You’ve got thousands of employees tapping into a dozen internal enterprise applications apiece, a growing base of external business partners and a slew of customers visiting your new portal. You need to give this fluid population the right channel for reaching their authorised resources. You need an identity management system.
An identification management system will help stem a flood of user-access complaints and serve as an essential bulwark to your security system. If you don’t have one, build one. But build it right the first time by addressing your most pressing needs now, with an eye toward adding features in the future. There are proven ways to do this, so don’t be the poor soul who doesn’t get it right the first time.
“I was talking to a client the other day who was developing a very customised proprietary [identity management] solution that didn’t leverage standards,” says Roberta Witty, an analyst at Gartner. “The application was very questionable from an infrastructure perspective. You have to ask, Who’s liable in that case?”
Most identity management projects can be divided into planning, adopting standards, determining when to centralise password administration and when to delegate it, and leveraging early successes to cost-justify future initiatives. Here are some tips for implementing an identity management project.
1 Plan a quick-hit list. Start by determining what portions of identity management will make the most positive impact on your business today. For example, one of the states began looking at its identity management needs in January 2000, its Office of Information Technical Services (ITS) determined that the most important thing to address first were password resets, which chewed up 40 per cent of helpdesk costs, according to Ann Garrett, chief information security officer for the state.
“We have 75,000 users using different systems who were forgetting their passwords, and I couldn’t afford to be in business any longer,” Garrett says.
ITS wanted a tool that would give users the ability to reset their own passwords with a challenge-response system; it chose Oblix’s NetPoint.
“The system has a Resume feature, so when a user forgets their password, all they have to do is answer a secret question, which takes the overhead off the administrator,” explains Brent Roberts, the state’s identity administrator. Now, he adds, password reset requests have dropped to nearly zero.
2 Plan for the long haul. But it wasn’t just the immediate password reset needs that the state looked at, continues Roberts. ITS also took into account the state’s long-term access initiatives, starting with a Web-based portal that state employees can use to access their human resources and other interoffice data, which was recently deployed online.
“We needed an infrastructure that could support the coming on board of agencies in phases,” Roberts explains. “So we put workflow and policy into the system that lets employees change some of the noncritical fields, such as an office phone number. But other fields, like what data resources an employee has access to, are handled by their managers.”
The next initiative is to open certain data first to state-based businesses and later to citizens. For that, the infrastructure must also support a variety of endpoint access controls such as tokens, smartcards and biometrics, which may be coming in 2005, Roberts says.
3 Think standards. The only way to facilitate the state’s short- and long-term plans was to build an identity infrastructure based on standards, which is another reason the state decided on Oblix, Roberts says.
For starters, Oblix works with the state’s current directory standard, Lightweight Directory Access Protocol. But it also supports current and up-and-coming Web-based standards, including an XML-based authentication and authorisation standard called Security Administration Markup Language and an emerging provisioning standard called Service Provisioning Markup Language — both of which come out of the Organisation for the Advancement of Structured Information Standards.
With standards-based infrastructures, you can plug in new rules and roles, and you can add cross-vendor identity management applications as they develop, says Gary Loveland, a partner in the security and privacy practice at PricewaterhouseCoopers in New York. In addition, a standards-based infrastructure makes it easier to grant access to outside business partners without making them use the same products you use, Witty said.
4 Know when to centralise administration. Just as many organisations prefer to centralise administration of user accounts, says Loveland. This choice is usually made when a company determines that its most important identity management problem is inconsistent user data and rogue internal user accounts, particularly when workflow policy is already centralised around the company’s human resources system.
This element of identity management is called user provisioning. For example, ProBusiness Services, a human resources outsourcing services and technology vendor determined that its most immediate ID management problem was cleaning up inaccurate user account information for its 1500 distributed employees whose metadata (telephone numbers, titles, spellings and the like) was often different to that stored in the company’s Siebel Systems human resources system.
Human resources wanted to maintain control of adding new users and provisioning their resources, along with deleting users and deprovisioning their resources upon termination or transfer. In addition, human resources requested a system that could help enforce hiring, staffing and salary guidelines and alert the human resources managers when such policies are violated, says Phil Blank, vice president of IT at ProBusiness.
For this, Blank’s team settled on WaveSet Technologies’ Lighthouse Enterprise Edition because it has built-in connectors to Siebel and because it could provision anything — access to data resources, telephones, office space, even parking spaces. More importantly, it keeps user data consistent from application to application. And it automatically deprovisions access to data resources, ending the dangerous problem of having rogue passwords that trespassers can use to break into systems.
“The payback,” Blank says, “is the human resources folks say they’re seeing tremendous efficiencies in terms of accuracy of user information. And they don’t have to spend so much time doing clerical work.”
5 Work in phases, and justify each through ROI. Baking in money-saving and efficiency features like the human resources policy enforcement tools that ProBusiness added will go a long way toward helping IT departments justify subsequent phases of development, says Wendy Steinle, director of marketing for Novell’s Nsure identity management products.
And identity management is a lot easier to bite off in phases, say IT managers. Start with steps that can show a return on investment or cost savings, such as reduced helpdesk costs, which Garrett believes will pay for the state’s identity management system in two years. She uses these numbers to cost-justify future projects, such as the addition of more robust access controls.
“Identity management done the right way can save a lot of money,” Steinle adds. “That takes planning, evaluating your solution options, building a roadmap and creating measures of success.”
6 Know when to delegate. About half of PricewaterhouseCoopers’ clients start their identity management projects to address Web-based access needs, says Gary Loveland, a partner at the consultancy. Doing this successfully calls for a delegated administration system, which lets end users start the process of registration themselves and delegates management of their user identities to department managers or systems administrators.
Nowhere is delegated administration more critical than in a business like Covisint, an online exchange for vehicle builders, their suppliers and industry trade groups. With so much competitive information at stake, Covisint must guarantee that the 100,000 users logging on to the exchange to bid on work and to access manufacturer specifications and other data cannot skip around to reach their competitors’ data, says Dave Miller, Covisint’s chief information security officer.
But managing all those user IDs was impossible to do centrally, Miller says, and the number will soon double when DaimlerChrysler is added to the identity management system. So, with the help of RSA Security’s ClearTrust identity management suite, Miller has brought the number of user IDs under his domain to a manageable 10,000.
To do this, he established a root administrator at each of Covisint’s member organisations to manage their own in-house users accessing the portal, he says. Importantly, ClearTrust is also able to handle complex hierarchies of delegated administrators, since some of them are also responsible for managing accounts at their subsidiary companies.
Access approvals are finalised through an automated e-mail trail between the requesting administrator, Covisint and the manufacturer. Deprovisioning is also handled through e-mail.