Enterprises Struggle with Identity Management Roles

Identity management software adoption is increasing, but many organizations still rely upon too many group permissions to effectively manage their implementations.

Move over, ROI. Adoption of identity management software is increasing rapidly, thanks to three trends: a move to consolidated identity-management platforms, the current epidemic of lost and compromised personal information, and stricter regulations.

“The area of compliance is definitely first in the minds of companies I visit, rather than return on investment (ROI),” says Joe Anthony, director of integrated identity management at IBM Tivoli. “A year ago, ROI was the first thing I had to discuss.”

Even so, with the increased adoption and use of identity management, enterprises struggle with having defined too many roles—what discrete groups of users can or cannot do—resulting in management headaches. With identity management becoming mandatory to support the automated controls encouraged by many regulations, however, organizations are simply having to fine-tune as they go.

Research firm IDC predicts this year’s market for identity- and access-management sales will be $2.6 billion, and, largely driven by compliance requirements, will hit $3.5 billion by 2008. That forecast reflects how a number of identity- and access-management sub-categories (IDC defines seven) are growing rapidly.

Many regulations are driving the use of identity management. “It’s Basel II for European financial institutions, Sarbanes-Oxley for any public company that does business in the U.S., as well as such things as FDA regulations, if they’re a pharmaceutical company,” says Somesh Singh, vice president and general manager of the identity management business unit at BMC Software Inc.

As the use of identity management has grown, so have acquisitions. Over the past few years, Computer Associates bought Netegrity, HP acquired SelectAccess and TruLogica, IBM Tivoli acquired Access 360, Oracle acquired Oblix, and Sun acquired Waveset. This year, BMC Software acquired OpenNetwork Technologies and Calendra.

Overall, the acquisition of Web access management and user-provisioning providers has been especially popular. For example, IDC predicts the 2005 Web access management market will be worth $750 million in revenue, and the user provisioning market—connecting people to the resources required to get them productive—will be worth about $400 million.

The goal of all those acquisitions has been to give users more out-of-the-box identity-management features and integration, and such products are now hitting the market. For example, BMC recently released its Identity Management Suite, which integrates the former Calendra and OpenNetwork software into BMC’s identity management package.

According to BMC’s Singh, “customers, until a year or two ago, were going and addressing different needs. Some were focused on single sign-on, or auditing, or provisioning.” As users have grown more experienced with identity management, and capabilities have evolved, he says users have started to say, “I’d like to get a complete solution that’s integrated.” Companies are looking for vendors that will stick to it for a period of time and also expand as the market matures.

That vendor strategy is now a market necessity, notes Jonathan Penn, a principal analyst at Forrester Research. “Organizations are seeking out vendors offering a broad identity-management solution.” As such, “vendors with solutions such as Web SSO (single sign-on) and provisioning will compete more effectively against those with only Web SSO or only provisioning.”

Better-Defining Roles

While companies’ identity-management options have increased, however, using such software doesn’t guarantee improved security. Organizations are still learning how to apply it. For example, identity-management software can’t restrict access to sensitive resources when malevolent users are granted inappropriate levels of access. That’s what happened earlier this year when ChoicePoint granted accounts to attackers who had fooled the data seller by setting up a network of fake business fronts. Of course, the attackers then legitimately purchased about 145,000 reports on consumers.

The lack of effective security controls at ChoicePoint was not an isolated incident, and many companies could improve how they approve users’ requests for access to sensitive resources, says Anthony. “Customers really do need to take a step back and say, 'What are the manual processes we’re using to do approvals?' Frankly, we run into a lot of customers who still have no formal process in place.”

An ideal, formal process, he says, includes carefully vetting what a role can or can’t access, and why (as well as effective background checks, in the case of a company like ChoicePoint). “That applies no matter whether it’s an internal employee, or customer, or business partner,” he says.

When it comes to roles, flexibility is also key. “You could have a case where an employee was in on the weekend, working on their SAP system, for example, and they may have gone ahead and given that administrator, who doesn’t normally work on the SAP system, access for the weekend,” says Anthony. Such an approach—allowing for exceptions on an as-needed basis, and expiring them as soon as possible—can reduce the number of defined roles a company must maintain.

Then, after companies create roles, he says “what’s really important is the reconciliation on an ongoing basis,” ensuring that users aren’t exceeding their permissions, that security levels assigned to roles are still appropriate, and that all of a user’s rights are revoked when they leave the company. Today, however, “too often, customers are putting in place homegrown systems where they don’t do any remediation.”

In addition, many organizations try to over-define who has access to which systems and end up with too many different end user, customer, and client roles to manage. What’s needed, says Anthony, is application of the 80/20 Rule, with 20 percent of defined roles covering 80 percent of people in an organization. “When I hear companies say they have more roles than employees,” he says, “I know they’re going to have a maintenance challenge.”
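The three checks Anthony describes above (revoking rights when users leave, expiring as-needed exceptions, and watching for role sprawl against the 80/20 rule) can be run as a periodic reconciliation job. The following Python script is an added example, not code from the article or from any vendor it mentions; the user, role and exception data are constructed, and the function names are assumptions.

```python
from datetime import date

# Constructed sample data (not from the article): user status, role membership
# and as-needed exceptions granted outside the normal role model.
USERS = {
    "alice": "active",
    "bob": "active",
    "carol": "active",
    "dave": "terminated",  # has left the company
}
ROLE_MEMBERS = {
    "finance_reader": {"alice", "bob", "carol"},
    "hr_reader": {"alice", "bob"},
    "sap_admin": {"carol"},
    "sap_weekend_fix": {"bob"},   # one-off role created for a single incident
    "legacy_report": {"dave"},    # still assigned to a departed user
}
EXCEPTIONS = [  # temporary grants, each with an ISO-format expiry date
    {"user": "bob", "role": "sap_admin", "expires": "2005-03-14"},
    {"user": "alice", "role": "hr_reader", "expires": "2005-12-31"},
]

def orphaned_entitlements(users, role_members):
    """Role memberships held by users who are no longer active: revoke them."""
    return sorted((u, r) for r, members in role_members.items()
                  for u in members if users.get(u) != "active")

def expired_exceptions(exceptions, today_iso):
    """As-needed grants whose expiry date has passed: remove them now."""
    today = date.fromisoformat(today_iso)
    return [e for e in exceptions if date.fromisoformat(e["expires"]) < today]

def role_sprawl(users, role_members):
    """Apply the 80/20 rule: do the top 20% of roles cover 80% of active staff?"""
    active = {u for u, status in users.items() if status == "active"}
    ranked = sorted(role_members.values(), key=lambda m: len(m & active), reverse=True)
    top_n = max(1, round(0.2 * len(ranked)))
    covered = set().union(*ranked[:top_n]) & active
    coverage = len(covered) / len(active) if active else 0.0
    return {
        "roles": len(role_members),
        "active_users": len(active),
        "more_roles_than_users": len(role_members) > len(active),  # maintenance warning
        "top_20pct_coverage": coverage,
        "meets_80_20": coverage >= 0.8,
    }

if __name__ == "__main__":
    print("orphaned:", orphaned_entitlements(USERS, ROLE_MEMBERS))
    print("expired:", expired_exceptions(EXCEPTIONS, "2005-06-01"))
    print("sprawl:", role_sprawl(USERS, ROLE_MEMBERS))
```

On the sample data the job reports dave's orphaned role, bob's lapsed SAP exception, and five roles against three active users, even though one role alone already satisfies the 80/20 coverage test.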

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.