|Innovating The Next Big Thing||April 23, 2014|
• Analyst Insights
• Enterprise Insights
• Network & Information Security
• Enterprise Mobility
• Remembering 9/11
Next Innovator Group
Feedjit Live Web Stats
• Ghost City
Evaluating Your Identity and Access Management Options
Sep 17, 2007 – By Nelson Cicchitto, Chairman & CEO, Avatier Corporation
Who needs identity and access management? At some level, every organization does. But deciding which level of IAM you need, and how to deploy it successful, requires a bit of planning. Based on his years of experience implementing IAM at some of the world’s largest corporations, Avatier Corporation Chairman & CEO Nelson Cicchitto provides his step by step advice for understanding and evaluating the various stages of an IAM deployment.
Three years ago, Linnie Gooch, an IT manager at Wescom Credit Union realized he had a growing security problem. The company’s employee population had grown rapidly in recent years and the IT staff no longer knew everyone in the company. That meant that the usual method of screening employee requests for a new password – by recognizing the voice on the phone – wasn’t working any longer.
“When I first started six years ago there were only 300 users and we knew everyone’s voices,” says Gooch, manager of server administration and helpdesk. “As we grew to 500, 600, 700 users, we couldn’t keep a handle on who we were talking to on the phone. We needed a way to make sure we weren’t re-setting passwords for the wrong person and compromising accounts.”
The solution, Gooch and his staff discovered, was to automate the process via an identity and access management application that employees could access themselves. Employees could prove their identities either by using their current password or an alternate piece of information, and then reset the password, all without having to bother the help desk staff.
Not only did that enhance security, but it also cut help desk calls dramatically – by 75%.
Wescom’s situation illustrates the benefits that organizations can realize by automating identity and access management. Organizations need better automated security solutions not only to decrease their risk from external and internal security threats, but also to take the administrative burdens off of IT and improve the productivity and efficiency of IT and other employees.
Moreover, regulatory requirements have forced organizations to take a hard look at how secure their applications and databases are against theft. Given that virtually all organizations have employee and customer data on their systems – social security numbers, birth dates, credit card accounts, etc – all carry a substantial risk of liability should a security breach occur.
Unfortunately, organizations have been slow to implement IAM controls. According to a recent report by the Aberdeen Group, a Boston-based IT research firm, an estimated 40% of all firms are performing at sub-par levels when it comes to automating access to core business information. And, they note, that’s assuming a fairly modest goal of equipping 40% of a company’s business functions with automated access. If the bar were raised to 60%, says Aberdeen, most businesses would be at a sub-par level.
While most large organizations have begun implementing identity and access management projects, few have fully deployed IAM across the enterprise nor have they deployed IAM at its most advanced capabilities. IAM has ten stages, or layers, of capabilities that can be successively deployed. Most companies attempt to implement several phases at once with limited success or complete failure.
The Ten Stages of IAM Deployment
What, exactly, does identity and access management entail? Identity management involves administration and policy creation, while access management entails enforcement of those policies. Together, IAM is a hierarchical collection of security practices and technologies, each new stage building on the prior one.
Typically, the most efficient and practical way to approach an IAM implementation is by deciding where your organization is currently in this hierarchy, and then deciding whether, and how, to move up to the next level. Ideally, you’ll reach a stage at which 80% of your security needs are met, and the remaining 20 are either low-risk items or have minimal impact on the bottom line. Organizations that attempt to get 100% coverage by implementing all IAM stages in one mega-project inevitably wind up with a nightmare -- a never-ending deployment, ever-increasing costs, and the inevitable political infighting.
Rule number one: Preparation and politics. Understand as your organization implements the later phases there is less a vendor or product can do to prepare your organization for those stages. The later stages require more hands-on involvement by your organization to implement and typically more upper management support.
Rule number two: Pick your benefits. Before selecting any IAM phase determine which of the following four benefits are most important to your organization and then determine which of the four that phase will addressed by deploying that phase of IAM.
The top four main benefits of IAM:
1. Cost Reduction
2. Improved Security
3. Achieving Compliance
4. Improving Efficiency through Automation
Rule number three: Don’t panic. It is easy to become overwhelmed by any IAM project. If possible attack the lowest hanging fruit first. Remember to use the 80/20 rule. Usually 20% of your applications or provisioning processes generate 80% of headaches. Automate them first.
The ten phases of IAM are:
Phase One. Password management. It’s an oft-quoted fact that 30% of all helpdesk calls involve password problems. So the first phase of IAM is aimed at automating that 30% of calls. This first stage is password management -- an automated solution for managing password assignment and resetting passwords via phone or desktop.
