If you want to know how not to handle identity management, rent Steven Spielberg’s Minority Report. It perfectly captures the problems that can occur when IT doesn’t take proper care of who gets access to what and when. Tom Cruise plays a fugitive cop whose organization never restricts his access to the company’s building and its gee-whiz applications. Had the organization more actively managed employee identities, it could have cut his privileges as soon as he got the boot, thereby thwarting his efforts.
While we hardly live in the high-tech world of Minority Report, organizations today face the same problem managing employees’ access that Cruise’s company did. In this age of heightened security and sensitive intellectual property, companies must be more diligent about shutting down employee access rights across the enterprise once that person leaves, and the sooner the better. Leave those accounts active, and it opens doors for hackers, not to mention the risk of having former workers access systems later on so that they can share confidential information with their new employer or other interested parties. It’s a scenario that plays out all the time, at least according to vendors in the space. “It’s a common problem. It’s a serious problem. Nobody would deny that it’s happening, but few companies would acknowledge with anecdotal evidence that it’s happening to them,” says Jeff Drake, director of Tivoli Security Strategy and former executive vice president and cofounder of Access360, a subsidiary of IBM and provider of provisioning software in Irvine, Calif.
Two Sides of the Coin
Think of identity management as a combination of two processes. The first is provisioning, where IT provides employees and external partners with user names and passwords, resets passwords when users forget them, and removes user accounts when someone leaves the company or changes jobs internally. After the provisioning process comes access management, which makes sure users are who they claim to be, and then determines access privileges based on company policies or an individual’s role with the organization. Single sign-on applications that let users sign on once while gaining access to multiple systems are a form of access management.
Many vendors tend to straddle both processes, but of the players that reside in the provisioning space, the most familiar names are BMC, Novell and Identity Manager from IBM/Tivoli, along with new companies such as Access360 (which was purchased by IBM last September), Courion, Oblix and Waveset Technologies. While their specific techniques vary, those vendors all automate and streamline the time-consuming, costly and cumbersome manual process of giving new employees identities and access rights, and changing access rights for employees who change roles in the company.
Jonathan Penn, a research director for Cambridge, Mass.-based Giga Information Group, says provisioning can save as much as 50 percent of all IT time spent on user account management, such as creating new accounts, changing accounts and disabling accounts. Add help desk costs for password resets at $25 per incident (by Giga’s estimate), and the cost of provisioning and managing passwords quickly adds up. (Provisioning systems, meanwhile, cost $100,000 and up for pilot projects and $1 million or more for broad enterprise rollouts.)
Management costs were certainly an issue at Burlington Northern Santa Fe Railway (BNSF) in Fort Worth, Texas. The time and resources to provision, deprovision, and modify employees’ identities and access rights were getting out of hand, says Rick Perry, director of enterprise operations and security. Whenever BNSF hired a new employee, the manager in charge of that person would fill out a paper form specifying which applications the employee would need to access. The manager would then send the document to the user registration group. Oftentimes, says Perry, the information on the form was incomplete, and IT would have to call the manager for clarification. Finally, someone in the user registration group would configure every application for access by the new user. Perry says the process could take hours, or even days, depending on the type of user. As a result, the user registration group needed weeks of advance notice to have an identity and access rights ready when an employee came on board. If the group didn’t get enough lead time, new hires could arrive on their first day, only to discover that they didn’t have access to the systems they needed to do their job.
Deprovisioning users was an even bigger problem for BNSF, as it is for most companies that support a large seasonal workforce. In addition to the time-consuming account shutdown process, the registration group always ran the risk of missing an account among all the applications that BNSF’s 38,000 employees used. According to a Meta Group survey, most companies shut down access to only 10 out of an average of 16 systems that employees have access to.
To combat the confusion, during the second half of 2001, BNSF began using Waveset’s provisioning product, Lighthouse. With a few mouse clicks on the corporate intranet, managers can quickly select which applications their new hires will be able to use. Access requests automatically proceed to any other managers who need to provide further authorization for specific applications. Then the form arrives at the user registration group, where, with another click, Lighthouse collects the form data and syncs it with the appropriate systems. “Now we can manage accounts across multiple platforms from a single workstation,” says Perry. The whole process works in reverse, as well. “When someone leaves the company, we have a single place where we can make changes without having to go to each platform,” he adds.
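The gap the Meta Group figure describes (accounts left alive on some of an ex-employee’s systems) is what a periodic reconciliation between the HR record and each application’s account list is meant to catch. The following is an added example, not code from the article or from any vendor it names; the HR feed, the per-application exports and the employee ids are all constructed for illustration.

```python
# Added example: orphan-account audit. Reconciles an HR status feed against the
# accounts each application still holds, flagging anything deprovisioning missed.
# All data is constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    system: str
    account: str
    reason: str

# Constructed HR feed: employee id -> (name, status).
# "terminated" means the leaving date has passed; "active" is still on payroll.
HR_FEED = {
    "e1001": ("Alice", "active"),
    "e1002": ("Bob", "terminated"),
    "e1003": ("Carol", "active"),
}

# Constructed per-application account exports: system -> {account: owner id}.
# A None owner means the application cannot map the account to any employee.
APP_ACCOUNTS = {
    "email": {"alice": "e1001", "bob": "e1002", "carol": "e1003"},
    "erp":   {"alice": "e1001", "bob": "e1002", "dave": "e1099"},
    "vpn":   {"bob": "e1002", "svc-backup": None},
}

def audit_orphans(hr, apps):
    """Return accounts that should not exist: owned by a terminated employee,
    owned by an id HR has never issued, or with no recorded owner at all."""
    findings = []
    for system, accounts in apps.items():
        for account, owner in accounts.items():
            if owner is None:
                findings.append(Finding(system, account, "no owner on record"))
            elif owner not in hr:
                findings.append(Finding(system, account, f"unknown employee {owner}"))
            elif hr[owner][1] == "terminated":
                findings.append(Finding(system, account, f"owner {owner} terminated"))
    return findings

def systems_still_holding(apps, employee):
    """Which systems still carry an account for this employee (the '10 of 16' measure)."""
    return sorted(s for s, accts in apps.items() if employee in accts.values())
```

Run against a real HR export and real application account lists, the findings list is the deprovisioning backlog; an empty list for a terminated id is the condition a single-point deprovisioning process like the one Perry describes is meant to guarantee.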
Once a company provisions identities and users log in to systems with their user names, passwords, biometrics, tokens or digital certificates, access management applications kick into gear. Those products, from companies such as Entegrity Solutions, Netegrity, OpenNetwork, RSA and (once again) BMC, Novell, IBM/Tivoli and Oblix, make sure users are who they say they are and prevent individuals from accessing systems they have no right to use. Like their provisioning counterparts, those applications can also be based on corporate policies or the employee’s role within the company.
The crossover from provisioning to access management by some vendors isn’t accidental. While many corporations currently look for best-of-breed solutions to their provisioning and management needs, some analysts and vendors believe that the market is moving toward the goal of a complete, single-source identity management platform as the various players expand their product offerings. (Courion, for instance, started by providing software to automatically reset passwords, but the company now offers a variety of more advanced provisioning tools. Likewise, IBM expanded its identity management portfolio with its acquisition of Access360.)
That total platform has yet to appear, however, so Dallas-based supply chain software vendor i2 Technologies chose to go the best-of-breed route. The company’s IT department cobbled together applications from different vendors, including Access360 for provisioning, along with solutions developed in-house to build an identity management infrastructure. The foundation of the infrastructure is an enterprise directory, which consolidates identity information from most of i2’s corporate systems into one place. John Frazier, director of infrastructure services, says i2 layered Oblix’s NetPoint on top of the directory to control access to webpages on the corporate portal. For instance, using NetPoint, the finance department defined rules that describe which employees can access a file share the department manages and makes available via the corporate portal. Those rules go into action when employees log in to the portal. If a saleswoman signs in, for instance, she won’t get access to the file share: her user name and password are matched against her identity information in the corporate directory, and that identity falls outside the access rights defined for the share in NetPoint. The benefit of this approach is that i2 can simply define access rights by group, rather than having to do it all on a person-by-person basis.
Not So New
If this notion of managing users and their access to systems from a single place sounds familiar, it should. Identity management is “a new name for an old concept,” says Chris King, an analyst with Meta Group based in Burlingame, Calif. IBM even had an access management offering in the 1970s called RACF (Resource Access Control Facility). The reason why the topic is getting so much attention these days, according to vendors and analysts, is because it combines three benefits: security, efficiency and productivity. And right now, all three are in vogue with IT, according to King.
It’s easy to understand why that’s the case. When handled correctly, identity management can help CIOs reduce costs, better serve their internal customers and increase security.
“All of this is geared toward efficiency and making [IT] easier to do business with,” says BNSF’s Perry.
Automating provisioning and access management also relieves IT workers of having to respond to niggling requests for new passwords, and frees them up to work on more strategic projects, as was the case at i2. After addressing the company’s identity management woes, i2’s IT group was able to focus its time and effort on high-priority projects for the company, including a sales-force automation system. Says i2’s Frazier, “At the end of the day, that’s what our internal customers want more than anything: for us to give them tools that make their lives better and easier.”