User provisioning has become the first item on the wish list of any company shopping for IAM suites.
Research firm Gartner Inc. recently released its "Magic Quadrant" report on the user provisioning market. In this tip, some of Gartner's findings will be examined to discern what the future holds for enterprise user provisioning products.
Key user provisioning features
Perhaps the most appealing features of user provisioning products are their ability to add many new users quickly and uniformly, and to knit together the hodgepodge of authentication systems that many companies have.
Adding new users isn't as easy as it may seem. According to Gartner, user provisioning software must be able to automate creation, modification and deletion of user IDs on targeted systems, as well as offer self-service functionality, including password resets and role management. Such user provisioning products must also include a workflow process for approval of account additions and changes, support for HR applications to trigger changes in provisioning when an employee's status changes, and reporting of role assignments and events for each user. Besides being a best security practice for keeping track of users, these functions are required for compliance, most notably PCI DSS, which now demands full accounting for all users and their roles.
User provisioning works by providing a single method for creating and managing user accounts across diverse systems. For example, a company may have started out as a mainframe shop, then later added some Unix systems and maybe brought in a Windows network through an acquisition. On top of that, even on the same systems, administrators may not have been adding users uniformly. In some cases, they may have been handed a sticky note with instructions to "add Bob's user account the way Sally's was added last month."
User provisioning ends that chaos. Whether logging on to a mainframe, a Unix server or a Windows network, every user is added in the same way, through a uniform interface asking for the same credentials to build a user profile. This not only streamlines adding and managing user credentials, but also allows for accurate tracking of who has access to what systems, which is required for compliance. In addition, user provisioning can offer automated password resets, reducing the number of help desk calls.
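To make the functions just described concrete, here is an added illustration (not any vendor's code, and not from the original tip) of a minimal provisioning engine: one uniform interface that creates, modifies and deletes accounts on several stubbed target systems, a request/approve workflow, HR status events as triggers, a per-user role report, and a reconciliation check that flags accounts a target holds but the engine never provisioned. Target names, role names and the in-memory targets are constructed for the example.

```python
from dataclasses import dataclass, field
from itertools import count

@dataclass
class Target:
    name: str                                   # e.g. "mainframe", "unix", "windows"
    accounts: dict = field(default_factory=dict)  # user -> set of roles on this system

class Provisioner:
    """Single interface for the account lifecycle on every target system."""
    def __init__(self, targets):
        self.targets = targets
        self.pending = {}          # request id -> (action, user, roles)
        self.provisioned = set()   # users this engine created and has not deleted
        self.audit = []            # (request id, event, user, target, roles, approver)
        self._ids = count(1)

    def request(self, action, user, roles=()):
        """Queue a create/modify/delete; nothing touches a target until approved."""
        rid = next(self._ids)
        self.pending[rid] = (action, user, frozenset(roles))
        self.audit.append((rid, "requested " + action, user, None, sorted(roles), None))
        return rid

    def approve(self, rid, approver):
        """Workflow approval: apply the same steps uniformly on every target."""
        action, user, roles = self.pending.pop(rid)
        for t in self.targets:
            if action == "create":
                t.accounts[user] = set(roles)
            elif action == "modify":
                t.accounts.setdefault(user, set()).update(roles)
            elif action == "delete":
                t.accounts.pop(user, None)
            self.audit.append((rid, action, user, t.name, sorted(roles), approver))
        self.provisioned = self.provisioned - {user} if action == "delete" else self.provisioned | {user}

    def hr_event(self, user, status):
        """An HR status change triggers the matching lifecycle action automatically."""
        action = {"hired": "create", "terminated": "delete"}[status]
        self.approve(self.request(action, user, {"staff"} if status == "hired" else ()), "hr-feed")

    def roles_report(self, user):
        """Who holds what, per system: the record compliance reporting asks for."""
        return {t.name: sorted(t.accounts.get(user, ())) for t in self.targets}

    def orphans(self):
        """Accounts on a target this engine never provisioned: a signal to review."""
        return {(t.name, u) for t in self.targets for u in t.accounts if u not in self.provisioned}
```

The `orphans()` check is the piece worth wiring into monitoring: an account that appears on a system without passing through the approval workflow is exactly the unauthorized addition that a uniform provisioning path makes visible.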
Emerging user provisioning features
User provisioning is a basic concept. It's about creating and managing authentication credentials. Over the years, ease of use has improved, with Web-based dashboards, for example, as has role management. Beyond that, however, there have been few show-stopping technological innovations.
But two areas stand out as possible indicators of the direction of the user provisioning market. One is Software as a Service (SaaS) or cloud computing. As companies, particularly smaller organizations, outsource their security services to SaaS providers, the question becomes how to provision users "in the cloud." So far, only a few vendors have ventured into this space, like Courion Corp. and Fischer International, but both have partnered with SaaS providers like Identropy Inc. (in the case of Courion) rather than offering their own SaaS service.
The growth of SaaS could lead to the development of more user provisioning software offerings in the cloud. PingFederate from Ping Identity Corp. offers such a service for Salesforce.com; it allows administrators to provision users themselves through the SaaS service, even though the systems are remote. Note, however, that SaaS-based user provisioning is still in its infancy; it has a long way to go before being widely adopted.
Another innovation and possible market indicator is virtualization. Virtualization itself adds a wrinkle to user provisioning, since it's essentially a system residing inside another system. So, how does one provision a user to a virtual system? One vendor, Fox Technologies Inc., addresses this issue by automatically provisioning users to virtual machines by adding the machines to existing managed groups. This will become a key issue, as with SaaS, as companies turn to virtual machines to reduce hardware costs through consolidation of servers.
SaaS and virtualization are on the ground floor, barely emerging from the basement, as two innovative features the major players will have to eventually develop as part of their user-provisioning offerings.
So, who are the major players and where are they going? Among the leading vendors Gartner highlights in its report, Oracle Corp. has been particularly impressive in beefing up its IAM suite, while Novell Inc. has more tightly focused its marketing efforts and improved the customer experience. Sun Microsystems Inc., though still in the big leagues, has trailed Oracle and IBM Tivoli, and CA Inc. moved into a commanding position because of its sales and marketing overhaul and product delivery improvements.
The future of user provisioning software
Going forward, Gartner envisions the creation of a new market called identity auditing, which combines the expanding role of user provisioning with user-access reporting for regulatory compliance. Identity auditing will allow the capabilities of user provisioning to tap into directory services combined with other event logs of user access activity to provide real-time event reporting.
Identity auditing, for better or worse, may become a necessary evil in user provisioning, as compliance pressures demand accurate accounting of user access to systems. Whether it will strengthen user provisioning or add excess baggage that makes user provisioning too complicated remains to be seen, since identity auditing is a few years away from becoming a user-provisioning feature.
Ultimately, it may defeat the purpose of user provisioning, which is to simplify the creation and management of user authentication credentials. It may also be redundant, since reporting is already a feature offered by IAM suites.
Parallel to identity auditing, Gartner also predicts user provisioning will eventually intertwine with security incident and event management (SIM or SIEM) to provide information about identity events alongside other network events monitored for security. The idea is that user provisioning and SIEM will work together, providing immediate reporting of an attempted malicious login on a SIEM dashboard. If someone is brute forcing a password or creating an unauthorized (and probably malicious) user, the SIEM will detect it immediately.
Again, as with identity auditing, it might be a nice feature in theory, but may add too much complexity to a user-provisioning system when other IDS and IPS tools can do the same trick.
User provisioning is fundamental to IAM, and is continually maturing. Its vendors continue to be creative about upgrading and marketing their products; it's exciting to watch where it goes.
About the author:
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP, specializing in web and application security, and is the author of The Little Black Book of Computer Security, Second Edition. He also hosts a regular radio show on computer security on WIIT in Chicago, and runs The IT Security Guy Blog at http://www.theitsecurityguy.com.
This was first published in October 2008