Do's and Don'ts on Identity Management Projects

Identity and Access Management: a security domain project that is more a bane than a boon. Why? How to confront it?

A chain is only as strong as its weakest link. In the IT security domain, Identity and Access Management is the weakest link. Today every business enterprise includes intricate and diverse information systems. The proliferation of personal computers and their networking has exponentially increased the number of systems that are accessed by the organization's employees. Synchronizing the large volume of user information across these many IT resources is the challenge such a heterogeneous environment faces. The fact that authentication, authorization, and administration must be controlled for every identity/user in the enterprise constitutes the core of Identity and Access Management.

What is Identity and Access Management: Whenever an employee or contractor joins a company, a unique user ID and password are assigned to this entity. All the information about this entity has to be fed into the network of packaged applications such as HR, payroll, travel and others. Granting access to chosen systems such as Windows or UNIX, provisioning the user accounts on the respective platforms and revoking the access of terminated employees are some of the key functions that enhance security in the organization. Running the whole process manually reduces the efficiency of the resources involved. Automating it reduces IT administration and help desk cost, improves security and multiplies user productivity.

This is where Identity and Access Management (IAM) software comes in as a saviour. It automates administrative tasks, such as resetting user passwords (password synchronization); approval tasks, such as generating a leave request via mail to the manager concerned; multiple-application access authorization tasks; termination tasks, such as annulling the access rights of a resigned employee; and much more. So no more cases of terminated employees having access to sensitive systems, and no more burdening employees with multiple passwords to remember, write on sticky notes and slip under their keyboards.

In an enterprise setting, identity management is used to reinforce security and maximize productivity while cutting cost and redundant effort. Beyond this setting, Identity and Access Management technologies would also enable companies to trust the identities of suppliers, business partners and other outsiders who need secure access to their systems. Standards for global identity management are also being designed by the World Wide Web Consortium to link each user identity to their respective data.
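The leaver and joiner checks described above can be expressed as a reconciliation pass between the HR record and the accounts found on each system. The following is an added example, not code from any IAM product; the record layout, system names and sample data are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Employee:
    emp_id: str
    status: str              # "active" or "terminated" (assumed HR values)
    entitled: frozenset      # systems this person is approved to use

@dataclass(frozen=True)
class Account:
    system: str
    login: str
    owner_id: Optional[str]  # HR id linked to the account, None if unlinked
    enabled: bool

def reconcile(employees, accounts):
    """Compare HR (authoritative) with target-system accounts."""
    by_id = {e.emp_id: e for e in employees}
    out = {"revoke": [], "orphan": [], "excess": [], "provision": []}
    held = set()                                  # (emp_id, system) pairs in use
    for a in accounts:
        if not a.enabled:
            continue                              # already disabled, no exposure
        owner = by_id.get(a.owner_id)
        if owner is None:
            out["orphan"].append((a.system, a.login))   # nobody accountable
        elif owner.status != "active":
            out["revoke"].append((a.system, a.login))   # leaver still has access
        elif a.system not in owner.entitled:
            out["excess"].append((a.system, a.login))   # access never approved
        else:
            held.add((owner.emp_id, a.system))
    for e in employees:
        if e.status == "active":
            for system in sorted(e.entitled):
                if (e.emp_id, system) not in held:
                    out["provision"].append((system, e.emp_id))
    return out

# Constructed sample data
EMPLOYEES = [
    Employee("E100", "active", frozenset({"unix", "hr"})),
    Employee("E101", "terminated", frozenset()),
    Employee("E102", "active", frozenset({"windows", "payroll"})),
]
ACCOUNTS = [
    Account("unix", "asmith", "E100", True),
    Account("hr", "asmith", "E100", True),
    Account("windows", "bjones", "E101", True),
    Account("payroll", "bjones", "E101", False),
    Account("windows", "cdoe", "E102", True),
    Account("travel", "cdoe", "E102", True),
    Account("unix", "svc_old", None, True),
]
```
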

In an initiative to implement IAM, business process issues pose a more complex hurdle than the technology for most companies. Most organizations have grown in an ad hoc fashion, which prevented them from following consistent identity and access management practices from the very beginning. They are therefore left to address challenges as they come up. A system that caused no problems when it was procured may later be out of compliance, requiring the organization to address a specific challenge with a specific solution. Factoring in the dynamic requirements of an ever-changing enterprise, the IAM business process approach must be flexible enough to incorporate changes in the future. For example, at the time of procurement, the user provisioning process might have been triggered only after the new hire passed the company's mandatory drug test. If the company policy later changes to a mandatory legal background check, the business workflow must be able to accommodate the new rule. Thorough research must go into piloting the business process rather than into enhancing the technology from scratch.
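One way to keep the workflow flexible is to hold the pre-provisioning checks as dated policy data, so the switch from drug test to background check is a data change rather than a rewrite. This is an added example, not taken from any product; the check names, dates and function names are constructed assumptions.

```python
from datetime import date

# Constructed policy history: (effective date, checks that must be "passed"
# before any account is created for a new hire).
POLICY_HISTORY = [
    (date(2005, 1, 1), frozenset({"drug_test"})),
    (date(2006, 1, 1), frozenset({"background_check"})),
]

def required_checks(on_day, history=POLICY_HISTORY):
    """Return the check set in force on on_day, or None if none applies."""
    current = None
    for effective, checks in sorted(history, key=lambda item: item[0]):
        if effective <= on_day:
            current = checks
    return current

def provisioning_decision(check_results, on_day, history=POLICY_HISTORY):
    """Return (allowed, missing).

    Fails closed: provisioning is refused when no policy is in force, or
    when a required check is absent or has any result other than "passed".
    """
    required = required_checks(on_day, history)
    if required is None:
        return False, ["no_policy_in_force"]
    missing = sorted(c for c in required if check_results.get(c) != "passed")
    return (not missing), missing

if __name__ == "__main__":
    hire = {"drug_test": "passed"}               # constructed new-hire record
    print(provisioning_decision(hire, date(2005, 6, 1)))
    print(provisioning_decision(hire, date(2006, 6, 1)))
```
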

IAM industry consolidation is another threat that keeps companies from setting up a secure environment. Netegrity was bought by Computer Associates last year. Companies venturing into protecting their environment will evaluate the vendors in the IAM arena, and with mergers of this kind prevalent, standardization becomes a concern. This year a company that was predominantly a Microsoft shop committed to buying Oblix. Then Oblix was acquired by Oracle, and the company withdrew because of compliance concerns: the product might no longer be Microsoft-friendly. The only strategy for dealing with this uncertainty is: "Design the business processes in a standardized way." Migration to a new technology will then demand little re-architecting.

Last but not least: IAM is a nebulous technology to a non-IT audience. Business partners must be educated using business-level terminology only, skimming off the technical details. Only scenarios that convey the essence of the technology, several feet above the granular technical details, should be quoted. This will make their foray into this niche area interesting and easy.

Oracle Identity Manager, Tivoli Identity Manager, Sun Identity Manager, Single Sign-On, Federated Identity Manager, Reconciliation, Compliance Manager, Attestation… Welcome aboard to the world of Identity and Access Management.