It enables users and customers to do limited self-service management of their accounts without bothering IT. For instance, they can reset passwords if they’ve forgotten them or as passwords expire.
Because a password management system is fairly easy to cost justify to a CEO (that 30% reduction in help desk calls translates into hard payroll dollars), it is represents the “low hanging fruit” of IAM and should be implemented before moving on to other phases.
Phase Two. Password policy enforcement. Every organization needs security rules, including rules about how passwords may be created, used, reset, and so forth. In phase two, you need to create policies that will protect passwords from being stolen or guessed by outsiders, but which don’t over-burden users. An automated policy manager will enforce those password policies, for instance by not allowing a user to put his user name as the password, or create a password of less than seven letters, or use common words and names. Easy-to-guess passwords are extremely vulnerable to exploitation by outside thieves, so ensuring the enforcement of corporate security rules is critical to network security.
Phase Three. User de-provisioning. Once you’ve got password management and password policy enforcement in place, you’re now in a position to move up to a de-provisioning solution. De-provisioning is much more than simply pulling the plug on a user ID. It involves terminating access to multiple accounts across various systems, archiving mailboxes and directories that may be required in case of an audit, and deleting the account from the system. It eats up time the IT staff could use for other projects and, conversely, if left undone exposes the system to access by disgruntled ex-employees. Automating the de-provisioning process increases security and takes one more administrative burden off of the IT department’s shoulders.
Phase Four. User provisioning. This involves the automating of account creation across multiple systems and platforms. It’s a big step up on the ladder, because this is the first stage that requires you to define user naming conventions, roles for employees, and what levels of access to various systems each role requires. However, the benefits of automating this level are significant, because once you’ve defined the roles, you no longer have to manually provision each new employee. You can simply assign them a role or job code and the provisioning software will handle the rest. No more guessing if the new HR assistant is supposed to be able access individual payroll information or not, or trying to remember which printer is closest to the new persons’ desk. Conversely, some products allow you to simply select and copy a source user to a target account. For organizations that cannot afford to reap the benefits of User Provisioning and do not have the time to define roles, this option works well.
Phase Five. Self-Service Role Matrix and Rights Management. This stage is even more dependant upon systems your organization must have in place prior to deploying this type of solution. In this phase the concept of automated self-service password management is taken one step further, to enable your end users to request access to specific systems and accounts and have the authorization handled automatically by a predetermined workflow. For instance, an assistant accounting representative might submit a request for access to a sensitive system such as payroll, or to certain restricted functions such as the ability to change data or tables. The employee request is then forwarded, based on the preconfigured workflow, to managers authorized to approve such access. This also enables new employees to self-provision themselves, by inputting their name and job code and getting the necessarily approvals to access whatever systems are part of his or her job code. Existing employees also benefit because they will have a self-service method for updating their employee contact info. However, this phase is impossible to achieve without an organizational chart, defined roles, and for some products a high level workflow design in place prior to rollout.
Phase Six. Metadirectory. Many organizations believe they need a single directory that contains identities of all of their disparate directories. Metadirectory is, as it sounds, a combined directory of the metadata on all enterprise data located on all of the organizations’ servers. It sounds like this phase could be fairly automated, however that is far from the truth. To bring all of these identities together on a scheduled basis requires someone to manually check identity mappings of critical identities as well as monitor the automated process. For environments with over 200,000 employees and several unique identity repositories this technology does not scale well.
Phase Seven. Enterprise Reduced Single Sign-On. From a user perspective, it’s considerably more convenient to sign on just once for access to all applications and databases, rather than h having to log on to each system separately. So enterprise reduced single sign-on is a phase that can help boost user productivity by reducing security-related tasks. But just like the prior phases, this phase requires even more preparation by your organization before it can be successfully deployed. Prior to deploying any SSO technology you must identity the apps you want to enable, record the logon process of each app, test sso, determine who you should distribute the app too, and maintain the sso process as interfaces to web apps change. Additionally, it is best to rollout sso applications from the easiest to most difficult. The easiest apps includes recording the logon macros for your internal Web applications; next easiest application to tackle are your external Web applications (such as Expedia, Partner sites, and other Web sites); moving on the third is to automate your Windows 32-bit applications; and fourth phase requires automating would legacy or java applications.
Phase 8. Authentication Services. For highly security conscious firms, authentication is a key element of identity and access management. As the traditional “Who you are, what you know and what you have” saying illustrates, a user ID and password are only two of three possible ways to make sure the correct person is gaining access. The third, required along with the first two, is some hardware element – a smart card or dongle or VPN—that determines which applications will be accessible to you. Many organizations never get this far up the security latter, and many don’t need to. However, if you do decide to implement this phase be prepared for even more planning and a disruptive change to existing authentication procedures.
