Sure, identity management can be a huge problem. Dare to think small.
Once companies gain a general understanding of their major identity management issues, the natural response is to try to deal with every one of them all at once through a single major initiative. But experts say it's far better to take a step-by-step approach, focusing first on critical areas of security exposure and support costs. How do you make sure, for instance, that an employee who's been fired has actually been removed from every point of access?
That's a huge problem for the average company wrestling with a pile of old and new applications, each with its own proprietary access method. Even the simplest forms of user identitynames and passwordsare often embedded so deeply into legacy applications that coordination of user names and passwords into something that looks like the near-mythical "single sign-on" can be a nearly insurmountable task. Ted DeZabala, a partner in the enterprise research group of Deloitte & Touche's consulting division, recalls one effort at a Fortune 100 financial services firm to determine how many "identity infrastructures" the company was managing through its various applications. The answer: 186.
The right course is to try to standardize and simplify, over time, the many different processes for managing access to critical data. In some cases, this will be a relatively straightforward process. Automated provisioning systems, for example, can take the pain out of adding, changing and deleting permissions and users, saving data entry and help-desk costsfor $20 to $50 a head. But they won't solve every problem. Given legacy systems that can hang on for decades, coupled with the explosion of Internet-era applications, analysts say there will always be programs that resist easy integration.
It's the non-technical issues that cause some of the biggest problems. Political hurdles can impede the effort to integrate identity management, because some corner of the organization or other will inevitably react badly to attempts to enforce cross-department standards. And business processes can be very tough to change, because some users will always prefer to work the way they always have. "We can come up with the niftiest technical solutions possible, but if people don't use them, they don't do the enterprise any good," says Bennett Griffin, CEO of security vendor Griffin Technologies.
Ask your IT staff:
How many "identity infrastructures" do we have?
Ask your chief IT strategist:
How can we get the business side to agree on a more standardized approach to identity management?
Ask your internal audit department:
If we can define the increased certainty we'll gain by increasing control over user identity, will you authorize the budget?