IBM aims identity suite at compliance, audit pains

By Robert Westervelt, News Editor
13 Sep 2007 | SearchSecurity.com

Security Wire Daily News
IBM has been on a shopping spree over the last several years to beef up its Tivoli identity and access management suite. Over the summer, Big Blue rolled out the results of its acquisition of Consul Risk Management, launching the Tivoli Compliance Insight Manager to automate the tracking and reporting of non-compliant behavior across the enterprise. In this Q&A interview, Joe Anthony, program director for identity management for Tivoli, explained to SearchSecurity.com IBM's strategy moving forward and why some customers, in his view, are moving away from point solution vendors to solve their identity and access management issues.

What are some common identity management changes and why would a company choose a full suite to address them rather than point solutions?
Joe Anthony: Customers have multiple problems that they're trying to address in their organizations. They may just have a user provisioning challenge, but in most cases they're trying to look at what they need to do throughout their company for all their compliance management needs. That usually runs the full gamut of how you address access management, how you address user provisioning, and the directory and identity data infrastructure you're using to handle the identity metadata that you're going to leverage throughout the organization. An individual solution to get started is fine, but you want to look at what your total objective is over the period of time that the projects are going to run, and whether you are working with a vendor that's going to meet all those needs versus dealing with three or four different point vendors who will each meet one of those specific needs.

To put it into perspective, IBM acquired a bunch of point vendors and put them into one suite, correct?
Anthony: We've done an awful lot of integration over the years. We've been very methodical in the acquisitions that we did make, as far as assessing who we thought were very good market leaders at the time of the acquisition. Then we spent a lot of time and energy to make sure that the products were integrated and would address the customer needs.

A recently published Burton Group report said IBM needs to prove integration of its usability features of Tivoli Identity Manager to build a cross-functional suite of products. Has cross-functional integration been an issue with the various acquisitions you have made?
Anthony: It's been an area of heavy investment for us. You'll continue to see us put additional efforts there. It's one of those areas where no matter how much you've done, there's always more that you can do. We will continue to increase the level of integration across the products. The other area, around our Identity Manager specifically: we have a version of the product called Tivoli Identity Manager Express. A lot of the features in there make it simpler to deploy and easier to use, so there are screens tailored just for end users versus just a manager who is reporting things. We've taken those features, and in the fourth quarter we will have a version of Tivoli Identity Manager that takes the best features of the Express version and makes those available on top of Tivoli Identity Manager.

Let's talk about the benefits of deploying single sign-on. Is that really what your customers are looking for when they choose an identity management suite?
Anthony: It depends. We'll often go in and assess where the customer is in their overall cycle of deploying an entire identity management infrastructure, and we'll see where their greatest pain points are. Some customers do want to start with enterprise single sign-on because that has the most obvious impact on end users, and they just want to go ahead and let them see an immediate benefit. Others have already taken a number of their applications and their Web-oriented applications, and they may not go with a traditional enterprise single sign-on product as much as managing it from an access management perspective and doing Web single sign-on, so the end user doesn't even see the vast majority of what's going on. There are other accounts where, as a result of an audit, they'll have very poor user provisioning policies in the removing of users from systems, and they will focus on that right away.

What are some of the complications that result in poor user provisioning policies?
Anthony: When people are leaving an organization, there may be a policy that says that within 48 hours of a contractor leaving the organization you're going to remove their access from email, financial data systems and things like that. An auditor may come in 60 days later and find that none of those accesses have been removed. That will definitely get auditors off on a bad foot. The other area that is very common is separation of duties problems. Quite often companies will go ahead and keep on adding additional permissions to an individual user, so if they've worked in finance over a period of ten years and switched jobs once a year, they will have aggregated far too many entitlements within the finance organization. You would almost be guaranteed to have a separation of duties problem. An individual person would now have the opportunity to be authorizing new contracts, they'll have the authorization to cut checks, make payments, etc., and you just end up with a blatant separation of duties problem.
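
The two audit findings Anthony describes, access that outlives the 48-hour deprovisioning window and toxic entitlement combinations accumulated across job changes, can be checked mechanically. The script below is an added example written for this page, not IBM or Tivoli code; the HR records, account states, entitlement sets and the SoD rule definitions are all constructed assumptions.

```python
# Added example: audit-style checks for the two findings described in the interview.
# All data and policy here is constructed for illustration, not from any product.
from datetime import datetime, timedelta

DEPROVISION_SLA = timedelta(hours=48)          # policy window from the interview
AUDIT_TIME = datetime(2007, 8, 30)             # auditor arriving ~60 days later

# Assumed separation-of-duties policy, modelled on the finance example:
# nobody may both authorize contracts and move money.
SOD_RULES = {
    "authorize_and_cut_check": {"authorize_contract", "cut_check"},
    "authorize_and_pay": {"authorize_contract", "make_payment"},
}

# Constructed HR feed: user -> termination timestamp.
TERMINATIONS = {
    "c.jones": datetime(2007, 7, 1, 9, 0),
    "d.smith": datetime(2007, 7, 1, 9, 0),
}
# Constructed account inventory: (user, system, still_active, disabled_at).
ACCOUNTS = [
    ("c.jones", "email", True, None),                          # never removed
    ("c.jones", "finance_erp", False, datetime(2007, 7, 2, 10, 0)),  # within SLA
    ("d.smith", "email", False, datetime(2007, 7, 5, 8, 0)),   # removed too late
]
# Constructed entitlements accumulated by ten years of finance role changes.
ENTITLEMENTS = {
    "a.lee": {"view_ledger", "authorize_contract", "cut_check", "make_payment"},
    "b.kim": {"view_ledger", "cut_check"},
}

def overdue_deprovisioning(terminations, accounts, audit_time):
    """Return (user, system) pairs whose access outlived the 48-hour SLA."""
    findings = []
    for user, system, active, disabled_at in accounts:
        left = terminations.get(user)
        if left is None:
            continue                              # still employed, not in scope
        deadline = left + DEPROVISION_SLA
        # Either still active when the auditor looks, or disabled after the deadline.
        if (active and audit_time > deadline) or (disabled_at and disabled_at > deadline):
            findings.append((user, system))
    return findings

def sod_violations(entitlements, rules):
    """Return sorted (user, rule_name) for every user holding a full toxic set."""
    return sorted((user, name)
                  for user, held in entitlements.items()
                  for name, combo in rules.items()
                  if combo <= held)

if __name__ == "__main__":
    print(overdue_deprovisioning(TERMINATIONS, ACCOUNTS, AUDIT_TIME))
    print(sod_violations(ENTITLEMENTS, SOD_RULES))
```

Run against a real HR feed and account inventory, the first check produces the 60-day finding before the auditor does; the second flags users whose accumulated entitlements cross a defined SoD line.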

When did identity management become so closely aligned with security? Wasn't it really off on its own for a long time?
Anthony: As far as a basic need, it's been around since about 2000, and we've seen increased interest over the last three years as people are starting to realize that you can't manage it as a silo. We've advocated that customers make it a very strong part of their overall identity and access management paradigm, and that's how you drive compliance in the organization. Quite often individual companies will look at this as a silo, but we definitely need to drive the mindset in the organization that these things very much are intertwined and need to be looked at holistically across the business processes as well as the compliance and audit processes.

What were the market conditions in 2002 that prompted IBM to step into the market? What did IBM see at the time in terms of the solutions it needed to provide?
Anthony: I think we saw a definite need for that level of capabilities. At that time we saw that, in terms of capabilities, the level of increased functionality that we wanted to add to our own offering was definitely going to take us longer than we would have liked, so we went out and did an acquisition in 2003 to jumpstart that next evolution of what we wanted to do with identity and access management. We acquired Access360; we assessed the different marketplace vendors at the time and thought that they brought the most to the table, and we wanted to leapfrog where we were technology-wise. At the time we did have an offering in the market, but we thought Access360 would allow us to deliver additional value to our customers faster.

All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy