Illena Armstrong looks at the complex and challenging task of managing identities across today's distributed corporate systems.
There is no questioning the need for identity management solutions to protect enterprise assets, enhance corporate governance, facilitate compliance with privacy regulations and more. Yet, according to some experts, a sizable portion of the corporate world has yet to fully embrace any of the tools on offer that could aid organizations in provisioning and continually managing their users and the access they have to critical information.
The security benefits, management improvements, fiscal paybacks and other pluses of mapping out a plan and deploying a holistic solution are there. Just recently, a Stanford University study, Exploring Secure Identity Management in Global Enterprises, illustrated some of the dangers of neglecting identity management. For instance, about half of the 200 Global 2000 companies surveyed take longer than two days, and many take longer than two weeks, to revoke terminated employees' access to the network. Further, the report concluded that implementing a secure identity management solution could drive down help desk costs by about $1 million annually.
Still, despite the frequently mentioned advantages to undertaking such a project, identity management on the whole is no easy task. For one thing, say some experts, companies often underestimate the work involved in taking on identity management and, therefore, leave open a door for political issues, poor planning and other problems to impede the process.
On top of this, companies are trying to address a catalog of business challenges with such solutions, says Wendy Steinle, director of marketing for Novell's Nsure identity management solution. Everything from business facilitation, security, efficiency and cost-effectiveness, improved service levels and regulatory compliance is making it onto the list of things that identity management solutions are expected to solve.
"I do think that while some companies are still relying on manual processes, most are probably in the stage of either implementing or evaluating solutions," says Steinle. "They are realizing that they have a very long list of business challenges that all have identity at the heart of them, and that it is not going to be as quick and dirty to put in an ... identity management solution ... that they may have hoped for."
In addition, companies are looking for a single infrastructure that enables them to control access to web-based and internal resources. Such projects take a great deal of time and money - commonly more than executives bargain for - so implementations taken on by some forward-thinking companies have already failed, says Beth Dabagian, senior director of business alliances with Oblix. Currently, there is a bevy of organizations interested in talking about the problem, but they want it to be much less taxing to solve.
"The definition of identity management is changing rapidly and it just keeps getting bigger and bigger. It actually originated around ... managing very large, complex networks of users [with] flexibility. As you open up your applications to the outside world there comes this inherent need to have a scalable way to manage information, literally, about millions of users," says Dabagian.
The idea of managing identities of partners, customers, contractors and others who might need to gain access through the web continues to evolve, she says. At the same time, provisioning vendors developed another concept of identity management, one focused on knowing the individual identities of internal employees so that companies can work out which of those accounts need access to their back-end systems.
"So, what we see now in the last nine to 12 months is these two worlds colliding - the web and the inside world, [with] companies [wanting] a single infrastructure to drive access to both web and non-web resources," she explains further. "And what that's doing is expanding the definition of identity management to include web access management, identity administration, provisioning and... data synchronization. In my mind, that is indeed what is delaying the rapid adoption of these capabilities because when you talk to customers... about how it's really being done, the process is very manual and very time-consuming. What they're most concerned about - with all the emphasis on security now - is when people leave the organization or change roles, then these accounts end up sitting out there and people have access to information they shouldn't have."
Combining security requirements with administrative demands across these two worlds, and across the various departments involved, shows just how large and time-consuming an identity management project can be for any organization. According to Current Analysis, Inc. analysts Andrew Braunberg and Shawn Willet, in a report they published on identity management trends and players, vendors in the space are expanding their offerings to meet these demands through internal development, partnerships or acquisitions.
"End-to-end suites are now expected to support sophisticated provisioning capability on top of more traditional functionality. Solutions built on web services will play an increasingly important role in the next few years, as will the advent of 'federated' identity management standards that aim to trade identity information among companies and authentication providers to ease application access," report Braunberg and Willet.
Understanding the scope
Because of the desire to cover a wide range of users, companies are in turn breaking implementation down into stages in an attempt to deploy the overall project more successfully, says Oblix's Dabagian. The trick is realizing from the start that implementing a sound identity management solution successfully takes time, up-front capital and a methodical plan. And, suggest Braunberg and Willet in their report, a consultant or two might be a good idea, too.
"Professional services play an important part in the roll-out of identity management projects," they state. "While much of the underlying technology is well-established and well-understood by enterprise IT departments, specialist providers of corporate planning, market strategy, and security are required to promote and support the business vision enabled by identity management solutions."
The identity management market covers the "technical and service infrastructure that allows companies to create, manage and authenticate user identities, and broker services based on those identities for use within an enterprise or in an internet-based context," according to the report by Braunberg and Willet. The foundation is a directory or directory service that organizes users and applications "in a hierarchical structure and serves as a storehouse for identity attributes, including security rights and authentication information." On top of that, they explain, such a project involves authenticating and authorizing users, controlling access, and giving the company the ability to audit what all of these users are doing on corporate systems.
But, even getting to this point of understanding is difficult, says a chief technology officer with a large financial institution. His company decided to go with Thor Technologies' Xellerate provisioning software over a year and a half ago. For an organization of about 14,000 employees worldwide that has at least 500 applications important to its operations and sees 20 to 30 people a week leaving the organization for one reason or another, managing access and identities is key.
The problem was that, until a couple of years ago, internal systems that had grown up over 20 to 30 years had become "very messy." On the other hand, tight control was maintained over external clients and the company's web infrastructure through RSA Security's ClearTrust identity management solution.
Being able to answer the questions
"We came up with our requirements for what we needed from a provisioning point of view for managing users. It was difficult to actually define the problem to begin with because people kept confusing it with single sign-on ... the ID/password section of the system, but at the end we realized we were looking at an identity management problem ... from the provisioning side of things," says the company's CTO.
"The real problem for us was [that] we were being audited quite a lot and were failing our audits on the points of: Why did the person get access to this system? Who approved their access? And, actually, who has access to what? So, if you came and asked us about John Smith working for department X, tell me what applications he has access to, tell me his user IDs for applications, we couldn't answer those questions. It was taking us a lot of man hours to come up with these answers to audits."
His team developed a scorecard that awarded points to each candidate solution for the tasks their company required. Proposals were received from Thor and three other top-tier providers in the market. As part of the selection process, each vendor gave demos and took part in a week-long full integration with company systems. Based on a set of pre-defined tests, the company scored their performance and chose the one that best suited its needs.
Simply put, the identity management system automates the creation of initial accounts and access and handles requests for modifications to existing ones. For first-day accounts, human resources staff enter the new hire's information into PeopleSoft, from which it is passed to the Sun LDAP directory. The Thor product listens for these additions of new users and deletions of old ones, automating the process of ensuring that employees have the right access to the right applications. For current employees, existing account data is reconciled against the directory, and whenever users need access to particular applications they simply request it through a self-service web site. The solution also checks that no rogue accounts exist or are created.
The project is currently being implemented in stages, with a mandate for workflows involving 190 applications to be automated by the end of the year. So far, 40 have been completed.
Implementation by steps
"The challenges are definitely there. ...Fortunately, we've had the mandate from our CIO. Not to mention, we have our audit guys behind us. ...We've had laziness [as part of the approval process for access requests], but what we've never had is a negative reaction of 'I won't do it.'"
Burton Group analyst Jamie Lewis, author of the recently published Enterprise Identity Management: It's About the Business, says that most organizations still rely on poor identity management processes - a fact that their audits bear out. Because failure to tackle this problem creates "a pervasive, gaping vulnerability," the creation of full-scale identity management infrastructures within enterprises is inevitable.
"The evolution will be painful at times, occurring in fits and starts," he states in his report. "While we're in the early days, however, it's clear that the era of digital identity management in the enterprise has arrived, and tools and techniques are emerging that will help companies address the issue."
And, while complexity, scalability and other issues might crop up, these are not what derails a typical identity management project once its scope has been defined in the initial stages, says David Frogel, director of professional services for Courion Corporation. What typically happens these days is that organizations skip a pilot deployment and instead go straight to "embarking on a test phase with the scope of a full-scale deployment."
Novell's Steinle says when moving to a full implementation, people must get the right stakeholders in the room from the start, identify and prioritize their pain points and seek out solution-providers that can serve them long term. While it may sound simple enough, the process is long, sometimes longer than companies might expect, she adds.
Beyond these steps companies must accept that such projects are all about people, processes and policies, says Michelle Drolet, CEO of Conqwest, an IT security policy and assessment services firm in Massachusetts that helps companies with identity management projects. "It's not an IT issue. It's not an HR issue. It's a business development issue. It's actually re-engineering the whole organization," she says, which is an end that is best achieved when companies involve the right people, conduct security assessments, establish well-thought-out plans/procedures, buy into a product that can grow with them, and, above all, simply take their time.
Illena Armstrong is U.S. and features editor for SC Magazine.
What you should ask an identity management vendor
Mark McClain suggests the following:
How committed is your company to identity management? Is the solution the focus of the company, only one of several product lines, or an OEM solution?
What product/architectural characteristics have you built into your identity management solution to address the complexity of an IT environment?
Can you provide end-to-end identity management (from the portal to legacy applications)?
Does your solution facilitate interfaces for non-technical business users such as hiring managers, supply chain managers or distribution partners?
Is your identity management solution capable of maintaining secure access and administration with a more sophisticated, cross-organizational and transaction-based business model?
Mark McClain is president and founder of Waveset (www.waveset.com).
Measurable identity management results
David Frogel gives some key points:
David Frogel is director of professional services, Courion Corporation.
Rogue account detection
Rogue accounts, says Brad Hildreth, are user accounts that are created without regard for an organization's pre-defined business processes. They may grant a new or increased level of access on enterprise platforms, applications and systems.
Often, a network or platform administrator grants access directly in response to a user's request, bypassing the usual workflow and approval policies.
Finding accounts created outside business rules requires manually tracking down all permissions in the enterprise to see who's been granted access to what applications and systems. When you factor in user groups and their associated permissions, this task can require one or two people solely dedicated to monitoring permissions and doing nothing else.
A cost-effective measure is a provisioning system that can detect rogue account creation almost instantaneously and take appropriate action.
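The reconciliation the article describes, both in the financial institution's Thor deployment (HR as the authoritative source, accounts reconciled against it, the auditor's "who has access to what and who approved it" questions) and in the rogue account sidebar above, comes down to one check: every account on a target system must map to a current HR record and to an approval record, and anything that does not is a finding. The following is an added example written for this article, not code from the article, Thor, Courion or any other vendor; the employees, systems, approvers and dates are constructed sample data, and the two-day revocation SLA is borrowed from the Stanford figure quoted earlier.

```python
"""Reconcile target-system accounts against the HR feed and the approval log.

Added example (not from the article or any vendor product). It mirrors the
flow described in the article: HR is the authoritative source of who works
here, every access grant should have an approval record, and an account on a
target system that lacks either one is a rogue account. All names, systems
and dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple


@dataclass(frozen=True)
class Employee:
    employee_id: str
    name: str
    department: str
    status: str                      # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    system: str
    user_id: str
    employee_id: Optional[str]       # None when the account is linked to nobody in HR
    groups: Tuple[str, ...]


@dataclass(frozen=True)
class Approval:
    system: str
    employee_id: str
    approver: str
    approved_on: date


# Constructed sample data standing in for the HR export, the per-system
# account dumps and the approval workflow's log.
HR_FEED = [
    Employee("E100", "John Smith", "Treasury", "active"),
    Employee("E101", "Ana Ruiz", "Trading", "terminated", date(2004, 3, 1)),
    Employee("E102", "Wei Chen", "Operations", "active"),
]

TARGET_ACCOUNTS = [
    Account("mainframe", "jsmith", "E100", ("TRSY_READ",)),
    Account("mainframe", "aruiz", "E101", ("TRD_BOOK",)),
    Account("crm", "jsmith", "E100", ("CRM_USER",)),
    Account("crm", "wchen", "E102", ("CRM_ADMIN",)),   # granted by an admin, no approval record
    Account("crm", "tmpadmin", None, ("CRM_ADMIN",)),  # no HR owner at all
]

APPROVALS = [
    Approval("mainframe", "E100", "M. Jones", date(2003, 11, 5)),
    Approval("mainframe", "E101", "M. Jones", date(2003, 6, 12)),
    Approval("crm", "E100", "K. Patel", date(2004, 1, 20)),
]


def reconcile(hr_feed, accounts, approvals, today, revoke_sla_days=2):
    """Classify every target-system account.

    rogue   - no HR owner, or no approval record for (system, employee)
    stale   - owner is terminated in HR but the account still exists
    overdue - stale for longer than the revocation SLA (default two days)
    `today` may be a date or an ISO string, as it would come from an export.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    employees = {e.employee_id: e for e in hr_feed}
    approved = {(a.system, a.employee_id) for a in approvals}
    findings = {"rogue": [], "stale": [], "overdue": []}
    for acct in accounts:
        owner = employees.get(acct.employee_id)
        if owner is None or (acct.system, acct.employee_id) not in approved:
            findings["rogue"].append(acct)
            continue
        if owner.status == "terminated":
            findings["stale"].append(acct)
            if today - owner.termination_date > timedelta(days=revoke_sla_days):
                findings["overdue"].append(acct)
    return findings


def access_report(employee_id, accounts, approvals):
    """Answer the auditor: what does this person have, and who approved it?"""
    approved = {(a.system, a.employee_id): a for a in approvals}
    report = []
    for acct in accounts:
        if acct.employee_id != employee_id:
            continue
        appr = approved.get((acct.system, employee_id))
        report.append({
            "system": acct.system,
            "user_id": acct.user_id,
            "groups": list(acct.groups),
            "approver": appr.approver if appr else None,
            "approved_on": appr.approved_on.isoformat() if appr else None,
        })
    return report


if __name__ == "__main__":
    results = reconcile(HR_FEED, TARGET_ACCOUNTS, APPROVALS, today="2004-03-10")
    for kind, accts in results.items():
        for a in accts:
            print(f"{kind:7} {a.system}/{a.user_id}")
    for row in access_report("E100", TARGET_ACCOUNTS, APPROVALS):
        print(row)
```

Run against the sample data as of 2004-03-10, the check flags `crm/wchen` and `crm/tmpadmin` as rogue (an active employee with no approval record, and an account with no HR owner), and `mainframe/aruiz` as stale and overdue, since the owner was terminated nine days earlier. Run as of 2004-03-03 the same account is stale but within the two-day window, so it is not yet overdue. In a real deployment the rogue and overdue lists are what the provisioning system acts on, and `access_report` is the answer to the audit question the CTO above could not answer by hand.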
Brad Hildreth is senior director of product management for Thor Technologies.