But capital IT expenditures compete with equipment such as CT scanners and lab analyzers that actually generate revenue. So when CIO Chuck Christian looked into implementing single sign-on (SSO) solutions a few years ago, the argument that SSO was prudent security for a HIPAA-regulated institution was compelling but insufficient.
Christian doesn't have IT money to throw around, recession or no recession. The CIO of Good Samaritan hospital and medical center, which serves five counties in west central Indiana and southeastern Illinois, runs IT with a $3 million annual budget, a staff of 27 and an all-hands-on-deck approach. "I have two managers and everybody works," said the aptly named Christian, who develops software as needed and is deeply involved in IT purchases.
With SSO, "We needed to find something that fit into our budget and was not cumbersome to operate and maintain," he said. Many of the high-profile single sign-on solutions in the marketplace came with a lot of add-ons and the assumption that if you bought the one, you bought them all. He needed a solution that integrated with Microsoft's Active Directory and allowed users to log on to workstations one time to be given access to all the applications they would need.
Find out more in the full story, "A CIO's advice for implementing single sign-on solutions."
Network access control (NAC) first got the attention of security pros in the wake of the Blaster worm in 2003. Here was a technology that checked student machines at the network gate and kept the sick and dangerous at bay. As one academic we interviewed gushed, who wouldn't want NAC on their network?
Six years later, still lacking a single standard and proving more difficult to implement than it first appeared, network access control is nonetheless being hailed as a valuable, if not critical, security technology. Indeed, Forrester Research Inc. is predicting a blockbuster year for NAC, claiming in a recent report that this watchdog technology is fast becoming "a critical component in making many security initiatives efficient and a seamless part of the network infrastructure." Gartner Inc. research director Lawrence Orans calls NAC "a valuable defense that you can add to your network," adding "our advice is start doing NAC now."
The technology has moved beyond simply checking and isolating an endpoint device that doesn't have up-to-date security protection to compliance, according to Forrester analyst Robert Whiteley. Now companies are using NAC to check endpoints continually for anomalous behavior and even to monitor employees' roles and rights to network access. NAC can shine a light on stuff you never knew or long forgot belonged to you, thus also helping with asset management.
Learn more in "Network access control: Pointers for getting the knack of NAC."
