Top 10 IAM Challenges for Heterogeneous Enterprises -- Part 2 of 2
We examine the remaining five challenges and how Active Directory provides a solution.
by Jackson Shaw
In the first part of this two-part series, we began a discussion of identity and access management (IAM) challenges faced by an enterprise with a complex, heterogeneous environment: too many identities and directories; inconsistent password policies; too much repetitive manual work; and the ever-increasing need to stay on top of compliance regulations, to name a few.
A heterogeneous environment may include a variety of applications running on any combination of Unix, Linux, Windows, Macintosh, or legacy operating systems. Each system has its own purpose and access requirements, which hinders user productivity and sorely tests IT to maintain efficiency, security, and compliance.
The first part of the series examined five of the top 10 IAM challenges found in the heterogeneous environment (multiple identities and directories; single sign-on; synchronization; inconsistent password policies across systems; and traditional Unix directories (NIS) vs. compliance). In this conclusion to our series, we examine the remaining five:
- Entitlement management
- Excessive manual/repetitive work
- Original purchase versus original expectations
Challenge #6: Auditing
Auditing is one of the defining themes of compliance in identity and access management. An organization performs an audit to prove its information security complies with government regulations and industry standards. The more complex and diverse the enterprise, the more places there are to audit access to critical systems. It’s a time-consuming and expensive process.
In a heterogeneous environment, auditing includes a combination of manual and automated processes. Audit results across disparate systems take significant time to compile, and it takes even more time to collate and interpret this disparate data. The solution to improved auditing in a diverse environment is to reduce the number of places that must be audited. One proven approach is to unify as many non-Windows systems as possible within Active Directory, and add a tool that will automate the auditing process to make it more efficient.
Challenge #7: Entitlement Management
Controlling who has what privileges once they have access to a particular system or application can be a major headache in a heterogeneous environment. Administrators need only as much access as necessary to do their jobs, but, too often an organization’s security and compliance are threatened because too many people have access to privileged accounts they do not need to perform their jobs.
For example, in Unix operating systems, the all-or-nothing root account is most often used to grant privileged access. A Unix root account is like a single master key to all functions of the OS, giving anyone who can access it the rights to do whatever they want. Administrators who only need to reset forgotten passwords or run a backup have the same access as the director of IT, who may need to view and edit logs.
Even privileged Windows administrative accounts can have access-related problems due to some basic shortcomings in Active Directory. Native Active Directory tools don’t offer sufficient granularity to ensure administrative policy, security, or data integrity to the level that most organizations want.
The best way to address this challenge is to implement an entitlement management solution that enhances Active Directory and Unix with the capability to delegate administrative access, audit how administrators use the access they have, and then, through AD, extends those administrative roles and rules to non-Windows platforms and applications. This will help the organization achieve control over things such as the Unix root account.
Challenge #8: Excessive Manual or Repetitive Work
Time-consuming manual work is a hallmark of a heterogeneous environment, in which each system functions as an island unto itself. Wasted time and duplicate efforts to manage access control are typical in environments with multiple directories and identity stores. This is especially true when the mix includes Unix and Linux systems, in which identities and authentication are some of the enterprise’s most disjointed and difficult to manage. In Unix systems, de-provisioning is a time-consuming manual process that can cause the enterprise to be out of compliance if the process takes more than 24 hours.
Automation will provide operational efficiency in an environment of disparate systems, once the number of places to perform access control tasks is reduced. Incorporating Unix, Linux, and Mac systems as full citizens in Active Directory will give IT just one account per user to provision, re-provision, or de-provision, eliminating the delays and gaps in account termination that can cause an enterprise to become non-compliant. Another boost to IT efficiency is the ability to implement an enterprise-wide, self-service password reset solution, freeing the help desk for more important tasks.
Challenge #9: Compliance
Regulatory compliance is all about security and accountability, and its challenges within identity and access management boil down to access control, segregation of duties, policy-based security, and auditing and reporting. These challenges are multiplied in a diverse, complex environment where there are too many identities, too many places to audit, inconsistent policies, delays in de-provisioning, and too many employees with full administrative rights. The time it takes to manage some of these can actually cause an organization to be non-compliant.
The keys to a proactive approach to compliance are consolidation and automation. Unify as much of the non-Windows environment as possible into Active Directory so that both your Windows and non-Windows identity information is in a single place and access control can be centralized. Automating the auditing and reporting processes, as well as many of the other compliance-driven identity administration tasks, will make it easier to prove compliance. The right tools can ensure that systems are compliant and that the organization is able to prove that compliance to its auditors.
Challenge #10: Original Purchase vs. Original Expectations
This challenge arises when an enterprise recognizes, “What we originally bought isn’t living up to our expectations.” It’s not uncommon for big, expensive pieces of custom-built software purchased as a security framework for a heterogeneous environment to be so complex and have so many moving parts that it takes years to get them completely up and running.
The enterprise unable to fully realize the framework and connect the environment’s disparate directories, and the process of building and integrating the connectors can be so time-consuming that it ends up being more expensive than the actual software purchase. In the meantime, efficiency, security, and compliance continue to be compromised, and IT may be forced to reduce the scope of what was originally planned.
Once again, the solution is to consolidate within Active Directory as many non-Windows components of the environment as possible. Then, a single connector between Active Directory and the framework will address the IAM needs of a much larger portion of the enterprise.
The Key to Addressing IAM Challenges
The diversity of the systems, applications, and platforms in the modern heterogeneous environment requires users to have many different identities across the environment. This diversity is the root of most identity and access management challenges, and often results in disruptions to efficiency, risks to security, and lapses in compliance.
The quickest way to create a more efficient, controlled, and compliant approach to identity and access management in a diverse environment is to adopt a “get to one” strategy. Using the right tools, this approach eliminates many of the environment’s disparate identities, roles, policies, and processes, and consolidates as much as possible under Active Directory, the existing identity infrastructure for the largest user population in most organizations today. The AD single sign-on security protocol, Kerberos, then provides for one login, one identity, one password and one credential for seamless and secure access to all Windows resources and non-Windows systems that have “joined” AD.
A “get to one” approach also will work in an organization using a security framework. Because many of the systems within the framework can be managed through Active Directory, the number of connectors can be reduced. Concurrently, AD tools can help optimize the administration of user identities -- including non-Windows identities -- and their reduced number will make the framework more effective.
In reality, it may not be possible for every system and application to be fully unified within an existing infrastructure such as Active Directory. In those cases, the strategy should be modified to “get as close to one as possible for as many systems as possible.” With one single identity and password for each user -- or as few as possible -- efficiency will improve, security and compliance will be enhanced, and most of the challenges will disappear.
Jackson Shaw is senior director of product management for identity and access management at Quest Software. Jackson joined Quest as part of its acquisition of Vintela, and oversees product direction, strategy and go-to-market activities for the Quest One Identity Solution. He has been involved in directory, meta-directory, and security initiatives for 20 years. Previously, Jackson was a key member of the identity and access management marketing team for the Windows server marketing group at Microsoft, where he was responsible for product planning and marketing for Microsoft’s identity and access management products, including Active Directory and Microsoft Identity Integration Server (MIIS) 2003.