ID & Access Mgt. Skills in High DemandAdoption of Cloud Computing, Mobile Tech Pushes Growth
Information security professionals with ID and access management skills are in high demand. That's because the growth in the use of cloud computing and mobile technologies is creating new potential vulnerabilities stemming from remote access to systems.
"No longer is identity just associated with people; devices, applications and services all need identities today," says Alan Ross, an IT security architect at Intel Corp. who focuses on identity and access management issues.
Organizations allowing employees to use personally-owned devices for business purposes must be prepared to manage additional identities around devices and applications. "With mobile, it's a shift to multidimensional capabilities," Ross says. "We now have to manage hundreds of millions of employee relationships based on growing device identities and remote access rights to corporate applications."
That's why security professionals with expertise in ID and access management are playing a more important role. "These experts form a critical backbone of the company," says Sam Curry, chief technology officer at RSA, a security technology company. "Typically they are the ones responsible for getting the company to the next-generation infrastructure."
Security professionals who want to develop ID and access management proficiency should understand the concept of federating identities across the enterprise, learn about provisioning access to the right people and resources, and get involved with managing the end-to-end life cycle of digital identities.
Making the Transition
Transitioning into an ID and access management role is relatively easy for network and application security professionals, says Chris Brennan, chief executive officer and founder of NetAuthority, a provider of identity and device authentication solutions. That's because provisioning and protection of identities requires technical knowledge and understanding of network protocols, digital certificates, passwords, applications, web services, access controls and portals.
"These individuals have the foundation to leverage existing IT assets and build new computing models for future business environments," Brennan says.
ID and access management involves controlling who has authorized access to networks and what information they can view, based on their role. "It's basically about establishing trust," says Tracy Hulver, a senior manager at Verizon's Unified Identity Services Group. The goal is to "ensure that the right people have access to the right resources and are doing the right things with that access."
Those involved in ID and access management also help develop processes for quickly identifying unauthorized access and activity.
"Securing assurance that people and devices coming into an organization's data stores are identified and authorized is a big step in preventing security incidents," Brennan says.
Smaller companies often rely on vendors to roll out their ID and access management technologies. But for companies beyond 5,000 users, hiring a full-time expert in this field makes sense, Hulver says.
Career opportunities are plentiful for practitioners with ID and access management skills. "They are essential hires if businesses want to remain competitive and offer users the next-generation experience of compute on demand," Curry says.
Three Must-Have Skills
Security practitioners need to develop the right skills to help their organizations embrace new IT and business initiatives. Key expertise includes:
- Federation. With the shift to cloud computing and the growth in the use of mobile technologies, ID experts need to understand federated identity management. Federation is an approach that allows individuals to use the same user name, password or other personal identification to sign on to the networks of more than one enterprise to conduct transactions. "Federation is still in its evolution, but expertise in the area can bring high rewards to an ID practitioner's career," Curry says.
- Provisioning. Managing enterprise identity and access information is becoming more challenging as a result of the proliferation of user accounts and granular privileges across multiple platforms and applications. That's why professionals need to clearly understand user provisioning.
Provisioning involves ensuring that the right people get access to the right business resources at the right time. It primarily occurs at three critical points in an employee's relationship with the organization: when the employee joins, changes roles or leaves the enterprise. For example, when an employee transfers from one role to another within the company, its provisioning that removes access to business systems that are no longer appropriate for the employee to use.
"Provisioning has become a critical skill, especially now when we need to be thinking about devices and people combined," Ross adds.
- ID Life Cycle. Professionals must understand the end-to-end life cycle management of digital identities. That includes creation, utilization, re-distribution and termination of credentials, such as passwords, digital certificates or tokens.
User rights and privileges that are associated with identities also must be managed. For example, when an employee receives a promotion, his information access privileges might need to be expanded.
"Professionals that truly understand the ID life cycle maintain a more vigilant IT security posture," Hulver adds.
To develop these skills, ID experts recommend practitioners:
- Develop an in-depth understanding of Security Assertion Markup Language, or SAML, for exchanging authentication and authorization of data among security domains;
- Understand OpenID, a standard that describes how users can be authenticated in a decentralized manner; and
- Become familiar with relevant regulations and governance issues to ensure that information about users, how they are authenticated, and what access rights they have can be maintained more securely.
"One cannot learn by just picking up a book," Curry says. "Pros will have to live and experience it and be cross-functional ... to do well in this field."