Let me be clear about what I’m saying. Identity Management for companies with employees that have access to critical data is a MUST, not a want.; Over the years I have had the privilege to work with many companies large and small, who have different business needs. In many cases I hear all the reasons, (and sometimes excuses) for not implementing a solution, policy or methodology. Sometimes these reasons even make perfect sense! In making any business decision, the choice to do, or not do anything is weighed by what I call the “risk vs. reward scale”. Regarding Identity Management (IDM), if you have employees with access to critical business information, you MUST put at least basic IDM in place!
So what is Identity Management? Bill Brant, CEO of Directory Service, Inc. says “IDM is the technological automation and enforcement of business policies and processes to manage the life cycle of electronic credentials, entitlements authorization and compliance mandates.” If you are in management like me, let me translate in English. IDM automates your logins so your company is secure, and you don’t lose millions of dollars, PLUS it increases productivity so you can make millions of dollars. The following are my top three reasons IDM is a must, not a want.
Reason One (1): Provision of new employee credentials
Companies that do not have Identity Management spend days to weeks to properly provision a new employee, and with a high probability of improper provisions. The popular method used to accomplish this task is a simple email request.
Typical email thread:
HR to IT Admin: “Jack is starting today with us, can you get him a login?”
IT Admin to HR: Sure what does he need?
HR to IT Admin: “He is working in Sales, ask his supervisor.”
IT Admin to Supervisor: “Jack is starting today, and I need to get him a login, what accesses does he need?”
Supervisor to IT Admin: “I don’t know, how about just copy the access rights from Jill, she’s been here a while, so whatever she has must be right?
Risk to the company: Jill was the Engineering Manager and Marketing Supervisor before becoming the top sales person in the company. Each new position gave her role specific rights that were never properly taken away as she changed roles. Now she is being used as the “template” for user rights to new hires. Jack the new hire, just gained access to engineering blueprints, and new “go to market” strategies. In addition, the back and forth emailing took two weeks because the supervisor was on vacation. Adding a face slap to a poke in the eye, Jack the “new hire” is still being paid even though he had no access to do his job. Sound familiar?
IDM to the rescue: A company with IDM could implement automated provisioning of credentials by role. A company would define the accesses any given role can have, and further, lock out accesses for roles they should not have i.e. the janitor does not need access to the accounting system. The IDM system’s automatic provisioning process tool performed this task in seconds, and Jack was properly provisioned before he sat at his new desk.
Reason Two (2): Deprovisioning of terminated employee credentials.
In a company without Identity Management the same situation occurs as in the scenario above, but with more immediate consequences. The popular method of conducting deprovisioning of credentials in a company without Identity management is by way of a simple email request.
Typical email thread:
Supervisor to HR: “Jack has been terminated immediately for bad attendance. Please put all the termination protocols in place. He has been removed from the facility, but he did not have his badge with him.”
HR to Supervisor: “Out of Office Reply” I’m sorry, but I’m out of the office the next two weeks on my honeymoon. I my absence please contact the supervisor”.
Supervisor to Manager: “I just fired Jack, and need the termination protocols, but HR is out of the office, what now”?
Manager to Supervisor: “Who is her Backup in HR?”
Supervisor to Manager: “I am, but I don’t know the protocol.”
Manager to HR: “when you get back from your honeymoon, please terminate the supervisor, he hired Jack who we think may have stole engineering plans and sold our marketing plan to the competition after he was terminated because he still had his accesses for the last two weeks! Of course we cannot prove it.” (side note to reader Yes IDM applies here too for compliance and auditing, but that is another article… Marc).
Manager to CEO: “I have no idea how our engineering blueprints and our marketing plan got into the hands of our competition?” It must have been Jill, she has rights to both of those areas. By the way, I’m hearing our client list is being aggressively called by our competition as well. It couldn’t have been Jack, he’s been fired for weeks now.”
Ok obviously I was on a little bit of a roll there with the Manager reply, but I think you get the picture.
IDM to the rescue: A company with IDM could implement automated deprovisioning of credentials by Identity. In this scenario, Jack could have been deprovisioned before he was even out the door. If he tried to access his client database from home, he would have been locked out.
Reason Three (3): Identity Synchronization and Password management
Did you ever think that 3M would produce the world’s largest and most used Identity Management and password vault tool! It is true! Its call the “Post-IT” note, and it can cost you millions.
Some people may get basic Directory Services and Identity Management confused. Directory Services are a key part of IDM because this is where the Identities are managed. For example, Active Directory, eDirectory, LDAP, are all network directory services. What about your applications that maintain their own “directory service database? This may be your custom built Inventory application, or ERP system for example. How do you get these systems to talk? If you do not have Identity management, you create separate login credentials for each sub system, and have your end users become the (Identity Management). This becomes the Identity Management by “Post-IT” note that was mentioned earlier.
IDM to the rescue: With IDM, companies can synchronize their user passwords between directories and application directory databases giving your end users a single password to manage for all systems. The next step would be to implement SSO, or single sign on, which automatically uses a single login event to sign into multiple databases eliminating the need to manually login to multiple systems many times. I stop short of saying SSO is a “MUST” for all businesses, but it sure is up on the list of “should haves”. I reserve the right to be on the fence on the “SSO vs. Identity sync only” discussion depending on the client needs.
Password management is bundled into this category, but I could add this to the list on its own. Some may argue that this is not IDM because it is a directory service component, but I believe it is a component of IDM, so take it for what it is worth. Password management in this scenario would be more than just enforcing strong password policies; it would include “self service password” assistance using challenge response questions and secure authentication methods like multi factor authentication and one time passwords.
Strategies that make it affordable:
There are many different products out there that can facilitate Identity Management and Access Controls. Some of the best are made by Novell, Sun, Oracle and IBM. Recently, the Identity Management space has become somewhat commoditized in what I would call the “basic IDM” space. This would be the space I touched on today, with provisioning / deprovisioning, password management, and synchronization of identities. Some of this functionality is being built into the OS and Directory Services of some vendor products from Novell and Microsoft. Novell has Domain Services for Windows, eDirectory, and the IDM bundle edition that ships with Novell Open Enterprise Server 2 (OES2). Most major directory services vendors have free self service password management tools available for eDirectory, Active Directory, Sun Directory Server etc). New companies are building targeted IDM solutions based on open source like, GreyTower from Directory Services, Inc., and Sun. These solutions can be implemented without licensing costs, but also sell support and maintenance if you need it.
Take the first steps. Contact your trusted Identity Management adviser and discuss your options. Make sure they are not tied to any single vendor or you will get a single option presented that may not fit your business. Remember, IDM is a MUST!