Risk within Identity Infrastructure
I’ve often heard vendors and analysts address the risk of an identity management project, but there seems to be a lack of discussion about the risk within the identity management infrastructure itself. Identity management has an increasingly important role within IT infrastructure. If we performed a risk assessment on your existing identity management infrastructure, what would the areas of vulnerability be?
I’ve listed some characteristics of identity infrastructure that could help identify risk:
* Integrated with many aspects of business process, from request, registration, transfer, suspension, and access through to termination and compliance assurance. What is the impact on business operations if the infrastructure you rely on for so many aspects of business process should fail? What if your system fails and no one can request new access or remove a terminated employee?
* Contains sensitive personal information or keys that unlock privileged access to sensitive data systems. How is the information kept confidential and accessible only to authorized personnel? What if you found your name on a report listing people to be terminated in a week? How are the administrative accounts and passwords for sensitive data systems kept confidential? What is the impact if the identity infrastructure can be leveraged to gain privileged access or disclose sensitive records?
* Built on many lines of custom code, with no one left to manage it once the original implementation project has completed. What is the contingency plan to improve the sustainability of your identity infrastructure?
* Depends heavily on AD. The challenge with such a model is enabling users to access externally hosted applications. The model doesn’t work well because one would have to expose some part of AD.
Does your identity infrastructure today expose you to unnecessary risks? And are you aware of adequate countermeasures?