Identifying Identity Management Needs
March 8, 2010Author unknown
Is your network a collection of different systems and applications? Are there multiple directories and data systems? Are there users and other data objects stored in multiple places? How is the environment managed? How are new accounts created for users each time a new application is added?
Does a single change event cause changes to occur in multiple locations? Is this change accomplished manually, or is it automated?
Chances are, your company is like most other companies. You are spending a lot of money managing information that exists in multiple locations in your network. You have users with an identity in multiple applications and whenever a change occurs to that users’ information, you have to duplicate the task of updating the information in many different places.
Most companies have this problem, multiple databases (directories) with redundant information. Sadly, most companies also haven’t figured out how to address this problem other than by throwing more money at it.
According to Forrester Research, only 8% of large corporations have these disparate data “islands” connected. A whopping 42% synchronize their data manually! The rest are trying to achieve a management solution, but still have a fragmented strategy.
This becomes a management problem that is actually quite easy to compute. If you take the number of users, the number of directories, the amount of common data between them and the amount of change that occurs in your organization, the management expense becomes a factor of all these components multiplied by the administrative costs. The problem grows linearly with each new directory, user or change to the users’ data.
The Burton Group, a highly respected IT analyst and consulting firm provides an estimate of the management costs for a network with only 7 directories and 25,000 users. Based on standard calculations it’s easy to see that redundant management costs account for $312,600 of the total management cost. If the management of this information could be automated, then the cost would reduce from $364,700 to $52,100. Remember that other research indicates that most enterprise environments have many more directories…up to 181 different directories.
Based on this same evaluation, if the same organization had 180 directories, then the management costs would be over $9,000,000 for managing redundant data…a management task that can be reduced to $52,000 if the systems is completely integrated. This is an astounding figure, especially in light of the new solutions that will solve this problem.
Identity Repository Assessment / Inventory
It is well worth the effort to take an inventory of the number of repositories and the resources required to maintain them. The results of such inventories have encouraged enterprises into looking at an Identity management solution.
· This is where the cost justification will be acquired.
· This process will uncover the cost of not implementing a Meta Directory Solution.
· The cost of maintaining platforms and staff to manage all the disparate data repositories should be documented.
· Refer to section “Enterprise Evaluation Process” for help on addressing these issues.
Initiatives Requiring an Identity Management Solution
Most large companies are already starting to grapple with some form of identity management initiative to provide the enabling services needed by:
· Global Address Book applications. Synchronizing mailbox information between the different e-mail directories within a company enables users to locate other users and send them e-mail across differing systems.
· Hire/fire solutions. Propagating information about a newly hired employee – such as title, role and access rights – to all systems that require identity data enables speedy establishment of services, this is know as provisioning. Systems also must perform the same processes quickly in reverse when employees leave to prevent breaches of security.
· E-commerce applications. Synchronizing enterprise identity information, such as digital certificates for suppliers and extranet users is enabled with directories that reside outside of firewalls.
· Single Sign-On initiatives. Managing user name, password and access right information is enabled across many different platforms and applications that use a variety of access control and cryptographic techniques
· Enterprise User Administration (EUA)
· The Gartner research paper on “Enterprise User Administration (EUA) Magic Quadrant FY01” describes EUA in many of the same terms I have used to describe MDS (MDS). It can be concluded that the more sophisticated MDS are a form of EUAs.
Gartner states the EUA market is adapting beyond the traditional operating system and database environment and emerging as the key tool for user access management.
By 2008, 40 % of Type A enterprises will implement EUA products in order to manage their entire business transaction flow and resulting user access requirements for both Web and non-Web applications (0.8 probability).
EUA — sometimes referred to as consolidated user administration or consolidated security administration — allows a security administrator (SA) to manage a number of permissions on behalf of a user. Ideally, adding a new user might be achieved with a single command. In reality, EUA tools reduce the workload of the SA, but do not eliminate it. EUA tools make the SA’s job easier, and reduce turnaround time between request and implementation to less than 24 hours in some cases
EUA Tool Overview
Customers want an EUA product to have the following features:
· Platform support — Operating system (OS), database management systems (DBMS), e-mail, groupware, Enterprise Resource Planning (ERP) and other purchased applications.
· Easy customization/integration with applications not supported “out of the box”
· Web application support, primarily through the management of extranet access management (EAM) products and LDAP
· LDAP management — Initially as a target platform, but increasingly as the repository for user credentials/entitlements
· Technical support — Breadth, depth and geographic availability
· Role-based access control covering the assessment of the current status of users and their entitlements from the existing IT environment (i.e., here are the permissions Fred has); grouping of users into common entitlement profiles for reporting (i.e., these people are all “Tellers”) and granting of entitlements (i.e., please give new employee Fred the things a “Teller” has), and in some cases policy compliance (i.e., Fred is a “Teller” but his permissions deviate from those of the “Teller” role)
· Password management and synchronization
· Bi-directional change synchronization to ensure that changes made at the native platform level are automatically synchronized with the EUA tool
· Delegated user administration for enterprises wanting to distribute the user administration responsibility
· Workflow facility for automating the access request process, often through integration with Human Resources applications
· “Batch job” facility for automated and rapid establishment of entire groups of users (especially important for mergers, acquisitions and application conversions)
· Single sign-on, either through their own solution or through partnership with existing Single Sign-On (SSO) solutions
· Public Key Infrastructure (PKI) support for activities such as certificate management
· Customizable reporting, including a user view and platform view across the environment
· Audit log and reporting of sens
itive activities — for the administration of the product as well as user administration.
Impediments to a Successful EUA Implementation
The main impediments to installing EUA tools are the lack of documented access roles based on business functionality and weakly defined procedures for handling users’ changing roles. Clearly, reorganization places a burden on security administration staff, and a tool that automates even a subset of the mass of changes can help. However, if the rules governing access when a user moves from one job to another are unclear, no automation tool will help. In fact, they will simply highlight the procedural shortcomings the organization must resolve. Customers report that the more time they spend in the planning stages of the project, the more successful the implementation
In an attempt to solve some of these identity management initiatives, companies are implementing some of the solution alternatives that are discussed in this paper. The first step will be defining what is required of an identity management solution.