StrategyBy Gary Bolles
Technology: Identity Management
Identity Management is complicated for even the simplest of enterprises. But the ROI can be compelling.
In the classic Marx Brothers movie Horse Feathers, Harpo is asked for a password, which the audience knows is "swordfish." If an identity management system had been in place, the silent comedian would first have had to display a smart ID card and give a thumbprint to authenticate who he was, then define what he wanted access torather than simply pulling a fish from his pocket.
Long considered a mundane and esoteric aspect of IT security, identity management is rapidly gaining visibility as the linchpin around which companies are organizing their risk-management efforts. But for most organizations, identity management isn't a simple set of problems with easy solutions. Instead, it's a host of ongoing challenges that must be dealt with over time.
What is identity management? It's "managing all the aspects of a user's online identity in a coherent method," says John Pescatore, research director for Internet security at Gartner Inc. Burton Group, a Midvale, Utah-based consulting firm, defines it as "a set of processes, and a supporting infrastructure, for the creation, maintenance and use of digital identities." Says Burton President Jamie Lewis: "It's about making the right things available to the right people at the right time, and then having audit and logging capabilities that show what happened."
For most companies, the downside of ad hoc identity management is obvious. Giving new employees access to every application they need can take weeks, slowing productivity dramatically. Support costs to provide access to applications can be huge, with analysts claiming that up to 40 percent of help-desk calls concern employee passwords. Managing security changes when someone's promoted or transferred tends to be a complex process that may never be the same twice. And many companies have little or no idea whether employees they fire or lay off can still gain access to the system, creating serious risks until security audit time rolls around.
Substantial costs and looming liability should send a wake-up call to every CIO making clear the need to improve their identity management. Companies need to know who's accessing what data and what it's costing to maintain that accessand provide a bulletproof audit trail detailing how it's all being managed.
Ask Your IT Staff:
What is it costing us to try to keep track of who's who?
Ask Your Vendors:
What is the range of costs for an identity management initiative?
Ask Your Security Auditors:
Which critical identity management issues do you care about the most?
Sure, identity management can be a huge problem. Dare to think small.
Once companies gain a general understanding of their major identity management issues, the natural response is to try to deal with every one of them all at once through a single major initiative. But experts say it's far better to take a step-by-step approach, focusing first on critical areas of security exposure and support costs. How do you make sure, for instance, that an employee who's been fired has actually been removed from every point of access?
That's a huge problem for the average company wrestling with a pile of old and new applications, each with its own proprietary access method. Even the simplest forms of user identitynames and passwordsare often embedded so deeply into legacy applications that coordination of user names and passwords into something that looks like the near-mythical "single sign-on" can be a nearly insurmountable task. Ted DeZabala, a partner in the enterprise research group of Deloitte & Touche's consulting division, recalls one effort at a Fortune 100 financial services firm to determine how many "identity infrastructures" the company was managing through its various applications. The answer: 186.
The right course is to try to standardize and simplify, over time, the many different processes for managing access to critical data. In some cases, this will be a relatively straightforward process. Automated provisioning systems, for example, can take the pain out of adding, changing and deleting permissions and users, saving data entry and help-desk costsfor $20 to $50 a head. But they won't solve every problem. Given legacy systems that can hang on for decades, coupled with the explosion of Internet-era applications, analysts say there will always be programs that resist easy integration.
It's the non-technical issues that cause some of the biggest problems. Political hurdles can impede the effort to integrate identity management, because some corner of the organization or other will inevitably react badly to attempts to enforce cross-department standards. And business processes can be very tough to change, because some users will always prefer to work the way they always have. "We can come up with the niftiest technical solutions possible, but if people don't use them, they don't do the enterprise any good," says Bennett Griffin, CEO of security vendor Griffin Technologies.
Ask your IT staff:
How many "identity infrastructures" do we have?
Ask your chief IT strategist:
How can we get the business side to agree on a more standardized approach to identity management?
Ask your internal audit department:
If we can define the increased certainty we'll gain by increasing control over user identity, will you authorize the budget?
Customer identity management can be an opportunitybut tread carefully.
Only a decade ago, the idea of providing customers access to internal corporate systems was unthinkable to most IT shops. Today, it's standard operating procedure. And with that access comes a raft of identity management problems that can make internal difficulties pale in comparison.
Once a business begins managing information about its customers, it may look for ways to share that information with partners. Take, for example, customers who visit United Airlines' Web site to make a reservation. To offer them rental cars from United partner Hertz, United must seamlessly hand off its customer registration data to Hertz. That kind of integrated identity management, known as "federation," is increasingly being discussed as a golden opportunity for businesses with online presences. "We look at this as a control issue," says Kevin O'Neil, president of the International Security, Trust & Privacy Alliance (ISTPA), an industry consortium. "Who's going to enroll people, who's going to maintain it, who's going to traffic in this data?"
