Kathy Gibson reports from SMEXA 2014 – IT is seeing massive changes, and the reason is that consumer expectations are changing.

NetIQ’s Connie Grobler points out that too often IT is unable to meet consumer needs, so users simply go out and rent services on the cloud.

This adds a new dimension to system management; and

The key trends within the industry are cloud, mobile, BYOD and social networks, but they must be governed properly.

“Cloud is just software that can be purchased with a credit card – anyone can do it,” Grobler says. “Companies need to think about ways to control and manage these applications or services.

“As IT we need to figure out how we can embrace the cloud.”

Mobility is the ability for users to work from anywhere, and it’s driving the concept of work as an activity rather than a place.

“For IT we need to control access to our data regardless of where those people are; or to control what they can see depending on where they are.”

BYOD has forced possibly the biggest change in IT’s life, simply because users have insisted on using their own devices.

“The devices are everywhere. Multiple people have multiple devices, they access information on any device.

“It also changes the way people work. But the organisation still needs to control the access to corporate data from these devices. And IT has to balance the dilemma of controlling access without infringing user rights.”

Another big driver of change is social identity, Grobler adds, and IT needs to have a strategy on how to embrace these social identities and offer people access to corporate information.

“There is a big change that has happened,” says Grobler. “For the past 20 or 30 years, IT was in control and they made the decision on what would be used and how it would be used in the organisation.

“IT also developed and enforced the policies that would be used.

“But that has all changed. Control has shifted to the user. There are more than 2-billion internet users and 5,6-billion mobile subscribers – this all impacts IT.”

IT has to balance allowing users to do business in a way that is convenient for them against the business risk.

“So where do you start?” Grobler asks.

She recommends starting with people: with users or customers or stakeholders.

“In order to be secure, it doesn’t help to have firewalls. If you don’t know who you are working with you may as well not have a firewall in place.”

But the “who” alone is not good enough. “You need to understand the why, when, what, how and where related to the person as well,” Grobler says.

All of this adds up to intelligent access, she adds. This is made up of access fulfilment, access authorisation and access monitoring.

Access fulfilment involves managing a user’s access over their entire lifecycle based on policy. Products to enable it include access governance, user provisioning and directory management.

Access authorisation means authenticating and enforcing access based on policy. Products to enable it include access management, enterprise single sign on and privileged user management.

Access monitoring lets IT track and observe how access is being used. Products include security information and event management, log management and configuration management.

“To deliver enterprise assurance is about maximising the value of identity to provide access to the right resources for the right individuals from any device, anytime and then to monitor the usage of this access in real-time,” Grobler says.

She defines an identity as someone engaging with the organisation; these identities could be held on authoritative resources. When there’s a change, it needs to happen in the authoritative resources.

Because people’s roles and interactions change over time, IT needs to be on top of changing the roles and authorisations on the systems. So it’s important that identity provisioning takes place throughout the user lifecycle – managed centrally and controlled effectively.

Policy, software, infrastructure controls and education are the elements required to manage the challenge of BYOD.

This means the IT organisation must centrally control access to all resources, including those in the cloud. It must also centrally control access from mobile devices into corporate applications, on premise or in the cloud, Grobler says. Internal access policies must be extended into the cloud.

Importantly, access needs to be reviewed on a regular basis; IT should monitor actual usage and manage it accordingly.

Grobler urges IT organisations to leverage social identities wherever possible.

Grobler points out that there are intelligent solutions that will allow IT to gain insight and focus on areas where there might be a risk.

It’s vital to have a centralised view of risk and compliance, she adds. Equally important is the need for reporting and analysis.