A Perspective on Identity Management

Organizations have many mundane tasks that are crucial to the organization’s ability to function efficiently on a day to day basis. These tasks such as provisioning and de-provisioning of user accounts are driven by internal and external changes in the organization due to policy, personnel changes and regulatory compliance mandates.

While these tasks can be done by manually by your internal IT staff it does not enable the organization to timely and consistently execute on these repetitive and mundane tasks like an Identity Automation system. Further, these tasks are also a direct expression of what the organization policy is in regards to providing access to physical and electronic resources. What must be considered is that internal IT Staff may be very good at providing these services, what happens when they are sick, on vacation or leave for another job. More likely, what if they are swamped with infrastructure project are over worked or buried in other day to day tasks.

Regardless of reason for the absence of these key personnel it impacts the organization negatively. The result is access permission (keys) to the organization’s services are not properly maintained resulting in potentially security breaches, delay in servicing request and impacting other projects or departments. For example, a terminated employee may gain improper access to data or services while the operational personnel are struggling to with day to day workloads. Correcting these issues will result in an expenditure of time and effort from employees, managers and support personnel to identify and correct the required access controls. Take an afternoon to perform the exercise of quantifying this type of potential breach, and then multiply it by the number of times per week this could (and probably does) happen. Congratulations, you just found your IDM budget!

When you look at it from this perspective, providing an Identity Automation system to address these key day to day tasks is an critical organizational objective. However, making the best technological choice to support the organization short term, medium and long term goals in this space is not quite as easy as it seems.

We will be addressing these questions in upcoming posts, so please subscribe.

3 Reasons Identity Management is a “MUST”… and strategies to make it affordable

(Repost from Digital Avenger Blog http://digitalavenger.wordpress.com)

Let me be clear about what I’m saying. Identity Management for companies with employees that have access to critical data is a MUST, not a want.  Over the years I have had the privilege to work with many companies large and small, who have different business needs.  In many cases I hear all the reasons, (and sometimes excuses) for not implementing a solution, policy or methodology. Sometimes these reasons even make perfect sense!  In making any business decision, the choice to do, or not do anything is weighed by what I call the “risk vs. reward scale”.  Regarding Identity Management (IDM), if you have employees with access to critical business information, you MUST put at least basic IDM in place!

So what is Identity Management? Bill Brant, CEO of Directory Service, Inc. says “IDM is the technological automation and enforcement of business policies and processes to manage the lifecycle of electronic credentials, entitlements authorization and compliance mandates.”  If you are in management like me, let me translate in English. IDM automates your logins so your company is secure, and you don’t lose millions of dollars, PLUS it increases productivity so you can make millions of dollars. The following are my top three reasons IDM is a must, not a want.

Reason One (1):   Provision of new employee credentials

Companies that do not have Identity Management spend days to weeks to properly provision a new employee, and with a high probability of improper provisions.  The popular method used to accomplish this task is a simple email request.

Typical email thread:

HR to IT Admin:  “Jack is starting today with us, can you get him a login?”

IT Admin to HR: Sure what does he need?

HR to IT Admin: “He is working in Sales, ask his supervisor.”

IT Admin to Supervisor: “Jack is starting today, and I need to get him a login, what accesses does he need?”

Supervisor to IT Admin: “I don’t know, how about just copy the access rights from Jill, she’s been here a while, so whatever she has must be right?

Risk to the company:  Jill was the Engineering Manager and Marketing Supervisor before becoming the top sales person in the company.  Each new position gave her role specific rights that were never properly taken away as she changed roles.  Now she is being used as the “template” for user rights to new hires.  Jack the new hire, just gained access to engineering blueprints, and new “go to market” strategies. In addition, the back and forth emailing took two weeks because the supervisor was on vacation.  Adding a face slap to a poke in the eye, Jack the “new hire” is still being paid even though he had no access to do his job. Sound familiar?

IDM to the rescue:  A company with IDM could implement automated provisioning of credentials by role.  A company would define the accesses any given role can have, and further, lock out accesses for roles they should not have i.e. the janitor does not need access to the accounting system.  The IDM system’s automatic provisioning process tool performed this task in seconds, and Jack was properly provisioned before he sat at his new desk.

Reason Two (2): Deprovisioning of terminated employee credentials.

In a company without Identity Management the same situation occurs as in the scenario above, but with more immediate consequences.  The popular method of conducting deprovisioning of credentials in a company without Identity management is by way of a simple email request.

Typical email thread:

Supervisor to HR: “Jack has been terminated immediately for bad attendance. Please put all the termination protocols in place. He has been removed from the facility, but he did not have his badge with him.”

HR to Supervisor: “Out of Office Reply” I’m sorry, but I’m out of the office the next two weeks on my honeymoon.  I my absence please contact the supervisor”.

Supervisor to Manager: “I just fired Jack, and need the termination protocols, but HR is out of the office, what now”?

