Q&A: Managing Security Through Enterprise Procurement

Setting up security for new users, and changing their security permissions quickly as roles change, is time-consuming; procurement (provisioning) software can often simplify and automate the process.

When it comes to procurement, most organizations face interminable lag times, unclear lines of authority, and disorder. Simply put, the process of giving users new or altered access to applications, hardware, or company resources is difficult. Sometimes, chaos results from procurement being a mostly manual process—managers have to contact multiple departments to get everything set up for a new hire. Other times, the holdup has to do with time: IT gets minimal advance notice, delaying the process of configuring the laptop and setting security access permissions correctly.

As most companies seek to reduce the time it takes to handle procurement, they face two tasks: ironing out their business processes and deciding whether to invest in procurement software to automate the process.

Security Strategies spoke with Jeff Schultz, vice president of sales and marketing for procurement software provider Abridean, about those challenges. While a number of procurement software providers exist today, Abridean has a twist: it started out developing software for hosted e-mail providers. The business model: split a Microsoft Exchange server between different clients, giving each client Exchange capability at a lower price than if they ran it themselves. Abridean’s software supported that model, and the latest version of its Provisor software also gives that capability to IT departments.

When it comes to provisioning, what were some lessons learned from the hosting business?

We originally focused on hosted messaging providers—e-mail hosting. They had a huge need for sharing an Exchange server amongst clients, then allowing a customer to provision accounts. Some of the larger hosters might have multiple servers, each provisioned amongst different customers.

So the trick, as you can imagine, especially with the new version of Exchange, which relies upon Active Directory, is simply provisioning everyone efficiently; it can be tricky to do that securely.

So why would IT departments want software born from hosting?

Many IT departments need to delegate some of their infrastructure out and to automate the process of setting up users. We’re hearing stories from enterprise customers that it could be 10 or 15 days before a new employee gets completely set up with accounts.

Enterprises … for cost-savings reasons, but also for security reasons, began to pay attention to hosting models, because the need, in this day and age, is not just to set up employees, but to give them access to applications or take it away as roles change. Some are beginning to delegate more security responsibility to [front-line] managers.

We also see [IT departments] beginning to view themselves as service providers, and you’re seeing things like minimum SLAs [service level agreements], things like chargebacks, from the IT department.

What are challenges in an approach like that?

The interesting thing is that the technical challenges that we’ve seen over the years are, in my opinion, beginning to get whittled away, because you see … new standards. More and more applications adhere to common directory standards like LDAP [Lightweight Directory Access Protocol] and SLDL [System Description Language], for instance. So that makes it easier for people to write to those standards and not have to do as much integration. The technical challenges are still there, but they’re getting resolved.

The challenges businesses need to focus on are the business process challenges. The way companies do it tends to be pretty chaotic. [Instead] you want to think about all the roles and rules in your company. The biggest challenge is not technical, it’s business process, and getting the buy-in from all of the different departments involved, because it’s HR, and accounting, and executives … it’s everything.

What can organizations do to map their business processes more easily?

Well, a lot … of these applications will go beyond just getting a user ID. Organizations might trigger processes to get a laptop, keycard, [and] parking space. So there’s a process aspect to that across different parts of the organization that you have to deal with. And from a customer perspective, that’s a big challenge. For a vendor like us, the challenge is, how do you make that easier? In [the new release] of Provisor, we have a … policy management capability to do advanced workflow through Visio. Using Visio to make an organization chart, you can “map”—using drag and drop—positions, with our product, to set permissions.

How does the org chart translate to security permissions?

Well, there could be a rule that says, "Check the user’s office location, then check the printer locations for our company, and pick a printer for that user and make it his default printer." Or take his first and last name, put a dot in between, an “@,” and the company's e-mail address, then check and see if that address is taken; oops, it is; then use this alternate method of creating an e-mail address.

Or you could check the title—in many organizations, certain titles key to certain security permissions. So we help break [account provisioning] up into identity-centric rules—this is what an e-mail address looks like—and application-centric rules. For example, you’re going to get an e-mail mailbox on Exchange, what kind should you get? All while maintaining security.
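The rules Schultz describes, as an added example in Python that is not Abridean or Provisor code: an identity-centric rule that builds first.last@domain and falls back on a collision, a location rule that picks a default printer, and application-centric rules that key mailbox type and group membership to title. It also computes the group additions and removals for a title change, since (as noted earlier in the interview) access has to be taken away as roles change, not just granted. The domain, offices, printers, titles and the one pre-existing address are constructed sample data; unknown titles fall back to a least-privilege default and are flagged rather than guessed at.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Added example, not Abridean/Provisor code. Domain, printers, title policy
# and the pre-existing address are all constructed sample data.
DOMAIN = "example.com"

PRINTERS_BY_OFFICE = {
    "Boston": ["bos-prn-01", "bos-prn-02"],
    "Austin": ["aus-prn-01"],
}

# Application-centric rules: what a title is entitled to. Titles not listed
# fall back to the least-privilege default instead of to a guess.
TITLE_POLICY = {
    "Engineer": {"mailbox": "standard", "groups": ["eng-all", "vpn-users"]},
    "Finance Analyst": {"mailbox": "standard", "groups": ["finance", "erp-readonly"]},
    "Vice President": {"mailbox": "executive", "groups": ["execs", "vpn-users"]},
}
DEFAULT_POLICY = {"mailbox": "standard", "groups": []}


@dataclass
class NewHire:
    first: str
    last: str
    title: str
    office: str


@dataclass
class Provisioned:
    email: str
    default_printer: Optional[str]
    mailbox: str
    groups: list[str]
    warnings: list[str] = field(default_factory=list)


def normalize(part: str) -> str:
    """Lower-case a name and keep only characters safe in a mail local part."""
    return "".join(ch for ch in part.lower() if ch.isalnum() or ch == "-")


def email_rule(hire: NewHire, taken: set[str]) -> str:
    """Identity-centric rule: first.last@domain, then an alternate form on collision."""
    first, last = normalize(hire.first), normalize(hire.last)
    candidates = [f"{first}.{last}@{DOMAIN}", f"{first[:1]}{last}@{DOMAIN}"]
    candidates += [f"{first}.{last}{n}@{DOMAIN}" for n in range(2, 100)]
    for address in candidates:
        if address not in taken:
            return address
    raise RuntimeError(f"no free address for {hire.first} {hire.last}")


def printer_rule(hire: NewHire) -> Optional[str]:
    """Location rule: the first printer registered for the user's office, if any."""
    printers = PRINTERS_BY_OFFICE.get(hire.office)
    return printers[0] if printers else None


def provision(hire: NewHire, taken: set[str]) -> Provisioned:
    """Run all rules for one hire. `taken` holds the addresses already in use
    and is updated so a second hire in the same batch cannot collide."""
    warnings: list[str] = []
    email = email_rule(hire, taken)
    taken.add(email)
    printer = printer_rule(hire)
    if printer is None:
        warnings.append(f"no printer registered for office {hire.office!r}")
    policy = TITLE_POLICY.get(hire.title)
    if policy is None:
        policy = DEFAULT_POLICY
        warnings.append(f"unknown title {hire.title!r}; applied default policy")
    return Provisioned(email, printer, policy["mailbox"], list(policy["groups"]), warnings)


def role_change(old_title: str, new_title: str) -> tuple[list[str], list[str]]:
    """Groups to add and to remove when a title changes, so the old role's
    entitlements are revoked rather than accumulating on the account."""
    old = set(TITLE_POLICY.get(old_title, DEFAULT_POLICY)["groups"])
    new = set(TITLE_POLICY.get(new_title, DEFAULT_POLICY)["groups"])
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    in_use = {"jeff.schultz@example.com"}
    print(provision(NewHire("Jeff", "Schultz", "Vice President", "Boston"), in_use))
    print(role_change("Engineer", "Finance Analyst"))
```

The point of keeping the rules as data (the title table) rather than as code paths is the one Schultz makes: the work is agreeing on roles and rules across HR, accounting and IT, and a table those departments can read is what gets that agreement. Returning warnings instead of silently inventing an entitlement keeps an unmapped title from becoming an over-privileged account.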

So are you seeing a trend in IT departments toward centralization, or toward decentralization?

I really see both. You have a history where a lot of departments and groups, when we were in the era of decentralization, would install their own products. What you have now is a legacy, where different companies have different ways of storing their information, and you do have a trend toward unifying that information, because otherwise you don’t get [the full business benefit].

Are more companies using meta- or virtual directories to facilitate provisioning?

Yes, and what a virtual directory does is, instead of synchronizing across all those different products, it’s almost like a meta-view. It points at all of the information directories, and what you see is one attribute for, say, Jeff Schultz. There’s a growing [need] for that, because … as organizations roll out provisioning, they realize they need that one view of what a customer or employee looks like, but … they don’t have time to create it.

Now there does tend to be a lot of talk that organizations, over time, want to move to having a single directory overall. But it’s just like the ebb and flow we see in the IT market; there are practical considerations that make that difficult.
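The meta-view Schultz describes, as an added example in Python that is not Abridean code: a virtual directory answers a lookup by reading each store at query time and merging attributes according to a declared precedence, rather than synchronizing them into one master directory. The same cross-store view is what exposes two provisioning failures that a single directory would hide: an account still enabled after HR marked the person terminated, and an application login with no HR record behind it. The three stores are constructed in-memory dicts keyed by a hypothetical employee ID; a real deployment would back them with LDAP, SQL or application API calls.

```python
from __future__ import annotations
from typing import Optional

# Added example, not Abridean code. Constructed sample stores keyed by a
# hypothetical employee ID.
HR = {  # system of record for people
    "E1001": {"givenName": "Jeff", "sn": "Schultz", "title": "Vice President", "status": "active"},
    "E1002": {"givenName": "Ana", "sn": "Ortiz", "title": "Engineer", "status": "terminated"},
}
AD = {  # accounts and group membership
    "E1001": {"mail": "jeff.schultz@example.com", "memberOf": ["execs", "vpn-users"], "enabled": True},
    "E1002": {"mail": "ana.ortiz@example.com", "memberOf": ["eng-all"], "enabled": True},
}
ERP = {  # legacy application with its own user table
    "E1001": {"erp_role": "approver"},
    "E0999": {"erp_role": "admin"},  # no HR record behind this ID
}

# Which store is authoritative for an attribute several stores carry.
# Stores not listed for an attribute are tried afterwards, in registration order.
PRECEDENCE = {"title": ["HR", "AD"], "mail": ["AD", "HR"]}


class VirtualDirectory:
    def __init__(self, sources: dict[str, dict[str, dict]]):
        self.sources = sources  # name -> store; "HR" and "AD" are required names

    def lookup(self, emp_id: str) -> Optional[dict]:
        """Build one merged record per call by reading every store.
        Nothing is copied or synchronized between the stores."""
        records = {name: store.get(emp_id) for name, store in self.sources.items()}
        if not any(records.values()):
            return None
        merged: dict = {}
        provenance: dict[str, str] = {}
        attrs = {a for rec in records.values() if rec for a in rec}
        for attr in sorted(attrs):
            preferred = PRECEDENCE.get(attr, [])
            order = preferred + [s for s in self.sources if s not in preferred]
            for src in order:
                rec = records.get(src)
                if rec and attr in rec:
                    merged[attr] = rec[attr]
                    provenance[attr] = src
                    break
        merged["_sources"] = provenance  # which store each attribute came from
        return merged

    def stale_accounts(self) -> list[str]:
        """IDs HR no longer lists as active that still have an enabled account."""
        return sorted(
            emp_id for emp_id, rec in self.sources["HR"].items()
            if rec.get("status") != "active"
            and self.sources["AD"].get(emp_id, {}).get("enabled")
        )

    def orphans(self) -> list[str]:
        """IDs present in some application store with no HR record at all."""
        known = set(self.sources["HR"])
        in_apps = {emp_id for name, store in self.sources.items()
                   if name != "HR" for emp_id in store}
        return sorted(in_apps - known)


if __name__ == "__main__":
    vd = VirtualDirectory({"HR": HR, "AD": AD, "ERP": ERP})
    print(vd.lookup("E1001"))
    print("stale:", vd.stale_accounts(), "orphans:", vd.orphans())
```

Recording provenance per attribute matters when the view feeds provisioning decisions: if a title can come from either HR or AD, the policy engine should know which one it acted on, and the precedence table is where that choice is made once rather than in every consuming application.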

Are legacy applications an impediment to single directories?

Legacy applications [can be], and justifying how much work it would take to do data integration and so on. Most organizations today are not undertaking projects like that if they don’t have to. For example if a company can roll out a portal, because [maybe] there’s a huge benefit for [centralizing information for employees], they’re going to do it the virtual or meta-directory way. Rewriting old applications always gets back-burnered.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a freelance security and technology writer.