Managing employees' identities, passwords, and access rights has always been a challenge. And now, increased use of outsourcing and software-as-a-service offerings have further complicated things, requiring the use of federated identity management outside the corporate walls.
Setting up and managing federated IDM, which makes users' identity data portable across autonomous security domains, can be complicated and cumbersome. With distributed systems, employees around the globe, and an endless number of technologies to integrate, it's not for the faint of heart.
But if planned properly, there are significant benefits, including improved security, reduced operational overhead, lower support costs, and a better user experience. Identity management lets IT understand who users are, what applications and networks they have access to, and in most cases their job functions. It enables the complete management of an identity, versus providing an isolated view of a single account in a single system.
The key is to understand what identity management technologies are in your environment, how people interact with them, and how they all tie together. What follows are seven steps for tackling these issues and improving the control you have over your environment.
What Are You Managing?
Before you can manage user identities, step one is to know what you're managing. Your identity management approach will depend on how much you have to spend, the technologies that require identity management, and how sophisticated and comprehensive the system needs to be.
Does your company need basic user admin support, or everything from provisioning new users to single sign-on to deprovisioning of users who've left? If your company's growing, adding locations and employees, opting for SaaS applications instead of bringing more applications in-house, then you're better off with more automation of current IDM processes than spending money to bring in new solutions.Fully automating the provisioning and deprovisioning of employees will cut back on mistakes, provide better security, and result in fewer audit issues. You can go a step further and create templates and expiration dates for employee accounts for application and network access; that will make your auditors happy.
If your company gives system access to outsourced partners, particularly third-party developers with high turnover, then automation is critical. Too often, contractors' accounts are left active long after they leave, or new contractors use the account of the person they replaced because the access provisioning process is so painful.
Where Are The User Accounts?
The next step is to identify the technology in which user accounts reside. This may be a human resource system, SAP, Active Directory, OpenLDAP, or any other employee or user account directory, or some combination of these. HR and payroll systems are the best places to look for a system that identifies which users are legit and active.
You also need to determine what IT's master authentication system is. Is it Active Directory, or some other centralized account repository? If there isn't one, that explains your problem, and it's the place to start.
If you have Active Directory or another system, figure out what it's authenticating against it. It may be just your desktops and servers, or it may also include custom applications, database logins, and third-party apps.
Time To Centralize Authentication?
At this point you should thoroughly evaluate whether to move to a central authentication system. One of the keys of federated IDM is having a central place to manage accounts, and most companies find the benefits of central authentication outweigh the drawbacks.
CA's Identity Manager and IBM's Tivoli Identity Manager are among the IDM offerings companies can use whether or not they have a central user directory. Most of these tools do the same job, but each has its own sweet spot. The larger systems such as CA's and IBM's run $100,000 or more and provide full workflow management for provisioning and deprovisioning users, including taking in the initial request, getting authorization, creating an account, and removing an account with one click. These features are what distinguish identity management systems from directory services systems like Active Directory. They let IT import accounts from a master directory or individual system. Once accounts have been discovered and imported, you can map, group, remove, modify or do just about anything else you want to with them.
If there's a master record of employees from HR or payroll, it can be imported through supported connectors or the import of flat files and used to map system accounts to actual employees. Doing this will make it easier to understand the entirety of what a particular person has access to, rather than an isolated view of a single account in a single system.
Do You Know What External Apps Are In Use?
Once the internal enterprise is understood, look outward. Is your company using SaaS services such as Salesforce.com, social networks, outsourced expense management, and HR systems? With lower operating cost and faster deployment, SaaS offerings can make a great addition to the enterprise--if they have sufficient user management capabilities. If you don't have good tools, managing hundreds of accounts in an outsourced system can suck up a lot of resources.
Query your accounting department and survey employees about what third-party online apps and sites they're using without IT's knowledge. The goal isn't to stop them from using these services but to understand how to better manage them.
The challenge with third-party services will be finding a tool that can properly manage accounts while also managing internal resources. You may need two products or even some custom scripting. Examine the options, and ask IDM vendors and SaaS vendors for suggestions.
Do You Understand Your Workflows?
The next step is to understand workflows. You want to fully understand the process as it is and be able to provide a map showing how it would work differently in a vendor's offering. Look at how users are provisioned, how changes to their access are handled, and how you deprovision them when they leave. How do you add accounts across multiple systems?
Walk through a test of how requests are processed. Do this exercise for edge cases, too, such as external systems like Salesforce, and that system that's always been managed by one person who refuses to let others in.
Use flow charts to document workflows. They're useful as you implement new products and for spotting redundancy in processes.
Do this with the end users. Often we look at the technical processes and forget to ask users what they think of the process, how they understand it, and the pain points they encounter. I recently did this and found end-user views to be very different from those of IT. Problems and misunderstandings in the existing system, if not addressed, will carry over to the new one.
Do You Know Your Limits?
Now that you know the technology, directories, and services you need to integrate with, assess your limitations. Can you manage all of these technologies? Is one product the way to go, or do you need multiple ones?
One easy way to simplify identity management is to tie as many resources into the least number of user directories. For instance, authenticate as many systems and applications to Active Directory as possible. Once you reduce the number of authentication points, implementing an IDM system is easier, there are fewer potential outages due to system changes, and fewer help-desk tickets for forgotten passwords.
Now you have the number of places to manage accounts down to a reasonable level and hopefully back in IT's hands. And if there isn't a lot of employee turnover, it may not make sense to invest in a larger, automated system. Alternatively, automation may substantially improve compliance with requirements like the Payment Card Industry standards. If you stop here, at least you've reduced support costs and improved the IDM process.
Which System Is Right?
There are many vendors in the IDM market, including CA, Conformity, IBM, Logic, Oracle, Radiant, SAP, and Symplified.The other option is to develop an in-house tool, but most companies find that's difficult and ends up costing too much. Off the shelf might cost more initially, but in the long run, it typically works much better as companies grow and add technologies.
Send vendors a list of the technologies you use, have them verify which they support, whether that support adds to the cost, and explain how your processes can be implemented with their systems. Rank them based on your criteria and budget considerations.
Before making a final selection, make sure you've taken time to look beyond what's in place now. You'll likely want to implement some new technology eventually. Ensure that whatever path you take with identity management, it's flexible and allows for additions and changes.
Adam Ely is TiVo's director of security where he's responsible for IT and app security.