No wonder then that identity management is rapidly heading up most corporate agendas. Microsoft, for one, has made it clear it has big plans for Active Directory, which manages the identities that make up a network. At February’s RSA Conference 2006 in San Jose, Calif., the company said that starting with Longhorn Server in 2007, it will begin the process of unifying its directory services, which includes rights management, certification services and the metadirectory that resides in its Internet Information Services feature pack.
Most security professionals see added value in managing all customer identities from one centralized platform. Maxine Holt, senior research analyst at Butler Group, says having such a system in place can make big savings.
“The initial savings are made from automating password resets from users,” she says. “Up to 40 percent savings can be made just in helpdesk costs. This is not an unrealistic figure.”
While the savings are compelling, the biggest trick is knowing where to start. Simon Perry, vice president of security strategy at Computer Associates (CA), says that this is the major problem for many of his clients.
“Very often, we see clients trying to do too much at the same time when they should look at identity management as a staged process with some stages having dependencies on others. Companies need to start with the business side of the equation, not the technology side,” says Perry.
Peter Jopling, head of Tivoli Security Management at IBM, agrees with this point, adding that businesses have to understand their own operation before rolling out IDM.
“The biggest inhibitor to IDM is the ability for organizations to truly understand how their business operates. It has been seen time and time again that few businesses actually understand who has access to what resource, something their auditors will verify,” says Jopling.
The main problem Perry often comes across is that companies neither agree on the definition of job roles within the organization, nor establish any clear internal agreement on the access rights that people in different positions should have.
“Technology can only enforce the rules that the business decides it needs. The best place to start is often ISO [International Organization for Standardization] 9001,” he says.
This equates to breaking down the problem into manageable chunks to deal with one at a time.
“Companies should take a logical stepped approach to IDM. We call this the IDM maturity model and we use it to take a client through the lifecycle of IDM deployment — from basic password management and provisioning through to FIM [federated identity management],” says Perry.
Often an organization will expect that it can implement everything at once, but this is just not practical. The most practical approach, then, is to concentrate first on a limited set of functions offering the most business benefit. Once these are well in hand, the company can move on to other functions as needed.
“On one occasion it took us over one year to persuade a customer that doing everything at once would not work. This cost the customer a serious delay in achieving the benefits that they could have achieved with a more pragmatic approach,” says Perry.
Many companies are in the middle of compliance efforts. This means the company and the way it operates is under close scrutiny by its own employees and external auditors. Far from being a drain on resources, such an analysis can unearth useful information on the internal workings of the company and its employees, helping to more formally define who does what and to what they should have access.
Companies must understand how corporate data needs to be accessible across the organization, which is especially true for multi-national businesses, adds Paul Gribbon, a consultant for LogicaCMG’s Electronic Identity practice.
So basing access rights on roles may not be the next step to take. CA’s Perry says that role-based access control is good in theory, but is difficult to implement in practice given the many different dimensions that often are part of an individual’s job. A better approach, he says, is a combo of rules and roles.
“If identity management is dealt with in silos, then there will be a series of problems. For example, Miss Y is an international traveler within Bank X, but her employee card won’t work when she travels to France or Germany, negating the domestic benefits,” explains Gribbon.
Knowing what people do and where they work should then be followed by knowing what applications and systems they need to access. When installing IDM, many experts recommend looking at the most important applications in the infrastructure.
Most obvious, and probably most important, is the directory, such as Microsoft’s Active Directory, NetWare or LDAP [Lightweight Directory Access Protocol]. These have information on users and can be cross-referenced with other applications, such as databases, to find out who’s who.
Gribbon says this information, along with people proving their identities, is important for the enrollment process.
“Enrollment is crucial to a successful ID management deployment — the corporation must be confident that the person presenting themselves at enrollment is who they say they are,” says Gribbon.
When accounts go bad
The flip side of enrollment is de-provisioning. Any system that can get a user up and running quickly also has to deal with the termination of ex-employees’ access rights so systems and applications are not open to them after they’re gone.
“This is a major part of IDM. Over time an employee can amass a number of passwords to different applications,” says Alan Rodgers, research analyst at Butler Group. “Were there no centralized IDM, there would be no way of the company knowing what the employee had access to.”
Rodgers says that companies need to be able to switch off access, especially when an employee has left an organization under a cloud.
“This has to tie in with human resources systems, so the minute the user leaves, they no longer [can have] access,” he says.
Without IDM, it can take up to 12 months to properly de-provision a user.
“The savings made from not having a disgruntled ex-user compromising a system they still have access to could possibly run into millions,” says Butler’s Holt.
Rodgers says that companies also may want to integrate IDM with asset management, so company laptops or cars can be tracked and returned promptly. He adds that such a function is added into IDM systems at the later stages of a project.
The big trick in implementing IDM is “to go for the 80/20 rule,” adds Jopling.
“Look for the most visible application in the business that will show the greatest need for IDM. Once this has been addressed then roll-out to the other applications in order of importance,” says Jopling. “Don’t try to boil the ocean and rush to cover all the applications from day one. This is a potential career-limiting move. Less is more in the early days with IDM. More will be gained for the business, and the return on investment in IDM will be realized faster.”
Tying it in properly
There is definitely a financial need to get applications corralled into an IDM system. Ray Stanton, global head of BT’s business continuity, security and governance practice, says that on average large companies have more than 75 applications, databases and systems that require their own authentication.
And the bigger the company, the bigger the problem. Fortune 1000 companies typically depend on around 200 databases or directories of user information to control access to their systems.
“[Access] errors rarely become public knowledge, but when they do, the results are both comical and disquieting,” says Stanton. “For example, months after a CFO left, one major company’s system administrators found that a cleaner with the same name had been given access rights to all its financial systems.”
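The HR tie-in Rodgers describes and the same-name mix-up Stanton recounts both come down to the same control: reconciling an authoritative HR feed against the directory on an identifier that is not a person’s name. The following is an added example, not code from the article or from any vendor it mentions; the record layouts, the linking attribute and the sample data are assumptions.

```python
# Added example, not from the article: reconcile a constructed HR leaver feed
# against a directory snapshot; record layouts and sample data are assumptions.
from collections import namedtuple
from datetime import date

# HR record: left_on is None while the person is still employed.
HrRecord = namedtuple("HrRecord", "employee_id name left_on")
# Directory account: employee_id is the attribute linking it back to HR
# (assumed name); it may be missing on accounts created outside the process.
Account = namedtuple("Account", "login employee_id name enabled")

def reconcile(hr, accounts, today):
    """Return (overdue, orphans, name_only) for the enabled accounts.
    overdue:   (login, days left enabled past the HR leaving date)
    orphans:   logins whose employee ID HR has never heard of
    name_only: logins with no employee ID but a display-name match in HR;
               never auto-matched, since two people can share a name."""
    by_id = {r.employee_id: r for r in hr}
    hr_names = {r.name for r in hr}
    overdue, orphans, name_only = [], [], []
    for acct in accounts:
        if not acct.enabled:
            continue  # already switched off; nothing to do
        if acct.employee_id is None:
            if acct.name in hr_names:
                name_only.append(acct.login)  # route to a human for review
            continue
        rec = by_id.get(acct.employee_id)
        if rec is None:
            orphans.append(acct.login)
        elif rec.left_on is not None and rec.left_on <= today:
            overdue.append((acct.login, (today - rec.left_on).days))
    return overdue, orphans, name_only

# Constructed sample: one leaver, one person still in a notice period, and a
# second account that shares the leaver's name without any HR link.
HR = [
    HrRecord("E1001", "Dana Cole", date(2006, 1, 15)),  # left in January
    HrRecord("E1002", "Sam Reyes", date(2006, 3, 15)),  # leaves later in March
]
ACCOUNTS = [
    Account("dcole-fin", "E1001", "Dana Cole", True),   # leaver, still enabled
    Account("sreyes", "E1002", "Sam Reyes", True),      # has not left yet
    Account("dcole2", None, "Dana Cole", True),         # same name, no HR link
    Account("jdoe", "E9999", "J Doe", True),            # ID unknown to HR
    Account("svc-old", "E1001", "Dana Cole", False),    # already disabled
]

def run_sample():
    return reconcile(HR, ACCOUNTS, date(2006, 3, 1))  # "today" is constructed
```

Only the account carrying the leaver’s own employee ID is reported as overdue; the account that merely shares the name is queued for review rather than disabled or, worse, treated as hers.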
And while administrators have to quell the large numbers of directories, users have to cope with passwords for every single one of them. Users, often not being security-conscious, have ways of remembering them that would make many administrators cringe.
“On one occasion, we found the [chalkboard] in an office displayed a convenient table of people, applications and passwords,” says Perry. “There is no substitute for single sign-on, with a human-friendly password policy. A large U.S. bank implemented single sign-on and this resulted in savings of $1 million in help desk costs, and led to an improvement in end-user satisfaction.”
René Millman is based in SC Magazine’s U.K. office.
MANY MINDS: Singular results
What companies should bear in mind before implementing an IDM solution:
1. Make sure that you have a concrete project plan with clear deliverables, attainable milestones and objective acceptance criteria. The key to being successful during an identity management solution deployment is in the preparation for the project itself — early success leads to better corporate backing and team alignment.
2. Invest in training on the identity management solution, environments and fundamental technologies. Future success will be determined by the deployment team’s ability to maintain and expand the initial implementations of the identity management process into your environment.
What companies should bear in mind during the process of rolling out an IDM solution:
1. Focus on the identity management lifecycle process as the key. The identity management solution is an enabling technology, but should not drive your business process.
2. Keep the ‘customer’ engaged in the roll-out. Allow for your end-users, internal champions and other stakeholders in your project to review the progress, interfaces, business process flows and milestone deliverables in order to retain the initial buy-in that existed at project kickoff time.
And what they should bear in mind after rolling out an IDM solution:
1. Continuous identity lifecycle management is something that is crucial to the ongoing success of any identity management implementation. You must constantly review your environment to understand the changes that have occurred. The initial deployment of the identity management solution must provide the required functionality to adapt to the new processes, entities, or resources that have been, and may be, introduced.
2. The objective of any long-term identity management project should be to control, monitor, measure and improve the identity and security policy models, business processes and compliance/audit information involved in the project. A consistent review cycle must be maintained in order to ensure that the policies, processes and tools are providing business value.
— Bob Worner, director, BMC Software
BEFORE THE ORDER: Considerations
Identity management solutions enable sustainable compliance, improved security and reduced administrative costs. However, not all solutions are created equal.
Comprehensive suite: A vendor that offers a suite of best-in-class functionality, spanning web access control to enterprise user provisioning promises to be the best long-term partner.
Heterogeneity: Commitment to supporting leading platforms and applications is a must. Avoid those whose interoperability is limited.
Vision: A roadmap should include emerging technologies, such as application driven identity, web services security and fine-grained entitlements.
Viability: Make sure the vendor will be around tomorrow and has a global infrastructure to support your worldwide operations.
Ease-of-implementation: Look for solutions that are easy to deploy. Stay away from solutions that require an army of consultants.
— Hormazd Romer, manager, Oracle Identity Management