One of the important challenges for network security administrators is managing user identification, authentication and authorization. In a large enterprise, this can be a major headache. Users generally have roles. They can be categorized based on those roles, but they also move from role to role, participate in ad hoc working and project groups, and leave the organization. Keeping track of these movements requires some form of identity management (IdM). That is what this month's group of products offer.
Identity management still is seen by some organizations as a luxury. The addition of an identity management tool often seems to go beyond current budget constraints. However, once the organization starts to grow, there may be no other way to avoid typical problems with user accounts. The best way to think about identity management is as a means of managing passwords for each user in the enterprise.
An identity management system works at the user level. In its simplest form, it allows the security administrator to provision passwords and group memberships and keep track of user movements as roles change. At a more sophisticated level, identity management also allows administrators to track the authorizations for users, including monitoring user access to unauthorized areas on the enterprise.
The ideal IdM system will allow users to self provision once some set of predetermined criteria are met. It will manage transient users, such as meeting attendees and contractors. It will allow the administrator to remove users as necessary, and to move them between roles, including transient roles.
How we tested
This was a relatively straightforward exam this month. First, we set up a test bed that mimicked the enterprise on a small scale. Then we added, moved and removed users, paying close attention to ease of use, smoothness of the password-provisioning process, and difficulty of fooling the system into allowing rights for which the user was not authorized.
Once a user was provisioned, we attempted to bypass restrictions and change user rights without proper authorization, simulating a rogue user. Finally, we checked to ensure that a legitimate user could not accidentally violate our policies. Ease of creating, modifying and deleting policies was an important test, and we paid special attention to the user experience. When users find a task too difficult, they usually will try to find a way to bypass or defeat the control that task manages.
We also were concerned with the difficulty of managing the system. Security administrators are very busy, and adding a set of tasks, such as password management, simply adds to the already overgrown workload. With that in mind, we were concerned with how much time and effort the tool actually saves the administrator. Some form of self-provisioning is a real plus for administrators. This is especially true where transient users are concerned.
Buying ID tools
The usual starting point applies here, perhaps more than with many other types of products: Know your network and your requirements. Often, there is a significant reporting requirement. Regulatory rules may require detailed tracking of user rights and identity management security. If that is the case, be sure that you can generate reporting that satisfies regulatory requirements.
Another important feature is, as discussed above, management of transient users. If that is an important part of your business, be sure to select a tool that aids in managing those identities. Finally, are you using IdM in concert with other tools, such as network access control? If so, how are you going to need to integrate the tools to get the best mix of access controls?
Once you have thought these issues through, consider compatibility with your enterprise and its other access control tools, and you likely will find something in this month's crop that does the job for you.
Mike Stephenson contributed to this Group Test.