Yet growing government oversight and customer concerns about safeguarding personal information mean corporations must think through all the ramifications of their actions before venturing too deep into processes that make customer data more widely available. For example, the Health Insurance Portability and Accountability Act of 1996 (HIPPA) clearly defines rules for sharing patient information between healthcare organizations, such as requiring that only authorized people can see specific data. Without explicitly defined marching orders for healthcare IT departments, the way applications manage identities can open an institution up to substantial risk.
But analysts say most discussion of federation is still just thatdiscussion. Though Microsoft's .NET Passport is already in use, much criticism has been leveled at its centralized identity database. And efforts such as the Liberty Alliance, a group of vendors attempting to streamline cross-corporation identity management, are still nascent. "That's two to three years away from being anything useful," says Gartner's Pescatore.
Ask Your E-Business Constituents:
How much does the ability to share customer information with our partners matter today?
Ask your legal department:
What are the laws in our state that govern our identity management actions?
Ask your business colleagues:
Can we save money by streamlining the process by which we buy and sell product with other businesses?
There are a lot of moving parts involved in identity management, and it's going to get worse.
Despite the fact that many companies are juggling access by so many different users to so many different applications, we may all look back at this period as a time when life was simple.
CIOs today benefit from a number of advantages, say experts. Though many of the public key infrastructure, or PKI, initiatives of the past decade were nonstarters, certain standards are more widely accepted today than they were even a few years ago. For example, there is no more argument about the standard protocol for gleaning information from directory services: LDAP, the Lightweight Directory Access Protocol, has won. That means organizations are free to standardize methods for sharing data between directories.
But many standards are not yet solidified. "There is such a standards free-for-all going on, with different standards bodies grabbing different pieces of the elephant," says ISTPA's O'Neil. "As long as that Tower of Babel continues to go on, there will be confusion."
Internally, corporations have to struggle with the complexity of their own custom and legacy applications in order to simplify the business rules used to control access. Say, for example, a particular user is authorized to purchase no more than $50,000 of goods a day. Right now, analysts say, enterprise access management systems can't effectively manage that. So even straightforward but critical user access controls can't be completely centralized.
Meanwhile, the regulatory landscape continues to shift. The Sarbanes-Oxley Act, which mandates stricter financial reporting, will have a seismic effect on identity management in public companies. As CIO Insight pointed out in the December 2002 issue, IT departments are coming to realize they'll need to increase spending to respond to the law's stricter financial reporting rules and faster deadlines. But companies must also guarantee that sensitive information that might affect a company's stock price cannot be viewed by any but sanctioned people, significantly raising the bar for both internal and external digital identity management.
How can IT departments manage all of this complexity? Analysts say it comes down to good planning. The corporation's overall risk-management plan must encompass all major aspects of employee and customer identity. The security model built from the risk management plan has to anticipate a broad range of both users and applications all attempting to access critical corporate data. And because major identity management issues can only be solved over time, IT departments need to work from an identity management roadmap that helps determine what problems must be solved, and when.
Ask your CTO:
What critical technical standards are affecting our identity management efforts?
Ask your CFO:
How much legal risk do we run by providing internal access to our financial systems?
Tell your it architect:
We need a roadmap for identity management.
Please send questions or comments on this story to firstname.lastname@example.org.
The Burton Group points to four phases of employee identity management. Trying to separately "provision" names and passwords through each of these steps, for a variety of security-related software, can be a nightmare. The solution: Centralized processes that update identity information automatically.
: Mount Sinai NYU Health">
Strategic Profile: Mount Sinai NYU Health
Mount Sinai NYU health is a five-year-old health services organization comprising six hospitals and 17 affiliates on two main campuses. After an exhaustive analysis aided by Gartner Inc. And theBurton Group, the company chose Novell Directory Service (NDS) to power a digital identity directory service supporting a physician's portal.
CIO: Stuart Sugarman
Problem: Doctors were logging into a variety of critical systems, such as operating-room scheduling and patient profiles, requiring them to remember difficult user ID and password combinations. And they couldn't connect to those systems remotely.
Goal: MSNYU Health wanted to build a central directory service that would authenticate users for a broad range of activities, giving them the feel of a single sign-on for a variety of applications.
Strategy: Integrate all the remote and portal access identity management processesfrom linking to the physicians' virtual private network to accessing portal applicationsinto a single system.
Challenges: Programmers had to use centralized programming methods, so getting them to code new applications to NDS's system was tough. And integration to a centralized health service Oracle database, which would allow more sophisticated identity management by centralizing a broad range of employee information, is yet to be done.
ROI: No formal ROI was calculated, but management readily signed off on the project because sign-on simplification was clearly so valuable.
Assessment: "I think of it as more of a user-driven requirement than an IT initiative that we just came up with on our own," says Sean Welsh, director of core engineering for Mount Sinai NYU Health.