How can you be certain that staff and external business partners are given the correct access to your company's IT system? How do you ensure they are only able to access the information they require, and that when they no longer need access or cease employment, their login is barred? Identity and access management (IAM) technology is designed to address such security issues.
IAM technology has to date been driven predominantly by regulatory compliance concerns. However, uptake is currently far from pervasive, with implementations historically tending to be tactical rather than strategic in nature. For instance, IAM is often used when groups of users need remote access.
Some organisations are deterred by the complexity and potential cost of broad-based initiatives. Many are simply confused as to what the term actually means, since it has been widely appropriated by vendors to fit their own ends.
Project management issues
Ant Allan, a research vice-president at Gartner, says that because identities are very complex to manage, the fundamental aim of IAM is to bring simplicity and overarching structure to control things in a consistent way across a heterogeneous environment.
"The problem is that we've ended up with a huge number of discrete technologies that each address a different slice of it. So there's not a single IAM market. There are a number and they're all slightly different," he says.
Gartner estimates that between two-thirds and three-quarters of companies currently have no major technical IAM implementations underway. Barriers to adoption among mid-market and smaller companies, in particular, include expensive per-user licence fees for tools and the need for recourse to professional services companies to find relevant skills. Such a move can double or triple the cost of a project.
"Even with the benefits that improved automation can bring in terms of reducing costs, providing better service levels, better control and the ability to hit compliance goals more effectively, these projects can be hard to justify for many organisations," says Allan.
Obstacles to success
To make matters worse, according to Don Smith, technical director at information security consultancy dns, more than half of projects fail, mainly because they tend to be treated as technology initiatives rather than business programmes.
"They're like ERP projects," says Smith, "which means you have to layer business processes onto them. The technology is relatively straightforward, but the problem is that implementations in most organisations are ill defined at best."
In reality, this means that many enterprises fail to understand or document the process steps involved in, for example, setting up a user account, or to agree standard organisational definitions of what constitutes, say, a 'site'. But if such processes are automated without this groundwork having taken place, they are unlikely to be effective, or to be accepted and adopted by personnel on the ground.
Other reasons for project failure relate to internal politics. The buy-in of a high-level executive sponsor and the creation of a suitable governance body are both imperative to push through change from the top.
Allan believes it is also crucial for enterprises to adopt a programme approach to IAM. This is necessary to ensure coordinated action to optimise and streamline fragmented processes, which cause real problems on a day-to-day basis.
"It's about trying to get consistent processes that cross all systems and users so you introduce better controls and transparency. The downturn will put pressure on new investment in technology and especially the more expensive products in this space, but that shouldn't mean organisations stop IAM activity. There are a lot of things they can do to get in better shape without buying technology," says Allan.
One option is to exploit existing systems more effectively, perhaps by ensuring that directories are integrated with a wider range of applications so that identity information can be updated more seamlessly, for example. Another is to embark on phased process optimisation activity. Such action will provide a strong foundation for when enterprises are ready to invest in technology again in order to obtain the benefits associated with automation and consolidation.
In spite of the challenges in implementing IAM successfully throughout a business, there is growing interest in using the technology to support regulatory compliance efforts, as the following case study illustrates.
South London and Maudsley NHS Foundation Trust has introduced a cost-effective user provisioning system based on a mixture of new and existing software, with the objectives of enhancing information security controls and reducing its administrative burden.
When the Trust embarked on its initiative in January 2008, it was already a user of Microsoft's Active Directory (AD) technology, which stores information about resources residing on the corporate network, enabling administrators to assign policies and access rights for individual user accounts.
It had likewise signed up to the national NHS Electronic Staff Records (ESR) system, which now holds human resources and payroll data relating to the NHS's 1.2 million employees. The Trust itself employs about 5,000 staff, working across more than 100 sites in the boroughs of Croydon, Southwark, Lambeth and Lewisham.
But the decision was also taken to implement Novell's Identity Manager software to automate user provisioning and act as a synchronisation hub between the two systems. This means that when information about changes to an individual's status - that is, if they join, leave or their role alters - is entered into an ESR record by the HR department, it is automatically reflected in AD, which likewise automatically modifies account permissions and access rights, as well as synchronising passwords across all supported applications.
Chris Irving, IT services manager at the Trust, explains the rationale behind the move. "Staff turnover in the NHS can be as much as 20% a month, so it's imperative to keep staff records up to date. About 200 accounts are created, changed or disabled here every month, which is a lot of change to deal with using manual paper-based processes, particularly because they're prone to human error."
But he emphasises that an important element of any identity project is ensuring the existence of a single, accurate source of information about staff. In the Trust's case, this data was mainly provided by the NHS ESR system, but the organisation also had to engage in a data cleansing exercise of its own to ensure the employee data held in AD was correct.
"We had to confirm who staff were and ensure that each AD record included the right employee payroll number because the system uses that to synchronise," says Irving. "This entailed e-mailing and writing to staff and including messages in their payslip to ensure everything was in order. It took a couple of months, so getting the data clean and tidy is quite a long process, but it's also an important one."
After completing this exercise, the Trust appointed Salford Software to provide consultancy and implementation services. The initiative was, however, managed by a project board, comprising a dedicated project manager and representatives from HR, finance and the IT service desk, which was responsible for account creation.
The first activity involved backing up the existing AD structure, before replicating it for testing purposes to ensure the new system worked. "If something goes wrong with AD, you're stuck. So testing is very important because of the amount of time it takes to restore an AD of our size. It's about minimising risk," says Irving.
The phased live roll-out began in May 2008, starting with batches of a dozen people, based on alphabetical order, again to minimise risk. As confidence grew, batch sizes rose to 100 until the entire permanent employee base was covered.
This now means the IT service desk no longer has to manually input data into AD based on paper application forms. New accounts are created as soon as a candidate's ESR record indicates an unconditional offer letter has been sent and are activated as soon as the new staff member starts work. Accounts are disabled at midnight on the leaving date, again indicated in the ESR record. AD information is synchronised on a daily basis with the ESR system.
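The joiner, mover and leaver rules the Trust describes (account created at the unconditional-offer stage, enabled on the start date, disabled once midnight on the leaving date has passed, AD matched to ESR by payroll number, one run per day) as an added worked example in Python; it is not the Trust's or Novell Identity Manager's code, and the EsrRecord, AdAccount and plan_sync names and the sample records are constructed for illustration. It goes slightly beyond the text in also flagging AD accounts with no matching ESR record or no payroll number, the situation the data cleansing exercise was meant to remove.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
@dataclass
class EsrRecord:             # constructed stand-in for one ESR staff record
    payroll: str
    role: str
    start: date
    leave: Optional[date] = None   # None while the person is still employed
    offer_sent: bool = True        # unconditional offer letter recorded in ESR
@dataclass
class AdAccount:             # constructed stand-in for one AD user object
    payroll: str             # the payroll number the Trust cleansed into AD
    role: str
    enabled: bool
def plan_sync(esr, ad, today):
    """Return the (action, payroll, detail) list for one daily synchronisation run."""
    actions = []
    by_payroll = {a.payroll: a for a in ad if a.payroll}
    for r in esr:
        acct = by_payroll.get(r.payroll)
        left = r.leave is not None and today > r.leave  # midnight on the leaving date has passed
        if acct is None:
            if r.offer_sent and not left:   # joiner: account created disabled at offer stage
                actions.append(("create", r.payroll, "disabled"))
        elif left:
            if acct.enabled:                # leaver: disable rather than delete, keeps the audit trail
                actions.append(("disable", r.payroll, str(r.leave)))
        else:
            if not acct.enabled and today >= r.start:   # starter: activate on the first day
                actions.append(("enable", r.payroll, str(r.start)))
            if acct.role != r.role:         # mover: ESR is authoritative for the role
                actions.append(("update_role", r.payroll, r.role))
    esr_ids = {r.payroll for r in esr}
    for a in ad:                            # accounts with no authoritative source need review
        if not a.payroll:
            actions.append(("review", "", "no payroll number, cannot match to ESR"))
        elif a.payroll not in esr_ids:
            actions.append(("review", a.payroll, "no ESR record"))
    return actions
def demo(today=date(2008, 6, 2)):
    # constructed sample data: a new offer, a starter, a role change, a leaver,
    # an orphaned AD account and an AD account that was never given a payroll number
    esr = [EsrRecord("P001", "Nurse", date(2008, 6, 9)),
           EsrRecord("P002", "Pharmacist", date(2008, 6, 2)),
           EsrRecord("P003", "Senior Nurse", date(2008, 1, 7)),
           EsrRecord("P004", "Clerk", date(2007, 3, 1), leave=date(2008, 6, 1))]
    ad = [AdAccount("P002", "Pharmacist", False), AdAccount("P003", "Nurse", True),
          AdAccount("P004", "Clerk", True), AdAccount("P999", "Clerk", True), AdAccount("", "Nurse", True)]
    return plan_sync(esr, ad, today)
```

The "review" actions are the ones a project board would want reported rather than auto-applied, since they indicate accounts the authoritative source cannot vouch for.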
But in the next phase of the project, early this year, the Trust will also include agency staff and contractors in the system. At this stage, agencies and contracting companies will likely be required to complete spreadsheets containing staff information, which can be fed automatically into the Identity Manager software.
The organisation will also explore which applications to include in a single sign-on system, which is already being employed in conjunction with a pharmacy stock control package accessed by 30 users. This supplementary system has been added as a complement to AD because not all applications are currently able to authenticate to it. A password self-service offering will likewise be introduced at the same time, in a bid to reduce the number of calls to the IT helpdesk.
Building blocks for IAM
- An infrastructure of identity data so that organisations know who people are, why they should be allowed to access the corporate network and what they are permitted to do once they have gained access.
- Management tools to provide a way to administer accounts: creating, managing and deleting them as appropriate.
- Controlled access to multiple IT resources based on established identity credentials.
- Auditing and logging of all the above activities to establish who has accessed what information and when.
The most widely adopted and mature technologies in this space include enterprise single sign-on, web access management and two-factor authentication, because such projects make it relatively easy to demonstrate a return on investment.