Bite-size Identity Management

Rapid deployment key to success

Deloitte & Touche LLP and IBM Tivoli announced a software and services combination to help companies rapidly roll out identity management capabilities. Dubbed ID Accelerator, the initiative will help large and mid-sized organizations get automated user identity management and improve their security policy enforcement in weeks, rather than months. The software also automates password management and resets.

Identity management controls who gets access to which systems. That’s a special concern as more businesses tie their computers together, a fundamental aspect of the Web Services movement. Yet for all the burgeoning integration, in a typical enterprise users have a mishmash of different passwords for different systems. Managing passwords for all of those users—especially when employees join or leave an organization—is an expensive, typically decentralized, and time-consuming process fraught with potential error.

Identity management can centralize the management and distribution of passwords. When employees are hired or fired, IT has a centralized mechanism for adding people to—or locking them out from—every system. “We typically find about 40-50 percent of the valid users on systems in the enterprise are people who no longer work there,” says Jeff Drake, director of Tivoli security strategy at IBM.

“This is a unique space for the security industry. What we've usually talked about is [how] we need to do security controls for the sake of security controls—focusing on fear, uncertainty and doubt, as some would say,” notes Mark Ford, principal with Deloitte & Touche LLP. “Tools like this help us operationalize security. It's focused on how do I make security management much more effective and streamlined.”

Rolling out identity management software typically requires a long wait until it’s up and running, though that’s changing. “These days, given the world security and the macroeconomic environment, companies aren't willing to do that anymore. It's a paradigm shift. Consulting companies can no longer just consult—they have to deliver value,” says Drake.

Traditional identity management projects face a wealth of potential obstacles. “What companies quickly find out is that there are many places in their companies where user information is stored, and a lot of that information is not the same, and it's not synchronized across different inventories,” says Roberta Witty, a research director at analyst firm Gartner Inc. in Stamford, Conn. Changes to one application don’t necessarily filter into another.

For companies that start with high-level business processes, getting to the point where they’re “synchronizing data across multiple repositories can take months,” she cautions. The tradeoff with a quicker rollout, however, is that it often lacks customization, or can't handle many thousands of users or more than a few platforms—at least initially. On the other hand, rapid deployment at least gets something up and running.

Then there’s cost. “At an enterprise level these implementations are expensive, there’s no question about it. There are questions of technology and consulting, and to do it enterprise-wide is a multiyear undertaking to do it right,” says Witty. Automating identity management is so difficult because it automates existing business processes. Precisely what those processes are mystifies many companies, and integration can get snagged on political issues, undocumented procedures, and requests for excessive customization.

Properly rolled out, however, an identity management project can be music to executives’ ears. “From a CFO perspective, I keep hearing that CFOs keep seeing the value of these offerings and the amount of money that can be saved,” says Witty. In fact, a Gartner study last year found that for identity management projects, the return on investment for an average project, over three years, is 300 percent.

Companies have to roll it out first, of course. “As far as rapid deployment, that's where ID Accelerator is really impressive,” says Witty. The software can also automate password management, which saves time and money—studies show that 50 percent of help desk calls typically relate to passwords.

ID Accelerator gets 1500 users running on the system initially, but such speed means there are tradeoffs. Tivoli Identity Manager, for example, can support over 70 end points containing identity information—everything from e-mail servers to ERP—via agents. “There's no way that we could say we're going to do all of these,” says Ford. “Our goal is to have the thing in in four-to-six weeks,” with three endpoints, one of which the client gets to pick. “We'll have a standard out-of-the-box feature for an operating system, such as Windows 2000, a standard option for an e-mail package, such as for Exchange, and we'll have a choice between an LDAP agent. Tivoli Identity Manager comes with one product that's a universal agent—that's pretty slick. Say you don't have an integratable end point—this guy allows you to integrate it.”

Installation “immediately sanitizes the environment, which is an extremely important security requirement. While that's not a very specific ROI driver, it's a very specific security driver,” says Drake.

The software itself is automated in other ways. “The way that the Tivoli identity manager product works is it goes out and feeds into itself access information about users—what applications does a user have access to. It will also gather data from any LDAP directory or human resources system, so those are all of the places where you would find users,” Drake notes.

On the CFO front, other security routes will automate business processes and save money. Those include password management deployment and resetting software, or limiting the number of platforms in the enterprise in order to control the amount of data cleansing and synchronization needed to let them play together.

No matter which identity management product companies choose, Witty recommends they look for "products that allow you to easily modify their agents, and more of a point-and-click interface, which tend to be easier to implement, because you tend to put more control in the hands of the end user, rather than having to go back to the vendor for tweaking."

Avoid getting a vendor to change its application code whenever possible, she warns, because it’s a time and cost trap. “By having a componentized product architecture, you can do a lot of the work yourself, so that you don't have to go back to the vendor for the customization whenever you need to make changes.”

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.