Adaptive Security IAM in the Era of Big Data

The digital universe is growing at an incredible speed. Thanks to the evaluation and linking of data, new possibilities keep emerging for companies and institutions. How can they leverage these possibilities without losing control over their data?

Today, companies, organizations and authorities are facing constantly increasing data volumes. At the same time, these companies, their customers, their employees and also citizens want to use the data to realize new business models or other projects. It is essential, therefore, to control access to this data, not only with respect to data protection but also commercial use.

Which Data Is Worth Protecting?

Due to the possibilities big data offers, it has become rather difficult to define which data is worth protecting. By linking them, generally uncritical data may reveal more information than intended and, as a result, be considered worth protecting. In addition, it is increasingly simple to transfer data and inexpensive to save data. This results in a tendency to keep data in a decentralized way or in the Cloud and to replicate them. As a consequence, it is no longer possible to simply consolidate data in a network within an organization and to manage them centrally. This is why traditional access management mechanisms such as role-based access control, proxies or VPN are approaching their limits.

Simultaneously, the user community is more and more distributed as departments and authorities cooperate on projects or exchange data and customers and suppliers want and shall be able to use the services at their discretion both online and via mobile. Central management of the internal and external users’ identities and access rights is hardly possible. How can data under these circumstances be protected and made available systematically and with reasonable effort for data owners and users?

Wanted: Data Ownership

The growing flood of information and decentralization require a change of paradigm from application and system managers to data ownership, i.e., the responsibility for data across systems and applications. The first step will be to gradually extend the established IAM systems by adaptive methods such as risk-adaptive access control (RAdAC). These methods dynamically evaluate environment factors of the users, taking into account meta data such as the worthiness of protection. For this to be possible, it is necessary to reconnect applications, data bases and IAM systems that have been separated for security reasons for decades. Ultimately, identity and access management will enable companies to better understand their users’ needs and to optimize their offering.