The Perils of Identity Mismanagement

eProvision Role-Out normalizes, reconciles, and cleans user identities

Organizations that think installing identity management capabilities is as simple as selecting the right software product are in for a rude awakening. As with many major enterprise systems integration efforts, months (or more likely years) of work face large organizations, which struggle to identify and import user identities and permissions into new software that will front for many other enterprise applications.

“Data reconciliation is a huge problem across the enterprise, and the ability to reconcile user identities, entitlements, and access rights has clearly become a critical undertaking for the enterprise as a first step in user provisioning projects,” says Roberta Witty, a research director for Gartner Inc.

Organizations implementing identity management software face a range of challenges, especially when attempting to transfer existing user information into new security software. If clean data isn’t loaded into the identity management system, people can’t get access.

To make identity management rollouts easier, Business Layers Inc., a provisioning software company, announced eProvision Role-Out, billed as the first identity consolidation service.

eProvision Role-Out takes data from existing sources in the enterprise, such as LDAP-compatible directories, Microsoft’s Active Directory, or enterprise application databases. The software interprets, normalizes, and reconciles the data, ultimately providing the identity management software with clean data and federated identities. That means administrators can save time by not having to manually clean data before it can be imported. In addition, clean data reduces rollout time, putting better security in place more quickly.

Companies typically use expensive consultants or low-yield technology for translating existing data stores into centralized, clean data. Meta-directories exist to acquire data, but manual remediation is still required. Yet having an accurate record of identities is the first step in rolling out any identity management program.

“Technologies that assist with this reconciliation effort – finding orphaned accounts, mismatches in user profile data, and conflicts in privileges granted to a user, then correcting those situations and establishing policies to enforce entitlements and rights across the enterprise – have far-reaching applications, especially in this time of growing regulatory compliance efforts such as HIPAA and Sarbanes-Oxley,” says Witty.

No matter the number of inputs, eProvision Role-Out organizes identity data through a process of extraction, normalization, and correlation of multiple roles into a single list of identities and corresponding entitlements.
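The extract, normalize, correlate sequence can be sketched in a few lines. This is an added example, not Business Layers' code or algorithm; it assumes HR is the authoritative identity source and that a normalized e-mail address is the correlation key, and all records and field names are constructed.

```python
# Constructed sample records; field names and sources are assumptions for illustration.
HR = [
    {"emp_id": "1001", "email": "Ann.Lee@Example.com ", "dept": "Finance"},
    {"emp_id": "1002", "email": "bob.ray@example.com", "dept": "IT"},
]
ACCOUNTS = [
    {"source": "ad", "login": "alee", "mail": "ann.lee@example.com",
     "dept": "Finance", "groups": ["GL-Post"]},
    {"source": "ldap", "login": "ann.lee", "mail": " ANN.LEE@example.com",
     "dept": "finance", "groups": ["vpn"]},
    {"source": "erp", "login": "bray", "mail": "bob.ray@example.com",
     "dept": "Sales", "groups": ["AP-Approve"]},
    {"source": "ad", "login": "jdoe", "mail": "j.doe@example.com",
     "dept": "IT", "groups": ["Domain Admins"]},
]

def norm(value):
    """Normalize a join attribute: trim whitespace and fold case."""
    return (value or "").strip().casefold()

def reconcile(hr_records, accounts):
    """Correlate accounts to HR identities by normalized e-mail address."""
    identities = {
        norm(r["email"]): {"emp_id": r["emp_id"], "dept": r["dept"],
                           "accounts": [], "entitlements": set(), "mismatches": []}
        for r in hr_records
    }
    orphans = []  # accounts with no matching HR identity
    for acct in accounts:
        ident = identities.get(norm(acct["mail"]))
        if ident is None:
            orphans.append((acct["source"], acct["login"]))
            continue
        ident["accounts"].append((acct["source"], acct["login"]))
        ident["entitlements"].update(f'{acct["source"]}:{g}' for g in acct["groups"])
        # Flag profile data that disagrees with the authoritative record.
        if norm(acct["dept"]) != norm(ident["dept"]):
            ident["mismatches"].append((acct["source"], "dept", acct["dept"]))
    return identities, orphans

if __name__ == "__main__":
    ids, orphaned = reconcile(HR, ACCOUNTS)
    for key, ident in ids.items():
        print(key, ident["emp_id"], sorted(ident["entitlements"]), ident["mismatches"])
    print("orphaned accounts:", orphaned)
```

Orphaned accounts and mismatches that the join cannot resolve are the portion left for manual remediation.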

Business Layers says the software will reconcile at least 80 percent of data; the rest must be manually remediated. In addition, the software can function on an ongoing basis, automatically loading data from enterprise software, including ERP, human resources, and Oracle files.

Once data is in the system, administrators can mine and analyze it to produce association rules, and apply tools for creating groups based on data commonalities. Administrators get real-time management tools for managing the data as well as report-generating capabilities.

Using an approach such as eProvision Role-Out helps “businesses create order out of chaos,” notes Business Layers chief technology officer Adrian Viego, by streamlining the data cleansing and consolidation process. In addition, it can help organizations “more quickly combat the damaging effects of identity mismanagement.” In other words, what is the cost of implementing identity management incorrectly? Besides headaches for systems integrators, it equals lost productivity for users if they’re unable to access enterprise applications.


About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.