5/6/2010 03:20 PM

7 Steps To Better Identity Management

Here's what you need to know about managing employee identities in this age of outsourcing and SaaS.

Managing employees' identities, passwords, and access rights has always been a challenge. And now, increased use of outsourcing and software-as-a-service offerings has further complicated things, requiring the use of federated identity management outside the corporate walls.

Setting up and managing federated IDM, which makes users' identity data portable across autonomous security domains, can be complicated and cumbersome. With distributed systems, employees around the globe, and an endless number of technologies to integrate, it's not for the faint of heart.

But if planned properly, there are significant benefits, including improved security, reduced operational overhead, lower support costs, and a better user experience. Identity management lets IT understand who users are, what applications and networks they have access to, and in most cases their job functions. It enables the complete management of an identity, versus providing an isolated view of a single account in a single system.

The key is to understand what identity management technologies are in your environment, how people interact with them, and how they all tie together. What follows are seven steps for tackling these issues and improving the control you have over your environment.

What Are You Managing?

Before you can manage user identities, step one is to know what you're managing. Your identity management approach will depend on how much you have to spend, the technologies that require identity management, and how sophisticated and comprehensive the system needs to be.

Does your company need basic user admin support, or everything from provisioning new users to single sign-on to deprovisioning of users who've left? If your company's growing, adding locations and employees, opting for SaaS applications instead of bringing more applications in-house, then you're better off with more automation of current IDM processes than spending money to bring in new solutions.

Fully automating the provisioning and deprovisioning of employees will cut back on mistakes, provide better security, and result in fewer audit issues. You can go a step further and create templates and expiration dates for employee accounts for application and network access; that will make your auditors happy.

If your company gives system access to outsourced partners, particularly third-party developers with high turnover, then automation is critical. Too often, contractors' accounts are left active long after they leave, or new contractors use the account of the person they replaced because the access provisioning process is so painful.

Where Are The User Accounts?

The next step is to identify the technology in which user accounts reside. This may be a human resource system, SAP, Active Directory, OpenLDAP, or any other employee or user account directory, or some combination of these. HR and payroll systems are the best places to look for a system that identifies which users are legit and active.

You also need to determine what IT's master authentication system is. Is it Active Directory, or some other centralized account repository? If there isn't one, that explains your problem, and it's the place to start.

If you have Active Directory or another system, figure out what is authenticating against it. It may be just your desktops and servers, or it may also include custom applications, database logins, and third-party apps.

Time To Centralize Authentication?

At this point you should thoroughly evaluate whether to move to a central authentication system. One of the keys of federated IDM is having a central place to manage accounts, and most companies find the benefits of central authentication outweigh the drawbacks.

CA's Identity Manager and IBM's Tivoli Identity Manager are among the IDM offerings companies can use whether or not they have a central user directory. Most of these tools do the same job, but each has its own sweet spot. The larger systems such as CA's and IBM's run $100,000 or more and provide full workflow management for provisioning and deprovisioning users, including taking in the initial request, getting authorization, creating an account, and removing an account with one click. These features are what distinguish identity management systems from directory services systems like Active Directory. They let IT import accounts from a master directory or individual system. Once accounts have been discovered and imported, you can map, group, remove, modify or do just about anything else you want to with them.

If there's a master record of employees from HR or payroll, it can be imported through supported connectors or the import of flat files and used to map system accounts to actual employees. Doing this will make it easier to understand the entirety of what a particular person has access to, rather than an isolated view of a single account in a single system.
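The "What Are You Managing?" section above argues for automated deprovisioning, expiration dates on accounts, and catching contractor accounts that are left active or quietly reused, and this section describes mapping system accounts back to the HR master record. The following Python script is an added example, not code from the article or from any vendor it names, of the reconciliation those two ideas imply: the HR roster is treated as the source of truth, account exports from Active Directory and a SaaS application are joined to it by e-mail address, and every enabled account that HR cannot justify is flagged (no HR record at all, enabled after termination, enabled past a contract end date, a logon after the end date, which is the usual sign that a replacement inherited the account, and accounts nobody has used). The CSV exports, column names, e-mail addresses and dates are constructed sample data; the review date and the 90-day stale threshold are assumptions.

```python
"""Reconcile an authoritative HR roster against per-system account exports.
Added example; the CSV exports below are constructed, and column names are assumptions."""
import csv
import io
from collections import namedtuple
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

AS_OF = date(2010, 5, 6)   # assumed review date (the article's date)
STALE_DAYS = 90            # assumed threshold for an unused account

HR_CSV = """\
employee_id,email,status,end_date
1001,alice@example.com,active,
1003,carol@example.com,terminated,2010-03-31
C201,dan@example.com,contractor,2010-04-15
"""
AD_CSV = """\
sam_account,mail,enabled,last_logon
alice,alice@example.com,true,2010-05-05
carol,carol@example.com,true,2010-04-02
dan,dan@example.com,true,2010-05-03
svc_backup,,true,2009-11-01
"""
SAAS_CSV = """\
username,email,active
alice@example.com,alice@example.com,true
carol@example.com,carol@example.com,true
erin@example.com,erin@example.com,true
"""

Finding = namedtuple("Finding", "system account issue")

@dataclass
class Person:
    employee_id: str
    email: str
    status: str                 # active, contractor or terminated
    end_date: Optional[date]    # termination or contract end, if known

@dataclass
class Account:
    system: str
    name: str
    email: str                  # join key back to HR; may be empty
    enabled: bool
    last_logon: Optional[date]  # None when the system exports no logon data

def _parse_date(text):
    return date.fromisoformat(text) if text else None

def load_hr(text):
    """Index the HR roster by lower-cased e-mail; HR is the source of truth."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["email"].lower(): Person(r["employee_id"], r["email"].lower(),
                                       r["status"], _parse_date(r["end_date"])) for r in rows}

def load_accounts(text, system, name_col, mail_col, enabled_col, logon_col=None):
    """Normalise one system's user export into Account records."""
    return [Account(system, r[name_col], r[mail_col].lower(),
                    r[enabled_col].strip().lower() == "true",
                    _parse_date(r[logon_col]) if logon_col else None)
            for r in csv.DictReader(io.StringIO(text))]

def reconcile(people, accounts, as_of=AS_OF, stale_days=STALE_DAYS):
    """Flag every enabled account that HR says should not exist or be in use."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue                      # disabled is the desired end state
        person = people.get(a.email)
        if person is None:
            findings.append(Finding(a.system, a.name, "orphan: no matching HR record"))
        elif person.status == "terminated":
            findings.append(Finding(a.system, a.name, "enabled after termination"))
        elif person.end_date and person.end_date < as_of:
            findings.append(Finding(a.system, a.name, "enabled past contract end date"))
        # A logon after HR's end date usually means a replacement inherited the account.
        if person and person.end_date and a.last_logon and a.last_logon > person.end_date:
            findings.append(Finding(a.system, a.name, "logon after end date: possible account reuse"))
        if a.last_logon and (as_of - a.last_logon) > timedelta(days=stale_days):
            findings.append(Finding(a.system, a.name, f"stale: no logon in {stale_days} days"))
    return findings

def access_view(people, accounts):
    """Map each HR identity to every account it holds, across all systems."""
    view = {email: [] for email in people}
    for a in accounts:
        view.setdefault(a.email, []).append(f"{a.system}:{a.name}")
    return view

def run_sample():
    people = load_hr(HR_CSV)
    accounts = (load_accounts(AD_CSV, "AD", "sam_account", "mail", "enabled", "last_logon")
                + load_accounts(SAAS_CSV, "Salesforce", "username", "email", "active"))
    return people, accounts, reconcile(people, accounts)

if __name__ == "__main__":
    print(*run_sample()[2], sep="\n")
```

On the sample data the script reports eight findings: carol is still enabled in both systems after termination and logged on to AD after her end date, dan's contractor account is enabled past its end date and was used after it, the svc_backup account has no HR owner and no logon in six months, and erin exists only in Salesforce. The `access_view` function gives the per-person picture the paragraph above asks for, every account an identity holds across systems rather than one account in one system; in practice the join key should be the HR employee ID carried as an attribute in each directory, since e-mail addresses get reused.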

Do You Know What External Apps Are In Use?

Once the internal enterprise is understood, look outward. Is your company using SaaS services such as Salesforce.com, social networks, outsourced expense management, and HR systems? With lower operating cost and faster deployment, SaaS offerings can make a great addition to the enterprise--if they have sufficient user management capabilities. If you don't have good tools, managing hundreds of accounts in an outsourced system can suck up a lot of resources.

Query your accounting department and survey employees about what third-party online apps and sites they're using without IT's knowledge. The goal isn't to stop them from using these services but to understand how to better manage them.

The challenge with third-party services will be finding a tool that can properly manage accounts while also managing internal resources. You may need two products or even some custom scripting. Examine the options, and ask IDM vendors and SaaS vendors for suggestions.

Do You Understand Your Workflows?

The next step is to understand workflows. You want to fully understand the process as it is and be able to provide a map showing how it would work differently in a vendor's offering. Look at how users are provisioned, how changes to their access are handled, and how you deprovision them when they leave. How do you add accounts across multiple systems?

Walk through a test of how requests are processed. Do this exercise for edge cases, too, such as external systems like Salesforce, and that system that's always been managed by one person who refuses to let others in.

Use flow charts to document workflows. They're useful as you implement new products and for spotting redundancy in processes.

Do this with the end users. Often we look at the technical processes and forget to ask users what they think of the process, how they understand it, and the pain points they encounter. I recently did this and found end-user views to be very different from those of IT. Problems and misunderstandings in the existing system, if not addressed, will carry over to the new one.

Do You Know Your Limits?

Now that you know the technology, directories, and services you need to integrate with, assess your limitations. Can you manage all of these technologies? Is one product the way to go, or do you need multiple ones?

One easy way to simplify identity management is to tie as many resources as possible into the fewest user directories. For instance, authenticate as many systems and applications to Active Directory as possible. Once you reduce the number of authentication points, implementing an IDM system is easier, there are fewer potential outages due to system changes, and fewer help-desk tickets for forgotten passwords.

Now you have the number of places to manage accounts down to a reasonable level and hopefully back in IT's hands. And if there isn't a lot of employee turnover, it may not make sense to invest in a larger, automated system. Alternatively, automation may substantially improve compliance with requirements like the Payment Card Industry standards. If you stop here, at least you've reduced support costs and improved the IDM process.

Which System Is Right?

There are many vendors in the IDM market, including CA, Conformity, IBM, Logic, Oracle, Radiant, SAP, and Symplified. The other option is to develop an in-house tool, but most companies find that's difficult and ends up costing too much. Off the shelf might cost more initially, but in the long run, it typically works much better as companies grow and add technologies.

Send vendors a list of the technologies you use, have them verify which they support, whether that support adds to the cost, and explain how your processes can be implemented with their systems. Rank them based on your criteria and budget considerations.

Before making a final selection, make sure you've taken time to look beyond what's in place now. You'll likely want to implement some new technology eventually. Ensure that whatever path you take with identity management, it's flexible and allows for additions and changes.

Adam Ely is TiVo's director of security where he's responsible for IT and app security.
