ID management success begets compliance improvements

Elders' André Laubscher is one of many IT executives realising the benefits of identity management -- and paving the way for bigger things thanks to expanding vendor ambitions.

Vendors have long pushed identity management systems as a way of improving fine-grained control over systems access, but a growing number of successful implementations is vindicating both vendor enthusiasm and the persistence of the companies adopting their technology.

Rural services giant Elders, which has more than 420 remote offices across the country, is one of the latest reaping dividends after committing to an ID management framework. A longtime IBM midrange server user, Elders is in the midst of a major ID management rollout, built around Tivoli Identity Manager (TIM) access control technologies from IBM, that is improving access for the company's more than 4000 users.

"Manual provisioning [of user IDs and passwords] is inherently prone to error," says André Laubscher, IT facilities manager with Elders. "There are disparate sources of identity information and weaknesses with user ID standards. Being a financial services organisation, we get audited fairly frequently. Elders required a significant improvement in auditing capabilities and compliance reporting; the implementation of TIM offered significant benefits."

Elders, which worked with security specialist firm Senetas on the ID management rollout, has already reached the first of six major milestones: centralised password management. Later in the project, Laubscher's team will be looking at steps including a business analysis of roles and access policies; use of TIM as an automatic identity provisioning tool; extrapolating this upwards to role-based provisioning; integration with custom applications; and, finally, extension of these capabilities to new applications.

Identity management was a major theme at this week's Tivoli Nation conference in Melbourne, where a number of companies shared their experiences integrating what is seen as a key capability in the fight to lock down enterprise network architectures. IBM has been at the front line in the battle, with around a dozen acquisitions last year alone.

One of the most significant, that of Dutch compliance and security audit software vendor Consul Risk Management, highlights the increasingly sophisticated management services that become possible as tools like TIM formalise the task of identity management.

Consul's technology allows companies to track, report and investigate noncompliant behaviour, such as unauthorised activity by information technology administrators and other users. Instead of flagging one-off actions, however, the platform uses long-term averages to identify potentially significant anomalies in user behaviour.

Consul is "focused on security auditing and compliance management," said Joe Anthony, program director for identity management for Tivoli. "It allows a user to go in and see what other users are doing and if it's compliant with business processes. At a bank you might have one teller who looks at 800 customer records per day, while others work with 200 records. It's possible that that teller is more productive than his peers, but it's something that you should flag and look at."
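The baseline idea described above can be sketched as follows. This is an added example, not Consul's or IBM's code or algorithm: it compares each user's daily record views with their own long-term average and with the peer-group average, and the teller names, counts, thresholds and function names are all constructed for illustration.

```python
from statistics import mean, median, pstdev

# Constructed sample: customer records viewed per working day by each teller.
HISTORY = {
    "teller_a": [190, 205, 210, 198, 202, 195, 207, 201, 199, 204],
    "teller_b": [180, 220, 215, 190, 200, 210, 205, 195, 185, 200],
    "teller_c": [210, 195, 200, 205, 190, 215, 200, 198, 202, 207],
    "teller_d": [790, 810, 805, 795, 800, 815, 790, 800, 805, 798],
    "teller_e": [200, 210, 190, 205, 195, 200, 208, 202, 197, 203],
}
TODAY = {"teller_a": 450, "teller_b": 205, "teller_d": 805}  # constructed

def self_anomaly(history, today, z_threshold=3.0, min_days=5):
    """True if today's count is far above the user's own long-term average."""
    if len(history) < min_days:
        return False  # too little history to form a baseline
    mu, sigma = mean(history), pstdev(history)
    sigma = max(sigma, 0.05 * mu, 1.0)  # floor: steady users are not flagged on small changes
    return (today - mu) / sigma > z_threshold

def peer_outliers(history_by_user, threshold=3.5):
    """Users whose long-term average sits far above the peer median (MAD-based score)."""
    averages = {u: mean(h) for u, h in history_by_user.items() if h}
    med = median(averages.values())
    mad = median(abs(a - med) for a in averages.values())
    mad = max(mad, 1.0)  # avoid dividing by zero when peers are identical
    return sorted(u for u, a in averages.items() if 0.6745 * (a - med) / mad > threshold)

def review_queue(history_by_user, today_counts):
    """Return {user: [reasons]} for accounts an auditor should look at."""
    flagged = {u: ["above peer-group average"] for u in peer_outliers(history_by_user)}
    for user, today in today_counts.items():
        if self_anomaly(history_by_user.get(user, []), today):
            flagged.setdefault(user, []).append("above own long-term average")
    return flagged

if __name__ == "__main__":
    for user, reasons in sorted(review_queue(HISTORY, TODAY).items()):
        print(user, "->", ", ".join(reasons))
```

The teller who is consistently at about 800 records a day never trips the self-baseline check, which is why the peer comparison is needed; both results are review prompts for an auditor, not verdicts.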

Anthony said Consul was attractive to IBM because its products are built to run on both distributed systems and mainframe systems, which means Big Blue can sell Consul products across all its platform offerings.

Charles King, principal analyst at Pund-IT, said IBM's deal with Consul is both tactical and strategic. "On the tactical side, Consul has given IBM some tools for compliance management that the company did not have, and that fits very, very well with IBM's existing solutions, particularly the zSeries mainframe platform," King said.

IBM's software buying spree is a strategy many industry leaders, such as EMC and Hewlett-Packard Co., have been adopting, King continued. By building up the software business, IBM is also setting up its business services division, he said. Once customers adopt its platforms and software, they are more primed to hire consulting services as well.

King said Consul is a good fit for IBM. Consul "doesn't have the end-to-end security management capabilities that, say, RSI has, which EMC bought last year," King said. "But I think the Consul product is very deep in security administration for the mainframe, and IBM has been pressing really since the announcement of the z9 platform for having the mainframe be the security hub for the enterprise data centre."

Wayne Kernochan, senior IT analyst at research firm Illuminata, said integration of a newly acquired product into an existing software portfolio always carries some risks.

"The situation used to be that IBM users found IBM software a little bit difficult to use because it was not necessarily fully integrated. On the one hand, you have something [from Consul] that's fully integrated, but on the other hand you still have those same integration problems. You can't always count on the integration of products being fully successful."

Kernochan said it might take IBM as long to integrate newly acquired software as it would to build new software internally. However, Consul's history of making its product work with the IBM mainframe makes this deal less risky than others. And with many IBM customers now reporting strong success with TIM, addition of capabilities such as Consul's compliance tool bodes well for the steady maturation of identity-based enterprisewide management and control.
