How do you launch a multimillion-dollar identity-management effort at a company that has 129,000 employees in seven business sectors, spread across 50 states and 25 countries? For defense contractor Northrop Grumman, the answer is simple: one well-planned step at a time. “We think it’s better to take a somewhat measured pace and minimize the risk of disruption, rather than go for a big bang,” says Keith Glennan, VP and CTO.
About a year and a half ago, Northrop Grumman began looking into identity-management systems to improve security, facilitate regulatory compliance, make it easier for users to log on to multiple systems (without using multiple passwords), and reduce the provisioning and password-management burden on IT. Glennan’s team ran a pilot with a few hundred users across the company in early 2004. In addition to automated provisioning, the pilot also used smart cards and linked user network log-ins to application log-ins.
The pilot was successful on two fronts: It showed how identity management could make life easier for users and for IT, and it highlighted identity-related policy issues that needed to be ironed out before such a system could be implemented companywide.
“Policy is at least as big a challenge as the technology, because you have to make a lot of decisions about what rules you’re trying to enforce,” Glennan says. “It gets into cross-functional jurisdictional issues in terms of who can create identity, what is the authoritative source of identity within the company, and how you deal with outside people who need access to your systems.”
When the pilot was completed, a steering committee that included representatives from HR, IT and security debated policy issues. They decided to make the HR system the authoritative source of identity so that it would drive the identity-management process, including e-mail provisioning. “Effective identity management requires the elimination of multiple points of identity creation,” Glennan says.
The team also decided that Northrop Grumman’s procurement organization will create identities for suppliers and business partners that need access to the company’s systems. (In the future, Northrop Grumman plans to move to a federated identity-management architecture to ease the process of working with suppliers and business partners not on its network.)
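The policy decisions above, that HR is the one authoritative source for employee identities and procurement owns identities for outside parties, are the kind of rule a provisioning system enforces by reconciling its directory against those sources on every run. The following is an added illustration, not Northrop Grumman’s code or any vendor’s product; the record format, the source names “hr” and “procurement”, and all sample data are constructed assumptions. It shows the four outcomes such a reconciliation produces: accounts to create or enable, accounts to disable, orphan accounts that no authoritative source vouches for, and identities claimed by more than one source (the “multiple points of identity creation” Glennan wants eliminated), which are held back rather than acted on until jurisdiction is settled.

```python
"""Reconcile a directory against authoritative identity sources.

Added example (not Northrop Grumman's code). Assumptions: each
authoritative system exports records tagged with its source name, and
the directory is a simple uid -> enabled map. Sample data is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Record:
    """One identity record as exported by an authoritative source."""
    uid: str
    source: str      # system asserting this identity: "hr" or "procurement" (assumed names)
    active: bool     # source says the person/partner should currently have access


@dataclass
class Plan:
    """Actions the provisioning run would take, grouped by kind."""
    create: List[str] = field(default_factory=list)    # in a source, no account yet
    enable: List[str] = field(default_factory=list)    # account disabled, source says active
    disable: List[str] = field(default_factory=list)   # account enabled, source says inactive
    orphan: List[str] = field(default_factory=list)    # enabled account no source claims
    conflict: List[str] = field(default_factory=list)  # claimed by more than one source


def reconcile(records: Iterable[Record], directory: Dict[str, bool]) -> Plan:
    """Compute the provisioning plan. `directory` maps uid -> account enabled."""
    claims: Dict[str, List[Record]] = {}
    for r in records:
        claims.setdefault(r.uid, []).append(r)

    plan = Plan()
    for uid, recs in sorted(claims.items()):
        # Two authoritative systems asserting the same identity is a policy
        # violation, not a provisioning event: report it and take no action.
        if len({r.source for r in recs}) > 1:
            plan.conflict.append(uid)
            continue
        active = any(r.active for r in recs)
        enabled = directory.get(uid)        # None means no account exists
        if enabled is None and active:
            plan.create.append(uid)
        elif enabled is False and active:
            plan.enable.append(uid)
        elif enabled and not active:
            plan.disable.append(uid)

    # Anything enabled in the directory that no source vouches for was
    # created outside the authoritative process and must be reviewed.
    for uid, enabled in sorted(directory.items()):
        if enabled and uid not in claims:
            plan.orphan.append(uid)
    return plan


# Constructed sample data: HR feed (employees) and procurement feed (partners).
SAMPLE_RECORDS = [
    Record("jdoe", "hr", True),
    Record("bsmith", "hr", False),          # terminated in HR, still enabled below
    Record("mlee", "hr", True),             # new hire, no account yet
    Record("rfox", "hr", True),             # returning from leave, account disabled
    Record("acme-vendor01", "procurement", True),
    Record("jdoe", "procurement", True),    # procurement also created jdoe: conflict
]

# Constructed directory state: uid -> account enabled.
SAMPLE_DIRECTORY = {
    "jdoe": True,
    "bsmith": True,
    "rfox": False,
    "acme-vendor01": True,
    "legacy-admin": True,     # nobody authoritative claims this one
    "oldvendor": False,       # unclaimed but already disabled: nothing to do
}


if __name__ == "__main__":
    print(reconcile(SAMPLE_RECORDS, SAMPLE_DIRECTORY))
```

In practice the `create` list is also where downstream provisioning such as the e-mail account hangs off, which is why making HR the single origin of the `create` event matters: if a second system can also create the same uid, the reconciliation cannot tell which record is authoritative and the safe behaviour is to stop and report, as the `conflict` branch does.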
Glennan plans to re-architect directory services and to roll out an automated provisioning capability, which will take about 18 months. Once the infrastructure is in place, he says, his team will work its way through Northrop Grumman’s entire application portfolio, prioritizing which apps should be linked to the identity-management system for user provisioning and sign-on. Apps with the largest number of users will be enabled first, and those with only a few users may never be enabled.
So-called single sign-on is not really Glennan’s goal. “We’re using the term ‘reduced’ sign-on because single sign-on misses the point of linking the objective to business value,” he says. “We’re interested in single sign-on for applications that really make sense to have single sign-on, in terms of saving time and improving security.”
Northrop Grumman’s identity-management road map looks like a ski slope with two parallel tracks, one charting the rollout of core directory services infrastructure, the other showing the identity-management policy and procedures that will be enabled by that infrastructure. As the tracks wind their way down the mountain, enterprise value increases. The value comes from faster provisioning and from better reporting and analysis for audit, compliance and so on.
Glennan urges CIOs embarking on an identity-management project to make sure they have a clear understanding of how identity management will drive enterprise value in their organizations. “Once you understand that, you can create your own ski-slope diagram that makes sense in your environment.”