Manager to Supervisor:  “Who is her Backup in HR?”

Supervisor to Manager:  “I am, but I don’t know the protocol.”

Manager to HR:  “when you get back from your honeymoon, please terminate the supervisor, he hired Jack who we think may have stole engineering plans and sold our marketing plan to the competition after he was terminated because he still had his accesses for the last two weeks! Of course we cannot prove it.” (side note to reader Yes IDM applies here too for compliance and auditing, but that is another article… Marc).

Manager to CEO:  “I have no idea how our engineering blueprints and our marketing plan got into the hands of our competition?”   It must have been Jill, she has rights to both of those areas. By the way, I’m hearing our client list is being aggressively called by our competition as well.  It couldn’t have been Jack, he’s been fired for weeks now.”

Ok obviously I was on a little bit of a roll there with the Manager reply, but I think you get the picture.

IDM to the rescue: A company with IDM could implement automated deprovisioning of credentials by Identity.  In this scenario, Jack could have been deprovisioned before he was even out the door.  If he tried to access his client database from home, he would have been locked out.

Reason Three (3): Identity Synchronization and Password management

Did you ever think that 3M would produce the world’s largest and most used Identity Management and password vault tool! It is true! Its call the “Post-IT” note, and it can cost you millions.

Some people may get basic Directory Services and Identity Management confused. Directory Services are a key part of IDM because this is where the Identities are managed. For example, Active Directory, eDirectory, LDAP, are all network directory services.  What about your applications that maintain their own “directory service database? This may be your custom built Inventory application, or ERP system for example.  How do you get these systems to talk?  If you do not have Identity management, you create separate login credentials for each sub system, and have your end users become the (Identity Management).  This becomes the Identity Management by “Post-IT” note that was mentioned earlier.

IDM to the rescue:  With IDM, companies can synchronize their user passwords between directories and application directory databases giving your end users a single password to manage for all systems.  The next step would be to implement SSO, or single sign on, which automatically uses a single login event to sign into multiple databases eliminating the need to manually login to multiple systems many times. I stop short of saying SSO is a “MUST” for all businesses, but it sure is up on the list of “should haves”.  I reserve the right to be on the fence on the “SSO vs. Identity sync only” discussion depending on the client needs.

Password management is bundled into this category, but I could add this to the list on its own.  Some may argue that this is not IDM because it is a directory service component, but I believe it is a component of IDM, so take it for what it is worth.  Password management in this scenario would be more than just enforcing strong password policies; it would include “self service password” assistance using challenge response questions and secure authentication methods like multi factor authentication and one time passwords.

Strategies that make it affordable:

There are many different products out there that can facilitate Identity Management and Access Controls. Some of the best are made by Novell, Sun, Oracle and IBM.  Recently, the Identity Management space has become somewhat commoditized in what I would call the “basic IDM” space. This would be the space I touched on today, with provisioning / deprovisioning, password management, and synchronization of identities. Some of this functionality is being built into the OS and Directory Services of some vendor products from Novell and Microsoft.  Novell has Domain Services for Windows, eDirectory, and the IDM bundle edition that ships with Novell Open Enterprise Server 2 (OES2).  Most major directory services vendors have free self service password management tools available for eDirectory, Active Directory, Sun Directory Server etc).  New companies are building targeted IDM solutions based on open source like, GreyTower from Directory Services, Inc., and Sun. These solutions can be implemented without licensing costs, but also sell support and maintenance if you need it.

Take the first steps. Contact your trusted Identity Management advisor and discuss your options. Make sure they are not tied to any single vendor or you will get a single option presented that may not fit your business.  Remember, IDM is a MUST!

Hello, from your new contributor... New things in store.

I'm happy to have been invited to contribute to the Directory Services Blog.  In my blog "Digital Avenger, I have written a few articles from my point of view on subjects including Identity Management.  In the upcoming months I expect to contribute some of my thoughts here on some of the Identity Management strategies and methodologies that I hope help educate and challenge your views of Identity Management.  I'll be the first to admit, I'm not the nuts and bolts guy.  That would be Bill Brant, CEO of Directory Services whom I've been working closely with over the years.  I'm the big picture guy, and at the end of it all, I'll do my best to be honest and forthcoming.

I'd like to leave you with a taster.  Bill and I have been working on some new tool sets and methodologies for Identity Management and integration by leveraging a product authored by Bill that will add flexibility and agility to your Identity implementation, while bringing existing licensing costs down.  The foundation Open Source product has been in use for years in some very large companies all over the world, but we are expanding the focus and scope to solve several business processes over several market segments.  Our simplest goals are always to fulfill at least one of the following, and hopefully all:  1. Reduce Costs 2. Increase Productivity 3. Minimize Risk.

To keep informed, please subscribe.  We are looking for Case Study Organizations and Early Adopters.

I'm looking forward to hearing from you.  Take care, and I hope you enjoy.

-- Marc Potter