
Setting up identity and access management for SMBs

Part one of this two-part series outlines the first three steps for setting up an identity and access management system: evaluation, planning and implementation.

This is the first in a two-part series on identity and access management options for small and midsized businesses (SMBs).

The steps for setting up an access management system in an SMB are similar to those for larger enterprises. The difference, as with many IT issues, is that SMBs have more limited resources and smaller budgets. However, the approach is essentially the same.

There are three steps: evaluation, planning, and implementation and provisioning.


Evaluation

Take a close look at what you must secure and who needs access to it. You will need a complete inventory of the systems your users will be accessing, which includes hardware (desktops, workstations and servers) and software (specific applications). You'll also need a list of the individuals inhabiting your network, which includes the number, names and job functions of active users.

Next, you'll need to do a thorough risk analysis. Rank the systems your users access by the risk that unauthorized access would pose. Which systems contain the most sensitive data? Which contain payroll or, say, confidential engineering or marketing plans, and which contain less sensitive information that's already available to the public? Also consider your email system. This ranking will determine how much effort is required and where you should direct your access management dollars.


Planning

Gather the following information about your user base:

  • Determine how you will split your users into groups based on their job functions and the systems they need to access. Users can be members of more than one group, but each group's access should be restricted to the systems it needs, a practice known as the "principle of least privilege." This is especially important for implementing Active Directory, which requires extensive initial planning of user groups and hierarchies.

  • Decide if your users will need remote access. For those who require remote access, which systems do they need to access while out of the office? Are they accessing the network from their homes, or from hotel rooms in some strange city? How are they remotely accessing the system -- with laptops or with personal digital assistants?

  • Determine where to install your access management system and its user database. Whether you use Active Directory or Lightweight Directory Access Protocol (LDAP), your system should be centrally located on your network. It should be secure and installed on hardened servers.
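
An added example, not part of the original article: a minimal least-privilege check in Python that combines the evaluation inventory and risk ranking with the planning-stage groups, flagging access a user's groups grant beyond what the job function needs. All system, group, job and user names are constructed sample data.

```python
# Constructed sample data; every name is hypothetical.
# Evaluation: systems ranked by risk of unauthorized access (3 = most sensitive).
SYSTEM_RISK = {"payroll": 3, "engineering-plans": 3, "email": 2, "public-website": 1}

# Planning: systems each job function actually needs.
JOB_NEEDS = {
    "accountant": {"payroll", "email"},
    "engineer": {"engineering-plans", "email"},
    "marketing": {"public-website", "email"},
}

# Planning: groups and the systems each group can reach.
GROUP_ACCESS = {
    "finance": {"payroll", "email"},
    "engineering": {"engineering-plans", "email"},
    "web-editors": {"public-website"},
    "all-staff": {"email"},
}

# Active users: job function and group memberships (a user may be in several groups).
USERS = {
    "alice": {"job": "accountant", "groups": {"finance", "all-staff"}},
    "bob": {"job": "engineer", "groups": {"engineering", "finance"}},
    "carol": {"job": "marketing", "groups": {"all-staff"}},
}


def effective_access(groups):
    """Union of the systems reachable through all of a user's groups."""
    systems = set()
    for g in groups:
        systems |= GROUP_ACCESS.get(g, set())
    return systems


def audit(users=USERS):
    """Return (excess, missing); excess is sorted highest-risk system first."""
    excess, missing = [], []
    for name, info in users.items():
        have = effective_access(info["groups"])
        need = JOB_NEEDS.get(info["job"], set())
        excess += [(SYSTEM_RISK.get(s, 0), name, s) for s in have - need]
        missing += [(name, s) for s in need - have]
    excess.sort(key=lambda f: (-f[0], f[1], f[2]))
    return excess, sorted(missing)

if __name__ == "__main__":
    excess, missing = audit()
    print("excess access (risk, user, system):", excess)
    print("missing access (user, system):", missing)
```

Excess findings point to a group that is too broad or a membership that should be removed; missing findings point to a gap in the group plan.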

Implementation and provisioning

Pick a system in preparation for the implementation phase. Here are some questions you'll need answered:

  • Should the system use Active Directory, or LDAP? Which fits in better with your current network architecture?

  • Are the risks high enough to warrant two-factor authentication (smart cards or One-Time Password tokens) for access to some systems, or is that overkill?

  • What type of remote access should you set up? A traditional virtual private network (VPN) with IPSec, or Secure Sockets Layer (SSL) VPN? Are SSL VPNs right for your SMB?

  • Do your users have multiple user IDs and passwords for accessing different systems? Is single sign-on an option?

  • Will the system scale as your business grows?

Finally, determine who on your team will be responsible for the identity and access management system, and how it will be maintained. Chances are, your network staff may double as both your information security department and your help desk. In these roles, they are probably setting up user access and provisioning user IDs -- skills that are necessary to successfully implement and deploy any identity and access management system.

Read part 2 of this series: Implementing an identity and access management system.

Joel Dubin, CISSP, is an independent computer security consultant in Chicago. His specialty is Web and application security. He is a Microsoft MVP in security. He is also the author of The Little Black Book of Computer Security, available from, which has tips on setting up an access management system.
