|Innovating The Next Big Thing||June 20, 2013|
• Analyst Insights
• Enterprise Insights
• Network & Information Security
• Enterprise Mobility
• Remembering 9/11
Next Innovator Group
Feedjit Live Web Stats
• Ghost City
Evaluating Your Identity and Access Management Options
Sep 17, 2007 – By Nelson Cicchitto, Chairman & CEO, Avatier Corporation
Who needs identity and access management? At some level, every organization does. But deciding which level of IAM you need, and how to deploy it successful, requires a bit of planning. Based on his years of experience implementing IAM at some of the world’s largest corporations, Avatier Corporation Chairman & CEO Nelson Cicchitto provides his step by step advice for understanding and evaluating the various stages of an IAM deployment.
Three years ago, Linnie Gooch, an IT manager at Wescom Credit Union realized he had a growing security problem. The company’s employee population had grown rapidly in recent years and the IT staff no longer knew everyone in the company. That meant that the usual method of screening employee requests for a new password – by recognizing the voice on the phone – wasn’t working any longer.
“When I first started six years ago there were only 300 users and we knew everyone’s voices,” says Gooch, manager of server administration and helpdesk. “As we grew to 500, 600, 700 users, we couldn’t keep a handle on who we were talking to on the phone. We needed a way to make sure we weren’t re-setting passwords for the wrong person and compromising accounts.”
The solution, Gooch and his staff discovered, was to automate the process via an identity and access management application that employees could access themselves. Employees could prove their identities either by using their current password or an alternate piece of information, and then reset the password, all without having to bother the help desk staff.
Not only did that enhance security, but it also cut help desk calls dramatically – by 75%.
Wescom’s situation illustrates the benefits that organizations can realize by automating identity and access management. Organizations need better automated security solutions not only to decrease their risk from external and internal security threats, but also to take the administrative burdens off of IT and improve the productivity and efficiency of IT and other employees.
Moreover, regulatory requirements have forced organizations to take a hard look at how secure their applications and databases are against theft. Given that virtually all organizations have employee and customer data on their systems – social security numbers, birth dates, credit card accounts, etc – all carry a substantial risk of liability should a security breach occur.
Unfortunately, organizations have been slow to implement IAM controls. According to a recent report by the Aberdeen Group, a Boston-based IT research firm, an estimated 40% of all firms are performing at sub-par levels when it comes to automating access to core business information. And, they note, that’s assuming a fairly modest goal of equipping 40% of a company’s business functions with automated access. If the bar were raised to 60%, says Aberdeen, most businesses would be at a sub-par level.
While most large organizations have begun implementing identity and access management projects, few have fully deployed IAM across the enterprise nor have they deployed IAM at its most advanced capabilities. IAM has ten stages, or layers, of capabilities that can be successively deployed. Most companies attempt to implement several phases at once with limited success or complete failure.
The Ten Stages of IAM Deployment
What, exactly, does identity and access management entail? Identity management involves administration and policy creation, while access management entails enforcement of those policies. Together, IAM is a hierarchical collection of security practices and technologies, each new stage building on the prior one.
Typically, the most efficient and practical way to approach an IAM implementation is by deciding where your organization is currently in this hierarchy, and then deciding whether, and how, to move up to the next level. Ideally, you’ll reach a stage at which 80% of your security needs are met, and the remaining 20 are either low-risk items or have minimal impact on the bottom line. Organizations that attempt to get 100% coverage by implementing all IAM stages in one mega-project inevitably wind up with a nightmare -- a never-ending deployment, ever-increasing costs, and the inevitable political infighting.
Rule number one: Preparation and politics. Understand as your organization implements the later phases there is less a vendor or product can do to prepare your organization for those stages. The later stages require more hands-on involvement by your organization to implement and typically more upper management support.
Rule number two: Pick your benefits. Before selecting any IAM phase determine which of the following four benefits are most important to your organization and then determine which of the four that phase will addressed by deploying that phase of IAM.
The top four main benefits of IAM:
1. Cost Reduction
2. Improved Security
3. Achieving Compliance
4. Improving Efficiency through Automation
Rule number three: Don’t panic. It is easy to become overwhelmed by any IAM project. If possible attack the lowest hanging fruit first. Remember to use the 80/20 rule. Usually 20% of your applications or provisioning processes generate 80% of headaches. Automate them first.
The ten phases of IAM are:
Phase One. Password management. It’s an oft-quoted fact that 30% of all helpdesk calls involve password problems. So the first phase of IAM is aimed at automating that 30% of calls. This first stage is password management -- an automated solution for managing password assignment and resetting passwords via phone or desktop.
