Two years ago, Exxon Mobil had big plans to create a centrally-managed identity management infrastructure that would automate the process of issuing new user accounts for access to its many corporate applications. Unfortunately, it had to put those plans on hold last year when the technology couldn't meet the business's needs.

"Our vision includes full life-cycle management of all user identities and access privileges," says Patricia Hewlett, vice president of global IT. The problem was achieving that vision at scale. Exxon needed to manage identities and provision access based on each user's role and the types of system access required to do the job, but that was difficult with 84,000 employees in 200 countries.

"Available products could handle a small number of static roles but were not well suited to managing dynamic, attribute-based roles," Hewlett says.

Many of Exxon's applications also didn't support role-based access. "We had to add those capabilities to each application," Hewlett says. That was too much work, so she has "put the project in the fridge" for now.

The products have improved since Exxon first planned the project, but Hewlett says role-based access is still relatively immature. "We ... have not made a decision as to when we'll resume the project," she adds.

Like many other organisations that have travelled the road to centralised identity management, Exxon found the potential benefits — such as automated provisioning of accounts for new users and deactivation of accounts for departing employees — compelling. But getting the full benefit from an identity infrastructure remains challenging.

Identity management tools have made strides in the areas of managing access, creating user accounts, designing workflows and providing an audit trail of who had access to what when.

The tools break down the stovepipe identity infrastructures in which each application has its own access controls and administrator — a design that doesn't scale well when businesses have thousands of applications.

Growing integration

As the industry has consolidated, many of the stand-alone identity management tools have been absorbed into suites that integrate user provisioning, Web access management, single sign-on and other functions into one framework. But centralising the management of identity information is still a complex and costly affair that involves integrating application-specific and directory-based repositories.

"The integration of applications, the role management issues, many organisations find very complex to plan and deploy," says Ray Wagner, an analyst at Gartner. And identifying and managing user roles is still "a very early market," he adds.

Applications that support a common directory system, such as Microsoft's Active Directory, make role management easier, but even then there are challenges, says Rafael Rodriguez, associate CIO for infrastructure services at Duke University Health System in North Carolina. "Active Directory can keep track of roles, but in each application, you still have to maintain what those roles are allowed to do," he says.

Many identity management deployments also lack granularity, allowing all-or-nothing access to applications. Fine-grained access controls, where users have conditional access based on their roles, have been implemented in very few organisations, Wagner says. That means that in most cases, administrators still must manage fine-grained access within each application.

Cleaning up and mapping data is another challenge. "Customers don't always have their data in a form where you can bring it together into a common repository of identity, or they don't understand the business processes well enough to deploy role-based systems," says Peter Houston, senior director of identity and access product management at Microsoft.

Deployments can also be costly, and complexity increases with the size of the organisation. IT executives should expect to pay $20 to $30 per user for the software and two to six times that amount on integration, Wagner says.

Motivating Factors

Nonetheless, businesses are increasingly motivated to move ahead. Identity management systems can improve overall security and privacy while providing an audit trail to meet the requirements of regulations such as the US Health Insurance Portability and Accountability Act or Sarbanes-Oxley Act.

Because of that, compliance issues are driving identity projects that couldn't be justified by return on investment alone. Without an identity management infrastructure, organisations are finding that "it's either very painful to produce compliance reports, or they can't do it at all," Wagner says.

A centralised identity management infrastructure is also foundational for projects that can cut administrative costs and increase productivity. The systems can reduce replication of administrative tasks by allowing identity information to be updated in one repository and propagated out to all others. User provisioning and deprovisioning tasks can be automated or delegated to others. Self-service initiatives, such as automating the password-reset process, can cut down on help desk calls.

Compliance was a motivator at Florida-based Health First, which manages 15,000 user accounts for three hospitals and a health plan. It has several authoritative sources of identity information, including a PeopleSoft application, a physician credentialing system called Midas+ Seeker from Affiliated Computer Services and a suite of clinical applications.

The problem is that as people change roles, they gain cumulative access to the various systems, says Dan Tesenair, senior network engineer at Health First. "We're very good at getting people what they need, but we're very poor at taking it away," he says.

Health First brought in Novell Identity Manager and has been using the product's metadirectory features to manage identity information among 20 applications. Like most vendors, Novell offers connectors for commonly used directories such as LDAP, popular applications such as PeopleSoft, and databases such as SQL Server and Oracle, which some applications use as back-end repositories for identity information.

For other applications, Health First needed to write new connectors. But customisation wasn't what slowed the project, Tesenair says. "On average, we spend two or three months dealing with the business processes and two to three weeks writing the connector for any given application," he says.

Part 2 tomorrow.