The problems and benefits of identity and access management

Identity and access management (IAM) is arguably the broadest issue in IT security. There are few other single concepts that impact as widely on so many areas as that of managing identity in an enterprise business context. From enabling employees to access the internal resources they need to fulfil business aims, through companies outsourcing functionality and hardware to consumers seeking to bank, trade or buy goods remotely, all are dependent on secure, reliable identity and access management.

In addition to enabling secure access to relevant resources of all kinds, well-structured identity management provides the lever to make huge efficiency savings that can grow exponentially over time. Badly-implemented projects, however, will not only soak up precious resources, but will merely automate existing problems, leading to a more costly cleanup exercise in the future. Such are the basic risks and benefits of IAM.

Alan Rodger, senior research analyst, Butler Group, said: "It's certainly a mistake to look at IAM and see it as a series of technical implementations - business needs should be the key driver here. There is a huge scope of products available in this field, from single sign-on through authentication to federation, and any IAM implementation needs to map onto business needs explicitly - there are no hard and fast rules here."

Tim Farrell, CEO and co-founder of FutureSoft, agreed: "Any enterprise looking into this area must first have a very clear idea of its goals, so that it can match protection to its environment. Far too many enterprises try to implement a whole range of security widgets, which are ultimately self-defeating. The key is to identify the 20 per cent of data that is business-critical and protect that, rather than trying to protect everything."

Farrell also believes that mapping essential data is vital: "It's key to know and map exactly where your data is stored, and this is often not as easy as it sounds. Local machines can cache data for performance reasons, and this needs to be acknowledged and analysed. It's important not to get too paranoid and set your security levels too high, though, as it's perfectly possible to step back ten years in performance terms by encrypting all your storage and disabling caching."

Simon Godfrey, director of security solutions, CA, believes that IAM can be the most complex project going. "It's without doubt one of the most challenging projects a business can undertake, and people really are the key to this one. Technology is very much in second place. It's all about ensuring you have strong methodology and have best practice policies in place, as well as keeping the complex process on track with a high level of project governance. Ultimately, IAM is less of a project, more of a programme."

Many businesses will have begun an IAM programme some years ago, and often in single departments or for individual groups of users, such as secure sign-on tokens for remote workers or finance department staff. As demands and technology change, many large enterprises find they are operating several overlapping systems. The integration of these can be a headache, but will bring in extensive cost savings in the future.

This is one of the key benefits of IAM, explains Godfrey: "Often, identity management processes are either manual or semi-manual, and automating these can offer genuine cost benefits. A simple example here is password resets. These soak up huge amounts of helpdesk time, and deploying single sign-on can cut costs drastically. One implementation we did for BT ended up saving it $4.5m per year. And federating new services, such as web services, can cut rollout times and increase flexibility hugely."

The broadening scope of federated management systems makes the task of deployment more complex, but also far more rewarding. Once authenticated identities can be used in a portable fashion across autonomous security domains, administration efficiencies can be driven enormously. However, cross-domain B2B deployments are even more complex, and strict adherence to standards is critical to success.

Whatever the scale of deployment, standards are of vital importance, due to the wide area that identity management covers. Equally, this scope can also make it difficult to ensure that all relevant standards are met in every area of the network. IAM impacts on areas including directory management, certificate authorities, provisioning, access control, as well as authentication standards for tokens, smartcards and biometrics.

The key standards bodies in the IAM space include the Liberty Alliance, which works towards developing standards for federated identity and identity-based web services; Oasis (Organisation for the Advancement of Structured Information Standards), responsible for the development of SAML (Security Assertion Markup Language), a method of conveying identity and authorisation data, as well as WS-Security (Web Services Security), a methodology for attaching security data to web services messages; and XACML (Extensible Access Control Markup Language), a standard for expressing security policies and access rights to information for web services. There is also the Web Services Interoperability Organisation (WS-I), responsible for WS-Security, a security standard for when data is exchanged as part of a web service, and WS-Federation that deals with the federation of trusted identities, their attributes and their authentication. Additionally, ISO and British standards all play a part, depending on geographical territory, as well as a whole host of authentication standards.

Emma Harrington, global product manager, Thales, said: "A lot of customers have heard of one or two standards and ask for them, such as SAML, but many have no idea what these standards actually are, or what they do. This is a very important area, though, as often technology vendors are keen to lock customers into their own products, which can lead to integration difficulties down the line. The key to a successful IAM implementation is to be flexible. A project of this size is a great time to take a step back and assess business priorities, risk vectors and take an overview."

Steve Brunswick, strategy manager, Thales, concurs: "Be sure to consider which standards are most relevant for your business, and discuss these with your chosen vendor. It's also wise to ask them about their intended roadmap; not all vendors will fully support the huge variety of standards in this area."

Jim Hietala, VP security, the Open Group, believes that broader vendor adoption is required: "The standards are out there, but their adoption so far is fragmented, and it is also inconsistent. Organisations are trying to deal with this situation, but it's a complex one. The reality for companies tends to be implementing a solution for business reasons, such as a SaaS product like Salesforce, then looking at IAM considerations later."

Other advantages of a standards-based approach to IAM include increased visibility throughout the organisation, and the inbuilt presence of forensic tools. In the event of a data breach or leak, it's important to be able to spot immediately where the issue originated, so that safeguards can be applied. However, Rodger points out that the sheer scale of the task should not be underestimated. "Provisioning, for example, where access rights are granted as a result of authorised ID, requires a huge amount of work to define the roles of staff. It can take from one to three years to design and spec a large system. This means businesses need to be extremely careful about future-proofing right through the technology stack, from applications right through middleware and hardware."

