This article can also be found in the Premium Editorial Download "Information Security magazine: Security Products Readers' Choice Awards 2007."
In the trenches
The politics of IAM
Security managers need time to implement identity management, while business units want immediate results.
When it comes to getting the most out of your identity and access management system, IT directors must first ask: How quickly do you need to score a victory with your colleagues?
"A decision needs to be made about the political nature of your organization, and whether you need to look for quick wins" with your IAM product, says Ken Lobenstein, chief technology officer and chief security officer with Continuum Health Partners in New York City.
Lobenstein believes it takes two to three years for organizations to best implement and utilize identity and access management. Of course, other departments in your organization might not want to wait 24 months to see the fruits of the IT department's latest endeavor. That's especially true of IAM, given the regulatory pressures that require IAM capabilities.
Lobenstein understood he needed a quick victory when the hospital network he works for bought Novell Identity Manager one year ago. Within six months he had the Novell device managing the identities of 400 new residents across three databases. With more than 21,000 users, that may not sound like a big victory. But his co-workers were pleased, and that initial triumph kept enthusiasm alive for the ongoing implementation.
Looking for the quick victory "makes
However, Lobenstein's quick victory was not without setbacks. "The pain was that we didn't have business rules fully developed as we implemented it, so we had to rebuild our drivers two or three times because they didn't quite work," he says.
To avoid such problems, companies need to figure out what they want out of their IAM product before buying one. "Start small and don't try doing every single application," says Karl Jackson, an IT software engineer at Brigham Young University in Provo, Utah.
Jackson has used CA eTrust Identity and Access Management Suite for five years to manage the university's administrative computing needs. He started primarily with provisioning but branched out with the product as new challenges arose. "It's grown in terms of integration as I've grown more comfortable with it," he says. "Components like access control and SiteMinder [Web single sign-on] and eTrust Administrator [provisioning, password management] are integrated. The trick is taking what I've got and leveraging that integration."
Dave Young, program director of Web services with Geisinger Health System in Danville, Pa., spent nearly a year defining how he wanted to implement identity and access management before he shopped for a vendor. "You can't just take the product out of the box," says Young, who chose RSA Security's RSA ClearTrust. "You need policies behind the product."
Young, for example, needed a device that created different password requirements for various user groups. RSA ClearTrust lets employee passwords expire every six months, but patient passwords never expire.
This was first published in April 2007