Modernizing Authentication — What It Takes to Transform Secure Access
Identity management is not cheap. According to Yankee Group, the expense of wide-scale deployment in an organization of more than 10,000 employees often exceeds $500,000 and can take 12 to 24 months. This is a long and expensive commitment, so be sure upper management understands all that is involved.
"It's a no-go without senior sponsorship," says Earl Perkins, an analyst at META Group Inc. "You're guaranteed to fail without it."
If the executives upstairs need convincing before they give you the green light, there are some quick fixes you can put in place to prove value.
Automated password reset is relatively simple to roll out and generates an almost immediate return by giving users the ability to reset their own passwords without the assistance of IT. This significantly cuts calls to the help desk (which cost anywhere from $15 to $50 per call) and can save your company millions each year.
"Self-service password reset is an easy way to get your hands around the vendors and understand how well they will support you," says Witty. "There is big money to be saved, especially if you're outsourcing your help desk."
Tom Deffet, who helps lead the identity management program at Nextel Communications Inc., confirms the value of automatically resetting passwords: He estimates that the savings generated from reducing calls to an outsourced help desk will pay for the entire investment in a company's identity management system within 12 to 18 months.
"It's a no-brainer," he says.
Pat Ressa, CIO of Maple Leaf Foods Inc., a Toronto-based food-processing company with more than 23,000 employees, is currently rolling out an identity management system with Netegrity and expects password reset to help his company eliminate more than 16,000 help desk calls each year.
"It provides a lot of the hard payback that you can count on," he says. "It's a real quick win."
After getting the go-ahead from upper management, it's time to take stock of current applications, platforms and users to see who has access to which systems. Sit down with line managers and do an assessment to get a better handle on what access employees currently have versus what access they should have.
The assessment will show you how many "ghost" accounts (fired or otherwise departed employees whose access has yet to be revoked) you're dealing with, as well as where user IDs, passwords and other identity information are stored (most likely in several different places all around your company). It will also give you a better grip on the integration issues.
"Most large companies have hundreds of applications running on different platforms, and that's the root of the problem," says Phebe Waterfield, an analyst at Yankee Group. "Bringing them into a common framework is a huge undertaking."
The assessment will tell you where the company's largest points of pain are. That will help you develop a strategy for which identity management elements should be tackled first.
If your company is most concerned with regulatory compliance, you may want to look at automated provisioning, which tracks the lifecycle of your employees and allows the IT department to automatically set up a new user, eliminate old accounts and allocate resources such as computers, phone lines and office space.
Provisioning allows the IT department to keep a detailed record of who has access to what systems, networks and devices, as well as how that access may change.
The Pieces of the Identity Management Puzzle
Access Control: Authorization; the ability to manage what each user may do on different applications and platforms.
Authentication: The process by which someone proves they are actually who they claim to be. Analysts recommend two-factor authentication using smart cards, biometrics or digital certificates.
Automatic Provisioning: Granting access to specific applications and systems for employees. Includes creating user IDs and passwords and can include provisioning physical items such as cell phones, computers and key cards.
Directory: The repository for user IDs, credentials and account attributes. It offers one place for a company to view system access across the enterprise.
Federated Identity Management: The ability to grant system access to parties outside the company's firewall, such as suppliers and outsourcing partners.
Single Sign-On and Self-Service: The ability to sign on to a system once and then move through the company's networks without having to repeatedly re-authenticate. Also includes the ability to reset passwords without the assistance of the IT help desk.
At Nextel, Deffet says software from Thor Technologies and Microsoft allowed the company to get a holistic view of critical systems and of the employees who use them. By organizing employees into specific categories, or roles (an approach analysts almost unanimously endorse rather than tackling identity management person by person), Nextel could better understand who needed access to specific applications and networks, thus ensuring tighter controls.
In addition, the company decreased the time it takes for a new employee to get set up for services like LAN and intranet access from roughly two weeks to a day.
Provisioning software from Computer Associates helped the Louisiana Office of Group Benefits in Baton Rouge, La., a state agency with 400 employees, launch its "Zero-Day Hire, Zero-Day Fire" program, which lets HR and IT work together to automatically grant or revoke access. The initiative was key to ensuring the agency was in compliance with HIPAA, says Rizwan Ahmed, the agency's CIO.
When a new employee joins the OGB, data is entered into the HR department's system. Based on the employee's role, the provisioning software grants access to the necessary systems, networks and devices.
At the same time, the system sends an e-mail to the security administrator and HIPAA audit team letting them know about the new employee. HR also takes a fingerprint of the new employee, which becomes his or her access code to just about everything in the organization.
To access the OGB's digital systems, for example, employees press their finger on their mouse, which is equipped with a fingerprint scanner. When an employee leaves or changes jobs within the agency, the HR department can instantly suspend or change access privileges with the click of a button.
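The two mechanics this article keeps returning to, the assessment that turns up "ghost" accounts and the role-driven "Zero-Day Hire, Zero-Day Fire" workflow at OGB, are both the same computation: treat the HR system as the authoritative source, map each role to the entitlements it should carry, and diff that against what the target systems actually hold. The script below is an added example written for this page, not code from Nextel, OGB, Computer Associates or any other vendor named here. The role names, entitlement names, user IDs and the HR feed are all constructed for illustration; a real deployment would read the feed from HR and the current state from connectors to each system.

```python
"""Role-based provisioning reconciliation: joiners, movers, leavers and ghost accounts.

Added example for this article; not any vendor's or agency's code.
All roles, entitlements and users below are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Hypothetical role-to-entitlement map. In practice this is the output of the
# assessment with line managers: what each role SHOULD have, not what it has.
ROLE_ENTITLEMENTS: dict[str, set[str]] = {
    "claims_analyst": {"hr_portal", "claims_db", "email"},
    "it_admin": {"hr_portal", "claims_db", "email", "ad_admin"},
    "contractor": {"email"},
}


@dataclass(frozen=True)
class HrRecord:
    """One row of the HR feed, the authoritative source of who works here."""
    user_id: str
    role: str
    status: str  # "active" or "terminated"


@dataclass
class Plan:
    """Access changes needed to bring the target systems in line with HR."""
    grants: dict[str, set[str]] = field(default_factory=dict)
    revokes: dict[str, set[str]] = field(default_factory=dict)
    ghosts: set[str] = field(default_factory=set)  # accounts with no active HR record


def reconcile(hr_feed: list[HrRecord], current_access: dict[str, set[str]]) -> Plan:
    """Diff HR-derived desired access against what the systems actually hold.

    current_access maps user_id -> entitlements found on the target systems.
    Joiners get grants, movers get grants plus revokes, leavers and accounts
    unknown to HR are flagged as ghosts and revoked in full.
    """
    hr_by_user = {rec.user_id: rec for rec in hr_feed}
    plan = Plan()

    # Joiners and movers: desired access is exactly the role's entitlements.
    # An unknown role deliberately maps to no access (fail closed).
    for uid, rec in hr_by_user.items():
        if rec.status != "active":
            continue
        desired = ROLE_ENTITLEMENTS.get(rec.role, set())
        have = current_access.get(uid, set())
        if desired - have:
            plan.grants[uid] = desired - have
        if have - desired:
            plan.revokes[uid] = have - desired

    # Leavers and ghosts: any account on the systems whose owner is terminated
    # or not in HR at all loses everything and is reported for follow-up.
    for uid, have in current_access.items():
        rec = hr_by_user.get(uid)
        if rec is None or rec.status != "active":
            plan.ghosts.add(uid)
            if have:
                plan.revokes[uid] = set(have)
    return plan


# Constructed sample data (not from the page): one joiner, one mover who was
# demoted from admin, one terminated employee still holding access, and one
# account HR has never heard of.
SAMPLE_HR = [
    HrRecord("alice", "claims_analyst", "active"),
    HrRecord("bob", "claims_analyst", "active"),
    HrRecord("carol", "claims_analyst", "terminated"),
]
SAMPLE_ACCESS = {
    "bob": {"hr_portal", "claims_db", "email", "ad_admin"},
    "carol": {"hr_portal", "claims_db", "email"},
    "dave": {"email", "claims_db"},
}


def demo() -> Plan:
    """Run the reconciliation over the constructed sample."""
    return reconcile(SAMPLE_HR, SAMPLE_ACCESS)


if __name__ == "__main__":
    plan = demo()
    for uid, ents in sorted(plan.grants.items()):
        print(f"GRANT  {uid}: {sorted(ents)}")
    for uid, ents in sorted(plan.revokes.items()):
        print(f"REVOKE {uid}: {sorted(ents)}")
    print(f"GHOST accounts for security/audit review: {sorted(plan.ghosts)}")
```

Two design points matter more than the diff itself. First, the HR feed is the only source of truth; a user who is not active there gets nothing, which is what makes "zero-day fire" possible without anyone in IT remembering to act. Second, a role that is missing from the map yields an empty entitlement set rather than an error or a default, so a typo in HR data fails closed. The ghost list is the piece to route to the security administrator and audit team, as OGB does with its new-hire notifications; it is exactly the set of accounts the assessment in this article is meant to surface.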
Some employees balked at being fingerprinted because of privacy concerns, Ahmed says, but he adds, "I was expecting a lot more resistance than we got."
Once employees learned how the fingerprints were being used and secured, he says, they came on board.
Of course, automation will only take you so far. Another crucial element of identity management is educating your employees about information security. Ahmed says that launching an annual employee training program was one of his first steps.