Phase 9, Enterprise Access Management. Enabling restricted access to web applications is the primary goal at this phase. In this phase you must identify which web apps and end users you want to provide restricted access to, enable those apps, test restricted access, monitor access of resources, and distribute the restrictions to end users.
Phase 10, Federated Identity Management. There are hardly any organizations which have implemented the last phase, federated identity management. Like phase 6, the majority of firms don’t really need this phase for better security or work efficiencies, and it can be both expensive and problematic to implement.
Federated identity management gives users the ability to log onto one network and be able to then access all trusted networks. While all of the prior phases of IAM provide elements of federated management, full federated identity management also entails access to networks of trusted partners, and their access to your network. The complexity of enabling partners to access internal systems is enormous. It requires not only technology for ensuring secure and automated access by outsiders, but also requires negotiation and agreement between the two organizations first. There are liability issues to be considered, contracts that must be drafted, and, finally, the technical details how the partners will access systems, what level of access they will be granted, and what their responsibilities are in the event an employee loses a password, leaves the firm, etc. For most organizations full federated identity management is unnecessary. For a few, however, who engage in constant data exchanges with highly trusted partners, it is becoming a necessity.
Deciding on the Next Step
How can you tell if your organization really needs to move to the next phase of IAM? What factors will tell you which of the phases is the “ideal” one to aim for as part of your long-term security roadmap?
Fortunately, determining the benefits and ROI of moving through the funnel isn’t really all that complicated. In fact, it boils down to just four basic factors, or questions, that can be used to evaluate a planned deployment. If it rates well on even one of the factors, it may be a good move if that particular factor happens to be a high priority for the organization. But if it does well on three or four, then the considered deployment is probably long overdue.
The four factors for considering an IAM investment are:
Cost savings. Does the organization save money by implementing the new solution? Certainly in the case of Wescom Credit Union, there was a savings in terms of reduced help desk calls and an implied savings in preventing a security breach, which could have proved costly.
A second company, Circles, a provider of loyalty management programs, implemented password management to reduce the number of help desk calls from employees who had lost or forgotten their passwords. In the first year, they estimate that the savings achieved amounted to $4,100 and, at the end of year three, close to $26,000, primarily in staff time.
To determine if there is a cost savings to be had, evaluate the major costs associated with your current way of handling IAM and how much those might be reduced through automation, deducting any yearly maintenance costs or license fees that the new software will incur.
Increase in security. Does the solution provide better protection for the network or the enterprise? One measure of that is whether it provides extra accountability and audit trails for system access and authorization.
Compliance. Does the solution help your organization meet new security requirements, such as by archiving records or logging details of all user activity on the system in case of a future investigation?
Efficiency gains. This overlaps somewhat with cost savings, although not all efficiency gains are easily translated into hard dollar savings. But any solution that automates a formerly manual activity is likely to be increasing efficiency and, at the same time, reducing the chance of human error.
As already noted, each IAM technology phase will likely have different factors driving its adoption. At Circles, for instance, Ian Roche, technical operations analyst, says that the company plans to implement single sign-on and, eventually, user provisioning and de-provisioning.
The single sign-on is needed, says Roche, to improve employee efficiency and to improve security. .
“We have a number of different applications that require users to log in with unique user names and passwords. They’re not going to remember them all, so they may be inclined to tape them to their monitors or write them on their desk – not good security practices,’ notes Roche.
The user provisioning and de-provisioning, however, would mainly improve the efficiency of the IT department. As Roche explains, “It take a lot f time to set up user accounts, delete user accounts, and do all of those sorts of things in a timely manner. We tell the business we need two weeks to provision a new user now, to be on the safe side.”
Obstacles to Success
#1. Lack of Management Buy-in. This is the number one reason that all IT projects fail. The problem many IT managers and project leads have, of course, is figuring out how to get executive buy-in and how to know when you’ve really got it. Getting management buy-in entails proving to upper executives that the IT project you propose will either A,) save the company money like automate process to avoid outsourcing or B) make the company money like facilitate integration of an acquired firm’s billing system . If it doesn’t somehow link to either of those two options, then their enthusiasm is bound to be weak. While IT people often have a hard time proving a return on things like better security, there are nonetheless many hard and soft-dollar returns. As already noted in this article, the cost of a security breach can be huge, and likewise a fine for non-compliance with a government regulation can be expensive and detrimental to the company’s public image. There are also easy-to-show efficiency gains and cost savings from reduced staff time, maintenance, lower bills from outsourcers, etc. Just get out your calculator and start looking.
