Tom King, CISO of Lehman Brothers Holdings, had what seemed like a relatively simple idea. If his company could automatically grant access to financial trading applications from a central provisioning system instead of on an app-by-app basis, it could both increase the efficiency of its workforce and keep better tabs on who was using what applications. It soon became clear, however, that setting up such a system was merely one step in a very long process.
First, King had to develop a single repository for identity information within the company—he had to know who the users were before he could grant them access to the applications. And each application would need links to the new identity repository. King soon found himself mired in a full-scale identity management project.
That was three years ago. King is still far from done. “I don’t see an end to it,” he says. “There are literally hundreds of applications” that should be part of the identity system.
So why bother with identity management at all? Because the returns can be impressive. According to a survey of more than 7,500 top IT execs cosponsored by CIO and PricewaterhouseCoopers, the top two strategic security initiatives for CIOs during the next year are to block unauthorized access to systems and to monitor systems activity (see “The State of Information Security 2003,” Page 79). Identity management systems can help you do both. They also let CIOs provide new employees with almost immediate access to the applications they need (and take away access from former employees just as quickly). And since authentication (you are who you claim) and authorization (you’re allowed to do what you’re trying to do) occur at one location, employees can access all their applications with a single user name and password, a move that can dramatically cut down help desk calls.
With benefits like those it’s no wonder that consultancy NerveWire found that 38 percent of the 145 companies it surveyed expected an ROI of as much as five times on their identity management investment, and another 10 percent expected even higher returns. But few companies have achieved such numbers yet. The CIO-PWC survey, for instance, found that among North American respondents, only 9 percent reported that their identity management projects had achieved their objectives.
Too often, identity management projects become too large or cumbersome to finish on schedule. After all, there will always be more applications to integrate into the system. King has reached that point at Lehman Brothers.
“We’re at a crossroads,” he says. “We have to decide how far we are going to go with it.”
Who Has Access to What
Part of the problem is confusion about what defines identity management. Vendors use the phrase to mean any number of things, from single sign-on applications to certificate authentication. Yet such technologies are really just add-ons to identity management.
Essentially, identity management is a system that serves as the authoritative identity record for an entire company. Each entry in the system should contain all the identity information associated with one individual—an employee, customer or partner—from name to Social Security number to employee identification number. This identity data can then connect to a company’s existing systems, ultimately granting new users automatic access to applications (a process called automatic provisioning), allowing for password consolidation or “single sign-on” to multiple, linked applications, as well as providing the company with a detailed audit trail.
For most companies, however, that vision is far from a reality. “If you don’t have identity management, there are all sorts of ways that people will get [access],” says King. Most often a user calls the application administrator demanding access; if the user is belligerent enough he gets it. In such an ad hoc environment, there is no way for a CIO to guarantee that employees gain access to only the applications they require. Furthermore, access levels can vary within applications. For instance, one of the first applications King linked to the identity management system was a Web-based intranet application that helps employees monitor their benefits. If employees want to view general benefit data on the intranet, their basic log-on credentials are sufficient. But if they want to browse confidential data related to their own benefits, the system requires an additional factor, like a secure ID token.
Beyond mere provisioning, identity management can also track who used what application when, providing CIOs with an application audit trail. That can be instrumental in helping companies comply with government regulations such as the Sarbanes-Oxley Act. Pete Sattler, chief e-business officer and CIO of manufacturing company SPX, says Sarbanes-Oxley is the top driver behind his company’s identity management project. (Sarbanes-Oxley requires that companies certify that no one has tampered with quarterly and annual financial reports, and having audit ability is the only way to guarantee that.) Sattler has other reasons, however. Fifty percent of his company’s help desk calls come from managers and users who have either forgotten their passwords or need their IDs changed—calls that experts say can cost a company up to $25 a pop. “Those go away when this goes live,” he says. In the new system, each employee will have one user name, password and PIN. If an employee forgets his password, he can simply log on to the company intranet, enter his PIN and a key phrase, and automatically reset his password. That alone will pay for the project over time, says Sattler. (Employees may be less likely to forget their PIN because, unlike the password, it doesn’t have to be changed as frequently.)
What Integrates with What
Of course, identity management has more than its share of challenges. The first and most time consuming is integration. Currently, no standards exist for identity records and authentication processes. Security assertion markup language (SAML), an XML framework, is gaining momentum in standards organizations such as Oasis and the Liberty Alliance, but it is awaiting formal standardization. As a result, not only do old applications not have a single format for identity information, but neither do new ones. “I may be psattler in one system, Pete Sattler in another and [something else] in a third,” says Sattler. Identity management vendors have created tools that let CIOs synchronize most Web-enabled applications to an existing identity directory in a matter of hours. Older applications, however, require more time and oversight. In some cases, it may be a simple matter of building an application program interface, or API, that links the application to the identity database so that it can tell the application that psattler is Pete Sattler. But even those cases may require initial (not to mention expensive and slow) human oversight to make sure that one system’s psattler isn’t actually Paul Sattler instead of Pete.
