Rolling out an identity management (IDM) system in an organisation can be a daunting and thankless process. Every company starts with knowing it needs to sort out the problems, but few know where to start.
Identity management is rapidly heading up the agenda. Recent figures from security company Thales put IDM as the most important transaction security issue for UK banks. In a recent survey of security budget decision makers, 73 per cent cited identity management as their top transaction security concern, followed by integrity of data (64 per cent) and security of the network (45 per cent).
The survey also found that in 2005, IDM rose from fifth to first among the drivers for security spend. The number of UK banks that assign separate budgets for IDM has risen from 22 per cent to 60 per cent in three years.
Around four-fifths of respondents saw added value in managing all customer identities from one centralised platform. Maxine Holt, senior research analyst at Butler Group, says having such a system in place can make big savings.
"The initial savings are made from automating password resets from users," she says. "Up to 40 per cent savings can be made just in helpdesk costs. This is not an unrealistic figure."
While the savings are compelling, the biggest trick is knowing where to start. Simon Perry, vice-president of security strategy at Computer Associates, says this is the major problem for many of his clients: "Very often, we see clients trying to do too much at the same time, when they should look at ID management as a staged process with some stages having dependencies on others. Companies need to start with the business side of the equation, not the technology side."
Peter Jopling, head of Tivoli security management at IBM, agrees. He adds that businesses have to understand their own operation before rolling out IDM: "The biggest inhibitor to IDM is the inability of organisations to truly understand how their business operates. It has been seen time and time again that few businesses actually understand who has access to what resource, something their auditors will verify."
One of the biggest problems Perry has come across is where companies do not have an agreed definition of job roles within the organisation or any clear internal agreement on the access rights that holders of different positions should have. "Technology can only enforce the rules that the business decides it needs – the best place to start is often ISO 9001," he says.
So how does the organisation get a grip on this problem? Essentially, it boils down to breaking up the problem into manageable chunks and dealing with each one in turn.
"Companies should take a logical, stepped approach to IDM," explains Perry. "We call it the IDM maturity model and use it to take a client through the lifecycle of IDM deployment, right from basic password management and provisioning through to federated identity management."
Often, an organisation will expect to be able to implement everything at once, but this is just not practical. The best approach is to concentrate on a limited set of functions with the most business benefits and work on these first of all.
"On one occasion, it took us over a year to persuade a customer that doing everything at once would not work," recalls Perry. "This cost the customer a serious delay in achieving the benefits that it could have achieved with a more pragmatic approach."
The lesson of this is: plan carefully, and don't do everything at once. But what should be the first steps?
Many companies are in the middle of compliance efforts, which means that the company, and the way it operates, is under close scrutiny both by its own employees and by external auditors. Far from being a drain on resources, this exercise can unearth information on the internal workings of the company and its employees. Use this data to set down who does what. From that, IT security professionals should be able to determine who should have access to what, and this helps define the roles that various people have within the organisation.
It is important not to get bogged down in the roles people have within a company and base access purely on those, argues Perry. He believes that role-based access control is good in theory but difficult to implement in practice: access has so many different dimensions that covering them all with roles can be impractical.
"For example, in one manufacturing organisation there were purchasing officers who had the right to buy any component within 30cm of a specific point in the finished product, providing it cost less than 75 euros. Trying to manage this with roles would have led to an impractically large number of roles. The best approach is a combination of rules and roles," he says.
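An added example, not from the article or any of the vendors quoted, of what "a combination of rules and roles" looks like in code: a role gate decides who may attempt a purchase at all, and attribute rules then enforce the officer's radius and spend limit. The users, components, anchor point, 30 cm radius and 75 euro limit are constructed sample data modelled on Perry's purchasing-officer case.

```python
# Added example, not from the article: an access check that layers attribute
# rules on top of coarse roles. One role per (point, radius, limit) combination
# would be impractical; here those values are attributes of the user instead.
# All users, components and limits are constructed sample data.
from dataclasses import dataclass
from math import dist

@dataclass(frozen=True)
class Component:
    part_no: str
    position_cm: tuple      # (x, y, z) of the part within the finished product
    cost_eur: float

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    # Attributes the rule layer consults; a role alone cannot express these.
    anchor_cm: tuple = (0.0, 0.0, 0.0)
    radius_cm: float = 0.0
    spend_limit_eur: float = 0.0

# Role layer: which actions a role may attempt at all.
ROLE_PERMISSIONS = {
    "purchasing_officer": {"buy_component"},
    "auditor": {"view_orders"},
}

def role_allows(user, action):
    return any(action in ROLE_PERMISSIONS.get(r, set()) for r in user.roles)

def within_remit(user, component):
    """Rule layer: the part must lie within the officer's radius of their
    assigned point and cost less than their spend limit."""
    return (dist(user.anchor_cm, component.position_cm) <= user.radius_cm
            and component.cost_eur < user.spend_limit_eur)

def can_buy(user, component):
    """Deny by default: both the role gate and the attribute rules must pass."""
    return role_allows(user, "buy_component") and within_remit(user, component)

def decisions(user, components):
    """Per-part outcome, so an auditor can see why each purchase was allowed."""
    return {c.part_no: can_buy(user, c) for c in components}

# Constructed sample: officer assigned to (100, 50, 10), 30 cm radius, under 75 euros.
OFFICER = User("P. Officer", frozenset({"purchasing_officer"}),
               anchor_cm=(100.0, 50.0, 10.0), radius_cm=30.0, spend_limit_eur=75.0)
PARTS = [Component("P-1", (110.0, 60.0, 10.0), 40.0),   # about 14 cm away, cheap
         Component("P-2", (110.0, 60.0, 10.0), 80.0),   # near, but over budget
         Component("P-3", (200.0, 50.0, 10.0), 40.0)]   # cheap, but 100 cm away
```

Running `decisions(OFFICER, PARTS)` allows only P-1; a user holding the auditor role is refused even for P-1, because the role gate fails before the rules are consulted.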
Paul Gribbon, a consultant in LogicaCMG's electronic identity practice, points out that companies must understand how this information needs to be accessible across the organisation. This is especially true for multi-national businesses.
"If ID management is dealt with in silos – Bank X operates in 35 countries, but each country wants its own IDM solution, for example – then there will be a series of problems. For example, Miss Y is an international traveller within Bank X, but her UK employee card won't work when she travels to France or Germany – effectively negating the domestic benefits," says Gribbon.
Knowing what people do and where they work should be followed by knowing what they can access. This leads on to the next stage, which is working out who can access which applications and systems. When installing IDM, many experts recommend looking at the most crucial applications in the infrastructure.
Most obvious, and probably most important, is the directory. Most firms use a directory such as Microsoft's Active Directory, NetWare or an LDAP directory, so this is usually the best starting point on the road to IDM. It should already hold information on users and can be cross-referenced with other applications, such as databases and financial applications, to find out who's who.
Gribbon believes that this information, together with people proving their identity, is extremely important for the enrolment process. "Enrolment itself is crucial to a successful ID management deployment," he says. "The corporate must be 100 per cent confident that the person presenting themselves at enrolment is who they say they are."
The flip side of enrolment, however, is de-provisioning. Any system that can get a user up and running quickly also has to deal with the inevitable departures and prevent former employees from accessing systems and applications they should no longer have access to.
"This is a major part of IDM and, over time, an employee can amass a number of passwords to a range of different applications," says Alan Rodgers, research analyst at Butler Group. "If there was no centralised IDM, there would be no way of the company knowing what that employee had access to."
Rodgers says that companies need to be able to switch off access, especially when an employee has left an organisation under a cloud. "This has to tie in with HR systems, so the minute a user leaves, they can no longer access," he says.
Sometimes, it can take up to 12 months to properly de-provision a user where an IDM system has been installed without a de-provisioning module that can cut access quickly. "The savings made from not having a disgruntled ex-user compromising a system they still have access to could run into millions," says Holt.
Rodgers says that companies might also want to integrate IDM with their asset management, so that if the employee has a company laptop or car, the company knows to make sure these are returned. Rodgers believes that, in general, this function is added into IDM systems at the later stages of a project.
The trick in implementing IDM is "to go for the 80/20 rule", says Jopling. "Look for the most visible application in the business, which will show the greatest need for IDM. Once this has been seen to, roll out the other applications in order of importance. Don't try to boil the ocean and rush to cover all the applications from day one, as this is a potential career-limiting move. Less is more in the early days with IDM. More will be gained for the business and the return on investment in IDM will be realised faster."
There is definitely a financial need to get applications corralled into an IDM system. Ray Stanton, global head of BT's business continuity, security and governance practice, says that large organisations average more than 75 applications, databases and systems, each requiring its own authentication.
"The indirect cost of time spent repeatedly logging on has been estimated at £380 a year for each member of staff. Furthermore, it's said that the average worker has to remember at least 15 usernames and passwords, all with different expiry dates," says Stanton.
And the bigger the company, the bigger the problem. Fortune 1000 firms typically depend on around 200 databases or directories of user information to control access to their systems. Traditionally, an administrator managed each system separately, deciding access to each application through a paper-based trail. But this is both expensive and prone to error.
Information about individuals, their changing roles, and the organisation's structure needs to be kept up to date. Links are also required between people, so that applications can work out who works for whom, for example.
Mistakes are the inevitable result of manually replicating these changes. Cutting down on the number of different directories could help to avoid the most glaring errors.
"These errors rarely become public knowledge, but when they do the results are both comical and disquieting. For example, months after a CFO left, one major company's system administrators found a cleaner with the same name had been given access rights to all its financial systems," says Stanton.
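An added example, not from the article or from BT, that ties together the de-provisioning point made by Rodgers and Holt and the cleaner-with-the-CFO's-name mix-up Stanton describes: a reconciliation of a directory export against the HR feed that cuts access only where the employee ID matches a leaver, and sends accounts with no valid ID to a person for review rather than guessing from the display name. The HR records, logins and group names are all constructed sample data.

```python
# Added example, not from the article: reconcile a directory export against
# the HR feed so leavers lose access promptly, without matching on name alone.
# All records and group names below are constructed sample data.
PRIVILEGED_GROUPS = {"finance-admin", "payroll"}

# Constructed HR feed: employee_id is the only stable key. Note two "Sam Lee"s.
HR_PEOPLE = [
    {"employee_id": "E1001", "name": "Pat Jones", "status": "active"},
    {"employee_id": "E1002", "name": "Sam Lee", "status": "left"},    # former CFO
    {"employee_id": "E1003", "name": "Sam Lee", "status": "active"},  # cleaner, same name
]

# Constructed directory export. svc_backup has no HR owner recorded at all.
DIRECTORY_ACCOUNTS = [
    {"login": "pjones", "employee_id": "E1001", "enabled": True, "groups": ["finance-ro"]},
    {"login": "slee", "employee_id": "E1002", "enabled": True, "groups": ["finance-admin", "payroll"]},
    {"login": "slee2", "employee_id": "E1003", "enabled": True, "groups": ["facilities"]},
    {"login": "svc_backup", "employee_id": None, "enabled": True, "groups": ["backup-ops"]},
    {"login": "old_temp", "employee_id": "E0999", "enabled": False, "groups": []},
]

def reconcile(hr_people, accounts):
    """Classify enabled accounts, by login, into three lists:
    disable: employee_id belongs to a leaver, so access can be cut automatically;
    review:  no valid employee_id, so a person must confirm ownership
             (matching on display name is how a cleaner inherits a CFO's rights);
    keep:    employee_id belongs to an active employee."""
    by_id = {p["employee_id"]: p for p in hr_people}
    disable, review, keep = [], [], []
    for acct in accounts:
        if not acct["enabled"]:
            continue            # already switched off; nothing to do
        owner = by_id.get(acct["employee_id"])
        if owner is None:
            review.append(acct["login"])
        elif owner["status"] == "left":
            disable.append(acct["login"])
        else:
            keep.append(acct["login"])
    return disable, review, keep

def prioritise(logins, accounts):
    """Order logins so that accounts in privileged groups are handled first."""
    groups = {a["login"]: set(a["groups"]) for a in accounts}
    return sorted(logins, key=lambda login: (not (groups[login] & PRIVILEGED_GROUPS), login))

if __name__ == "__main__":
    disable, review, keep = reconcile(HR_PEOPLE, DIRECTORY_ACCOUNTS)
    print("disable now:", prioritise(disable, DIRECTORY_ACCOUNTS))
    print("review:     ", review)
    print("keep:       ", keep)
```

On the sample data only `slee` (the departed CFO's account) is disabled; `slee2` stays because its employee ID belongs to the active cleaner, and `svc_backup` goes to review because nothing ties it to anyone in HR.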
And while administrators have to quell the large numbers of directories, users have to cope with passwords for every single one of them. Users, who are not always security conscious, have ways of remembering them that would give many administrators sleepless nights.
"On one occasion, we found the whiteboard in an office displayed a convenient table of people, applications and passwords," says Perry. "There is no substitute for single sign-on with a human-friendly password policy. A large US bank implemented single sign-on and this resulted in savings of $1 million (£570k) in helpdesk costs and led to an improvement in end user satisfaction."
Organisations might find the costs of administering IT systems and ensuring compliance go through the roof unless a reliable IDM infrastructure is in place and the data quality is good enough. However, to be truly successful, IDM needs to be integrated with an organisation's networks, applications, security precautions and ways of working.
The final part of the puzzle is compliance, something touched upon earlier. While the work done in gathering data about the organisation can define who does what, where, why and what with, and gets regulation boxes ticked, there is then the continual need to make sure everything stays in compliance and secure.
This means that you have to demonstrate that the proper controls exist around access privileges, user databases, roles and policies. While compliance is a driver for IDM, some believe that the main drivers will be cost and efficiency.
"IDM helps overcome duplication, reduces costs, optimises supply chains and achieves other efficiencies. There is also an instant benefit when it comes to launching new enterprise applications. As a result, it is a major contributing factor in the shift of enterprise security from overhead to direct benefit," says Stanton.