It enables users and customers to do limited self-service management of their accounts without bothering IT. For instance, they can reset passwords if they’ve forgotten them or as passwords expire.
Because a password management system is fairly easy to cost justify to a CEO (that 30% reduction in help desk calls translates into hard payroll dollars), it is represents the “low hanging fruit” of IAM and should be implemented before moving on to other phases.
Phase Two. Password policy enforcement. Every organization needs security rules, including rules about how passwords may be created, used, reset, and so forth. In phase two, you need to create policies that will protect passwords from being stolen or guessed by outsiders, but which don’t over-burden users. An automated policy manager will enforce those password policies, for instance by not allowing a user to put his user name as the password, or create a password of less than seven letters, or use common words and names. Easy-to-guess passwords are extremely vulnerable to exploitation by outside thieves, so ensuring the enforcement of corporate security rules is critical to network security.
Phase Three. User de-provisioning. Once you’ve got password management and password policy enforcement in place, you’re now in a position to move up to a de-provisioning solution. De-provisioning is much more than simply pulling the plug on a user ID. It involves terminating access to multiple accounts across various systems, archiving mailboxes and directories that may be required in case of an audit, and deleting the account from the system. It eats up time the IT staff could use for other projects and, conversely, if left undone exposes the system to access by disgruntled ex-employees. Automating the de-provisioning process increases security and takes one more administrative burden off of the IT department’s shoulders.
Phase Four. User provisioning. This involves the automating of account creation across multiple systems and platforms. It’s a big step up on the ladder, because this is the first stage that requires you to define user naming conventions, roles for employees, and what levels of access to various systems each role requires. However, the benefits of automating this level are significant, because once you’ve defined the roles, you no longer have to manually provision each new employee. You can simply assign them a role or job code and the provisioning software will handle the rest. No more guessing if the new HR assistant is supposed to be able access individual payroll information or not, or trying to remember which printer is closest to the new persons’ desk. Conversely, some products allow you to simply select and copy a source user to a target account. For organizations that cannot afford to reap the benefits of User Provisioning and do not have the time to define roles, this option works well.
Phase Five. Self-Service Role Matrix and Rights Management. This stage is even more dependant upon systems your organization must have in place prior to deploying this type of solution. In this phase the concept of automated self-service password management is taken one step further, to enable your end users to request access to specific systems and accounts and have the authorization handled automatically by a predetermined workflow. For instance, an assistant accounting representative might submit a request for access to a sensitive system such as payroll, or to certain restricted functions such as the ability to change data or tables. The employee request is then forwarded, based on the preconfigured workflow, to managers authorized to approve such access. This also enables new employees to self-provision themselves, by inputting their name and job code and getting the necessarily approvals to access whatever systems are part of his or her job code. Existing employees also benefit because they will have a self-service method for updating their employee contact info. However, this phase is impossible to achieve without an organizational chart, defined roles, and for some products a high level workflow design in place prior to rollout.
Phase Six. Metadirectory. Many organizations believe they need a single directory that contains identities of all of their disparate directories. Metadirectory is, as it sounds, a combined directory of the metadata on all enterprise data located on all of the organizations’ servers. It sounds like this phase could be fairly automated, however that is far from the truth. To bring all of these identities together on a scheduled basis requires someone to manually check identity mappings of critical identities as well as monitor the automated process. For environments with over 200,000 employees and several unique identity repositories this technology does not scale well.
Phase Seven. Enterprise Reduced Single Sign-On. From a user perspective, it’s considerably more convenient to sign on just once for access to all applications and databases, rather than h having to log on to each system separately. So enterprise reduced single sign-on is a phase that can help boost user productivity by reducing security-related tasks. But just like the prior phases, this phase requires even more preparation by your organization before it can be successfully deployed. Prior to deploying any SSO technology you must identity the apps you want to enable, record the logon process of each app, test sso, determine who you should distribute the app too, and maintain the sso process as interfaces to web apps change. Additionally, it is best to rollout sso applications from the easiest to most difficult. The easiest apps includes recording the logon macros for your internal Web applications; next easiest application to tackle are your external Web applications (such as Expedia, Partner sites, and other Web sites); moving on the third is to automate your Windows 32-bit applications; and fourth phase requires automating would legacy or java applications.
Phase 8. Authentication Services. For highly security conscious firms, authentication is a key element of identity and access management. As the traditional “Who you are, what you know and what you have” saying illustrates, a user ID and password are only two of three possible ways to make sure the correct person is gaining access. The third, required along with the first two, is some hardware element – a smart card or dongle or VPN—that determines which applications will be accessible to you. Many organizations never get this far up the security latter, and many don’t need to. However, if you do decide to implement this phase be prepared for even more planning and a disruptive change to existing authentication procedures.
