By Michael S. Mimoso
Identity management likely isn't the first thing that comes to mind when you consider what it takes for an automobile to roll off the assembly line. But a thoughtful, secure organization of users and collaborators may be just as crucial to production as a robot welding a body to a chassis.
General Motors recognized this three years ago.
The giant automaker was bleeding money processing help desk calls, especially for provisioning access requests. Most of those requests ultimately required manual remediation, which could delay an access request by more than a week. Existing users weren't happy either, and the blame lay on disparate directory systems that often produced colliding digital identities. Users could be left with as many as 40 ID/password combinations to remember just to get into the applications necessary to do their jobs. Toss in privacy issues and language and international legal barriers -- GM does business in more than 170 countries -- and the world's largest automaker was looking at $22 million per year in direct and indirect costs related to managing the identities of its 1 million users.
Someone had to hit the brakes.
GM's goals were ambitious. It wanted to reduce account provisioning from days to minutes and give users a common identifier to access the enterprise's thousands of applications and portals. About 30 months later, the project is closing in on its final stages. Users have a noticeably better experience interacting with GM's IT systems; costs are down; data is safely accessed by employees, partners, suppliers and customers; and business gets done more quickly.
At a time when many U.S. automakers are struggling to rev up revenue, GM can point to its ID and access management makeover as a model of efficiency. "From the business point of view, we're helping to design and sell cars more effectively than when we started out," says the project's chief architect, Jarrod Jasper.
An information-gathering exercise
You'd be hard-pressed today to find a password on a sticky note at GM, much less 40 of them clinging to a keyboard. But if you were an engineer three years ago, part of the job description was wading through a sea of passwords to access various CAD/CAM applications and collaboration portals. Jasper and his team of five weren't interested in making the numbers work on a fancy ROI calculation. (Jasper would not disclose project costs.) Breaking even was good enough; improving the user experience was the real impetus for GM's identity management overhaul.
"Today, if you walk down the hallways and ask, you will learn that users feel things are getting better," Jasper says. "It's easier to access applications, and many of the simple frustrations have been removed -- that is our measure of success."
Engineers are probably the best anecdotal evidence of improvements in the user experience. Not only were they once saddled with managing dozens of ID/password combinations, but they were also tasked with assigning IDs and access to applications. Engineering and design work played second fiddle to access management.
"We relieved them of those extraneous tasks by centralizing the identity function and reducing the need for multiple ID logins," Jasper says. "Now, they are able to focus on their primary tasks -- collaborating with engineers and designers throughout GM and with outside suppliers to engineer and design great cars and trucks."
The initial steps of the project in 2004 consisted of gathering an inventory of systems and processes, and aligning them with the goal of reaching a common identifier and profile for each user that would be recognized across GM's infrastructure. Creating standardized, repeatable results was a mandate going forward.
By the end of 2005, each of GM's employees and internal users was assigned a common identifier. Users still had to authenticate multiple times, but could use the same login ID each time. By the end of 2006, business partners, including collaborators in joint ventures, suppliers and dealers, will also have unique identifiers.
Building user profiles was a critical yet painstaking process of immersion into each of GM's businesses. In order to ease the process, GM's human resources department was given business leadership of the project. HR understood the dependencies between a strong, common user profile and business objectives, and would be critical in collecting the data that makes up a user's profile without overstepping legal or regulatory boundaries regarding personally identifiable information.
Doing so not only made HR a major stakeholder in the project, but gave the teams a direct line to user data. Jasper wanted to build what he called DNA profiles -- common denominators from each GM user that consistently identify them on the network. "We gather the minimum information that we can collect from someone that makes them unique," Jasper explains. "The DNA is information that they bring to GM. We collect what we can within the bounds of the law and respect for individual privacy. For example, although we collect Social Security numbers as part of this process -- for guaranteed uniqueness, background checks, etc. -- we are actively looking at alternate, less intrusive mechanisms that don't require national identifiers."
Based on the data, roles are assigned and access is provisioned. Not only were productivity issues addressed, but security was enhanced, particularly in collaborative efforts between automakers. Engineers from competing manufacturers could virtually sit side-by-side with GM designers on any given project. Granting those collaborators appropriate permissions meant building trust into the systems themselves and managing the relationships between identities, database permissions and data classification. This was one of the primary drivers toward a common identifier rather than single sign-on: one credential accepted everywhere would have been a single point of compromise.
Once user profiles were built, technology interoperability barriers had to be hurdled.
Conspiring to add to the complexity is the fact that, like most enterprises, GM built its infrastructure piece by piece over time. Identity management is split between Microsoft's Active Directory servers and Sun Microsystems' LDAP-based Java System Directory Server, and there was little interoperability between the two, making them the major culprits of GM's identity-password overload.
"We were quickly becoming two fiefdoms," Jasper says. "Building identity management system by system, instead of [designing] an enterprise service, creates more IDs and passwords than we need. We had to consolidate to a common ID, password and profile across systems."
GM has brought both vendors to the table, flexing its purchasing muscle to force Microsoft and Sun to work together to facilitate changing, resetting or deleting GM identifiers and login IDs between the competing directories. In the meantime, GM has deployed a meta-directory synchronization engine from Siemens that acts as a go-between for Microsoft and Sun servers, and facilitates identification changes or resets.
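The reconciliation that a meta-directory performs between two directories with different schemas, as an added example (not GM's or Siemens' code). It assumes both directories carry an HR-sourced employee number to join on, and the `emp-` naming scheme for the common identifier is invented for the illustration; the directory exports are constructed sample data.

```python
"""Added example: a minimal meta-directory reconciliation pass over an
Active Directory export and a Sun/LDAP export, producing one common
identifier per person, flagging colliding accounts, and fanning a reset
issued against the common identifier out to every linked account."""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample exports. Attribute names follow each directory's own
# schema; the HR employee number is the join key (an assumption for this
# example: both directories carry it, under different attribute names).
AD_ENTRIES = [
    {"sAMAccountName": "jdoe",        "employeeID": "100234", "mail": "jane.doe@example.com"},
    {"sAMAccountName": "jdoe2",       "employeeID": "100234", "mail": "jane.doe@example.com"},  # duplicate account
    {"sAMAccountName": "rsmith",      "employeeID": "100871", "mail": "r.smith@example.com"},
    {"sAMAccountName": "contractor7", "employeeID": "",       "mail": "x@supplier.example"},     # no HR key at all
]

LDAP_ENTRIES = [
    {"uid": "jane.doe", "employeeNumber": "100234", "mail": "jane.doe@example.com"},
    {"uid": "robert.s", "employeeNumber": "100871", "mail": "r.smith@example.com"},
    {"uid": "ali.k",    "employeeNumber": "100990", "mail": "ali.k@example.com"},  # exists only in LDAP
]


@dataclass
class Identity:
    common_id: str                                    # the single enterprise identifier
    ad_accounts: List[str] = field(default_factory=list)
    ldap_accounts: List[str] = field(default_factory=list)

    @property
    def has_collision(self) -> bool:
        # More than one account for the same person in either directory.
        return len(self.ad_accounts) > 1 or len(self.ldap_accounts) > 1


def common_identifier(employee_number: str) -> str:
    # Hypothetical scheme: any stable, opaque, never-reused HR key will do.
    return f"emp-{employee_number}"


def reconcile(ad: List[dict], ldap: List[dict]) -> Tuple[Dict[str, Identity], List[dict]]:
    """Join both exports on the employee number. Entries without a key cannot
    be linked to an HR record and are returned separately as orphans."""
    identities: Dict[str, Identity] = {}
    orphans: List[dict] = []
    for e in ad:
        key = e.get("employeeID", "")
        if not key:
            orphans.append({"source": "ad", "account": e["sAMAccountName"]})
            continue
        cid = common_identifier(key)
        identities.setdefault(cid, Identity(cid)).ad_accounts.append(e["sAMAccountName"])
    for e in ldap:
        key = e.get("employeeNumber", "")
        if not key:
            orphans.append({"source": "ldap", "account": e["uid"]})
            continue
        cid = common_identifier(key)
        identities.setdefault(cid, Identity(cid)).ldap_accounts.append(e["uid"])
    return identities, orphans


def plan_changes(identities: Dict[str, Identity], orphans: List[dict]) -> List[Tuple[str, str]]:
    """Turn the reconciled view into the work list the synchronization engine
    (or an operator) acts on: accounts to create, duplicates to merge, and
    entries that need a human because no HR record claims them."""
    actions: List[Tuple[str, str]] = []
    for cid, ident in sorted(identities.items()):
        if not ident.ad_accounts:
            actions.append(("create-ad", cid))
        if not ident.ldap_accounts:
            actions.append(("create-ldap", cid))
        if ident.has_collision:
            actions.append(("merge", cid))
    for o in orphans:
        actions.append(("manual-review", f"{o['source']}:{o['account']}"))
    return actions


def propagate_reset(identities: Dict[str, Identity], common_id: str) -> List[Tuple[str, str]]:
    """A password reset or deletion requested against the common identifier
    fans out to every linked account in both directories."""
    ident = identities[common_id]
    return [("ad", a) for a in ident.ad_accounts] + [("ldap", u) for u in ident.ldap_accounts]


if __name__ == "__main__":
    ids, orphans = reconcile(AD_ENTRIES, LDAP_ENTRIES)
    for action in plan_changes(ids, orphans):
        print(action)
    print(propagate_reset(ids, "emp-100234"))
```

The work list is where the "20% of requests need remediation" figure from the next paragraph comes from in practice: every `merge` and `manual-review` entry is a case the synchronization engine cannot settle on its own.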
The lack of interoperability also meant business partnerships were suffering because they took too long to set up. Multiple provisioning processes created separate identities and permissions for each system: 20% of new access requests required remediation, and 50% of those required contact with individual users. When problems arose, manual intervention was the only option. GM hired consultants -- which it called SWAT teams -- dedicated to getting users access to systems.
Half of GM's existing user accounts also required access help, with some of those repairs taking up to 10 days. In addition to the direct expense of paying help desk personnel for assistance, lost productivity costs hit the bottom line hard.
"Every minute you can't design a new car is that much longer to get the car to market," Jasper says. "When it takes three weeks to get an engineer access to a system, how much money have you lost? It's the market opportunity we're talking about."
Provisioning Microsoft's role
It always seems to come down to Microsoft, and this is no exception. Burton Group analyst Dan Beckett says that the first technology task most enterprises have to tackle is sorting out what role Microsoft and Active Directory are going to play in the organization's identity infrastructure. Beckett says that Microsoft Identity Integration Server (MIIS), used alongside Active Directory, provides some necessary back-end capabilities, but lacks the front end for administrative and run-time authentication, for example.
"You have to have everything natively authenticate to AD, and that's not viable in a heterogeneous environment," Beckett says. "That's why it's a critical decision to figure out the role AD is going to play. You have to put a fence around that, and put in guidelines for developers to figure out how the rest of the identity management infrastructure is going to provide the capabilities that Microsoft is not going to provide.
"Unless you're a Microsoft-only shop or keep Microsoft discrete from everything you're doing -- which is few and far between -- that's where I always start."
Integration woes, however, did little to simplify GM's project. GM is doing its best to exert pressure on vendors to work together on its behalf, but more often than not, Jasper's teams found themselves taking off-the-shelf software and rewriting code to get it to work together.
"The drive is more out-of-the-box integration not just within suites from a vendor, but across vendors, so we don't have to do it as much," Jasper says. "That costs us millions every year."
Jasper is trying to massage vendor relationships to ease scalability issues. In order to build a global system, he is engaging them to build scalable products that grow not only in terms of the number of users, but geographically.
"Identity management is a series of cascading decisions," Beckett says. "The driver is to deliver applications to users. The danger there is that this is something we forget. It's important to keep this nuance in perspective -- the need to deliver apps."
It used to be that large, unruly user populations and the need to steer consumer-facing applications to the Internet drove identity management projects. Today, like most IT security endeavors, Sarbanes-Oxley and other government regulations are spurring identity management changes in manufacturing organizations like GM. Among other things, these regulations call for organizations to adopt controls for the workflow in provisioning accounts. Data security laws put a premium on protecting sensitive user information and intellectual property.
Future GM endeavors, therefore, will focus on first labeling its data as unclassified, classified or private, then assigning access based on that classification. Eventually, this will not only affect authentication, but force Web-based applications to apply the same security rules that govern role-based access control. The ultimate goal is personalized access.
"The identity profile and access control rules, in tandem with information classification rules, give us a security system we can be proud of," Jasper says. "We have to balance this endeavor to keep improving the user experience without compromising security. We are trying to increase the richness and complexity of our security system without making life more difficult on the users."
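An access decision that combines an identity profile, role-based permissions and an information classification, covering both the collaborator scenario described earlier (competitors' engineers working on one GM project) and the classification-driven access described just above. This is an added example, not GM's code: the three classification labels are the article's, while the roles, affiliations, project scoping and clearance rules are assumptions made for the illustration, and the profiles and resources are constructed sample data.

```python
"""Added example: a deny-by-default decision function that every front end
(CAD portal, Web application) calls so that one rule set governs access.
Roles, affiliations and clearance rules are assumed for the illustration."""

from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet


class Classification(IntEnum):
    UNCLASSIFIED = 0
    CLASSIFIED = 1
    PRIVATE = 2      # personal data, e.g. HR profile attributes


@dataclass(frozen=True)
class Profile:
    common_id: str
    affiliation: str             # assumed values: employee, supplier, partner-engineer, dealer
    roles: FrozenSet[str]
    projects: FrozenSet[str]     # projects this identity has been explicitly added to


@dataclass(frozen=True)
class Resource:
    name: str
    classification: Classification
    project: str = ""            # empty means not project-scoped
    owner: str = ""              # for PRIVATE data: the data subject's common identifier


# Assumed: the highest classification each role is cleared for.
ROLE_CLEARANCE: Dict[str, Classification] = {
    "viewer": Classification.UNCLASSIFIED,
    "engineer": Classification.CLASSIFIED,
    "hr-admin": Classification.PRIVATE,
}

# Assumed: outside collaborators are trusted per project only, never for
# classified material that is not tied to a project they were added to.
EXTERNAL = frozenset({"supplier", "partner-engineer", "dealer"})
WRITER_ROLES = frozenset({"engineer", "hr-admin"})


def decide(profile: Profile, resource: Resource, action: str = "read") -> bool:
    """Return True only if every applicable rule allows the action."""
    if action not in ("read", "write"):
        return False
    # 1. Private data: the data subject may read their own record; only HR writes it.
    if resource.classification == Classification.PRIVATE:
        if resource.owner == profile.common_id and action == "read":
            return True
        return "hr-admin" in profile.roles
    # 2. Some role held must be cleared to the resource's classification.
    clearance = max(
        (ROLE_CLEARANCE.get(r, Classification.UNCLASSIFIED) for r in profile.roles),
        default=Classification.UNCLASSIFIED,
    )
    if clearance < resource.classification:
        return False
    # 3. Project-scoped resources require membership in that project; for
    #    external collaborators this is the only route to classified data.
    if resource.project:
        if resource.project not in profile.projects:
            return False
    elif resource.classification >= Classification.CLASSIFIED and profile.affiliation in EXTERNAL:
        return False
    # 4. Writes additionally require a role that is more than read-only.
    if action == "write":
        return bool(profile.roles & WRITER_ROLES)
    return True


# Constructed sample identities and resources.
GM_ENGINEER = Profile("emp-100234", "employee", frozenset({"engineer"}), frozenset({"vehicle-x"}))
PARTNER = Profile("ext-55012", "partner-engineer", frozenset({"engineer"}), frozenset({"vehicle-x"}))
VIEWER = Profile("emp-200001", "employee", frozenset({"viewer"}), frozenset())
HR = Profile("emp-300500", "employee", frozenset({"hr-admin"}), frozenset())

BODY_CAD = Resource("vehicle-x/body.cad", Classification.CLASSIFIED, project="vehicle-x")
OTHER_CAD = Resource("vehicle-y/chassis.cad", Classification.CLASSIFIED, project="vehicle-y")
WELD_SPEC = Resource("standards/welding-spec.pdf", Classification.CLASSIFIED)
PRESS_KIT = Resource("press/launch.pdf", Classification.UNCLASSIFIED)
JANE_HR = Resource("hr/emp-100234", Classification.PRIVATE, owner="emp-100234")


if __name__ == "__main__":
    for who in (GM_ENGINEER, PARTNER, VIEWER, HR):
        for what in (BODY_CAD, OTHER_CAD, WELD_SPEC, PRESS_KIT, JANE_HR):
            print(f"{who.common_id:11} {what.name:28} read={decide(who, what)!s:5} write={decide(who, what, 'write')}")
```

The partner engineer and the GM engineer hold the same role, yet the partner reaches only the project they were added to, and no non-project classified material at all; that is the per-relationship trust the text describes, expressed as data in the profile rather than as a separate login.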
This was first published in June 2006