If my organization is starting from scratch, having almost no identity management features and only very traditional access control coded on the legacy mainframe systems, how should we begin to implement an identity management program?
Explaining how to build an identity management and access control program from scratch could easily stretch beyond the scope of these few short paragraphs. But, generally speaking, there are four broad steps to implementing an access management system: asset inventory, risk assessment, architecture review and implementation. These steps should flow from your information security policy, something that your company should already have drafted.
Before you begin an implementation, you have to know what you want to protect. Start with a complete inventory of all of your IT assets. The first thing that comes to mind when thinking about what to protect is hardware — servers, routers, and workstations, for example — but other assets include data and information hosted and stored on your hardware, so don’t forget to include databases. Beyond that, there’s also software, applications and more specific data, like customer and employee information, proprietary company statistics and transaction records.
It sounds pretty complicated, but the next step, the risk assessment phase, simplifies it. The data classification scheme from your information security policy should drive risk assessments. First, take your inventory and break it down into categories based on risk. Data, for example, should be classified somewhere on a three- or five-point scale that ranks low, moderate and high risk. Risk can be determined by assessing the value of the data and figuring how much damage its loss or alteration could cause. Risk assessment is a broad field, but there are online resources available from the National Institute of Standards and Technology (NIST) Web site. This site provides templates and procedures for conducting assessments.
The important point to remember is that your access control policy should be based on your level of risk. High-risk assets need stronger controls, and low-risk data can get by with less strict ones. For example, you wouldn’t implement an expensive two-factor authentication system for access to publicly available marketing information. You might, however, for access to a customer database, where the risk of identity theft is great.
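The inventory, classification and risk-based control steps above can be turned into a simple gap check. The following is an added example, not from the original column: it rates each inventoried asset on a three-point scale for confidentiality, integrity and availability, takes the highest rating as the asset's risk tier (the "high-water mark" approach), maps each tier to a baseline set of access controls, and reports which assets fall short of their baseline. The asset names, impact ratings, control names and tier-to-control mapping are constructed for illustration; a real program would take them from the organization's own security policy.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Impact(IntEnum):
    """Three-point impact scale, as in the column's example classification."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass
class Asset:
    """One row of the IT asset inventory (hardware, database, application, data)."""
    name: str
    kind: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact
    # Access controls currently in place for this asset (constructed labels).
    controls: set = field(default_factory=set)

    def risk_tier(self) -> Impact:
        # High-water mark: the worst of the three impact ratings governs the tier.
        return max(self.confidentiality, self.integrity, self.availability)


# Baseline controls per tier: stricter controls as risk rises (assumed policy).
REQUIRED_CONTROLS = {
    Impact.LOW: {"password"},
    Impact.MODERATE: {"password", "role_based_access", "access_logging"},
    Impact.HIGH: {"password", "role_based_access", "access_logging",
                  "mfa", "periodic_access_review"},
}


def required_controls(asset: Asset) -> set:
    """Controls the policy demands for this asset, based on its risk tier."""
    return REQUIRED_CONTROLS[asset.risk_tier()]


def control_gaps(inventory: list) -> dict:
    """Map asset name -> sorted list of required controls it is missing.

    Assets that already meet their baseline are omitted from the result.
    """
    gaps = {}
    for asset in inventory:
        missing = required_controls(asset) - asset.controls
        if missing:
            gaps[asset.name] = sorted(missing)
    return gaps


# Constructed sample inventory mirroring the column's examples.
SAMPLE_INVENTORY = [
    Asset("public marketing content", "data",
          Impact.LOW, Impact.LOW, Impact.LOW,
          controls={"password"}),
    Asset("customer database", "database",
          Impact.HIGH, Impact.HIGH, Impact.MODERATE,
          controls={"password", "role_based_access"}),
    Asset("transaction records", "data",
          Impact.MODERATE, Impact.MODERATE, Impact.LOW,
          controls={"password"}),
]


if __name__ == "__main__":
    for asset in SAMPLE_INVENTORY:
        print(f"{asset.name}: tier {asset.risk_tier().name}")
    for name, missing in control_gaps(SAMPLE_INVENTORY).items():
        print(f"GAP {name}: missing {', '.join(missing)}")
```

Running the script lists the tier of each asset and then only those assets whose current controls fall below their tier's baseline; the public marketing content, rated low on every axis, correctly needs nothing beyond a password, while the customer database is flagged for multifactor authentication and access review.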
The third step is the architecture review. Simply put, what systems are you running? Are they Windows- or Unix-based? For Windows, Active Directory might be the access management system of choice, since it’s primarily designed for Windows architectures. For Unix and Linux systems, the answer might be LDAP. There are no cut-and-dried answers; it depends on your architecture, and there are options for many diverse platforms.