This tip is excerpted from The Definitive Guide to Security Management, written by Dan Sullivan and published by Realtimepublishers.com. Download Chapter 5 Identity and Access Management.
Provisioning is the process of coordinating the creation of user accounts and e-mail, authorizations in
the form of rules and roles, and other tasks, such as provisioning the physical resources associated
with enabling new users. In addition to the protocols discussed in the sidebar, industry standards
for identity management and provisioning systems should include a workflow component.
Workflow allows administrators to specify a sequence of steps for adding users, driven by the user's
role and by the approval of others in the organization. Automating the process ensures consistency
and allows each step in the provisioning process to be audited.
It should also be noted that the provisioning process and other identity management operations
should be handled by the same system for all entity types. The way in which, and the extent to which,
employees are provisioned will differ from how customers and partners are provisioned, but different
systems and different administration methods should not be required for different types of users.
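The following is an added example, not code from the book or from any product it discusses: a minimal role-driven provisioning workflow that handles employees, partners and customers in one engine, gates the steps behind the approvals each role requires, and records every step in an audit trail. The role names, step names and approver mapping are constructed for illustration.

```python
"""Added example: role-driven provisioning workflow with approvals and audit.
Roles, steps and approvers below are illustrative assumptions, not a real
product's configuration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed catalogue: each entity type/role maps to the ordered steps that
# must run and to the approvers who must say yes before any step runs. The
# same engine serves all entity types; only the steps and approvers differ.
WORKFLOWS = {
    "employee:engineer": {
        "approvers": ["manager"],
        "steps": ["create_directory_account", "create_mailbox",
                  "add_to_group:engineering", "issue_badge"],
    },
    "partner:contractor": {
        "approvers": ["manager", "vendor_management"],
        "steps": ["create_directory_account", "add_to_group:partners"],
    },
    "customer:portal": {
        "approvers": [],  # self-registration: no human approval required
        "steps": ["create_portal_login"],
    },
}


@dataclass
class Request:
    user: str
    role: str
    approvals: dict = field(default_factory=dict)  # approver -> True/False
    audit: list = field(default_factory=list)      # append-only event log
    done: bool = False

    def log(self, event, **details):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "event": event, **details})


def approve(req, approver, decision):
    """Record an approval decision; only configured approvers may decide."""
    if approver not in WORKFLOWS[req.role]["approvers"]:
        raise PermissionError(f"{approver} is not an approver for {req.role}")
    req.approvals[approver] = decision
    req.log("approval", approver=approver, approved=decision)


def provision(req, executor):
    """Run the role's steps only once every required approver has approved.
    `executor(step, user)` is the hook that talks to the directory, mail and
    HR systems; here the caller supplies it. Returns True when provisioned."""
    wf = WORKFLOWS[req.role]
    missing = [a for a in wf["approvers"] if a not in req.approvals]
    if missing:
        req.log("blocked", reason="awaiting approval", approvers=missing)
        return False
    if not all(req.approvals[a] for a in wf["approvers"]):
        req.log("rejected")
        return False
    for step in wf["steps"]:
        executor(step, req.user)
        req.log("step", step=step)  # every step lands in the audit trail
    req.done = True
    req.log("completed")
    return True


if __name__ == "__main__":
    def printing_executor(step, user):
        print(f"  executing {step} for {user}")

    alice = Request("alice", "employee:engineer")
    provision(alice, printing_executor)           # blocked: no approval yet
    approve(alice, "manager", True)
    provision(alice, printing_executor)           # runs all four steps
    for entry in alice.audit:
        print(entry)
```

Because the engine refuses to run a step until the configured approvers have decided, and writes one audit record per step, an auditor can later reconstruct who authorized each account and exactly which resources were created.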
Another element of provisioning is password management. Users in even small and midsized
organizations need multiple passwords to use personal, departmental, and enterprise applications.
In addition, passwords must be changed on a regular basis for security practices and regulatory
compliance. Keeping track of passwords creates predictable problems, such as users who write
down passwords, reuse the same password on several systems, and forget passwords, which
results in calls to the Help desk (which increases costs). Password management and self-service
applications are designed to solve these types of problems. Self-service applications allow users
to register themselves and reset their own passwords without assistance from the Help desk or systems
administrators, reducing Help desk calls by anywhere from 25 to 60%.
Two general approaches have been used to minimize the burden on users to remember
passwords: password synchronization and SSO. Password synchronization systems set a user's
password on every system to the same value. Doing so saves the user from having to remember multiple
passwords, but at a relatively high cost: if someone discovers the password on any one of those
systems, that person has the password to all of them, so the weakest system's credential store sets the
security level of every other system. Although password synchronization is an option for password
management, this method is definitely not recommended.
SSO is more complex. The SSO server stores individual passwords for each system that a user
accesses. A user authenticates once with the SSO server, for example, when logging on to a
network or an enterprise portal. When an application challenges a user for credentials, the SSO
server intercepts the request and responds on behalf of the user. SSO servers work directly with
Web-based applications by intercepting HTTP traffic and responding to password requests. Legacy
applications, however, typically require specialized, sometimes custom, code to implement SSO.
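The following is an added example that is not part of the original chapter. It models the two approaches described above, password synchronization and an SSO server, against three constructed target systems and measures the blast radius of a single leaked password. The application names, user names and passwords are constructed; the SSO server is a minimal model of the "stores individual passwords for each system and responds on behalf of the user" design, not any vendor's product.

```python
"""Added example: password synchronization versus an SSO credential vault.
Applications, users and passwords are constructed test data."""
import hashlib
import hmac
import os
import secrets


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Application:
    """A target system with its own salted, hashed credential store."""
    def __init__(self, name):
        self.name = name
        self.users = {}  # user -> (salt, hash)

    def set_password(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(password, salt))

    def login(self, user, password):
        if user not in self.users:
            return False
        salt, stored = self.users[user]
        return hmac.compare_digest(stored, _hash(password, salt))


def synchronize(apps, user, password):
    """Password synchronization: every system receives the same secret."""
    for app in apps:
        app.set_password(user, password)


class SSOServer:
    """Holds one master credential per user plus a distinct random password
    per (user, application). The user authenticates once; the server then
    answers each application's credential challenge on the user's behalf."""
    def __init__(self):
        self.master = {}    # user -> (salt, hash)
        self.vault = {}     # (user, app name) -> per-system password
        self.sessions = set()

    def enroll(self, user, master_password, apps):
        salt = os.urandom(16)
        self.master[user] = (salt, _hash(master_password, salt))
        for app in apps:
            per_system = secrets.token_urlsafe(24)  # unique per system
            self.vault[(user, app.name)] = per_system
            app.set_password(user, per_system)

    def authenticate(self, user, master_password):
        """Single logon; returns a session token or None."""
        if user not in self.master:
            return None
        salt, stored = self.master[user]
        if not hmac.compare_digest(stored, _hash(master_password, salt)):
            return None
        token = secrets.token_hex(16)
        self.sessions.add((user, token))
        return token

    def respond(self, user, token, app):
        """Answer `app`'s challenge for an already authenticated user."""
        if (user, token) not in self.sessions:
            return False
        return app.login(user, self.vault[(user, app.name)])


def blast_radius(apps, user, leaked_password):
    """Which systems does one leaked password open for this user?"""
    return [app.name for app in apps if app.login(user, leaked_password)]


if __name__ == "__main__":
    synced = [Application("mail"), Application("hr"), Application("crm")]
    synchronize(synced, "alice", "Winter2024!")
    print("sync, hr password leaked ->", blast_radius(synced, "alice", "Winter2024!"))

    vaulted = [Application("mail"), Application("hr"), Application("crm")]
    sso = SSOServer()
    sso.enroll("alice", "correct horse battery staple", vaulted)
    token = sso.authenticate("alice", "correct horse battery staple")
    print("sso, hr login via server ->", sso.respond("alice", token, vaulted[1]))
    leaked = sso.vault[("alice", "hr")]  # attacker captures hr's password only
    print("sso, hr password leaked ->", blast_radius(vaulted, "alice", leaked))
```

With synchronization, a password captured from any one system (a phished login form, a dumped credential table) opens all three; with the vault, the same capture opens only that system. The caveat is that the SSO server and the master credential now concentrate the risk: a compromised master password or SSO server yields every system, so that component warrants stronger authentication and tighter protection than any single application it fronts.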