On the face of it, identity management should be an easy process. People enter the organization, you give them an ID, they can authenticate themselves and gain access only to the systems they should, and look only at the data you have deemed suitable for their eyes. All users in the organization should come under one umbrella system that tracks all their movements through the infrastructure and various applications that operate on it.
When they leave, you should be able to revoke their rights quickly and easily. But theory and practice never seem to square properly with each other. Why is a seemingly simple problem such a headache to solve?
Many organizations simply do not know where to start. Which system is going to give the most benefit in the least amount of time? What problems will we face?
Every organization has some form of primitive identity management (IDM). Most have several different systems which all have users, applications and devices to manage. Linking all these systems together in a coherent manner is the ultimate goal of IDM. When it is effectively rolled out, the technology can overcome security weaknesses by ensuring efficient, automated, standardized authorization and authentication.
Most analysts agree that the best place to start is in user provisioning, which can deliver real efficiencies and (unusually for any security project) create instant cost savings.
"The benefit is productivity," says Graham Titterington, principal analyst at Ovum. "Getting people up and running quicker means less time and money is wasted with staff waiting to get access to systems."
Fran Howarth, practice leader at analyst Bloor Research, agrees.
"When new resources enter an organization, but cannot work as their access has not been sorted out, you get a lot of waste. Automatic user provisioning avoids this," she says.
Organizations waste a great deal of their resources by not efficiently deprovisioning when someone leaves, she adds. It is often the case that former employees are able to access such things as customer details long after they have left the company.
Titterington says deprovisioning is especially important in areas of high information security. Once an employee has left a company, that company must act quickly to make sure no further access to systems can be made.
But many organizations fail in this crucial area. "For every ten enrollments, there are seven de-enrollments, hence a security hole. This means people still have access to systems where they shouldn't," he warns.
Apart from the security implications, says Howarth, it makes simple business sense to prevent former employees from using resources. "Being able to efficiently and quickly de-provision users improves risk and saves money," she says.
She cites one example of the effects of poor provisioning and deprovisioning, in which a systems administrator left a company, but still had access to other systems with his username and password. He used his knowledge of the system and other users' passwords to gain information about his former company's business plans. He then bought a domain name the company was planning to register. Luckily, the firm discovered his plans and brought in the police.
User provisioning has had a helping hand in getting into the mainstream.
Complying with new rules of accountability is making boardroom executives really sit up and listen to the arguments for IDM.
"Legislation such as Sarbanes-Oxley is making user provisioning and access control generally a prerequisite for compliance," says Neil Chaney, CEO of user provisioning developer Open Systems Management.
Various acts and directives, such as SOX, HIPAA and GLBA, as well as European directives, go hand-in-hand with auditing. Auditing means knowing where everyone and everything in an organization is and having the logs to prove it.
Roger Sullivan, vice-president of development and server technologies at Oracle, says compliance is a "major driving force for the move to identity management because of the need to know who's who and who did what."
Howarth agrees. "The ability to prove compliance with regulations is boosted by IDM systems and this will help firms struggling with the cost of complying with laws such as Sarbanes-Oxley," she says. The use of IDM can help organizations ensure the integrity of corporate data and audit their operations for regulatory compliance.
Chaney says auditing to comply with regulations means "we need to have every single employee who has access to our critical data to be recorded in a central database, along with the details of every access privilege they have."
Starting out on an IDM project means much more than overcoming technical problems – in fact, they are probably the least of your worries.
Software and systems to track users are quite easy to implement, but the big challenge comes in handling company politics. Because IDM means uniting disparate systems, it may be resisted by system administrators who feel that their private fiefdoms are threatened.
"Having a unified directory instead of departmental directories means taking power away from some people in the organization, which needs to be handled sensitively," says Titterington. Chaney adds that IDM is complex and political, and the best way of going about implementation is to start with "a process-led specification of business requirements."
"I would advise all sizeable end-users to ask 'what are we trying to achieve? What is our final goal in business terms?'," he says.
Sullivan suggests starting with the systems that matter most and then spreading out from there. In most cases, it will begin in areas where there are cost savings to be made, such as a call centers where staff turnover is high.
The identity of the user on an IDM system must be able to link to their identity on a human resources (HR) system, according to Chaney.
Titterington agrees. He says HR is the department in an organization most affected by unification of systems. It is also where most efforts need to be directed to ensure the safety of data and that implementation is handled sensitively. He adds that the overall process should be looked upon as a business process more than a technical one.
There are business problems, technical problems and political problems to solve when implementing IDM. And a clear path must be steered through all of them to ensure the project does not get mired in petty squabbling and bureaucracy. Chaney says that, when implementing IDM, proper project control is essential for successful deployment.
"It permeates through all parts of the organization and must have a corporate sponsor at a high level who can cut through the red tape or obstruction," he adds.
A capable project manager is needed who can explain and work with all the affected departments and the deployment needs flexible systems that accommodate organization-specific processes.
Sullivan adds that the project must be designed to fulfil a need. Not every employee of the organization needs to be in the project from the start.
He warns not to get "stuck in analysis paralysis," or create an extra layer of infrastructure, and that an incremental approach is best.
The most pressing matters in IDM are security, efficiency and regulatory compliance.
These all press upon the need to link HR databases with email systems, business applications, CRM and the infrastructure. This can eliminate expensive manual processes and create a single system in which identity is created and maintained.
For this to succeed, it needs boardroom backing from someone who can help tackle any obstruction. But it also needs careful, strategic planning and effective delineation to make a successful project.