In-Depth

Trends: Identity and Access Management Needed on Mainframes, Too

Phantom users and orphaned accounts are widespread in the distributed space, but things are even worse in the mainframe world

• By Stephen Swoyer
• 04/05/2005

A pair of acquisitions last month highlighted the still-murky state of user provisioning and identity management in the enterprise.

According to consultancy META Group, more than one-third of a user’s accounts or access privileges typically remain active even after the user leaves an organization. While orphaned user accounts and undocumented user privileges are pandemic in distributed environments, things may be even worse in the mainframe world.

Last month’s acquisitions by BMC Software Corp. and Computer Associates International Inc. underscore the growing importance of identity and access management (IAM) solutions. For mainframe customers, CA’s acquisition of long-time partner InfoSec highlights what officials claim is a grossly under-reported issue in most Big Iron shops.

First, BMC snatched up OpenNetwork, a provider of Web access management, Web single-sign on, and federated identity management offerings. The OpenNetwork acquisition was seen by some as a bookend to a similar acquisition BMC made several months earlier when it picked up Calendra, a Web-based identity management solutions provider.

Market watcher Gartner Inc. thinks the acquisition has plenty of potential for BMC, which can now claim to offer a more-or-less complete IAM suite. “The deal will strengthen BMC's position as an IAM suite provider, because BMC will now own the two main engines—user provisioning and extranet access management (EAM)—needed for a full IAM suite,” write Gartner analysts Roberta Witty and Ray Wagner, noting that BMC’s IAM solution is still bereft of a strong authentication component. “The company will also be better positioned to provide strong support for Microsoft Identity Integration Server … and other Microsoft platforms, which are a growing part of many enterprises' IT infrastructures.”

CA's Cleanup

Also last month, CA acquired a mainframe-based IAM tool, called Cleanup, that picks up where most other IAM technologies leave off: It’s designed to ferret out orphaned user accounts and discover cases in which user privileges are elevated (or otherwise undocumented). CA has for some time resold the InfoSec tool as eTrust Cleanup, along with its traditional ACS2 and Top Secret mainframe security tools, so the acquisition was a fait accompli of sorts.

CA officials say orphaned user accounts and undocumented user access rights or privilege elevations are hot-button issues in the mainframe world, thanks in large part to compliance.

One upshot of this, says Ron Moritz, a chief security strategist with CA, is that Big Iron customers in all markets are demanding the kind of functionality provided by a tool like Cleanup.

“It’s [for] anyone who has a mainframe. Top Secret and ACS2 represent approximately 50 percent of the mainframe security market, and arguably anyone who’s running a mainframe shop should be running Cleanup as well,” says Moritz. “If they’re not, how can they validate, how can they provide attestation opposite compliance measures like Gramm-Leach-Bliley, having to do with the proper use and control of customer financial records? They can’t, and that’s what’s really fueling the demand.”

The other half of the mainframe IAM market, of course, is contested by IBM Corp., which reports a similar trend among its own customers.

In fact, confirms Laura Vogliono, director of provisioning and security with Big Blue, the problem is widespread in almost all large IT organizations. “One of our customers, when we came in with our software, we found they had 900 orphaned accounts, and that one of their ex-employees was continuing to access accounts they hadn’t thought to remove,” says Voglino.

There are several pieces to IBM’s IAM solution, including Tivoli Identity Manager (TIM) and IBM Directory Integrator, which together enable automatic reconciliation—that is, mapping of account IDs to user aliases—of user data from enterprise directories, enterprise applications, and other sources. The idea is that TIM can discover user accounts during reconciliation and establish a relation between a specific account and user data by comparing the user ID of the account with all of the aliases in a system. If TIM finds a match, it establishes a relation and recovers the account; if not, it classifies the account as orphaned.

Of course, Voglino says, TIM does a lot more than just reconciliation: “When you’re automatically provisioning and deprovisioning users … you have to constantly be auditing that [process]—verifying that if user Jon has access to Resource A, and if Mary has access to Resource A, I’m having a problem here. You want not only to create your policy, you want to verify your policy, too.”

Problem Exacerbated in Mainframe Shops

On the surface, the problem of orphaned or unused accounts and elevated access privileges would seem disproportionately to affect distributed environments, where—even after the emergence and uptake of enterprise directory services—multiple user identities prevail. But CA’s Moritz says this issue is as big, if not bigger, in mainframe environments.

“We’ve experienced it on Windows and Unix and Linux platforms, but it’s actually worse on the mainframe,” he says. “Oftentimes, we cut off the main access [in z/OS, for example], but individual access to individual applications remains.”

This jibes with research from META Group analyst Earl Perkins, who says a user is typically assigned an average of 16 user IDs during her course of employment; of those 16 IDS, only 10 are typically removed when a user leaves a company.

A typical scenario, says Moritz, is when a user retires after a lengthy term of service with a company. Over the years, of course, this user has accumulated numerous “touch points” on various systems and applications—some of them only incidental, such as when he or she needs temporary access to a system, application, or service. In some cases, Moritz says, these “temporary” touch points aren’t ever revoked.

“We’ll get rid of the obvious touch points, but when it gets into some more bizarre applications—like maybe last year, I needed to access a particular system to see what particular applications we’ve sold to a particular customer, and it was just for that one time, it was granted, and then we kind of forgot about it,” he explains. “That’s not normally the course of business that I’m involved in, and so when I leave the company, nobody bothers to de-provision me from that system, because they didn’t know I was provisioned in the first place.”

The problem is exacerbated in Big Iron shops, Moritz contends, because of the scale and complexity of mainframe systems, which typically host tens, hundreds, or even thousands of applications—many with their own (idiosyncratic) access requirements—that have been micro-partitioned across different LPARs. It’s in this respect, argues Mortiz, that a tool like Cleanup clearly has value.

“Cleanup actually goes off and looks at the applications … looks across the mainframe, and says here’s an account that’s related to a system over here, it’s an inactive account. Here’s a case where [a user] has access [privileges] that he shouldn’t."