
Controlling IT Identity and Access Management

by Jodi Mardesich

Identity and access management tools have become increasingly important to CIOs in organizations of all sizes. Large publicly traded organizations, especially in the financial services area, must be concerned about validating the identity of people who gain access to their digital assets. Breaches and break-ins that expose identity information raise the potential for identity theft. For companies in the financial sector, complying with the Gramm-Leach-Bliley Act requires monitoring and auditing of who has access to sensitive information.

But even smaller, privately held companies should be concerned with identity and access management. As the boundaries blur between companies doing business together, small companies often must comply with the same regulations in order to do business with larger companies. For example, if a greeting card company wants to sell its products inside Wal-Mart, it may be forced to integrate with Wal-Mart's systems -- and adhere to Wal-Mart's standards.

"When you look at the nature of the organization these days, you can't draw these hard boundaries around companies anymore," says Jamie Lewis, CEO and research chair of the Burton Group. "You have to be able to identify people and make sure they are doing the right thing at the right time."

As the number of data security breaches continues to add up, a number of state legislatures have either passed, or are attempting to pass, laws that increase the liability for such breaches, Lewis says. Identity and access management tools aim to help companies comply with legislation, as well as solve business goals, from saving money to making it easier for workers to do their jobs.

ID and access management tools
A new generation of technology tools has emerged that enables organizations relying on technology to better manage who should have access to what data online and when. These tools can help enterprises better comply with regulations, control access to confidential data and limit identity theft. Identity management software comes in different forms: it can be a large all-encompassing stand-alone suite of software, or a module that fits into other enterprise software programs. Identity management software can provide a single sign-on that manages multiple passwords for different applications and gives users access to the information they need. Conversely, it can address just a subset of the problem: simple password management, for example. One subset of tools, called identity auditing software, helps automate tasks that are often manual. It addresses the desire of IT departments to push a button and grant access and privileges, and just as easily remove them all when the employee leaves or the role changes.

Enterprise Single Sign-On (E-SSO) is a more ambitious form of identity and access management software. Described as the holy grail of security software, it has been viewed suspiciously in the past: does single sign-on lessen security, providing a single point of failure?

"E-SSO is often thought of as an inherently insecure solution, with a single 'key to the kingdom' viewed as a security risk," says Jonathan Penn, vice president and research director for Forrester. While compromise of that one key would have a greater impact, E-SSO deployments significantly reduce the chance of compromise, he says.

"The one password people have to remember is stronger and better protected, as are the application passwords that E-SSO transparently manages," Penn says. "So E-SSO actually improves security, especially compared with the status quo -- and even compared with password synchronization."

Providing a record for an organization
Identity management software should provide an authoritative record for an organization, including the information associated with individuals within an organization, or even important customers or partners. Products should automate security administration actions for creating, changing, disabling, and deleting user IDs, passwords, and role assignments across the heterogeneous IT infrastructure, says Roberta Witty, research vice president at Gartner.

Other key components of identity management software include workflow, a core automation engine for provisioning user data, and an authoritative repository housing identity attributes, which may include identifying information, such as name, role, location, phone number, user IDs and other defined information, as well as an audit trail to document access.
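The lifecycle the two paragraphs above describe (an authoritative repository driving the creation, change, disabling and deletion of user IDs and role assignments across several systems, with every action written to an audit trail) is shown here as an added Python example. It is not code from the article or from any product the article names; the target systems, roles, entitlements, people and the "hr-feed" actor are constructed sample data, and the rule that an identity must be disabled before its accounts are deleted is a design choice of this example rather than something the article prescribes.

```python
# Added example: a minimal provisioning engine driven by an authoritative repository.
# Everything below (systems, roles, entitlements, people) is constructed sample data.
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed role policy: the entitlements each role receives in each target system.
ROLE_ENTITLEMENTS = {
    "analyst": {"crm": {"read"}, "ledger": {"read"}},
    "accountant": {"ledger": {"read", "post"}},
}

@dataclass
class Identity:          # one record in the authoritative repository
    user_id: str
    name: str
    role: str
    active: bool = True

@dataclass
class Account:           # one account as held by a target system
    user_id: str
    entitlements: set
    disabled: bool = False

# One audit-trail entry: who did what to which account, where, and when.
AuditEvent = namedtuple("AuditEvent", "when actor action user_id system detail")

class ProvisioningEngine:
    def __init__(self, systems):
        self.repository = {}                       # user_id -> Identity
        self.systems = {s: {} for s in systems}    # system -> {user_id: Account}
        self.audit = []

    def _log(self, actor, action, user_id, system, detail=""):
        self.audit.append(AuditEvent(datetime.now(timezone.utc).isoformat(),
                                     actor, action, user_id, system, detail))

    def _push(self, actor, identity):
        """Make every target system match the repository's view of one identity."""
        desired = ROLE_ENTITLEMENTS[identity.role] if identity.active else {}
        for system, accounts in self.systems.items():
            wanted = set(desired.get(system, ()))
            current = accounts.get(identity.user_id)
            if wanted:
                if current is None:
                    accounts[identity.user_id] = Account(identity.user_id, wanted)
                    self._log(actor, "create", identity.user_id, system, ",".join(sorted(wanted)))
                elif current.disabled or current.entitlements != wanted:
                    current.disabled, current.entitlements = False, wanted
                    self._log(actor, "change", identity.user_id, system, ",".join(sorted(wanted)))
            elif current is not None and not current.disabled:
                # The role no longer needs this system, or the person has left.
                current.disabled, current.entitlements = True, set()
                self._log(actor, "disable", identity.user_id, system)

    def join(self, actor, user_id, name, role):
        """Joiner: refuse unknown roles rather than guess at entitlements."""
        if role not in ROLE_ENTITLEMENTS:
            raise ValueError(f"unknown role {role!r}: refusing to provision")
        if user_id in self.repository:
            raise ValueError(f"{user_id} already exists in the repository")
        self.repository[user_id] = Identity(user_id, name, role)
        self._push(actor, self.repository[user_id])

    def change_role(self, actor, user_id, new_role):
        """Mover: entitlements follow the new role, surplus access is disabled."""
        if new_role not in ROLE_ENTITLEMENTS:
            raise ValueError(f"unknown role {new_role!r}")
        self.repository[user_id].role = new_role
        self._push(actor, self.repository[user_id])

    def leave(self, actor, user_id):
        """Leaver: disable everywhere; accounts remain so the audit record is complete."""
        self.repository[user_id].active = False
        self._push(actor, self.repository[user_id])

    def purge(self, actor, user_id):
        """Hard delete, allowed only once the identity has been disabled."""
        if self.repository[user_id].active:
            raise ValueError("disable the identity before deleting its accounts")
        for system, accounts in self.systems.items():
            if accounts.pop(user_id, None) is not None:
                self._log(actor, "delete", user_id, system)
        del self.repository[user_id]

    def entitlements(self, user_id, system):
        acct = self.systems[system].get(user_id)
        return set() if acct is None or acct.disabled else set(acct.entitlements)

    def audit_actions(self, user_id):
        return [(e.action, e.system) for e in self.audit if e.user_id == user_id]

def demo():
    """Joiner, mover and leaver events for one constructed person."""
    eng = ProvisioningEngine(["crm", "ledger"])
    eng.join("hr-feed", "u1001", "Ana Example", "analyst")
    eng.change_role("hr-feed", "u1001", "accountant")
    eng.leave("hr-feed", "u1001")
    return eng
```

Running `demo()` and reading `audit_actions("u1001")` shows the whole story of one person in the trail: two creates at joining, a disable in CRM and a change in the ledger when the role moves, and a final disable when they leave. Because every change flows from the repository through `_push`, there is no path by which an account can be created or widened without a corresponding audit event.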

Besides the different approaches software vendors take, there are competing standards: Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication and authorization data between different organizations. The goal of SAML, backed by a consortium of 150-plus companies in the "Liberty Alliance," is to solve Web browser-based single sign-on, not just within organizations but among organizations working together. The Liberty Alliance members include Sun, IBM and Novell. Microsoft, meanwhile, has taken its own approach with Windows CardSpace.

Best practices for implementing identity and access management
Identity and access management can be an ambitious undertaking, with huge regulatory repercussions. Analysts advise looking at it as a business rather than technology undertaking.

"When you delve in, it's 80% political and business, and about 20% technology," Lewis says.

  • Look at business processes. What are the critical systems supporting the business? Find out where identity is a problem or inhibitor, where it is slowing things down or creating a regulatory risk, Lewis says. Pick one or two areas that will have the biggest demonstrable results most quickly.
  • Identify risks. Adopt a risk management approach, working with a chief security officer (CSO) or security professional. "Security can be purely technical, or you can apply basic risk management techniques to understand where identity creates huge financial risk to the company," Lewis says.
  • Take incremental steps. The biggest mistake CIOs make with identity management is to "boil the ocean," Lewis says. They try to solve the entire problem at one time. Password management is a smaller undertaking where companies have seen a return on investment. "It's not unusual for password problems to constitute 30% of helpdesk calls," Lewis says. Instead of trying to implement the whole of identity management, institute a self-service portal that allows the user, without the intervention of the help desk, to reset passwords. Calls to helpdesks will drop. With a demonstrable success under his or her belt, the CIO or IT manager can get buy-off on more complex projects involving identity and access management.
  • Create a single authoritative repository of identity information for internal and external users. "This is not the authentication directory," Gartner's Witty says. "It is the reporting source." Consolidate as many directories as possible to reduce the number of identity sources and user IDs. Simplify authorization privilege complexity by limiting the functionality of the application (or, more likely, breaking up complex functionality into component parts) to reduce administration complexity.
  • Choose an integrator wisely. If the organization doesn't have internal expertise, use outside help. Always issue a Request for Proposal, Witty says. "Require customer references from the vendor and the system integrator that are within your industry and that have the level of complexity of your enterprise's identity management project."
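The "reporting source" role of the authoritative repository in the fourth practice above, shown as an added Python example that is not the article's or any vendor's code: each system's account export is reconciled against the authoritative record and a role policy to surface orphan accounts (no identity behind them), accounts still enabled for people marked inactive, entitlements beyond what the role allows, and accounts a role requires that a system lacks. The repository, the exports, the role policy and the four finding labels are all constructed for this example.

```python
# Added example: reconcile target-system account exports against the authoritative
# identity repository. All data below is constructed sample data.

# Constructed role policy: what each role is allowed in each system.
ROLE_POLICY = {
    "analyst": {"crm": {"read"}, "ledger": {"read"}},
    "accountant": {"ledger": {"read", "post"}},
}

# Constructed authoritative repository: the reporting source, not the login directory.
AUTHORITATIVE = {
    "u1001": {"role": "analyst", "active": True},
    "u1002": {"role": "accountant", "active": False},   # left the company
    "u1003": {"role": "accountant", "active": True},    # joined, not yet provisioned
}

# Constructed exports of the accounts each system actually holds.
DIRECTORIES = {
    "crm": {"u1001": {"read"}, "svc-backup": {"read"}},
    "ledger": {"u1001": {"read", "post"}, "u1002": {"read", "post"}},
}


def reconcile(authoritative, directories, policy):
    """Return sorted findings; each is a tuple whose first element is the finding type.

    orphan  - account with no identity in the authoritative repository
    stale   - account still present for an identity marked inactive
    excess  - entitlements beyond what the identity's role allows
    missing - an account the role requires that the system does not hold
    """
    findings = []
    # Pass 1: walk what the systems hold and judge each account against the repository.
    for system, accounts in directories.items():
        for user_id, granted in accounts.items():
            identity = authoritative.get(user_id)
            if identity is None:
                findings.append(("orphan", system, user_id))
            elif not identity["active"]:
                findings.append(("stale", system, user_id))
            else:
                allowed = policy.get(identity["role"], {}).get(system, set())
                extra = set(granted) - allowed
                if extra:
                    findings.append(("excess", system, user_id, ",".join(sorted(extra))))
    # Pass 2: walk active identities and check each required account exists.
    for user_id, identity in authoritative.items():
        if not identity["active"]:
            continue
        for system in policy.get(identity["role"], {}):
            if user_id not in directories.get(system, {}):
                findings.append(("missing", system, user_id))
    return sorted(findings)


def report(findings):
    """Render findings as one line each for an auditor to read."""
    return [" ".join(f) for f in findings]


if __name__ == "__main__":
    for line in report(reconcile(AUTHORITATIVE, DIRECTORIES, ROLE_POLICY)):
        print(line)
```

The two passes matter: the first only sees accounts that exist, so a person who was never provisioned would be invisible to it; the second starts from the repository and catches that case. Running the same reconciliation after each directory consolidation is a direct measure of how many identity sources and stray user IDs remain.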

"It's a journey of small steps that will get you there," Lewis says.

Jodi Mardesich writes about business and technology. Her writing has appeared in The New York Times, Fortune, San Jose Mercury News, Salon and Slate.
