Now you see it ...
Even more significant than SSO, identity-based networking offers administrators a single point of access for creating and destroying network accounts. With an identity-based provisioning system such as Netegrity IdentityMinder eProvision, a new hire can be set up with e-mail, application, and network access in just a few minutes. Permissions can be assigned based on pre-established rules regarding what access rights a user group, and each member of that group, has in the network. Enter a few brief bits of information into the system - essentially the new hire's name, rank, and serial number - and the identity management solution takes care of the rest.
Purging accounts from the system is an equally speedy procedure. It is obviously far easier to globally delete all permissions associated with a user's identity after the user leaves the company than it is to manually purge this information from a fragmented system, taking note of every remote access server, VPN, wireless access point, and so on. Thus, the risk of leaving a disgruntled employee's password active in some hidden corner of the network is dramatically reduced.
Mike Neuenschwander, senior analyst at Burton Group, believes that provisioning capabilities are likely to provide most enterprises a quick and visible return on their identity management investment. He adds that it's tempting to see provisioning as the most attractive and easy-to-implement component of an identity management system.
But provisioning isn't necessarily simple. Besides setting permissions for human users, it often involves granting access to portable devices and applications and managing other assets (see Identity's Role in SOA). Plus, many companies expand their identity management system beyond their network perimeter to include partners, suppliers, and customers.
"You can't assume you'll be able to run on automatic pilot," Neuenschwander says. "You need responsible parties to set the policies, to look through the rules, make any necessary changes, and approve them. Managers, not the [identity management] system, ultimately have to be the responsible parties for approving and denying access."
Keys to the kingdom
Standardising on identity allows for the creation of more straightforward, role- and policy-based security controls. By defining precisely who the approved users are and what their roles and responsibilities are within and across the entire network, data is better protected from misuse.
Access control can apply to both internal and external users' identities. External user access control can be put to work by allowing customers access to specified sections of company databases for self-service activities, checking order shipment status, adding new services with a click instead of a phone call, or paying bills, for example.
Policies can also be implemented to enforce privacy, exposing sensitive data to only those who need to see it. This is obviously important for those in fields where access to data is now regulated, such as health care and banking, but today no business can afford to be cavalier about privacy.
Another advantage of an identity-based infrastructure is that it facilitates delegated administration, in which the responsibility for managing certain roles and identities can be handed off to the departments most familiar with them, without granting those parties full administrative access to the network.
We can delegate administration to help desks and call centres so that they're able to do certain things with people's identities in the directory," says Steve Devoti, directory services manager at the Credit Union National Association (CUNA), which delivers online services for more than 10,000 US credit unions serving more than 80 million consumer clients. CUNA implemented an identity management system by Oblix in September 2001.
"On the credit union side, it's huge," Devoti says. "The help desks can reset passwords but not delete someone's Social Security number."
For the record
Another benefit of a network infrastructure based on a centralised identity system is the ease with which the system can automate comprehensive logging and auditing. Many experts note that without proper auditing, there's no such thing as real security.
"Audit is just event logging, but it's a really big issue," says Roberta Witty, research director for information security strategies at Gartner. "You need to be able to know at a glance who signed on to the system, who signed off and when, and what access they requested."
"There's no point in establishing security polices if there's no way to track adherence to those policies," says security consultant Mike Sweeney. "Users need to know that policies mean something, that they aren't just suggestions, and that policies are enforced. Plus, depending on the business a company is in, auditing is either already required by law or may well soon be."
Ken Sims, vice president of business development at Oblix, agrees. "The original drivers toward identity management were [competition], cost reduction, and increased security," he says. "Now we have regulatory compliance issues that are forcing people to look towards identity management as the only way to effectively be in compliance with regulations like HIPAA [Health Insurance Portability and Accountability Act] and Sarbanes-Oxley."
According to Sweeney, the advantage of identity-based security is that it unifies and correlates the various logs and audit trails generated by disparate applications and tools.
"Virtually all business software tools already have their own event log that makes note of who's doing what at the operating system and application level," Sweeney says. "But if you think about how many logs you'd need to query in the event of a security breech or to show progression of what information each user had access to when and why - it'd be a mess. You'd have to touch all those logs. It's far better to have a central repository for this information, where the data is correlated and you have the proper tools to work with it."
Tailored to fit
Burton Group's Neuenschwander and Gartner's Witty agree that it's important for businesses to find an identity management system that fits their unique needs, rather than altering their business practices to suit the needs of a solution.
"I had a customer call and ask me, 'What identity management system should I buy, and can I install it over the weekend?' " Neuenschwander says. "Identity management is not something that you can just install, and it's not a plug-and-play product. You need to have a strategic plan. You need to identify the problems that are not being handled well now and then come up with the specific tasks that you want to accomplish before you begin to evaluate products."
IBM's O'Connor agrees that no single approach will be right for every organisation. A successful identity implementation, he says, will start small.
"Whatever issue you want to address - cost cutting, security, compliance, solving workflow processes, etc. - it's important that you pick the problem you want to solve first and start there," O'Connor explains. "And it's important to understand the scope of what you're doing. In a typical large enterprise, identity management will need to span several lines of business."
In addition, O'Connor cautions companies not to expect an immediate return on its move to identity-based network management. As with any major IT project, arriving at the solution that best serves business goals will take time.
"You will spend several months architecting how it should work and another several months getting first areas up to speed," O'Connor says. "You'll first start seeing value in the system two or three months after you deploy it. It will take six months to fully realise value. So the entire cycle will take a year or longer."
When the goal is securing and future-proofing your network, however, there's little doubt that implementing identity will be time well spent.