Organizations have to ensure that employees have the right level of corporate data access to do their jobs, but not so much that they can potentially abuse their privileges. IBM's newest security software promises to make role management a breeze for IT staff.
Called "Security Role and Policy Modeler," the new software provides customers with a "sophisticated approach" to managing what kind of information an employee can access, IBM said Jan. 11. The software comes out of work done by IBM Research and is released by the new IBM Security Systems division, announced last fall.
In most organizations, IT staff relies on various user management tools to assign employees roles, often based on their department or job titles, that define what applications or databases they are allowed to access and what they can't. Groups of employees, such as the human resources department, should not be allowed to access applications belonging to the finance department, for example.
Sales staff may have access to cloud services or social media accounts that shouldn't be granted to other divisions. If an employee has unauthorized access to client information, the organization is vulnerable to security breaches and audit fines. To make the task even more challenging, user roles may change during the course of a year.
"If an organization doesn't know who has access to their data, how can they meet compliance regulations, let alone be secure?" said Marc van Zadelhoff, vice president of strategy and product management at IBM Security Systems. He called identity management a "hot button" for IBM customers.
Security Role and Policy Modeler looks at existing applications, such as Salesforce.com, Oracle Finance and Active Directory, among others, and detects how many permissions each user has. The users are then grouped into roles based on the access permissions they have, and then assigned a "blanket" scheme reflecting the privileges they already have. The roles aren't based on the job title or description, but on what is actually in place, IBM said.
The new software allows companies to efficiently collect, clean up, correlate, certify and report on identity and access configurations, according to IBM. It's important for IT departments to be able to have up-to-date information about user access rights, which will also allow the staff to fix situations where an employee was granted incorrect rights or excessive permissions.
A large hospital may grant access to financial and human resource systems only to specific administrators with a need to work with the data, IBM said in a sample scenario. The Security Role and Policy Modeler software evaluates all the users in the hospital and identifies appropriate groupings based on permissions. This automated process makes it easier to see all the users who have the "administrator" role, as detected by the software, and compare that group to the actual list of administrators.
The administrator can also tweak the blanket schemes on an individual basis to create specialized exceptions, IBM said.
In the earlier hospital example, the individual administrator's access must be revoked if the person's job changes or the person moves to a different part of the organization. The software can also "certify" the employee by checking on a periodic basis whether that user should continue to have that role, considering new job responsibilities, Ravi Srinivasan, program director of IBM Security Solutions, told eWEEK.
The correlation capability helps identify any anomalies and potential compliance issues, especially around separation of duty violations, Srinivasan said.
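The grouping, comparison and separation-of-duty checks described above can be sketched in a few lines. This is an added illustration, not IBM's code or algorithm: it assumes the simplest form of role mining (users with identical permission sets form one role), and all user names, permission strings and rules are constructed.

```python
from collections import defaultdict

# Constructed sample data: user -> permissions collected from each application.
ENTITLEMENTS = {
    "alice": {"hr:read", "hr:write", "finance:read", "finance:approve"},
    "bob":   {"hr:read", "hr:write", "finance:read", "finance:approve"},
    "carol": {"ehr:read", "ehr:write"},
    "dave":  {"ehr:read", "ehr:write"},
    "erin":  {"ehr:read", "ehr:write", "finance:approve"},
    "frank": {"finance:create_payment", "finance:approve"},
}
# Constructed authoritative list of who should hold the administrator role.
APPROVED_ADMINS = {"alice"}
# Constructed separation-of-duty rule: no user may hold both permissions.
SOD_RULES = [("finance:create_payment", "finance:approve")]


def mine_roles(entitlements):
    """Group users whose permission sets are identical into candidate roles."""
    roles = defaultdict(set)
    for user, perms in entitlements.items():
        roles[frozenset(perms)].add(user)
    return dict(roles)


def role_members(roles, required):
    """Users in any mined role that contains all of the required permissions."""
    members = set()
    for perms, users in roles.items():
        if required <= perms:
            members |= users
    return members


def sod_violations(entitlements, rules):
    """Return (user, rule) pairs where one user holds both conflicting permissions."""
    return sorted((u, r) for u, p in entitlements.items() for r in rules if set(r) <= p)


if __name__ == "__main__":
    roles = mine_roles(ENTITLEMENTS)
    for perms, users in roles.items():
        print(sorted(users), "->", sorted(perms))
    # Detected administrators versus the list of people who should be administrators.
    admins = role_members(roles, {"hr:write", "finance:approve"})
    print("unapproved admins:", sorted(admins - APPROVED_ADMINS))
    print("SoD violations:", sod_violations(ENTITLEMENTS, SOD_RULES))
```

A user such as "erin", who lands in a role of one because of a single extra permission, is the kind of outlier that a review of the mined roles would surface.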
Regulated industries, such as finance and health care, often have to show auditors how they manage changes as users change job responsibilities. It may be difficult to be compliant when user permissions are spread across a number of different applications. The new software would simplify that process to meet auditor requirements.
Security Role and Policy Modeler is now available as part of IBM's security identity management software, Tivoli Identity Manager version 5.1, according to Srinivasan.