Projects to introduce automated user provisioning and password management often face the enormous problem of dispersed and inconsistent information on users' identities. With a consolidated meta-directory containing users' information often not available, virtual directories can enable an organization to consolidate the ID information needed to automate critical ID management projects.
Identity mapping offers cost and security benefits in this process, as well as helping to achieve regulatory compliance. But what exactly is it?
Mapping corporate identities enables enterprises to map user IDs and their associated access permissions. It helps avoid massive data cleansing projects to establish a clean authoritative source. ID mapping is easiest for end-users when done automatically by the system.
User provisioning and password management software directly linked to virtual directories ensures the secure association of authentication data and account privileges required for secure, self-service or delegated ID management.
Improving security for less money
Having a map of all users and their associated access rights allows enterprises to immediately act upon vulnerable accounts according to their security policies. Automated provisioning and de-provisioning enables the business manager or support staff to deactivate all of the access rights of employees, partners, and contractors as soon as their relationship is terminated.
This immediate termination of access rights dramatically improves security, enabling enterprises to cut costs associated with security breaches as well as operational costs of software licenses, cell phone plans, and so on, that are no longer in use. Integrated identity management software enables customers to tighten security and reduce costs while efficiently solving this complex IT problem.
The path to regulatory compliance
Regulatory requirements such as HIPAA, Sarbanes-Oxley, and Gramm-Leach-Bliley put more focus on the identification of digital assets and access rights.
Automated ID management software assists in enforcing access requirements by addressing authentication, access controls, user account management, and real-time auditing and reporting capabilities. ID management software can manage users' digital identities and access rights through their entire corporate lifecycle, from on-boarding to termination. This is achieved by looking at who is there (authentication management and access control), how they are managed (user management, delegated administration, workflow), and what they really need access to (user provisioning and de-provisioning) – all in a self-service manner that puts the information in the hands of those who know it best: the business line managers.
The problem with compliance from an IT perspective is that identity information is scattered throughout the enterprise. Corporations have a variety of users, and many different types of applications and different identities across different platforms such as NT, UNIX, and mainframe.
Achieving regulatory compliance today requires IT to:
- Establish consistent, repeatable business processes;
- Ensure that sensitive data can only be accessed by employees who need it to perform their job;
- Immediately delete access to data when the employee leaves;
- Provide detailed audit data.
Establishing consistent ID mapping processes provides enterprises with all of the above, and distinctly enhances their ability to achieve regulatory compliance.
Overcoming political barriers
In order to gain cross-functional support, IT should be able to demonstrate how implementing ID mapping can help the enterprise run better than it is currently, as well as show incremental and measurable returns along the way.
An important factor in the success of ID management and ID mapping projects is the requirement not to force a schema or process onto the business based on the proposed technology, but to do just the opposite: use technology whose schema and processes adapt to the existing organization. This also ties into the need to demonstrate real flexibility in making the ID mapping and the larger ID management initiative fit the way the enterprise works today, and to show that they can mirror changes in the organization.
Successful cross-functional deployments are all about the politics of reducing risk, reducing costs, minimizing impact and maximizing return. ID mapping is an excellent way for IT to introduce larger ID management initiatives to the enterprise, easing concerns and gaining cross-functional support.
The key to implementing an ID mapping process is linking a person's profile to the accounts and resources assigned to them and storing this information in a data repository. ID management solutions leverage this capability to enable individuals or support staff to manage the credentials appropriate for their profile.
For any ID mapping initiative to be most effective, the authoritative data must be current and accurate.
ID mapping generally consists of four steps:
- Discover the accounts on systems in the infrastructure and move to a staging area;
- Apply exclusions to accounts and profiles that are not part of ID management (such as system, admin or other sensitive accounts);
- Run mapping rules that match profiles and accounts. Mapping rules may vary by company, business unit, geography, platform, and so on. The mapping rules must be able to handle this level of complexity to be effective;
- Apply manual mappings that have been pre-defined in the system (typically resolved by an administrator).
This process generates a list of unmapped accounts where no profile was matched, or where other aspects of the rules have moved the accounts into the unmapped category. The set of unmapped accounts is the candidate list of orphaned accounts that can then be dealt with according to the security policy.
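The four steps above as runnable code, added here as an illustration and not Courion's product logic; the profile store, platform names, mapping rules, exclusion list and discovered accounts are all constructed sample data.

```python
# Added example (not Courion's code): a toy model of the four ID mapping steps
# run over constructed sample data. PROFILES stands in for the authoritative
# HR source; STAGING holds what discovery pulled from each platform.
from dataclasses import dataclass, field

@dataclass
class Account:
    system: str                      # platform the account was discovered on
    name: str
    attrs: dict = field(default_factory=dict)

PROFILES = {"E100": "alice@example.com", "E200": "bob@example.com"}  # employee id -> email
STAGING = [  # step 1: discovered accounts moved to the staging area (constructed)
    Account("ad", "alice", {"mail": "alice@example.com"}),
    Account("ad", "Administrator"),
    Account("unix", "bob", {"gecos": "Bob Jones,E200"}),
    Account("unix", "root"),
    Account("unix", "svc_backup", {"service": True}),
    Account("mainframe", "CAROL01"),
    Account("mainframe", "DAVE02"),
]
EXCLUDED = {"root", "Administrator"}          # step 2: sensitive accounts kept out of scope
MANUAL = {("mainframe", "CAROL01"): "E100"}   # step 4: administrator-resolved mappings

# step 3: mapping rules; each returns an employee id or None, selected per platform
def by_mail(a):
    return next((e for e, m in PROFILES.items() if m == a.attrs.get("mail")), None)

def by_gecos(a):  # UNIX convention here: employee id is the last GECOS field
    tag = a.attrs.get("gecos", "").rsplit(",", 1)[-1]
    return tag if tag in PROFILES else None

RULES = {"ad": [by_mail], "unix": [by_gecos]}  # no rule for mainframe: manual only

def apply_exclusions(staged):
    return [a for a in staged if a.name not in EXCLUDED and not a.attrs.get("service")]

def map_accounts(staged):
    """Return (mapped, unmapped); unmapped is the orphaned-account candidate list."""
    mapped, unmapped = {}, []
    for a in apply_exclusions(staged):
        pid = next((p for p in (r(a) for r in RULES.get(a.system, [])) if p), None)
        pid = pid or MANUAL.get((a.system, a.name))
        if pid:
            mapped[(a.system, a.name)] = pid
        else:
            unmapped.append((a.system, a.name))
    return mapped, unmapped
```

Excluded accounts never reach the orphan list, so a review of that list must be paired with a separate review of the exclusion set itself.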
Brian Milas is chief technology officer at Courion Corp.