How to avoid the common pitfalls of ID and access management.
On paper, it sounds simple: Make sure the right people have secure access to the right information. But tackling identity and access management can be a complex undertaking. The pitfalls aren't unlike other technology implementations that require project managers to understand the appropriate scope and avoid technology creep.
Take Steve Banyai, CIO of Bridgepoint Health. He wanted to integrate all of his organization's applications into a single portal so its 1,200 users could have access to data regardless of their location. The rollout took eight months from start to finish, and during that time Banyai needed to step in numerous times to keep the project moving smoothly.
First, he jump-started the evaluation process. "One of the smartest moves I made was not spending time vacillating on the pros and cons of each product," he says. "There is only so much testing you can do."
Then, he tightened the reins when his team began implementing technology for technology's sake. "I kept reminding the group that we needed to remember the business needs, not just the technology needs," recalls Banyai.
He inserted himself a third time when Bridgepoint's and its vendors' vision for the project began to drift. "Getting alignment back to the vision is very important. When there isn't that alignment, you can get into a technology quagmire."
Banyai is hardly alone. Each of the dozen users and vendors we spoke with shared similar headaches when deploying identity and access management projects. Here are three problem areas--people, process and technology--and ways to avoid such pitfalls.
Bridgepoint Health, Canada's largest health care organization, implemented an access and identity management system to give staff one view of personalized information.
"It was about IT being an enabler, not an impediment," CIO Steve Banyai says.
Banyai decided on Novell's identity and access management solution, which consisted of Novell's exteNd, eDirectory, Identity Manager, iChain and SecureLogin.
The deployment helped integrate disparate applications into a single portal, giving Bridgepoint's 1,200 physicians and staff personalized views of information based on their roles and responsibilities.
As a result, users were able to access critical information nearly 90 percent faster, and password-related help desk calls were reduced by 80 percent.
The solution was deployed within eight months.
"We went with an aggressive timeline. We did the portal in conjunction with SSO, and focused on the ease of use so there wouldn't be a big learning curve," says Banyai.
"The vice president of medicine was at a huge academic hospital, and she told me they never had this. You've really got to deliver applications and technologies that don't prohibit the clinicians from doing their job," he says.
[how to get buy-in]
Since identity management transcends every department, getting the right people involved from the beginning is paramount. "It is critical to identify what areas are going to be influenced by the project and bring them into the picture early," says Somesh Singh, VP and GM of identity management at BMC Software.
At the same time, clarifying roles and responsibilities is critical, explains Loren Russon, director of product management for security and identity at Novell. And it is an area where BMC's Singh says customers have fallen short.
Once the right people--including HR, security, IT, audit and legal, among others--are in the room, get alignment with business units. This includes interviewing business managers on their challenges, organizing working groups from various divisions to agree on requirements, and creating partnerships with high-level executives. Meanwhile, get all stakeholders involved and make sure you understand who needs access to what, says Bill Bartow, senior vice president, identity and access management, for CA.
Since compliance, in many cases, is a key business driver for identity and access management initiatives, line-of-business managers with profit and loss responsibility need to support the rollout, advises Prakash Ramamurthy, vice president of Oracle Identity Management.
For Donna Nixon, IT program manager at Addenbrooke's Hospital in Cambridge, England, this strategy has worked well. When it came time to gather user requirements, she solicited input from the medical director, who reports to the board, as well as the most vociferous user groups she could find. "It was the smartest decision I made," she says.
[how to define policies]
In order to have a successful implementation, you need to define your objective, such as reducing help desk calls for password resets, provisioning and deprovisioning roles more quickly, or complying with federal or industry regulations. You must spell out in policy how you'll reach and measure that goal. Easy to say, harder to do.
"What we see sometimes is users have a decent idea of what they want to do, but when they start looking at solutions, they get confused and their aspirations broaden or start to change," says Singh.
Since IAM tightens the level of controls over applications and data, the business engineering process is as important as the technology implementation.
What happens when someone joins an organization? What types of access and credentials do they get, who approves this, and what happens when they switch jobs? Many data losses occur when companies fail to revoke system permissions once an employee leaves a company--amicably or otherwise.
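The joiner/mover/leaver questions above can be turned into a routine control: reconcile the HR roster against the accounts each application actually holds. The script below is an added example, not code from the article or from any vendor it names; the systems, roles, people and accounts in it are constructed, and the role-to-entitlement table is a hypothetical stand-in for an organization's own role model. It reports the three failure modes the paragraph describes: accounts that belong to nobody in HR, leavers whose accounts are still enabled, and movers who kept entitlements from their previous job.

```python
"""Joiner/mover/leaver reconciliation check.

Added example, not code from the article or any vendor named in it: it
compares an HR roster with the accounts found in application systems and
flags the access that the process questions are meant to catch. All names,
systems, roles and records below are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Person:
    emp_id: str
    status: str                      # "active" or "terminated"
    job_role: str                    # the person's current HR role
    end_date: Optional[date] = None  # last working day, if known


@dataclass(frozen=True)
class Account:
    system: str
    username: str
    emp_id: Optional[str]            # None when no HR record is linked
    enabled: bool
    entitlements: frozenset[str]


# Hypothetical role model: which entitlements each HR role may hold, per system.
ROLE_ENTITLEMENTS = {
    "nurse": {"ehr": frozenset({"chart_read", "chart_write"}),
              "pharmacy": frozenset({"order_view"})},
    "billing": {"ehr": frozenset({"chart_read"}),
                "pharmacy": frozenset()},
}

AS_OF = date(2024, 3, 1)   # constructed reconciliation date

SAMPLE_PEOPLE = [
    Person("E100", "active", "nurse"),
    Person("E200", "active", "billing"),                       # moved from nursing to billing
    Person("E300", "terminated", "nurse", date(2024, 1, 31)),  # left the organization
]

SAMPLE_ACCOUNTS = [
    Account("ehr", "jdoe", "E100", True, frozenset({"chart_read", "chart_write"})),
    Account("ehr", "asmith", "E200", True, frozenset({"chart_read", "chart_write"})),  # kept old access
    Account("ehr", "bjones", "E300", True, frozenset({"chart_read"})),                 # never disabled
    Account("pharmacy", "bjones", "E300", False, frozenset({"order_view"})),           # correctly disabled
    Account("pharmacy", "svc_legacy", None, True, frozenset({"order_view"})),          # nobody owns it
]


def has_left(person: Person, as_of: date) -> bool:
    """A person counts as a leaver when HR says terminated or the end date has passed."""
    return person.status == "terminated" or (
        person.end_date is not None and person.end_date <= as_of
    )


def reconcile(people: list[Person], accounts: list[Account], as_of: date) -> dict[str, list[str]]:
    """Return findings by category; each entry names the account as 'system:username'."""
    by_id = {p.emp_id: p for p in people}
    findings: dict[str, list[str]] = {
        "orphan": [],                # account with no matching person in HR
        "leaver_still_enabled": [],  # person left but the account is still enabled
        "excess_entitlement": [],    # entitlements beyond the current role (mover)
    }
    for acct in accounts:
        tag = f"{acct.system}:{acct.username}"
        person = by_id.get(acct.emp_id) if acct.emp_id else None
        if person is None:
            findings["orphan"].append(tag)
            continue
        if has_left(person, as_of):
            if acct.enabled:
                findings["leaver_still_enabled"].append(tag)
            continue  # a disabled leaver account needs no further check
        allowed = ROLE_ENTITLEMENTS.get(person.job_role, {}).get(acct.system, frozenset())
        extra = acct.entitlements - allowed
        if extra:
            findings["excess_entitlement"].append(f"{tag} {sorted(extra)}")
    return findings


if __name__ == "__main__":
    for category, items in reconcile(SAMPLE_PEOPLE, SAMPLE_ACCOUNTS, AS_OF).items():
        print(category, items)
```

Run on a real extract, the same three lists are the ones an auditor asks for: the orphan list shows where the HR feed and the application directories have drifted apart, and the leaver list is the direct measure of whether the deprovisioning step the paragraph warns about is actually happening.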
"These are all questions that need to be addressed, and most companies don't have this documented," explains Joe Anthony, director of identity and access management software for IBM's Tivoli division. "You really need to sit down and leverage best practices. You need to get your architecture and business defined up front and set up a clear set of guidelines, rules and governance. This is especially important since identity and access management projects are often spurred by regulations and corporate governance initiatives."
Only then should you consider the technology. Some people reverse the order and then it is too late.
"We encountered challenges because we didn't have our policies in place," explains Christopher Paidhrin, senior security officer for ACS Healthcare Solutions, who rolled out an SSO/fingerprint authentication solution for Southwest Washington Medical Center in Vancouver, Wash. While the problems weren't insurmountable, it was a telling lesson about how process and policies need to be established first, he says.
"Start with business guidelines," says CA's Bartow. And when you do, cast a critical eye toward existing processes and policies. Do they make sense? For instance, should you have someone approve email access if it is considered a standard business process?
Some larger organizations have categorized their applications and created authentication levels depending on the sensitivity of the applications. One large bank, says Bartow, has set up security zones where the user can get access to two or three applications in zone one with a simple password. If they try to access an application in zone two, they may get a challenge question that they need to answer. Zone three applications may ask for some form of strong authentication to verify their identity.
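The zoning scheme Bartow describes is, in policy terms, a step-up authentication rule: each zone states the minimum assurance it accepts, a session carries the strongest factor the user has completed so far, and a request either passes or names the factor still missing. The code below is an added example of that rule, not the bank's configuration; the application names, zone assignments and assurance levels are constructed for illustration.

```python
"""Zoned access with step-up authentication.

Added example, not the bank's actual configuration: applications are placed
in zones by sensitivity, each zone states the minimum assurance level it
accepts, and a session is promoted as the user completes stronger
authentication. Application names and zone assignments are constructed.
"""
from enum import IntEnum
from typing import Optional, Tuple


class Assurance(IntEnum):
    NONE = 0
    PASSWORD = 1
    CHALLENGE_QUESTION = 2
    STRONG = 3   # e.g. a hardware token or smart card


# Minimum assurance each zone demands; the zone numbering follows the description above.
ZONE_REQUIREMENT = {1: Assurance.PASSWORD, 2: Assurance.CHALLENGE_QUESTION, 3: Assurance.STRONG}

# Hypothetical application-to-zone mapping.
APP_ZONE = {"branch_directory": 1, "timesheet": 1, "customer_accounts": 2, "wire_transfer": 3}


def decide(app: str, session_level: Assurance) -> Tuple[str, Optional[Assurance]]:
    """Return ('allow', None), ('step_up', level_needed) or ('deny', None)."""
    zone = APP_ZONE.get(app)
    if zone is None:
        return ("deny", None)          # an unmapped application fails closed
    required = ZONE_REQUIREMENT[zone]
    if session_level >= required:
        return ("allow", None)         # a stronger session satisfies a weaker zone
    return ("step_up", required)


class Session:
    """Tracks the strongest authentication a user has completed in this session."""

    def __init__(self) -> None:
        self.level = Assurance.NONE
        self.log = []  # (app, verdict, level still needed) for audit

    def complete(self, level: Assurance) -> None:
        # Assurance only ratchets up; completing a weaker factor never lowers it.
        self.level = max(self.level, level)

    def request(self, app: str) -> str:
        verdict, needed = decide(app, self.level)
        self.log.append((app, verdict, needed))
        return verdict


if __name__ == "__main__":
    s = Session()
    s.complete(Assurance.PASSWORD)
    for app in ("timesheet", "customer_accounts", "wire_transfer"):
        print(app, s.request(app))
    s.complete(Assurance.CHALLENGE_QUESTION)
    print("customer_accounts after step-up:", s.request("customer_accounts"))
```

Two design points matter in practice: an application missing from the zone map is denied rather than treated as zone one, and the session level never drops, so a user who has already presented a smart card is not asked for a password again when moving back to a zone-one application.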
Often customers try to automate existing processes that are chaotic, says BMC's Singh. "Now all you've got is a chaotic and automated process." Singh elaborates: If you automate a process that asks users to change their passwords every 90 days--knowing full well that most users will only do it upon threat of being locked out--has automation improved the process or reduced help desk calls? "Change the policy to force password-change for employees in increments and then automate the process."
[how to get your house in order]
From a technical standpoint, you've got lots to consider under the identity and access management umbrella: directory management, access management, user administration and provisioning, password management, and audit and compliance management. Add to the mix multiple locations, varying applications, hardware platforms and operating systems, and disparate repositories. Perhaps that's why more than three-quarters of Information Security and SearchSecurity.com readers said creating a consistent set of permissions for users across different applications was a problem at their organization.
"What are you doing with the data? Quite often there are too many pockets of information," says IBM's Anthony. Furthermore, companies are collecting too much information, putting the organization at a security risk should their systems get hacked or they lose information and expose the data. "Capture only relevant data and reduce where this information is in to as few places as possible. Put it in one place, if possible, and then replicate as needed."
Normalizing and cleansing data is another area where difficulties arise. So much so, it has spurred an ancillary market, dubbed role engineering.
"Role engineering tools enhance provisioning systems by providing the technical and process glue to build roles across disparate systems," explains Mark Diodati, identity and privacy strategies analyst at the Burton Group. Provisioning systems are good at talking to these disparate systems, but most have difficulty assisting organizations with the role-creation process. "Before role engineering tools, organizations used manual processes and potentially thousands of Excel spreadsheets--a process that could take six months to one year. Role engineering tools can significantly reduce provisioning deployment times." Another technical challenge is provisioning stronger authentication devices. "Provisioning systems are pretty good at password management, but what if I want to issue smart cards? Then it gets more complicated because the provisioning system must cooperate with a smart card management system, which may require custom code," says Diodati.
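The core of what a role engineering tool does with the spreadsheets Diodati mentions is to group users by the entitlements they already hold across systems and propose those groupings as candidate roles, leaving the users who fit no group as "nearest role plus exceptions" for a reviewer. The code below is an added example of that grouping step, not the algorithm of any product named in the article; the users, systems, entitlements and department labels are constructed.

```python
"""Role mining over entitlements pulled from disparate systems.

Added example, not a role engineering product's algorithm: it groups users
whose entitlement sets are identical into candidate roles, names them from
an HR department attribute, and expresses the remaining users as 'nearest
role plus exceptions' for review. Users, systems and entitlements are constructed.
"""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set, Tuple

Entitlement = Tuple[str, str]   # (system, permission)

# Constructed extract: user -> entitlements collected from each system.
SAMPLE_ENTITLEMENTS: Dict[str, Set[Entitlement]] = {
    "alice": {("ehr", "chart_read"), ("ehr", "chart_write"), ("pharmacy", "order_view")},
    "bob":   {("ehr", "chart_read"), ("ehr", "chart_write"), ("pharmacy", "order_view")},
    "carol": {("ehr", "chart_read"), ("billing", "invoice_view")},
    "dan":   {("ehr", "chart_read"), ("billing", "invoice_view")},
    "erin":  {("ehr", "chart_read"), ("billing", "invoice_view"), ("billing", "invoice_approve")},
}

# Constructed HR attribute used only to name the candidate roles.
SAMPLE_DEPARTMENTS = {"alice": "nursing", "bob": "nursing",
                      "carol": "billing", "dan": "billing", "erin": "billing"}


def mine_roles(entitlements: Dict[str, Set[Entitlement]],
               departments: Dict[str, str],
               min_users: int = 2):
    """Return (candidate_roles, exceptions).

    candidate_roles: list of {"name", "entitlements", "members"} for every
    entitlement set shared by at least min_users users.
    exceptions: user -> {"base_role", "extra"} for users who fit no candidate.
    """
    groups: Dict[FrozenSet[Entitlement], List[str]] = defaultdict(list)
    for user, ents in entitlements.items():
        groups[frozenset(ents)].append(user)

    roles = []
    leftovers: List[str] = []
    used_names: Dict[str, int] = defaultdict(int)
    # Largest groups first so the most common pattern becomes the primary role.
    for ents, users in sorted(groups.items(), key=lambda kv: (-len(kv[1]), sorted(kv[0]))):
        if len(users) < min_users:
            leftovers.extend(users)
            continue
        base = "+".join(sorted({departments[u] for u in users})) + "_role"
        used_names[base] += 1
        name = base if used_names[base] == 1 else f"{base}{used_names[base]}"
        roles.append({"name": name, "entitlements": sorted(ents), "members": sorted(users)})

    exceptions = {}
    for user in sorted(leftovers):
        ents = set(entitlements[user])
        # Nearest role: the largest candidate whose entitlements the user fully holds.
        fitting = [r for r in roles if set(r["entitlements"]) <= ents]
        best = max(fitting, key=lambda r: len(r["entitlements"]), default=None)
        extra = sorted(ents - set(best["entitlements"])) if best else sorted(ents)
        exceptions[user] = {"base_role": best["name"] if best else None, "extra": extra}
    return roles, exceptions


if __name__ == "__main__":
    roles, exceptions = mine_roles(SAMPLE_ENTITLEMENTS, SAMPLE_DEPARTMENTS)
    for r in roles:
        print(r["name"], r["members"], r["entitlements"])
    print("exceptions:", exceptions)
```

On real data the exception list is where the review effort goes: a user whose "extra" is one approval permission on top of a department role is either a second, smaller role waiting to be defined or an entitlement that should be removed before provisioning is automated, which is exactly the "chaotic process" problem Singh describes.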
Whether you decide to include role engineering tools or not, evaluating identity and access management products can be a major undertaking. When it comes to testing various products, do your homework.
"Test what vendors say. Build out a test bed that really replicates the production environment and test the complexities and nuances of a production environment," says Toffer Winslow, RSA Security vice president of product marketing. For instance, when you talk about Web access management (WAM) in particular, it is difficult to integrate applications with complex, internalized authorization schemes, such as Microsoft Web applications, and Web-based enterprise resource planning (ERP) applications, Diodati says. "WAM systems can almost always provide Web single sign-on (SSO) to these platforms--it's the centralized authorization that can be difficult," he says.
"Which solutions really work well with their competitors' solutions?" asks RSA's Winslow. "This is where customers get into trouble." Adds CA's Bartow: "Make sure you do the architecture assessment in combination with the business process. Oftentimes, people jump right into the implementation. But where are your directories? How are they structured? How will you integrate them?" You don't want to be in the middle of the implementation and realize that you need to integrate a mainframe database or you've missed some proxy server. This is when you miss your schedule and business units are alerted, says Bartow.
Pick your pilot project carefully and start small. Don't deploy enterprise-wide. Pick your top three to five applications--the ones that have the most bang for the buck, says IBM's Anthony.
"Don't get enamored by the big picture. You need to be focused," says Winslow.
And lastly, think to the future. "Build the foundation and have a vision of where you want to go long term," says Winslow. "For instance you may want to move to federation in a few years, or begin to look at service-oriented architectures. You need to consider those goals when you begin the project."
For Banyai, Bridgepoint's IAM project was a success. "It was about being a one-stop shop and deploying access in a transparent manner. We're a hospital, and technology should help, not hinder, our patient caregivers."