Phase 9, Enterprise Access Management. Enabling restricted access to web applications is the primary goal at this phase. In this phase you must identify which web apps and end users you want to provide restricted access to, enable those apps, test restricted access, monitor access of resources, and distribute the restrictions to end users.
Phase 10, Federated Identity Management. There are hardly any organizations which have implemented the last phase, federated identity management. Like phase 6, the majority of firms don’t really need this phase for better security or work efficiencies, and it can be both expensive and problematic to implement.
Federated identity management gives users the ability to log onto one network and be able to then access all trusted networks. While all of the prior phases of IAM provide elements of federated management, full federated identity management also entails access to networks of trusted partners, and their access to your network. The complexity of enabling partners to access internal systems is enormous. It requires not only technology for ensuring secure and automated access by outsiders, but also requires negotiation and agreement between the two organizations first. There are liability issues to be considered, contracts that must be drafted, and, finally, the technical details how the partners will access systems, what level of access they will be granted, and what their responsibilities are in the event an employee loses a password, leaves the firm, etc. For most organizations full federated identity management is unnecessary. For a few, however, who engage in constant data exchanges with highly trusted partners, it is becoming a necessity.
Deciding on the Next Step
How can you tell if your organization really needs to move to the next phase of IAM? What factors will tell you which of the phases is the “ideal” one to aim for as part of your long-term security roadmap?
Fortunately, determining the benefits and ROI of moving through the funnel isn’t really all that complicated. In fact, it boils down to just four basic factors, or questions, that can be used to evaluate a planned deployment. If it rates well on even one of the factors, it may be a good move if that particular factor happens to be a high priority for the organization. But if it does well on three or four, then the considered deployment is probably long overdue.
The four factors for considering an IAM investment are:
Cost savings. Does the organization save money by implementing the new solution? Certainly in the case of Wescom Credit Union, there was a savings in terms of reduced help desk calls and an implied savings in preventing a security breach, which could have proved costly.
A second company, Circles, a provider of loyalty management programs, implemented password management to reduce the number of help desk calls from employees who had lost or forgotten their passwords. In the first year, they estimate that the savings achieved amounted to $4,100 and, at the end of year three, close to $26,000, primarily in staff time.
To determine if there is a cost savings to be had, evaluate the major costs associated with your current way of handling IAM and how much those might be reduced through automation, deducting any yearly maintenance costs or license fees that the new software will incur.
Increase in security. Does the solution provide better protection for the network or the enterprise? One measure of that is whether it provides extra accountability and audit trails for system access and authorization.
Compliance. Does the solution help your organization meet new security requirements, such as by archiving records or logging details of all user activity on the system in case of a future investigation?
Efficiency gains. This overlaps somewhat with cost savings, although not all efficiency gains are easily translated into hard dollar savings. But any solution that automates a formerly manual activity is likely to be increasing efficiency and, at the same time, reducing the chance of human error.
As already noted, each IAM technology phase will likely have different factors driving its adoption. At Circles, for instance, Ian Roche, technical operations analyst, says that the company plans to implement single sign-on and, eventually, user provisioning and de-provisioning.
The single sign-on is needed, says Roche, to improve employee efficiency and to improve security. .
“We have a number of different applications that require users to log in with unique user names and passwords. They’re not going to remember them all, so they may be inclined to tape them to their monitors or write them on their desk – not good security practices,’ notes Roche.
The user provisioning and de-provisioning, however, would mainly improve the efficiency of the IT department. As Roche explains, “It take a lot f time to set up user accounts, delete user accounts, and do all of those sorts of things in a timely manner. We tell the business we need two weeks to provision a new user now, to be on the safe side.”
Obstacles to Success
#1. Lack of Management Buy-in. This is the number one reason that all IT projects fail. The problem many IT managers and project leads have, of course, is figuring out how to get executive buy-in and how to know when you’ve really got it. Getting management buy-in entails proving to upper executives that the IT project you propose will either A,) save the company money like automate process to avoid outsourcing or B) make the company money like facilitate integration of an acquired firm’s billing system . If it doesn’t somehow link to either of those two options, then their enthusiasm is bound to be weak. While IT people often have a hard time proving a return on things like better security, there are nonetheless many hard and soft-dollar returns. As already noted in this article, the cost of a security breach can be huge, and likewise a fine for non-compliance with a government regulation can be expensive and detrimental to the company’s public image. There are also easy-to-show efficiency gains and cost savings from reduced staff time, maintenance, lower bills from outsourcers, etc. Just get out your calculator and start looking.
