
Special Issue -- IT Automation: Identity Management

ANALYSIS: IT AUTOMATION


OUR LOGIC IS UNDENIABLE: SELF-HEALING, SELF-PROVISIONING NETWORKS THAT EASE PROCESS AND CHANGE CONTROL ARE OUR FUTURE. WANT A TASTE NOW? READ ON...

For many IT professionals, identity management represents the ultimate intersection of infrastructure, process, security and business applications. Succeed in launching a global IdM initiative and you're a hero. Fail and you face an ignoble and expensive defeat.


"There's a lot of dead bodies on this highway," says Amit Jasuja, VP of development for security and identity management at Oracle. "This is due in part to both wrong technology and serious market changes."


Indeed, we found seismic movement in the IdM space, but readers and experts agree on a few truths. First, flexibility is crucial. Those who built bridges to multiple teams--some outside of IT--overcame obstacles quicker. Organizations that kept flexibility top of mind also had the fewest headaches when they were thrown those inevitable technical curveballs.


Second, the stakes are incredibly high when it comes to vendor selection--IdM touches so many aspects of the business that choosing the wrong partners can have a cascading effect.


The good news? There are huge savings to be gained by organizations that are savvy about where, when and how they invest. A well-planned and -executed IdM strategy helps in myriad areas--from automating account administration to lightening helpdesk workloads to reducing the time it takes to bring new applications online.


And, enabling technologies are maturing. Highlights include a group of 81 authentication vendors looking to provide standardized protocols for cross-vendor authentication; open-source products, including the OpenLDAP directory project; and virtual directories. In the larger scheme of things, the ongoing convergence of the logical data security world and the physical security sphere is only going to make IdM more inevitable.


As with most major IT initiatives, however, IdM goes beyond the technology piece to include people and process components.


"Identity and access management cannot be an IT project," says Dan Ayala, a data security manager who is working on his second IdM deployment within the Fortune 500. "It has to be business, HR and IT together, or it will fail."


Here's how to keep the constituencies aligned and pushing your efforts forward.




Wide Reaching Concept


So what, exactly, is identity management? Is it authentication? User provisioning and de-provisioning? Network- and system-level access control? Directory services? Authorization mechanisms? All of the above, and then some. In our reader poll for this article, each of these items pulled in decisive numbers.


Those of us who've been in the IT trenches for more than a decade may recall the aggravation of monkeying with the NetWare bindery or managing painful NT trust models. The lesson is, be careful what you wish for: Although technology has improved, we now face complex new worries, including stronger regulations, privacy initiatives, the crossing of geo-political borders that exhibit dissimilar values, evolved concepts of data stewardship ... the list goes on. In our reader poll, the regulatory axe trailed only productivity increases as a top IdM driver.


And of course, all this angst represents a marketing opportunity.


When we started gathering background for this article we were initially appalled by the number of vendors inserting identity management into their positioning statements. Had we missed the memo mandating that IdM, compliance or NAC be included in all marketing manifestos? Apparently so, given that IPS vendors, desktop-management companies, firewall vendors, organizations that market third-party DHCP systems, wireless companies, storage vendors, even makers of USB thumb drives all claimed to own a piece of IdM (see "ID Management Components" in the image gallery for the real deal).


While we're still critical of the buzzword gravy train, once we peered a little deeper into the problem set, it became clear that IdM does in fact touch a wide range of technology platforms. It also became obvious that we're nowhere near the end of the road in terms of deployment. In fact, in our reader poll of 180-plus organizations, only 26 percent said they were almost or completely done with their IdM efforts. While that's certainly good for vendors, our view is that smart IT groups are taking their time, getting people and process components nailed down rather than diving into IdM. They're also playing the field; just 24 percent of our readers said they'd use a single vendor for their IdM projects. Forty-four percent gave a resounding no, while 32 percent scoffed at the very notion.


And, you're never really finished, according to experts we spoke with.


"This road map should continue to evolve as the global regulatory landscape matures and business demands change," Ayala says. "Continual re-evaluation of the program objectives and scope will keep it 'fresh' and in line with the business requirements, thus ensuring it has ongoing support from the business areas."


People Power


In talking with experienced IdM teams we got a diverse range of war stories, but a couple of themes stayed constant. One was a commitment by the HR department.


"If HR isn't centralized or at least standardized, you'll most likely have a difficult--if not impossible--task ahead of you," says Brooke Paul, who was CISO (chief information security officer) at a Fortune 500 financial services firm during its IdM deployment. "You need an 'authoritative source' of people information, and HR is usually the right place to find that."


Ayala echoed that sentiment: "This is a monumental effort that relied on the full support of HR to be truly successful. If IT endeavors to embark on this type of classification in a vacuum, the initial mapping results might be acceptable and accurate, but the long-term implications, as reorganizations occur and job functions change, without HR involvement will render the initial mappings of little value."


There's no getting around the fact that a central part of identity management is the people, and the concept of an authoritative source for employee data is elemental. Each data element in the identity store, typically a directory service, must be "correct" in that it should faithfully match the value of the source that provided the data. If an error is found in the store, it should be fixed in the authoritative source--which is not necessarily in the directory. Building bi-directional publishing systems can be a troublesome feat technically, a Herculean effort politically. Smart IdM teams get HR on their sides early and leverage that relationship throughout the project.


HR also can play a critical role in process definition. Processes usually exist for employee provisioning (new desk, phone or PC) and de-provisioning (firing, resignation or retirement). HR can provide valuable information regarding role definitions, an item large organizations seem to struggle with. Role definitions may go beyond the scope of HR, but HR can serve as a powerful ally. Successful IdM teams can learn from existing processes and coordinate modifications through natural process owners. Many had to dig deep into departments and business units to get at the heart of institutional roles. Often, department roles are understood only by immediate teams and co-workers, and they're rarely documented.


IT and security groups also are critical allies--and ones that aren't always aligned. The location of the information-security team in the org chart is a topic unto itself, but recently we're seeing more infosec groups that aren't even under the IT umbrella. In some cases, the security team is spearheading the IdM initiative; other times, IT takes the lead. Regardless of location and project driver, IT will play a huge role in any deployment because many IdM systems will be tied directly to IT assets.


"You need to make sure the team that will eventually manage the IdM applications has a significant voice in the requirements process," says Tyler Allison, who was a member of the IdM team at a large insurance provider. "Ownership should be decided before you engage the vendors. Things get messy otherwise."


It's also important to note that operational folks might not be the only ones who benefit. For example, the IdM system can provide value to developers and help secure data by giving developers a central location for finding people information (white pages) as well as security data (authentication, groups, roles). Providing common assets, such as Web services, or modules like Java objects or C libraries that developers can use to easily query information and get authentication and authorization data, also can help get other parts of IT excited about the initiative. A successful IdM deployment can even make IT look good to the business.


"We view our [IdM] deployment as a competitive advantage," says Jeff Anderson, assistant vice president, enabling technologies, at Fifth Third Bank. "We're looking at millions of dollars by getting products to market faster. That's pretty real to us."


Once sponsorship, roles, scope and processes are nailed down, it's time to start looking at the technology side--the plumbing in IdM that makes it all work.


Triple A: Evolution Continues


Before mainstream recognition that IdM initiatives encompass a wide range of technical and process issues, many early efforts were pushed forward using little more than the classic triple-A concepts: authentication, authorization and access control. Of course, it quickly became obvious that IdM is about way more than simply AAA. Still, even today these components play a critical and central IdM role, and the technologies continue to evolve.


Each element of AAA can--and often does--exist in many parts of the infrastructure. Access-control mechanisms, for example, are probably the most mature and are usually found embedded in core technology components: OSs, databases, firewalls and enterprise applications. New to the mix is today's definition of NAC, which now encompasses an absolutely dizzying array of endpoint-validation products (see our NAC market analysis at "The Plot Thickens," at nwc.com/go/nac-analysis).


The confusion and buzz behind NAC aside, having a foundational understanding of where access control fits into your IdM strategy is important to determine what's in scope versus out of scope. Firewalls might be critical for network access control, for instance, but they typically don't play a central role in IdM. In contrast, the provisioning of CRM user accounts often does.


Compared with the dynamic state of access-control technology, authentication mechanisms are well-understood, albeit relatively new, and are gaining prominence. Examples include tying the authentication for full-disk encryption suites into enterprise directories, managing mobile device risks and combating the growing problem of criminal attacks against online financial applications. The B2C challenge is a particularly dynamic one as criminal gangs continue their assaults on online users, and organizations respond with a virtual arms race. Round 1 had financial institutions moving from a state of blissful ignorance to one of proactive hardening and audit. In Round 2, attackers shifted from targeting institutions head-on to attacking customers. With Round 3 we're entering the era of "stronger authentication" in hopes of raising the bar yet again. It's here that things get really interesting, from an IdM perspective.


Solutions That Aren't


Dig deeper into the authentication portion of IdM, and most security veterans will attest that the world needs to move beyond passwords. But what's the replacement?


Microsoft's money is on the mainstream adoption of smart cards for certificate handling. Although PKI is still a bad word in many organizations, the technology that drives it is unavoidable, with behind-the-scenes inclusion in our daily lives becoming more pronounced; think SSL and Active Directory.


There's a better chance of smart-card adoption these days thanks to greater consumer awareness of security, and in turn, the inclusion of items such as fingerprint readers and hardware encryption in laptops, but we're skeptical of smart cards taking us to the authentication promised land.


Further, smart cards can address a wide range of use cases, but they can't address all of them. What about kiosk access? B2C transactions? Home banking? When one removes control of the endpoint, smart cards cease to be a reasonable route as the reader becomes a wildcard. We see smart cards as only one tool in our arsenal.


In some scenarios, biometrics is still an option, as fingerprint readers slowly creep into mainstream uses like laptop, PDA and USB drive authentication. TriCipher and other organizations offer a certificate-like approach that creatively inserts an additional verification step. Outside of biometrics, passwords and certificates, the next big authentication option is hardware tokens, a technology that's been successful but fundamentally stagnant for at least the past decade in terms of function and cost. It remains a relevant technology badly in need of an evolutionary step forward.


Consider that in 2007 we're still shelling out anywhere from $10 to $40--the same prices we were paying a decade ago--for a piece of plastic that's likely manufactured in China for about $2. Entrust's shot-across-the-bow move of launching a $5 token reinforces this notion. These margins are good for vendor revenue, bad for everyone else, particularly those looking to bring more authentication mechanisms to a larger base of users.


Fortunately, there's hope on the horizon. The Initiative for Open Authentication, or OATH, comprises 81 authentication vendors--nearly every large player in the space ... except RSA. OATH is looking to provide the necessary leadership to drive standardized protocols for cross-vendor authentication initiatives. The OATH team has already pushed through a number of standards, including the HOTP (HMAC-based One Time Password) algorithm, with more on the way. If OATH continues its progress, if it makes good on its promises, and if vendors adopt and implement the standards, we may in our lifetimes be able to purchase a token from vendor A, a provisioning system from vendor B, and an authentication system from vendor C, and have it all work together.


Of course, that's a lot of "ifs." And unfortunately there are still plenty of kinks to work out, even with standards already ratified. For example, even though the HOTP algorithm has been implemented in hardware tokens from companies like Vasco, the vision of separating the authentication backend from the end-user token isn't yet reality. When we walked around the RSA conference this year and asked if we could buy tokens from vendor X and an authentication system from vendor Y, reps looked at us like we had three heads.
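To make the HOTP standard mentioned above concrete, here is an added example (not code from the article, OATH or any vendor named here): the RFC 4226 algorithm in Python, exercised with the RFC's own 20-byte test secret, plus the server-side look-ahead check an authentication back end needs so that a user who pressed the token button a few times without logging in is not locked out, while a code that has already been accepted is never accepted again.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a 31-bit integer, then decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte
    code = ((mac[offset] & 0x7F) << 24           # drop the sign bit
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


class HotpValidator:
    """Per-token server state: the next expected counter and a bounded
    look-ahead window for resynchronisation (RFC 4226 section 7.4)."""

    def __init__(self, secret: bytes, counter: int = 0, window: int = 10):
        self.secret = secret
        self.counter = counter        # lowest counter value still acceptable
        self.window = window          # how far ahead we tolerate token drift

    def verify(self, otp: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                # Advance past the matched counter so this code, and any
                # earlier one the user skipped, can never be replayed.
                self.counter = c + 1
                return True
        return False                  # outside the window or simply wrong


# Test secret from RFC 4226 Appendix D (ASCII "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    for n in range(3):
        print(n, hotp(RFC4226_SECRET, n))   # 755224, 287082, 359152
    v = HotpValidator(RFC4226_SECRET, window=5)
    print(v.verify("755224"), v.verify("755224"))   # True, False (replay)
```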


Someone forgot to tell the sales teams about OATH.


Joking aside, some vendor marriages look to be fruitful. In early May, for example, VeriSign launched a new fraud-prevention service that takes advantage of Innovative Card Technologies credit cards that sport built-in OTPs (one-time passwords) and displays (see card, above). IDtech designs and manufactures credit cards that can contain built-in smart-card chips, proximity technology for physical access needs and OTP displays. Would you rather carry around a clunky RSA token, or slide a credit card into your wallet and forget about it? Now ask what your employees and customers would prefer.


Post-1990s tokens aside, we don't think the issue will be making a decision among tokens, smart cards, biometrics or hybrid models like TriCipher, but rather having the flexibility to use the right technology given your use cases, understood threats and known restrictions. Smart organizations aren't building IdM infrastructures around a single authentication protocol or model, but rather are taking a flexible approach.


Which brings us to the next piece of critical IdM plumbing: the identity store.


Open Source Makes Its Mark


Eighty-three percent of our survey respondents use Microsoft Active Directory as an identity store. Considering Microsoft's penetration in the server space, its domination on the desktop and the wide adoption of critical applications like Exchange, that figure shouldn't surprise anyone. Let's face it: It's difficult to avoid using AD today. Having it bundled with the server OS makes going another avenue a really hard sell.


But we were a little surprised by what occupied the No. 2 slot among identity stores: the open-source OpenLDAP project. That is, we were surprised until we started talking to readers. What we learned is that OpenLDAP is driving a number of Fortune 500 enterprise IdM efforts, and adoption doesn't appear to be slowing.


Another area that appears to be shifting is the tactics behind identity store consolidation efforts. When we spoke to large organizations a few years ago, many were embarking on initiatives to centralize their user and other "identity" information into a single repository or directory. While that ideal still exists, most appear to have lowered the bar a notch and would be happy with getting down to only three or four stores.


Again, flexibility seems to prevail.


"The reality is that in large companies, the business model and related operating environments often prohibit the ideal of a single--or even a low number--of repositories for user or identity data, not to mention the number of distinct sources of authoritative data," Ayala says. "The concept of virtual directories seems the most logical way to merge all these sources and storage locations of user data."


Indeed, adding to the modern repertoire of IdM tools is this relatively new concept of "virtual directories." Virtual directories can perform a number of handy utility functions, including serving as pseudo information proxies for uncooperative applications and providing directory caching and schema-presentation services. One common use of virtual directory technology is to place it "in front" of multiple directory stores and use it to service all application information requests. This approach can alleviate the need to consolidate to a single identity store or create overly complex "specific application to specific directory service" mappings. The approach can also help take business discussions to the next level.


"Thanks to our VDS [Virtual Directory System] implementation, when I'm talking with our business people I'm no longer talking about field types and data stores," Fifth Third Bank's Anderson says. "I'm talking about identity information that they need to make decisions."


While the executives at Radiant Logic lay claim to bringing the virtual-directory concept to market back in 2001, most readers we spoke with are only now starting to research them. History aside, you'll find a range of virtual-directory offerings, from goliath companies like Oracle to niche players like Radiant Logic. There's even an open-source Virtual Directory offering called "myVD." An unfortunate abbreviation, but no doubt a handy tool ... and further validation that open-source could play a bigger role in IdM efforts moving forward. (Learn more at "Virtual Directories Take Hold")


Road Ahead


Taking a look into our crystal ball, we're confident that convergence between the logical data and physical security worlds is inevitable. Most IdM issues in the logical world--for example, the need to provision user accounts and manage access--overlay almost directly those of the physical one, even down to role mapping and provisioning/de-provisioning (see more on convergence of physical and logical security). If nothing else, Cisco's recent entry into video surveillance should serve as a clear indication that the big players are eyeing new turf.


Another area to consider is the alignment of IdM initiatives with business objectives. Sure, there are huge security and compliance benefits inherent in IdM, not to mention the cost savings coupled with automating processes. But what about investigating your business stakeholders' strategy? How can IdM help them? For example, if your company is trying to provide more services and be easier to do business with, IdM will further that goal by reducing the number of IDs and passwords that a client has to deal with across multiple applications.


Another potential benefit is providing a better view into what your customers are doing--having one identity across applications makes CRM data a lot more valuable. Crazy talk? Perhaps in years past, but seeing as many believe ROI isn't the model to turn to when driving security initiatives, aligning with strategic business goals can't hurt.


Finally, as the product space, standards, and toolsets mature we should start to see a wider range of interoperable options. Historically though, this hasn't been the case.


After spending time with vendors, readers and end users, it's clear that IdM teams that took the time to get the right sponsorships and allies, validated technology sets before writing the huge PO, and properly planned and set expectations had a far easier time than those that skipped a step or two.


Having the discipline to pilot and making smart vendor choices remains critical.


"Today when you pick IdM vendors, it's for life," Allison says. "Choose wisely, because you are locking your company in for a very, very long time."


Greg Shipley is the CTO of Neohapsis, an information security consultancy and enterprise IT product-testing lab. Write to him at gshipley@neohapsis.com.

