Many organizations have implemented SSO without realizing that SSO alone won't enforce their security policies such as separation of duties, won't assure that access to IT resources is immediately revoked for former employees, won't provide rapid access to resources for new employees, won't audit who has access to resources, won't keep information up to date, and won't necessarily help comply with governmental regulations. Indeed, former employees of many organizations continue to access SSO-enabled resources without the knowledge of the organizations.
When a person is hired into the organization, appropriate levels of access to IT and other resources need to be quickly provided based on the organization's policies, databases and directories must be updated, password policies must be enforced, and audit records need to be written. When a person departs the organization, access to SSO and other resources must be quickly revoked; however, analysts report that on average, very large organizations take approximately 6 months to revoke access to all resources. In some organizations, up to 60% of all IT accounts are "ghost accounts" that are not associated with any current employee. A PriceWaterhouseCoopers survey revealed that C-level executives believe former employees are their primary security threat.
Despite popular belief, SSO and access management software don't address these security requirements. They also don't help with resources that are not SSO-enabled: even in organizations with SSO, most users have more than one password, and some users resort to choosing obvious passwords or writing their passwords down in non-secured locations, like under their keyboards. Other users lose productivity when they call the help desk to have their passwords reset. According to the Gartner Group, up to 40% of help desk calls are for password resets, at an average cost of $30 each.
Identity management solutions immediately allocate and revoke appropriate resources when users join or depart an organization. Internal users and business partners are immediately granted access to the right resources based on their business roles, such as Accountant Level 1, or their membership in groups, such as people working in the organization's London office or people in the accounting department. Users no longer have to wait days or even weeks to receive access to the resources they need to perform their jobs and can become productive immediately. Even requests for non-IT resources such as office space, supplies and credit cards can be included in this provisioning process. Identity management solutions can also automatically update databases and directories with current information as it changes.
Likewise, when a person's responsibilities change, or when a person leaves the organization, identity management immediately changes or revokes access to appropriate resources. This helps enforce security policies such as separation of duties since persons in one role or group are automatically granted access to a different set of resources than persons in another role or group. Ghost accounts are eliminated and users retain access to only the resources they require in their new positions.
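The joiner/mover/leaver logic described above, as an added example that is not Fischer International's product code: an HR roster drives role- and group-based entitlements, the reconciliation against existing IT accounts yields grants, revocations and ghost accounts, and a separation-of-duties check shows why a mover's old rights must be revoked alongside the new grant. Role names, entitlement names and the sample roster are constructed for illustration.

```python
# Added example: HR-driven reconciliation with ghost-account and SoD checks
# (constructed sample data, hypothetical role and entitlement names).
from dataclasses import dataclass, field

ROLE_ENTITLEMENTS = {"Accountant Level 1": {"gl-read", "ap-entry"},
                     "AP Approver": {"ap-approve"}}
GROUP_ENTITLEMENTS = {"london-office": {"london-vpn"}, "accounting": {"erp-login"}}
SOD_CONFLICTS = [("ap-entry", "ap-approve")]  # may not both enter and approve payables

@dataclass
class Person:
    uid: str
    status: str  # "active" or "terminated", as recorded in the HR system
    role: str
    groups: set = field(default_factory=set)

def entitlements_for(p):
    """Target access for a person: role plus groups; nothing once terminated."""
    if p.status != "active":
        return set()
    wanted = set(ROLE_ENTITLEMENTS.get(p.role, set()))
    for g in p.groups:
        wanted |= GROUP_ENTITLEMENTS.get(g, set())
    return wanted

def sod_violations(entitlements):
    return [c for c in SOD_CONFLICTS if c[0] in entitlements and c[1] in entitlements]

def reconcile(roster, accounts):
    """accounts: {uid: current entitlement set}. Returns (grant, revoke, ghosts)."""
    by_uid = {p.uid: p for p in roster}
    grant, revoke, ghosts = {}, {}, []
    for uid, current in accounts.items():
        if uid not in by_uid:
            ghosts.append(uid)  # IT account with no HR record at all
            continue
        target = entitlements_for(by_uid[uid])
        if target - current:
            grant[uid] = target - current
        if current - target:
            revoke[uid] = current - target  # leaver or mover loses stale access
    for uid, p in by_uid.items():
        if uid not in accounts and entitlements_for(p):
            grant[uid] = entitlements_for(p)  # joiner with no account yet
    return grant, revoke, ghosts

ROSTER = [Person("alice", "active", "Accountant Level 1", {"accounting", "london-office"}),
          Person("bob", "active", "AP Approver", {"accounting"}),
          Person("carol", "terminated", "Accountant Level 1", {"accounting"})]
ACCOUNTS = {"bob": {"erp-login", "ap-entry"},  # kept ap-entry after moving roles
            "carol": {"erp-login", "gl-read", "ap-entry"},  # leaver, not yet revoked
            "dave": {"erp-login"}}  # no HR record: ghost account
```

Running `reconcile(ROSTER, ACCOUNTS)` flags dave as a ghost, revokes everything from the terminated carol, and for bob pairs the `ap-approve` grant with an `ap-entry` revocation; applying only the grant would leave him holding both sides of the SoD conflict.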
Identity management also improves security by cost-effectively managing password resets and synchronization across the enterprise. It automatically synchronizes passwords so users can easily remember them. Users quickly reset forgotten passwords without wasting time and even have a choice of resetting passwords through web browsers, mobile PDAs, Windows login or by voice response. Identity management also enforces password policies such as frequency of change and password length for all accounts.
Identity management solutions complement SSO, authentication and access management products by automatically provisioning and deprovisioning IT resources. New employees and business partners immediately have the access they require to SSO-enabled resources and other resources. Persons whose relationships with the organization are changing immediately have their access privileges changed or revoked. This can be accomplished through a single point of administration (typically the HR system) instead of involving multiple administrators, as is currently the norm. Obviously, it's important to work with a vendor whose solutions are platform and application agnostic, and that has a robust interface to your HR system, whether it's PeopleSoft, SAP, Oracle, Great Plains or something else. Identity management solutions also help comply with Sarbanes-Oxley and other regulations by auditing and reporting any changes in permissions as well as the status of who has access to each resource.
Glenn Choquette is Director of Product Management for Fischer International, an identity management vendor.