Furthermore, older applications that don’t have APIs, as well as mainframe applications lacking Web front ends, will require manual integration. This fact has driven many CIOs to phase in identity integration, starting with the most important applications. Sattler, who has so far linked only his company’s identity directory to the company’s white pages application, says that his plan is to go after “the applications with the biggest influence up front and then slowly start chipping away.” That means tackling Lotus Notes and the virtual private network first. He then expects to add the company’s three ERP systems and the HR system to the list.
“I don’t envision ever having all of my systems [integrated],” he says. In some cases, the cost of integration is prohibitively expensive. In such cases, he’ll just let the applications run the way they’ve always run.
Who Owns the Data
Terry Howell, enterprise portal program manager for the U.S. Navy, which is currently undertaking its own massive identity management project, agrees with Sattler. “The problem is that [integrating the legacy system with identity management] is pretty much a manual process,” he says. “It is going to be hard. But that’s not the scary part. The scary part is the politics that are on top of that.” In fact, the biggest obstacle to identity management is the battle over who owns identity data and who controls access to it.
For example, the Navy’s identity management effort has been hamstrung by the process by which IT projects get funding: Each project has to be approved by Congress, have a dedicated administrator, and until now, it usually has had its own infrastructure. The fragmented framework gives individual administrators carte blanche to choose their own identity standards, as well as the power to grant and deny user access.
Howell says that so far, Naval administrators have been reluctant to let his team take away that control. The Navy has “tried everything under the sun” to get them to migrate to the new identity system. It has even slowed the project so that the estimated finishing date has been pushed back from 2004 to 2009. Moving forward, however, often requires a heavy hand. “We beat them up until they do it,” Howell says, only half-joking. He has, in fact, had to “publicly guilt” someone, openly naming him to higher-ups as impeding Naval modernization.
Most private-sector CIOs haven’t had to take such drastic steps, but they do acknowledge that getting people to commit to new identity systems requires a lot of convincing. And in some cases, it’s simply not worth the effort. Such is the case at Nucor, a $4.8 billion, highly decentralized steel producer. CIO Scott Messenger says he didn’t even try to wrest control of divisional HR applications away from their long-time owners—he knew that would be a losing battle. Instead, corporate made its own identity database, which contains all the employee information from the divisions, but the database interacts with divisional applications only in a few places, such as the financial reporting function. “We need centralized reporting,” says Messenger, who simply added a layer on top of the existing divisional software. The divisions still control the applications, but corporate can tell who is using what and when, while simultaneously controlling access. The integration was still reasonably complex, says Messenger, but it wasn’t anywhere near as complex as running all the divisional applications off of the identity management system—and it didn’t require a lot of politicking.
What’s the Password?
Even after the problems of integration and politics have been licked, a larger issue looms: security. Whenever you have one system responsible for authentication—regardless of whether you have a single sign-on—you create a single point of failure. With an identity management system in place, a hacker would potentially need only one user name and one password to access multiple applications.
Identity management can increase security (by automatically deprovisioning former employees and keeping users from needing to do dumb things such as writing passwords on sticky notes), but only if you demonstrate the proper diligence. “You can think of [identity management] as the ultimate Trojan horse,” says Lehman’s King. “This has got to be the most secure system on your network.”
Having a single database responsible for identity and authentication information—and a single sign-on for access—requires that you enforce use of complex passwords and password updates. Sattler recently tested his new system, which requires employees to use complex passwords containing numbers and letters, against the old approach. “I ran a hacker tool I downloaded, and it guessed my old password in two minutes,” says Sattler. But it would be impossible to enforce the new system if people had to remember 12 such passwords, he says.
Thus, while the single sign-on system is a risk, CIOs agree that the opportunities it presents for cost savings, increased efficiency and better usage-tracking outweigh the potential of an attack. “You are always balancing convenience and access to business applications with risk,” says King.
There’s one last hurdle that CIOs pursuing identity management need to consider: finding a single vendor that can provide you with a full identity management suite. That will be difficult, if not impossible. It’s getting better, says Earl Perkins, vice president of security and risk strategies for Meta Group. There has been substantial consolidation during the past year, but right now the muddled vendor landscape just adds to the confusion. Many CIOs are forced to create patchwork solutions with software that handles the identity database from one company, while another company deals with provisioning and a third implements security. Gartner lists only four vendors—IBM, Netegrity, Novell and Oblix—that can deliver anything like a full range of products, with IBM, which went on an identity vendor shopping spree last year, on top of the list. Niche players, however, remain the largest category in the identity industry.
“We don’t expect there to be just one vendor,” says King. “A lot of this will have to be homegrown.”
Still, it hasn’t prevented King from doing identity management. It may require piecing together, but all the pieces fit. “There is huge ROI,” he says. “It’s silly not to do it.”