Future issues aside, another common IAM pitfall is to downplay the importance of executive buy-in, according to Godfrey. "This is by far the greatest reason for failure in IAM programmes, and when a client comes to us without it, we know that success is unlikely. Implementations on this scale will inevitably encounter resistance from some quarter of the business, and it's vital to have the weight of an executive sponsor to keep things moving. It's also critical to keep this sponsorship. We've certainly seen projects that gradually grind to a halt after stage one because the sponsor has withdrawn."

It's clear that IAM will mean very different things to different companies, and implementations will range from single sign-on for double-figure user bases, through to international federated B2B marketplace systems. However, many of the preliminary steps remain the same, and the absolute requirement to co-ordinate and maintain project coherence is the top priority. As the demand for efficiencies grows, the need for increasingly complex federated systems will also increase, and the raft of standards that accompany the theory will also mature further. Keeping on top of the relevant ones for your IAM implementation is key, especially to ensure that your investment remains viable into the future.

Top 10 IAM Tips

1. Don't start by looking at technology solutions. The first step is to understand your business needs and establish how far down the road you need to go - one size does not fit all here. Ensure that the various phases of your IAM project are tied to quantifiable business results.

2. Review risk and policy. Conduct a thorough review of business risk factors and existing security policies before beginning to spec an IAM system. A solid base will enable a measured and realistic outcome. Check that internal policies, and department responsibilities are correct and up-to date, as minor changes can render them obsolete.

3. Check your manual identity processes. Ensure that your existing manual processes are right and that they work. Establish from the first what problem you are trying to solve, and ensure that the processes you are automating and streamlining actually fit the bill. Simply automating failing processes will result in an expensive volte-face in the future.

4. Don't rush in. Successful IAM implementations can take up to three years - don't try and cut corners, as clearing up the mess may be difficult and protracted.

5. Don't bite off more than you can chew. If there is an existing business case for a small, localised implementation, gain an easy win with that first, rather than taking on a major task straight off. An early win is essential to ensure buy-in stays strong.

6. Work together. Co-operation is the key to a successful deployment, and getting the right people across the business onboard is essential. Involve application owners, executives and marketing personnel as well as end users. Also be very sure that you have executive level buy-in, and that you keep it that way. A siloed approach will not succeed.

7. Educate, educate, educate. Provide targeted education to both users and IT staff, as with any major IT project, and ensure that regular refreshers are scheduled.

8. Pay attention to maintenance. An IAM system needs regular maintenance to keep pace with standards and product updates, internal technical changes and process optimisations. In addition, business realignments will require reassessment of their responsibilities and/or other requirements.

9. Complexity can be deadly. Match protection to your environment, and be sure that the problems you are seeking to solve are clearly quantified. Excessive complexity will result in a system that will alienate users and IT alike - so don't use a hammer to crack a nut...

10. Future-proof your plans. Don't fall into the trap of vendor-lock in, and look for the most flexible solutions. The best will allow future integration without too much pain. Also be wary of too much detail in a tender response - is it likely that all that time and effort is just for your benefit?

CASE STUDY

Irish Life & Permanent is Ireland's largest life assurance company, and also provides personal financial services. The company has grown rapidly, both organically and through acquisition, and this resulted in the organisation's 5,000 staff facing a diverse number of systems, user IDs and passwords.

Alongside a variety of other IT-related changes, it was decided that there was a requirement for enhanced security and simplified passwords for a specific user group of around 1,800.

Aaron Slater, IT manager, Irish Life, explained: "The staff in the branch network were dealing with several different systems on a daily basis and needed to keep track of a combination of IDs, which was becoming a bit of a burden."

The solution needed to be transparent to the end user and easy to use, as well as automating logon and managing password changes and error conditions for a variety of application types.

Slater continued: "We looked at a variety of solutions, some of which were more practical than others, including password synchronisation." Of the 12 market candidates approached, eight presented proposals and from that two companies were asked to arrange site visits to existing customers. Passlogix was judged the winner of the beauty contest, with its single sign-on VGO 5.03 SP12 product.

Stephane Fymat, VP strategy and product management, Passlogix, said: "Our product has been resold by IBM and Sun and white labelled by Oracle. In the past, BMC and Citrix have also resold it, while RSA's Sign on Manager combined other technology with it. Lesser-known benefits include account reconciliation and true visibility across the enterprise about who is using what, and when, useful when planning other IAM projects."

Slater said "a key point in Passlogix's favour was that no changes to the backend were required, and the system is pretty transparent to the end users, so minimal training was required - only one person per branch was trained."

On the actual day of migration, all of the branch staff came in 15 minutes earlier than usual to register, and most were positive about the new system, according to Slater. "Staff are certainly more efficient, and the overall environment is more secure, as passwords are now randomised. We've found the whole implementation to be pretty bullet-proof."

Slater summarised the experience: "There's a certain amount of due diligence when adding new applications to a system of this type, and some can be easier than others. For example, web apps aren't all built with single sign-on in mind, so might have the same logon and logoff URLs, and these don't work well. We built a separate test area to ensure that there were no major problems, and this has stood us in good stead. Any changes to any of the products in the system could change the reaction of the single sign-on component, so you need to maintain close relationships with the various developers."