The second problem is how to know you’ve really got buy-in, and not just a smile and a pat on the head. Years ago, I was charged with deploying a new application for a large petroleum company. Most of the users were highly paid experts who were not interested in changing their work habits. Thanks to strong support from upper management – in the form of a company-wide email as well as a printed letter from the top boss – they adopted the new application with a minimum of complaints. Achieving management buy-in means getting printed letters and emails directly from the top executive explaining the new implementation and why it is good for the company. Anything less than that and you don’t have management support -- and you won’t have the support of end users either.
#2. User Adoption. This is the second most common obstacle, and one that is closely linked to lack of management buy in. The first rule in getting users to adopt a new IAM implementation is to make it clear that the boss’ boss’ boss is mandating it for the good of the company. They need to understand that it’s not your pet project; IT is simply carrying out the boss’ orders. The second is to use either a carrot, or a stick, or both to encourage compliance. For example, you might tie enrollment into the password management program to a work-from-home program. Employees who enroll can work remotely. Those that don’t, can’t. Or, like Wescom Credit Union, you might simply tell the helpdesk to turn away users who call for help resetting their passwords and to tell them to reset their own passwords from their desktop.
“The hardest part was getting users to use it and not call us,” says Linnie Gooch of Wescom. “We had to send memo after memo. And finally people started to realize that we won’t do it for them anymore.”
In addition, he says, the password management application had been programmed to send an automated reminder email to all users every single day until they enrolled. The nag factor was a big element in achieving an eventual 100% enrollment.
#3. Competing Departmental Needs. This is a political problem that will arise with just about every new IT implementation in an organization with more than a few dozen employees. Every department has its own mission and its own set of problems and, given that IT implementations inevitably touch every department, each will want to exercise control over the project. The key here is not to cede control, but to take the time to get input from every major stakeholder and device a plan that aims to satisfy the core needs of most groups. Ask each to develop a short list of fundamental requirements and see how many of those can be combined into a workable solution.
#4. Scheduling Conflicts and Reorganizations. Inevitable, just when things are going along well, your top engineer gets sick, or has a family emergency. In these cases, you can’t change events but you can have a Plan B and Plan C ready for the loss of important team members. Good documentation and information-sharing between IT staff helps to ensure critical deployment information doesn’t reside only in one employee’s head.
When it comes to re-organizations, there is even less that you can do to prevent the inevitable. However, assuming that you’ve gotten full management buy-in and this is still a priority, the mere fact of a reorganization shouldn’t derail the project. Continue to show how your IAM project will streamline or assist in the re-organization.
The Long-Term View
Regardless of whatever phase of IAM your organization happens to be at, the long-term strategy should be to regularly evaluate your security needs and decide how well the current IAM technologies are meeting those needs.
Few organizations have completed the entire IAM funnel. But the ones that are successfully mitigating their security risks are those that know why they are at their current level, and under what circumstances they would consider investing in the next layer of IAM technology.
Remember the IAM field is constantly being redefined. Even though IAM has been around for quite sometime new technologies are streamlining this aging industry. Keep an open mind and open eye even after you have settled on an existing solution that met your needs for today. New technologies will drive down your maintenance cost and streamline your processes even further. Most of today’s older IAM technology is revolutionary to deploy and disrupts your current business processes. The next generation of IAM technology allows your organization to evolve as the technology is deployed avoiding costly business disruption.
Nelson A. Cicchitto, a career information technology leader, joined Avatier Corporation in 1995 as chairman and CEO. He has over 20 years of experience setting information technology for fortune 100 companies such as Chevron and Pacific Bell.
» Send this article to a friend...
» Comments? Tell us what you think...
» More Network & Information Security articles...
Commentsblog comments powered by Disqus
Support This Site
• 4/1 Innovation Insights: Geospatial Technologies and Humanitarian Goals: Can Geospatial Technologies Inspire Sympathy?
• 3/25 Ovum: Ovum comments: SAP and Adobe to jointly resell Adobe Marketing Cloud
• 3/24 McAfee Blog: Online Tax Time Scams: How to Avoid
• 3/24 McAfee Blogs: McAfee SIEM Enables Cloud Security and Reduces time and resources for Compliance demands for DTS
• 3/24 Ovum: Ovum forecasts CSPs’ capex to remain flat, while telecom vendors face a tough marketplace
• 3/24 Gartner Says a Thirty-Fold Increase in Internet-Connected Physical Devices by 2020 Will Significantly Alter How the Supply Chain Operates
• 3/24 Gartner Says Healthcare Providers in Middle East & Africa To Spend US $ 2.8 Billion on IT In 2014
• 3/21 McAfee Blog: Google Docs Phishing Campaign is Frighteningly Accurate
• 3/20 HP Security Products Blog: Happiness is…securing your app before you launch it!
