This tip is excerpted from The Definitive Guide to Security Management, written by Dan Sullivan and published by Realtimepublishers.com. Download Chapter 5 Identity and Access Management.
Provisioning is the process of coordinating the creation of user accounts, e-mail authorizations in the form of rules and roles, and other tasks such as provisioning of physical resources associated with enabling new users. In addition to the protocols discussed in the sidebar, industry standards for identity management and provisioning systems should include a workflow component.
Workflow allows administrators to specify a sequence of events to add users based on the users' roles and the approval of others in the organization. The automated process ensures consistency and allows auditing of each step in the provisioning process.
It should also be noted that the provisioning process and other identity management operations should be the same system for all entity types. However, the way and extent that employees are provisioned will differ from customers and partners. Different system and different administration methods should not be required for different types of users.
Another element of provisioning is password management. Users in even small and midsized organizations need multiple passwords to use personal, departmental, and enterprise applications. In addition, passwords must be changed on a regular basis for security practices and regulatory compliance. Keeping track of passwords creates predictable problems, such as users who write down passwords, reuse the same password on several systems, and forget passwords, which results in calls to the Help desk (which increases costs). Password management and self-service applications are designed to solve these types of problems. Self-service applications allow users to self-register and reset passwords with assistance from Help desks or systems administrators, reducing Help desk calls anywhere from 25 to 60%.
Two general approaches have been used to minimize the burden on users to remember passwords: password synchronization and SSO. Password synchronization systems set all user passwords to the same word. Doing so saves the user from having to remember multiple passwords, but at a relatively high cost: If someone discovers the password to any one of those systems, that person has the password to all of them. Although password synchronization is an option for password management, this method is definitely not recommended.
SSO is more complex. The SSO server stores individual passwords for each system that a user accesses. A user authenticates once with the SSO server, for example, when logging on to a network or an enterprise portal. When an application challenges a user for credentials, the SSO server intercepts the request and responds on behalf of the user. SSO servers work directly with Web-based applications intercepting HTTP traffic and responding to password requests. Legacy applications, however, typically require specialized, sometimes custom, code to implement SSO.
Read the rest of this chapter.
This was first published in March 2005