The Black Book of Identity Access Mgmt

    IAM: It’s not just for security anymore

    One reason IT staff often has difficulty budgeting for security is the impression that it’s overhead.  They make do with Active Directory for a user store, helpdesk for workflow, tokens for access, Crystal for reporting, and optimism for compliance.

    Every single vendor will say of their product, “We’ll save you money. We’re faster and more efficient and blah blah blah.” And that’s probably true of all those products, if you deploy them to the best of their ability and yours. But let’s discuss that in a little more detail.

    I work mainly with the Oracle security suite. And the Number One thing I’m getting traction on with customers is COMPLIANCE. Twice in the last month I’ve been told by customer contacts (and of course I’m paraphrasing), “I called you in because of our last audit. It’s more important than security.”

    One guy even told me, “I won’t get fired if we get hacked. Everybody gets hacked. But I will get fired if we fail another audit.”

    And it’s true from my side: I can secure your infrastructure and greatly limit the ability for bad guys to gain access to sensitive apps, resources, or data. But there is absolutely no guarantee in life. However, I can provide pretty good assurance that if we have a good inventory of your compliance requirements, I can vastly improve your ability to successfully get through an audit. Again, no guarantees, but if I can see the targets, I can meet them. As opposed to security, where you don’t know if you’ve missed the mark UNTIL you get hacked.

    You absolutely can save money on compliance if you’ve built your compliance processes into the platform. Create and maintain that list of resources, users, and entitlements. Ensure least-privilege. Terminate users in a timely fashion. Provide audit and visibility and reporting.

    Okay, so that’s the money-saving stuff. But how about revenue-generating stuff?

    You may not be in a position to make money through your operations. But there are several situations where I’ve been able to enhance revenue generation for customers by business-enabling their services, or by making their existing services far easier to engage.

    If you make margin by attracting and keeping customers, then here’s a chance for your IAM structure to shine. Make it easy for customers to register, create accounts, establish their access, request new access, and manage passwords, locked-out accounts, and requests.  This is what Oracle Access Manager does best.

    Now, your intellectual property only has value if you can control access to it. So you need policies to lock down access to only authorized users. You need to make it easy for those users to authenticate to your stuff, and impossible for anybody else to do the same.

    You might also want to throttle that access. Not just who can get the stuff, but how many transactions they can run in a given period, how much bandwidth they get, how many concurrent sessions they can run, and what times of day or days of the week they can get that access. And of course measure all the activity.

    If a customer is gold, platinum, silver, if they’re a deadbeat, if they’re a trial customer, if you’re running a special, if they’re receiving a credit for recommending another customer, ALL of these things can affect access. And you can pull all that off with IAM.
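
The throttling and tiering rules described above, as an added example (not code from this post or from any Oracle product): a small policy gate that enforces per-tier transaction rate, concurrent sessions, and permitted days and hours, and records every decision for reporting. The tier names, the limits and the `AccessGate` class are assumptions made for illustration.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class TierPolicy:
    max_requests: int     # transactions allowed per window
    window: timedelta     # length of the sliding window
    max_sessions: int     # concurrent sessions per customer
    days: frozenset       # datetime.weekday() values, Monday = 0
    hours: range          # permitted hours of the day

# Hypothetical tiers and limits, chosen only for this example.
POLICIES = {
    "gold": TierPolicy(100, timedelta(minutes=1), 5, frozenset(range(7)), range(24)),
    "trial": TierPolicy(3, timedelta(minutes=1), 1, frozenset(range(5)), range(8, 18)),
}

class AccessGate:
    def __init__(self):
        self.requests = {}   # customer -> deque of allowed-request timestamps
        self.sessions = {}   # customer -> set of open session ids
        self.audit = []      # one record per decision, allow or deny

    def decide(self, customer, tier, session_id, now):
        policy = POLICIES.get(tier)
        recent = self.requests.setdefault(customer, deque())
        open_ids = self.sessions.setdefault(customer, set())
        # Forget requests that have aged out of the sliding window.
        while policy and recent and now - recent[0] >= policy.window:
            recent.popleft()
        if policy is None:
            verdict = "deny:unknown_tier"   # default deny
        elif now.weekday() not in policy.days or now.hour not in policy.hours:
            verdict = "deny:outside_hours"
        elif session_id not in open_ids and len(open_ids) >= policy.max_sessions:
            verdict = "deny:session_limit"
        elif len(recent) >= policy.max_requests:
            verdict = "deny:rate_limit"
        else:
            verdict = "allow"
            recent.append(now)
            open_ids.add(session_id)
        # Denials are logged too, so reports show what was refused and why.
        self.audit.append((now.isoformat(), customer, tier, session_id, verdict))
        return verdict

    def end_session(self, customer, session_id):
        self.sessions.get(customer, set()).discard(session_id)
```

Changing a customer's tier changes every limit at once, and the `audit` list is the raw material for the measurement and compliance reporting the post calls for.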

    Improve the customer experience, secure that experience, measure that experience, and do it all compliantly.

    One more thing: offer your security services as just that, services. Make them available to your customers through whatever means they desire. In the new social/mobile world, that’s how a lot of people want it. Don’t write me an app, offer me a service.

    Make IAM work for you. It’s not just an expense, it’s a valuable tool. And it comes in all colors. Ours is red.
