Identity Management: Who are You?By CIOinsight | Posted 09-01-2004
Identity Management: Who are You?
You know the nightmare: A few thousand credit card numbers are stolen from your company's customer database. After digging into your systems to see how security was breached, you learn that the crime was perpetrated not by an anonymous hacker, but by a recently dismissed employee.
Worse, the former employee gained access to the customer database simply by using his old user ID and passwordwhich was not deleted when he was discharged.
Before long, your company is facing a public-relations disaster: The media is spreading the word about your firm's vulnerabilities, furious customers are threatening lawsuits, and your CEO is demanding an explanation as to why the IT department wasn't practicing good identity management.
But consumer fraud isn't the only reason you should be concerned with identity management. Companies are finding that complying with such regulatory issues as HIPAA, Sarbanes-Oxley and Gramm-Leach-Bliley means authenticating and tracking all employees who have access to sensitive data, such as patient records and financial documents.
Although identity management is not specifically cited in any of the federal regulations, most companies agree that in order to ensure compliance, stricter controls are necessary.
"Sarbanes-Oxley is driving a lot of the conversations I have with clients," says Roberta Witty, a research director at Gartner Inc. Currently, many IT departments are so focused on upgrading identity management that purchases in other areas of the business are being put on hold.
There is good reason for all the urgency around identity management.
According to Gartner, more than seven million Americans were victims of some form of identity theft during the 12-month period ending June 2003a whopping 79 percent increase over a similar Gartner survey concluded in February 2002. The issue has gained enough attention that, in July, President Bush signed into law an identity theft bill that adds two years to the prison sentences of criminals convicted of using stolen credit card numbers or other personal data.
Unfortunately, identity management is no easy task, and it can be a major challenge if your company's systems operate on different platforms.
More than 100 identity management vendors are currently peddling their wares; some offer application suites that promise to meet your every need, others provide specific expertise. And because there are several pieces to the identity management puzzlesuch as single sign-on, self-service, authentication, access control and automated provisioningknowing which area to tackle first presents yet another stumbling block.
Additionally, privacy issues and employee resistance are always a concern, especially when your authentication tools include biometrics or other invasive technologies.
But the biggest headache may be getting all the key departments to sit down and discuss the policies and procedures that will govern identity management.
Still, the benefits usually outweigh the headaches.
Identity management gives your firm greater control over processes and programs, tighter security around sensitive information and better management of employeeswhether they are new hires, recently fired or changing their role within your organization. It also cuts down help desk costs, which can mean significant savings, and can free up your staff to do more important things.
Identity management is not cheap. According to Yankee Group, the expense of wide-scale deployment in an organization of more than 10,000 employees often exceeds $500,000 and can take 12 to 24 months. This is a long and expensive commitment, so be sure upper management understands all that is involved.
"It's a no-go without senior sponsorship," says Earl Perkins, an analyst at META Group Inc. "You're guaranteed to fail without it."
If the executives upstairs need convincing before they give you the green light, there are some quick fixes you can put in place to prove value.
Automated password reset is relatively simple to roll out and generates an almost immediate return by giving users the ability to reset their own passwords without the assistance of IT. This significantly cuts calls to the help deskwhich cost anywhere from $15 to $50 per calland can save your company millions each year.
"Self-service password reset is an easy way to get your hands around the vendors and understand how well they will support you," says Witty. "There is big money to be saved, especially if you're outsourcing your help desk."
Tom Deffet, who helps lead the identity management program at Nextel Communications Inc., confirms the value of automatically resetting passwords: He estimates that the savings generated from reducing calls to an outsourced help desk will pay for the entire investment in a company's identity management system within 12 to 18 months.
"It's a no-brainer," he says.
Pat Ressa, CIO of Maple Leaf Foods Inc., a Toronto-based food-processing company with more than 23,000 employees, is currently rolling out an identity management system with Netegrity and expects password reset to help his company eliminate more than 16,000 help desk calls each year.
"It provides a lot of the hard payback that you can count on," he says. "It's a real quick win."
After getting the go-ahead from upper management, it's time to take stock of current applications, platforms and users to see who has access to which systems. Sit down with line managers and do an assessment to get a better handle on what access employees currently have versus what access they should have.
The assessment will show you how many "ghost" accounts (fired or otherwise departed employees whose access has yet to be revoked) you're dealing with, as well as where identity passwords and other information is stored (most likely in several different places all around your company). It will also give you a better grip on the integration issues.
"Most large companies have hundreds of applications running on different platforms, and that's the root of the problem," says Phebe Waterfield, an analyst at Yankee Group. "Bringing them into a common framework is a huge undertaking."
The assessment will tell you where the company's largest points of pain are. That will help you develop a strategy for which identity management elements should be tackled first.
If your company is most concerned with regulatory compliance, you may want to look at automated provisioning, which essentially tracks the lifecycle of your employees, and allows the IT department to automatically set up a new user, eliminate old accounts and allocate resources such as computers, phone lines and office space.
Provisioning allows the IT department to keep a detailed record of who has access to what systems, networks and devices, as well as how that access may change.
|The Pieces of the Identity Management Puzzle|
Access Control: Authorization, the ability to manage access on different applications and platforms.
Authentication: The process by which someone proves they are actually who they claim to be. Analysts recommend two-factor authentication with smart cards, biometrics or digital signatures.
