You know the drill: Your organization must securely authenticate, authorize and audit users and the resources they access, while ensuring that customers and partners get the royal treatment.
To handle the first part of this equation, you must implement systems to cover the three A's: authentication (Who are you?), authorization (What can you access?) and audit (What has been accessed by whom?). Gathering this data manually is expensive, so many organizations cut costs by automating. But it's a hard row to hoe: IT managers must deal with numerous data repositories and identity stores, as well as diverse operating systems and business units.
Today, the average Fortune 1000 company maintains 181 data repositories, according to Gartner. Jackson Shaw, a product manager for MIIS (Microsoft Identity Information Server), says one of his customers has 89 distinct identity stores. The manager of systems and processes for a Fortune 100 company's customer-care division says that on a typical day, he authenticates against a dozen internal identity stores and six to eight external stores. He's frustrated, he says, by the security risk posed by identity stores that still contain active accounts and identities of past employees, noting that it's common for employees to have improper access to resources. Alternatively--and just as frustrating--when an employee does need access to a resource, he or she may spend weeks trying to get the proper authorization.
Lest you think these are rare situations, we asked our readers to estimate the number of Web resources their organizations offer authenticated users. Nearly half of our 307 respondents said they support more than 100 resources; 12 percent said they have more than 5,000 resources available. As you can imagine, this makes the second part of that equation--customizing access for top customers and partners and giving end users access to niceties like single sign-on and self-service functionality--a huge challenge.
This sad state is attributable to an overwhelming lack of technology integration and a failure of procedures and policies. As business units try to implement projects on tight budgets, it's easier to hire a consultant to build a standalone Web application than to work through the proper channels to integrate with an existing identity store. Most times, these seemingly insignificant projects happen without the consent or knowledge of the IT department and get on IT's radar only when security vulnerabilities or scalability problems arise.
What To Do?
Help is available in the form of identity- and access-management products. We tested five IAM suites; see "I Manage, Therefore IAM." The IAM product landscape has changed quite a bit in the past couple of years. In many cases, vendors that once focused on Web access control or identity management now provide software that addresses both. Here's a rundown of key concepts:
• Identity management involves the creation, maintenance, teardown and overall management of identities within an organization. In other words, identity management deals with authentication, not authorization. Elementary? Not so. Identity management requires policy application and identity synchronization across multiple stores. These identity stores may be found within network OSs, database servers, directories, HR systems, business applications and e-commerce applications.
Making management more difficult, organizations often keep identity information in two different stores with contradictory data. For instance, an address may be updated in HR but not in the corporate online listing. And as the industry focuses on federated identity, which allows for the secure sharing of identities across domains, organizations that once managed only employees will have to address external identities, including those of vendors, resellers and partners. Because federated identity is in its infancy, chances are that systems implemented today will change greatly in the coming months and years (find a primer on federated identity).
• Web access control deals with authorizing and authenticating individuals by supplying controlled access to Web resources. Web access-management systems generally offer an SSO (single sign-on) component for one-time authentication. The system maintains a user's credentials as he or she attempts to access resources inside and outside the organization. Implementing SSO is often a long-term goal rather than a short-term reality because of the complexity of integrating diverse and possibly legacy applications. The best most organizations can expect is reduced sign-on--fewer logins.
• Because of provisioning difficulties, it's common for new hires to wait longer than 24 hours for their digital identities to be created and to be given appropriate access to resources. Provisioning is usually trickier from a business perspective than a technology perspective because companies often have no idea who is in charge of managing resources and who is responsible for the audits and assumed risks. Provisioning systems can simplify and centrally manage the process of granting or denying access to resources. The provisioning components we tested let users self-register and support the creation of an approval-process work flow for granting access to new accounts.
• Delegated administration lets organizations entrust business units or even partners with managing a subset of users or tasks. By decentralizing control, organizations can alleviate identity-management bottlenecks. There are at least two roles in this process: the person who signs off from the business perspective and the person/mechanism that physically grants access.
• Federated identity is the infrastructure wave most vendors hope to ride for the next several years. FIM (federated identity management) lets companies share identities securely, giving employees, customers and partners access to systems and resources throughout the supply chain. FIM is more than a technology--to reap its benefits, organizations must have the appropriate policies, procedures and trust agreements in place.
FIM is in its infancy, with competing standards. The front-runner is SAML (Security Assertion Markup Language), which all the vendors in our review support. An XML-based specification developed by the SSTC (Security Services Technical Committee) within OASIS (Organization for the Advancement of Structured Information Standards), SAML is part of the framework for the Liberty Alliance, an industry group formed to promote federated identity standards.
Microsoft and IBM have proposed an alternative framework, WS-Federation (Web Services-Federation). We think the two standards will converge, perhaps with the release of SAML 2.0.
There are four main drivers of IAM implementations: compliance, security, cost savings and revenue enhancements.
Compliance
Several laws have been enacted that relate directly to identity management and/or secure access to resources. Besides the three acts listed below, organizations should review the Gramm-Leach-Bliley Act of 1999 and European Union privacy regulations, which are more stringent than comparable laws in the United States.
• Sarbanes-Oxley Act: Section 404 requires organizations to establish and maintain an adequate internal access-control structure and to assess the effectiveness of that structure annually. (Read more at "Take Me Out of the SOX Game.")
• Health Insurance Portability and Accountability Act: Section 164.312 requires implementation of policies and procedures that allow access to protected health information only to those specifically granted access rights. (For more on HIPAA, see "Feds Reach Out and Touch IT.")
• Patriot Act: Section 326 is the Customer Identification Program, which requires financial services firms operating in the United States to collect, verify and document information that identifies each individual or entity that opens an account. (See "Hanging Launderers Out to Dry.")
Security
Poor planning and implementation add risks. For example, an attacker who compromises one SSO account can access multiple resources at once. To counter this threat, all the IAM products we tested have detailed audit trails and reporting capabilities, and some allow for event triggers, monitoring and alerting.
Cost Savings
Over time, an IAM infrastructure should produce tangible and intangible cost savings. For example, most of the systems we tested have some delegated administration and user provisioning, making it easier for managers to set up, tear down and control access to specific resources. In addition, users can reset their own passwords through self-service features in the software. These features should reduce the number of helpdesk calls and lower the overall cost of IT administration. In our reader poll, 31 percent said their companies allow password resets, and some let end users update profile information, such as address and phone number. A 10,000-employee company that automates provisioning for 12 applications will save about $3.5 million over three years, according to Gartner; that's based on 14,000 hours per year for the time IT spends managing user access and 6,600 helpdesk hours cut every year.
Companies that customize their IAM software may realize additional savings by using built-in functions or custom APIs to automate work flow. Finally, SSO and self-service give employees instant satisfaction and make it easy to remember security credentials.
Revenue Enhancement
One primary goal of any B2B organization is to increase the number of digital transactions through its Web site. Implementing a federated solution helps achieve this by letting an organization grant its sales force, partners and external constituents secure access to resources faster and more conveniently.
It's now mostly large organizations that are reviewing or implementing IAM, and half of those we polled expect to spend less than $50,000 on the technology. Only 6 percent say their companies will spend more than $500,000.
It's only a matter of time until IAM trickles down to midsize and small organizations that need to manage customer logins. RSA Security product manager Brian Breton says his company has only about 1,000 employees, a size at which organizations may not be in a hurry to implement IAM, yet the company manages more than 12,000 identities. RSA isn't unique: One consultant who has worked on many global IAM implementations told us it's not unheard of to see a tenfold increase in the number of identities that must be managed, especially once a company opens up supplier and partner access to its supply chain.
Microsoft, which focuses solely on identity management, tries to target all organizations with two versions of its MIIS. The Identity Integration Feature Pack is a free, downloadable version of MIIS that connects only to Active Directory. The enterprise version costs $24,999 per CPU and works with several of the products we tested. Microsoft was not eligible for our IAM review because its product lacks access control.
We don't recommend trying to implement these products without training or consultation. After testing Netegrity's SiteMinder and IdentityMinder, for example, we felt like we needed to attend the doctoral program at Netegrity headquarters before delving deeper into managing the product.
As we'll discuss in our review, getting the software up and running is only a small part of the battle. Without exception, the vendors visiting our Real-World Labs® told us that defining policies and integrating distinct identity stores take much longer. For example, a typical enterprise with several data repositories must set policies that define which repository is the authority and how identity information is shared among repositories. Policies may be based on something simple, such as a departmental unit, or may be dynamic, as with policies based on data from several data stores. Roles and/or functions also must be created. Role-based access control simplifies the management of thousands of users by assigning them access to resources based on policies. If users don't fit exactly into a defined role, the organization can grant access to specific functions (function-based access control), which allows for more granular access but increases system overhead.
Planning also involves deciding which resources should be protected, and to what extent a compromised resource would adversely affect the organization. This decision-making process will help determine the level of authentication needed to access the resource--for example, in addition to user names and passwords, all the products we tested support tokens, smartcards, X.509 certificates, federated identity and biometrics. Once such a determination is made, then and only then should ACLs and policies be set up by the IT manager or delegated owner of the resource. Yes, it's a lot of work, but the payoff in added efficiency, security and customization capabilities will help IT make a real contribution to business goals.
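To make the planning steps above concrete, here is an added example in Python (not code from the article or from any vendor reviewed): one store is declared authoritative per attribute, access is role-based with function-based grants as the exception, each resource demands an authentication level, and every decision is logged for audit. All user names, stores, resources and policies are constructed for illustration.

```python
"""Added example (not from the article or any vendor): a small policy
engine for the planning steps described above. One store is authoritative
per attribute, access is role-based with function-based grants as the
exception, each resource demands an authentication level, and every
decision is written to an audit trail. All identity data is constructed."""

# Constructed stores. Planning decided HR is authoritative for department
# and employment status, the corporate directory for e-mail. Note the
# contradictory department for alice, as the article describes.
HR = {"alice": {"dept": "finance", "status": "active"},
      "bob": {"dept": "sales", "status": "terminated"},
      "carol": {"dept": "it", "status": "active"}}
DIRECTORY = {"alice": {"dept": "marketing", "email": "alice@example.test"},
             "bob": {"dept": "sales", "email": "bob@example.test"},
             "carol": {"dept": "it", "email": "carol@example.test"}}
AUTHORITY = {"dept": HR, "status": HR, "email": DIRECTORY}

# Role-based policy keyed on department; function grants for users who do
# not fit a role (more granular, but one more thing to maintain per user).
ROLE_POLICY = {"finance": {"ledger:read", "ledger:post"}, "sales": {"crm:read"}}
FUNCTION_GRANTS = {"carol": {"ledger:read"}}
# Assurance level a resource demands: 1 = password, 2 = token/certificate.
# Unknown resources default to the strongest level.
RESOURCE_LEVEL = {"ledger": 2, "crm": 1}
AUDIT = []  # who accessed what, and why the decision went the way it did

def resolve(user):
    """Merge a user's attributes, reading each only from its authority."""
    return {attr: store[user][attr] for attr, store in AUTHORITY.items()
            if user in store and attr in store[user]}

def authorize(user, auth_level, action):
    """Decide whether user may perform action (e.g. 'ledger:post')."""
    ident = resolve(user)
    resource = action.split(":")[0]
    if ident.get("status") != "active":
        reason = "identity not active"  # stale account from a past employee
    elif auth_level < RESOURCE_LEVEL.get(resource, 2):
        reason = "authentication level too low for resource"
    elif action in ROLE_POLICY.get(ident.get("dept"), set()):
        reason = "role policy"
    elif action in FUNCTION_GRANTS.get(user, set()):
        reason = "function grant"
    else:
        reason = "no matching policy"
    allowed = reason in ("role policy", "function grant")
    AUDIT.append({"who": user, "what": action, "allowed": allowed, "why": reason})
    return allowed
```

Every denial carries its reason into the audit record, which is what makes the "what has been accessed by whom" question answerable without re-running the policy by hand.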
Jeffrey H. Rubin is a senior instructor with the School of Information Studies at Syracuse University and president of Internet Consulting Services.
Identity and access management (IAM) is a powerful set of tools. It can improve efficiency (aka, save money); boost employee productivity by offering self-service and SSO (single sign-on); and give valued business partners, customers and suppliers customized access to internal resources. The downside is that, depending on how sprawling and complex your infrastructure is, especially in terms of identity stores, IAM can be a bear to implement. In "Roll Out the Red Carpet," we analyze the IAM market and examine the criteria for deciding if an IAM suite is right for you.
In the second part of our cover package, "I Manage, Therefore IAM", we review five IAM suites from Entegrity Solutions, Hewlett-Packard, Netegrity, Novell and RSA Security. Although we found the software relatively manageable, there is still uncertainty about the security specs, such as SAML, necessary for ubiquitous IAM, and defining access policies will require cooperation across many departments.
Still, the potential rewards are tantalizing: Some of the products we tested provide a password-synchronization module that syncs passwords between multiple repositories. In addition, all the products, except Entegrity's, support password self-service, letting end users change or reset their passwords without IT's help. The cost savings alone are enormous, especially for organizations that outsource their helpdesk and get charged per incident.
In the end, HP's Select Access earned our Editor's Choice award. We found its comprehensive feature set very accessible, thanks to an extremely intuitive management interface that made performing IAM tasks quick and easy.