• 3/20 Wireless Watch: Google and Samsung both start with the watch, but then wearables agendas diverge
• 3/20 Faultline: Vivendi picks the devil it knows best in French bunfight over mobile
• 3/20 Faultline: All singing and dancing TV Connect live with OTT, mobile, dongles, RDK
• 3/20 Gartner Says European CRM Budgets Remain Strong Despite Economic Uncertainty
• 3/19 Ovum: Increase in financial markets IT spending points to end of credit crunch
• 3/19 Gartner Says the Internet of Things Will Transform the Data Center
• 3/19 Gartner Says 70 Percent of CIOs Will Change Their Technology and Sourcing Relationships in the Next Two to Three Years
• 3/19 HP Security Products Blog: Big announcements for 4th Annual HP Government Summit
• 3/18 McAfee Blogs: Smartphone Kill Switch Could Become Federal Law
• 3/18 McAfee Blogs: Anxious About Summer Already? Create a Family Gadget Plan
• 3/18 McAfee Blogs: What is a Denial-of-Service Attack?
• 3/18 McAfee Blogs: Four Pillars Build the Foundation of Successful SIEM
• 3/17 McAfee Blogs: Online relationships are Anamorphic Illusions
• 3/17 McAfee Blogs: Experian ID Theft Exposed 200 Million Consumer Records
• 3/17 McAfee Blogs: Adaptive Threat Prevention – Reducing Attack Discovery to Containment in Milliseconds
• 3/17 Gartner Says Worldwide External Controller-Based Disk Storage Market Grew Five Percent in Fourth Quarter of 2013
• 3/13 McAfee Blogs: Anonymous, Syrian Electronic Army Lead Recent Hacktivist Actions
• 3/13 Ovum: Analyst view: EE’s ranking in RootMetrics study reflects its strategy for being one-step-ahead
• 3/13 Gartner Says Middle East & Africa IT Infrastructure Spending will Reach $3.5 Billion in 2014
• 3/13 eMarketer: Desktop Search to Decline $1.4 Billion as Google Users Shift to Mobile
• 3/13 Wireless Watch: Carrier aggregation reaches out to TDD and unlicensed spectrum
• 3/13 Wireless Watch: Carrier SDN needs to unify every network layer to maximize returns
• 3/12 McAfee Blogs: Analyzing the Uroburos PatchGuard Bypass
• 3/12 Ovum: Analyst View: Ovum sees security transformation underway
• 3/12 Ovum: Analyst view: MEPs voted for stronger protection for EU citizens’ personal data
• 3/12 Gartner Says New U.S. Government Rules Will Require IT Leaders to Consider How IT Infrastructure Can Help Promote Employment Opportunities for People with Disabilities
• 3/11 McAfee Blogs: Threats Timeline Tracks Recent Security Breaches
• 3/11 Ovum: Analyst view: Ifetel declares Telmex and Televisa as dominant in their respective markets in Mexico
• 3/11 Gartner Acquires Software Advice
• 3/11 Gartner Announces Customer 360 Summit 2014
• 3/11 eMarketer: AOL Rebounds as Programmatic, Video Push Double-Digit Growth
• 3/11 HP Security Products Blog: Consumers need security intelligence, too
• 3/10 Wireless Watch: WiFi Revisited - The effects of WiFi Offload
• 3/10 McAfee Blogs: Timeline of Bitcoin Events Demonstrates Online Currency’s Volatility
• 3/10 McAfee Blogs: Threat Intelligence Exchange: An Old Dog with Plenty of New Tricks
• 3/10 McAfee Blogs: Network Security Perspective: Point-of-Sale, Data Loss, and the Black Market
• 3/10 eMarketer: Mobile to Surpass Newspapers for UK Ad Spending
• 3/10 Canalys: Technology channel partners set for business transformation in 2014
• 3/9 McAfee Blogs: Welcome to the New McAfee Labs Quarterly Threats Report
• 3/9 Gartner Says Public Cloud Services in the Middle East and North Africa Region on Pace To Total $620 Million In 2014
• 3/7 HP Security Products Blog: How to prevent vulnerabilities in WiFi access points