Automatic Provisioning: Granting access of specific applications and systems to employees. Includes creating user IDs and passwords and can include provisioning physical items such as cell phones, computers and key cards.
Directory: The storage area for user IDs and passwords. It offers one place for a company to view system access across the company.
Federated Identity Management: The ability to grant system access to parties outside the company's firewall, such as suppliers and outsourcing partners.
Single Sign-On and Self-Service: The ability to sign on to a system once and then move through the company's networks without having to repeatedly re-authenticate. Also includes the ability to reset passwords without the assistance of the IT help desk.
At Nextel, Deffet says software from Thor Technologies and Microsoft allowed the company to get a holistic view of critical systems and of the employees who use them. By organizing employees into specific categories, or roles (an approach analysts almost unanimously endorse rather than tackling identity management person by person), Nextel could better understand who needed access to specific applications and networks, thus ensuring tighter controls.
In addition, the company decreased the time it takes for a new employee to get set up for services like LAN and Intranet from roughly two weeks to a day.
Provisioning software from Computer Associates helped the Louisiana Office of Group Benefits in Baton Rouge, La., a state agency with 400 employees, launch their "Zero-Day Hire, Zero-Day Fire" program, which lets HR and IT work together to automatically grant or revoke access. The initiative was key to ensuring the company was in compliance with HIPAA, says Rizwan Ahmed, the agency's CIO.
When a new employee joins the OGB, data is entered into the HR department's system. Based on the employee's role, the provisioning software grants access to the necessary systems, networks and devices.
At the same time, the system sends an e-mail to the security administrator and HIPAA audit team letting them know about the new employee. HR also takes a fingerprint of the new employee, which becomes his or her access code to just about everything in the organization.
To access the OGB's digital systems, for example, employees press their finger on their mouse, which is equipped with a fingerprint scanner. When an employee leaves or changes jobs within the agency, the HR department can instantly suspend or change access privileges with the click of a button.
Some employees balked at being fingerprinted because of privacy concerns, Ahmed says, but he adds, "I was expecting a lot more resistance than we got."
Once employees learned how the fingerprints were being used and secured, he says, they came on board.
Of course, automation will only take you so faranother crucial element of identity management is educating your employees about information security. Ahmed says that launching an annual employee training program was one of his first steps. .
In addition to the time and investment required to get identity management done, there are several other challenges.
According to Yankee's Waterfield, there are more than 100 software vendors. Small niche vendors own corners of the market, but suite vendors such as IBM and Computer Associates are developing software that addresses all areas of identity management.
Deciding which type of company you should partner with depends on the size and complexity of your firm, how far along you are in deployment and how extensive your rollout would be.
A Fortune 50 company with 50,000 employees and 12 divisions, for example, may be better off with a suite of tools from one vendor. If your company operates mainly on one platform, then it's probably best to go with the suite from that same vendor.
Not surprisingly, integration of different platforms is a constant frustration.
"Where it gets wild," says META's Perkins, "is when you want to buy one product that can, say, provision the users of applications that run on different platforms. There are vendors that provide capabilities to do that, but it's no trivial activity. The suite vendors may allow you to mix platforms, but let's face it, it's going to work best on the vendor's own platform."
Jaime Sguerra, second vice president and chief architect at Guardian Life Insurance Co., says integration issues presented the largest problem in his firm's identity management rollout.
"We had data in a proprietary repository, and we spent quite a bit of time extracting it."
Eventually they were able to integrate the systems with identity management software from IBM.
Smaller companies should generally look at targeted solutions, but don't limit yourself. If your business uses a lot of contract or part-time employees, you may need more than one tool.
Gartner's Witty says that managing the identities and access controls of part-time or outsourced workers is a growing issue that many companies overlook.
Perkins adds that data cleanlinessand consolidationis also an important consideration.
"Look at where your directory, authentication and authorization services are. How clean and structured are they? You don't want to do identity management in a company that has 300 directories and databases of identity repositories. Know what your identity infrastructure looks like and get the data integrity as clean as possible."
Finally, systems and applications might briefly slow down if many people log in to the system at the same time (in the morning when employees first sign on, for example) or if a hacker attempts a denial of service attack.
But generally "identity management isn't considered a system performance issue," says Perkins.
Many companies will want to explore federated identitya system that grants one company's employees access to another company's systems without re-authorization. This works particularly well for firms that collaborate with many people, or have outsourced partners who require access to data inside the company.
John Jackson, director of software technology at General Motors Corp., says the automaker is looking at federated identity for its outsourced 401(k) plan, expense reports and travel services.
More strategically, though, GM is considering ways to securely connect engineers with suppliers to encourage collaborationwhich could speed development of new cars. The task is not without roadblocks, however.
"A big part of it is really working with your partner to decide how to handle issues around authentication," as well as session time-outs and co-logoff issues, Jackson says.
"You need to make very clear what those levels of trust are."
Emerging standards such as SAML (Security Assertion Markup Language) and those developed by the Liberty Alliance are making federation easier for companies.
According to Yankee's Waterfield, another trend is to tie in digital identity management systems with physical ones. In other words, the same card that lets you into your office would provide access to your company network.
Nextel's Deffet agrees. He says plans are under way to merge the company's physical and network security functions.