The second problem is how to know you’ve really got buy-in, and not just a smile and a pat on the head. Years ago, I was charged with deploying a new application for a large petroleum company. Most of the users were highly paid experts who were not interested in changing their work habits. Thanks to strong support from upper management – in the form of a company-wide email as well as a printed letter from the top boss – they adopted the new application with a minimum of complaints. Achieving management buy-in means getting printed letters and emails directly from the top executive explaining the new implementation and why it is good for the company. Anything less than that and you don’t have management support -- and you won’t have the support of end users either.
#2. User Adoption. This is the second most common obstacle, and one that is closely linked to lack of management buy in. The first rule in getting users to adopt a new IAM implementation is to make it clear that the boss’ boss’ boss is mandating it for the good of the company. They need to understand that it’s not your pet project; IT is simply carrying out the boss’ orders. The second is to use either a carrot, or a stick, or both to encourage compliance. For example, you might tie enrollment into the password management program to a work-from-home program. Employees who enroll can work remotely. Those that don’t, can’t. Or, like Wescom Credit Union, you might simply tell the helpdesk to turn away users who call for help resetting their passwords and to tell them to reset their own passwords from their desktop.
“The hardest part was getting users to use it and not call us,” says Linnie Gooch of Wescom. “We had to send memo after memo. And finally people started to realize that we won’t do it for them anymore.”
In addition, he says, the password management application had been programmed to send an automated reminder email to all users every single day until they enrolled. The nag factor was a big element in achieving an eventual 100% enrollment.
#3. Competing Departmental Needs. This is a political problem that will arise with just about every new IT implementation in an organization with more than a few dozen employees. Every department has its own mission and its own set of problems and, given that IT implementations inevitably touch every department, each will want to exercise control over the project. The key here is not to cede control, but to take the time to get input from every major stakeholder and device a plan that aims to satisfy the core needs of most groups. Ask each to develop a short list of fundamental requirements and see how many of those can be combined into a workable solution.
#4. Scheduling Conflicts and Reorganizations. Inevitable, just when things are going along well, your top engineer gets sick, or has a family emergency. In these cases, you can’t change events but you can have a Plan B and Plan C ready for the loss of important team members. Good documentation and information-sharing between IT staff helps to ensure critical deployment information doesn’t reside only in one employee’s head.
When it comes to re-organizations, there is even less that you can do to prevent the inevitable. However, assuming that you’ve gotten full management buy-in and this is still a priority, the mere fact of a reorganization shouldn’t derail the project. Continue to show how your IAM project will streamline or assist in the re-organization.
The Long-Term View
Regardless of whatever phase of IAM your organization happens to be at, the long-term strategy should be to regularly evaluate your security needs and decide how well the current IAM technologies are meeting those needs.
Few organizations have completed the entire IAM funnel. But the ones that are successfully mitigating their security risks are those that know why they are at their current level, and under what circumstances they would consider investing in the next layer of IAM technology.
Remember the IAM field is constantly being redefined. Even though IAM has been around for quite sometime new technologies are streamlining this aging industry. Keep an open mind and open eye even after you have settled on an existing solution that met your needs for today. New technologies will drive down your maintenance cost and streamline your processes even further. Most of today’s older IAM technology is revolutionary to deploy and disrupts your current business processes. The next generation of IAM technology allows your organization to evolve as the technology is deployed avoiding costly business disruption.
Nelson A. Cicchitto, a career information technology leader, joined Avatier Corporation in 1995 as chairman and CEO. He has over 20 years of experience setting information technology for fortune 100 companies such as Chevron and Pacific Bell.
» Send this article to a friend...
» Comments? Tell us what you think...
» More Network & Information Security articles...
Commentsblog comments powered by Disqus
Support This Site
• 6/17 McAfee Blogs: The Defense Department Lists Mobile Security as a Top Priority
• 6/17 McAfee Blogs: The Strategic Consumer
• 6/17 McAfee Blogs: Keeping Your Small Business Safe from Cyberattacks
• 6/17 McAfee Blogs: Exciting Times for SMBs at National Small Business Week!
