Having the right tools to control who has access to what
information within an organisation has never been more important--both
from an operational and a legal point of view. However, as regulatory
issues such as Sarbanes-Oxley, HIPAA, Basel II and Visa/CISP come into
play, a lot of organisations are struggling to develop a compliance
process that delivers the required visibility and traceability across
their IT infrastructure without a negative impact on ROI
and costs. To achieve this, companies must initiate significant
structural change in IT business processes, which is no easy task for
any organisation--large or small.
An application lifecycle management (ALM) solution with built-in
Identity Access Management (IAM) can provide that crucial structure to
internal data access without hindering business development efforts,
delivering the security that IT needs. Strong IAM technology allows
organisations to securely manage software development and assets while
providing legitimate access for employees, partners and customers to the
business systems they need.
The time is right for these discussions. Today, everyone from
C-level executives and compliance managers to SOA architects and
developers are trying to find ways to ensure that crucial data in their
IT systems is secure at all times.
As IT systems become increasingly open and complex, they also risk
becoming more exposed. With the rise of open source development, the
internet, outsourcing, software as a service (SaaS) and service-oriented
architecture (SOA), a lack of structure around internal access to data
and applications is threatening the integrity of enterprise systems.
There is little doubt that open source components in business
applications bring great productivity benefits to application
developers. However, when the source comes from third parties,
organisations must ensure that it complies with company quality,
security and coding standards. It's also imperative that open
source code isn't included without understanding the licensing
requirements.
As the relentless tide of globalisation continues, the trend for
outsourcing and geographically distributed development (GDD) means that
companies have to manage teams and systems in remote locations.
Proprietary software and valuable intellectual property must be secured
against procedural error, fraud and piracy. Code must be secured by
limiting access to only those projects that are relevant.
With the rise of SaaS and the development of internet business
transactions, enterprises need ways to manage secure access to
information and applications across multiple systems, delivering online
services to employees, customers and suppliers without compromising
security. Companies must be able to trust the identities of users
requiring access and administer user identities in a careful and
cost-effective way. And at a time when development teams are
transitioning toward SOA, companies must also control access to services
and enforce company policies across the infrastructure.
Securing IT is basically a process of implementing the four As:
* Authentication -- ensures that users are properly identified and
that their identities are validated to IT resources.
* Authorisation -- means that users can access only what their job
function allows them to access.
* Administration -- is the management of user access policies.
* Audit -- ensures that all activities associated with user access
are logged for day-to-day monitoring and regulatory purposes. It's
the necessary trail to explain who, what, when, where and how resources
are accessed across the network.
Security and governance have become vital business functions.
Business success is now irrevocably tied to information and data
protection. As access to data comes through software applications,
organisations need software development processes to ensure their
information assets are being accessed appropriately. These processes
need to be built in, structured, repeatable and auditable. Compliance
and security depend on setting up, enforcing and reporting on these
processes.
In its forecasts for 2007, analyst firm IDC predicted that
enterprises will increasingly focus on defining their internal processes
in detail and having proper policies in place to protect the core
business operation. As a result, this year will see the IAM market grow
at a rate of 31 percent, with the market set to be worth approximately
$4 billion by 2009.
IAM defined
IAM merges business processes, security policies and technologies
to help organisations keep their IT resources available yet secure. It
combines software-enabled processes, technologies and policies that let
organisations manage users and specify how those users access resources
across the organisation. IAM allows organisations to securely manage software
development and assets while providing legitimate access for employees,
partners and customers to the business systems they need. Meanwhile,
compliance enforcement and reporting become a natural by-product of
daily operations.
An ALM solution with built-in identity access management can
provide the crucial structure to internal data access and the security
that IT needs--without hindering business development efforts. For
application development, the right IAM technology provides
authentication, role-based access control, audit trails and policy
management. It offers more fine-grained control over the data and
applications users are permitted to access, and the level of those
privileges. Meanwhile, compliance enforcement and reporting become a
natural by-product of daily operations.
To make sure all users have the right access and privileges
required to carry out their duties and responsibilities, enterprises
need to take a comprehensive approach to IAM. End-to-end IAM includes
the following elements across all platforms and for all application
types:
* User account management -- the IAM system must provide ways to
identify authorised users and assign them to specific roles in the
organisation. Administrators must be able to contact users, activate and
deactivate their accounts and view relevant user information.
* Privilege management -- privileges are the functional authorities
users are granted either individually or through their assigned roles.
Role-based access control associates permissions with roles rather than
individual users. Access is thus granted according to individuals' roles and
responsibilities in the organisation: users are assigned specified roles
and, when they start a session, activate the approved roles they need.
* Password management -- IAM includes management and administration
of user passwords.
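The following is an added illustration, not Aldon's product code, of the RBAC model just described together with the four As: administration assigns roles, a session activates only a subset of them, each authorisation decision is checked against the active roles, and every outcome is written to an audit trail. All user, role and project names are constructed for the example.

```python
# Added example: RBAC with per-session role activation and an audit trail.
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class RBAC:
    role_perms: dict = field(default_factory=dict)  # role -> {(action, project)}
    user_roles: dict = field(default_factory=dict)  # user -> assigned roles (administration)
    sessions: dict = field(default_factory=dict)    # session id -> (user, active roles)
    audit: list = field(default_factory=list)       # (when, who, what, where, outcome)

    def _log(self, user, action, target, outcome):
        self.audit.append((datetime.now(timezone.utc).isoformat(), user, action, target, outcome))

    def grant(self, role, *perms):          # administration: define a role's permissions
        self.role_perms.setdefault(role, set()).update(perms)

    def assign(self, user, *roles):         # administration: give a user one or more roles
        self.user_roles.setdefault(user, set()).update(roles)

    def open_session(self, user, sid, roles):
        # A user activates only a subset of assigned roles per session (least privilege);
        # trying to activate a role the user does not hold is refused and recorded.
        if not set(roles) <= self.user_roles.get(user, set()):
            self._log(user, "activate", ",".join(roles), "DENY")
            raise PermissionError(f"{user} may not activate {roles}")
        self.sessions[sid] = (user, set(roles))
        self._log(user, "activate", ",".join(roles), "ALLOW")

    def check(self, sid, action, project):
        # Authorisation: permitted only if an *active* role in this session carries it.
        user, active = self.sessions[sid]
        allowed = any((action, project) in self.role_perms.get(r, ()) for r in active)
        self._log(user, action, project, "ALLOW" if allowed else "DENY")
        return allowed


def demo():
    rbac = RBAC()
    rbac.grant("payroll-dev", ("read", "payroll"), ("commit", "payroll"))
    rbac.grant("auditor", ("read", "payroll"), ("read", "billing"))
    rbac.assign("alice", "payroll-dev", "auditor")
    rbac.open_session("alice", "s1", ["payroll-dev"])       # auditor role left inactive
    can_commit = rbac.check("s1", "commit", "payroll")       # True
    can_read_billing = rbac.check("s1", "read", "billing")   # False: auditor not active
    try:
        rbac.open_session("bob", "s2", ["payroll-dev"])      # bob holds no roles
        bob_ok = True
    except PermissionError:
        bob_ok = False
    return rbac, can_commit, can_read_billing, bob_ok
```

The audit list is the who/what/when/where trail the article calls for; in practice it would be written to append-only storage rather than kept in memory.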
While it can be labour intensive to implement, IAM delivers
tangible business benefits to an organisation, for example:
* it delivers more streamlined user authentication to verify and
control data access while reducing burdensome IT administration and
enforcement
* it enables flexible access control to accommodate the changing
roles and responsibilities of users, ensuring resource availability
without sacrificing security
* it allows customised views based on the relevance and
authority of users, as well as follow-me preferences for ease of use and
improved user productivity
* and it provides automated auditing to meet compliance
regulations with ease.
For both compliance and security, IT organisations must implement
strong process management. The auditing process for large enterprises
can become highly complex, involving both IT and business units. IT
organisations must maintain an audit trail of all activities and
requests, document workflow processes and give feedback to the many
departments that rely on or are affected by their efforts.
Fortunately, these requirements can be met by implementing an
enterprise-wide software ALM solution. ALM helps automate, track, manage
and control changes during software development. The right ALM solution
allows managers to specify the processes and automated approval
workflows they wish to implement through a point-and-click set-up
function. From that time forward, an ALM solution will automate and
enforce those processes. It can provide complete traceability of the
approval process that conforms to audit requirements and shows managers
who's accessing the system. The ALM solution's central
repository keeps track of all change history, project data and assets.
IT organisations that can control their software development
process while maintaining productivity and availability in the face of
today's challenges will be rewarded. Successful implementation of
IAM in tandem with business process improvements and compliance
initiatives can give IT departments the protection they need without
sacrificing agility--ensuring a secure future for the IT department and
the organisation.
Daniel Magid, CEO, Aldon Software. www.aldon.com
COPYRIGHT 2007 A.P. Publications Ltd. Reproduced with permission of the copyright holder. Further reproduction or distribution is prohibited without permission.
Copyright 2007, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.