• 6/17 McAfee Blogs: Why whitelisting is ready for Enterprise desktops
• 6/13 Gartner Says Cloud Office Systems Total 8 Percent of the Overall Office Market and Will Rise to 33 Percent by 2017
• 6/13 Gartner Says Worldwide External Controller-Based Disk Storage Market Grew 0.6 Percent in First Quarter of 2013
• 6/13 Faultline: Vodafone Kabel Deutschland talks confirmed, deal could be dusted in days
• 6/13 Faultline: Comcast sneaks in Homespot revolution as “Neighborhood Hotspots”
• 6/13 McAfee Blogs: Two Steps are Better Than One: Make a Hacker’s Job Harder with Two-step Verification
• 6/12 Gartner Announces Keynote Speakers for its Supply Chain Executive Conference 2013 in Australia
• 6/12 Gartner Says by 2019, 90 Percent of Organizations Will Have Personal Data on IT Systems They Don't Own or Control
• 6/12 iSuppli: Doing What It Does Best: Apple Reinvents Existing iPhones with iOS7 and Competitive Music Launch
• 6/12 McAfee Blogs: Moving up with McAfee Complete Endpoint Protection
• 6/12 McAfee Blogs: Can you answer these three smart business questions about authentication?
• 6/12 HP Security lab Blog: Top 10 things for security people to do at HP Discover 2013 - Las Vegas, NV
• 6/12 HP Security Lab Blog: HP introduces HAVEn to combat $4 billion cyber-theft in Big Data space
• 6/11 Gartner Says Worldwide Security Market to Grow 8.7 Percent in 2013
• 6/11 Gartner Says Less than 10 Percent of Enterprises Have a True Information Strategy
• 6/10 Ovum: Analyst view: Google to buy Waze
• 6/10 Ovum: Analyst view: Apple acknowledges the need for user interface refresh and is willing to do something pretty dramatic
• 6/10 Gartner Forecasts Indian Business Intelligence Software Revenue to Reach $113 Million In 2013
• 6/10 iSuppli: It’s a Tie: Bosch and STM Hold Joint Honors as No. 1 MEMS Suppliers for 2012
• 6/10 iSuppli: 1.3GW of PV Installations Eliminated by EU Anti-Dumping Duties in 2013; Double-Digit Global Growth Still Likely
• 6/10 Wireless Watch: Small Cell World Summit: industry poised to kickstart volume roll-outs
• 6/10 Wireless Watch: Cisco seeks leading role in wireless via small cells
• 6/10 McAfee Blogs: Syrian Crisis Reminds Us to Beware of ‘Charity’ Scams
• 6/9 Frontline Sentinel: Whistleblower (Edward Snowden) Behind the NSA Surveillance Speaks Out [Interview]
• 6/9 Slate: If the NSA Trusted Edward Snowden With Our Data, Why Should We Trust the NSA?
• 6/8 Gartner Says Business Analytics Will Be Central for Business Reinvention
• 6/8 Frontline Sentinel: Practical Tips to Improve Network Security with What You Already Have: Part 2 of 2
• 6/7 Gartner Says India Enterprise Software Market To Reach $3.92 Billion in 2013
• 6/7 iSuppli: Event Cinema Market Takes Off in Europe
• 6/7 McAfee Blogs: Koobface Count Correction
• 6/6 Ovum: Ovum announces winners of inaugural “BYOX Strategy” awards
• 6/6 Ovum: Analyst view: SFDC acquisition of ExactTarget is expensive, but offers significant product synergies
• 6/6 Gartner Says Worldwide Business Intelligence, CPM and Analytic Applications/Performance Management Software Market Grew Seven Percent in 2012
• 6/6 Faultline: Cloud browsers to gut the set top market – ActiveVideo leading the chase
• 6/6 Faultline: TiVo wins its biggest ever settlement - share price barely nods
• 6/6 Canalys: Canalys launches ‘Partner Program Analysis’ service - The latest addition to Canalys’ leading channels research offerings
• 6/6 McAfee Blogs: Forgo Pressure to ‘Share’ and Boost Your Privacy
• 6/6 McAfee Blogs: Summer Web Safety: A Cautionary Tale About The Internet
• 6/6 McAfee Blogs: Malicious Dating, Ad Services Plague Japanese Users
• 6/6 McAfee Blogs: Locking Down Desktops With McAfee’s Application Control
• 6/6 McAfee Blogs: Fraudulent Adult Dating Services Turn 10 Years Old, Still Evolving
• 6/6 HP Security Lab Blog: Combating professional security threats
• 6/5 Ovum: Ovum warns BYOD is here to stay and urges CIOs to respond with a clear strategy
• 6/5 What to Expect at Apple's WWDC
• 6/5 Gartner Says Organizations Must Treat Information as an Asset in its Own Right
• 6/5 Gartner Looks At The Impact of U.S. Visa Legislation on India Offshore Outsourcing in Upcoming Webinar