Security Standards

Every organization is confronted with the question of how best to manage digital identities in order to effectively control access to and use of its IT application resources. To grasp the extent of this challenge, consider the stages of an identity's lifecycle, and the processes, practices, and tools needed within each stage.

In this context, identity management is basically defined as the tools and processes related to the efficient, secure, and auditable creation, use, maintenance, and deletion of digital identities. The diagram shows a lifecycle comprised of five core stages, establishing the relationship between Create, Use, Maintain, and Delete; underpinning them all is a consistent Audit mechanism that provides visibility into the what, when, where, and how of that identity's activity in each stage.

It is critically important to recognize the interdependence between each stage in the identity lifecycle. In other words, changes in technology or processes within any one stage are likely to have repercussions on the others. This is why it is imperative that identity lifecycle management initiatives focus as much on the linkage between lifecycle stages as the processes within any one stage. In the end, disjointed identity lifecycle management results in operational, information security, and regulatory compliance problems.

This interdependence between lifecycle stages highlights the need for a turnkey technology approach for identity management, one that provides tight and consistent linkage between the processes of each stage. To date, however, vendors have generally promoted and attempted a "best-of-breed" approach in this arena. This is evidenced by the large number of vendors who provide stand-alone products targeted at individual functions within the lifecycle, such as password management, user account provisioning, directory integration tools, single sign-on, and reporting and audit tools.

Even so-called suite providers may in actuality be best-of-breed product providers. In many cases, each element in the suite is actually fully stand-alone, having been developed separately, at different times, and/or by entirely different companies who have since either merged or OEM'd their product to each other.

While the best-of-breed technology philosophy has merits when addressing independent, singular problems, it is not well suited for environments with highly interdependent processes that require cohesion; matrixed organizational structures with many shared resources; and sensitivity to the delays that extensive field integration can cause. The identity lifecycle is one such environment where the best-of-breed point product approach will be problematic, for two primary reasons. First, point products are typically functionally oriented, rather than business-unit oriented. This makes providing a complete lifecycle management ecosystem an enterprise-wide proposition rather than a business-unit endeavor. Second, "chaining" point products across lifecycle stages will present greater integration burdens and risks than a cohesive, end-to-end product that establishes a consistent construct for the entire lifecycle.

The Critical Need For Identity Lifecycle Management

As stated above, disjointed and inefficient identity lifecycle management results in a set of interrelated operational, information security, and regulatory compliance problems. Taken together, these form the Secured User Management challenge that needs to be addressed by an identity, access, and audit management infrastructure.

Operational Challenges
This class of business problem concerns itself with operating metrics such as administrative cost burden, personnel productivity, and user satisfaction. In the user management context, examples of operational challenges stemming from poor identity lifecycle management are:

• Inefficient and error-prone user account provisioning: Each application owner defines a different procedure for account enrollment and approval. The user is burdened with navigating and "walking through" each unique procedure. Furthermore, multiple accounts need to be created, one for each independent application. Depending on the application, the process may be automated or manual, so the time to commission the user is bound to vary. Finally, the fragmented nature of provisioning makes effecting changes to an employee's role and associated privileges a time consuming endeavor.
• User frustration with large number of passwords: Each independent application requires its own password, whose format is likely to be unique to that application. The end user, overwhelmed with managing multiple and differing passwords, winds up driving excessive help desk costs for resets and renewals. Beyond the hard costs of help desk, from both a brand and customer relationship management standpoint, it is inappropriate to burden users with multiple passwords.
• Fragmented system administration: Independent applications, implemented on a range of platforms, make it extremely difficult to have a consolidated measurement of administrative overhead across users and applications.

Information Security Challenges
This class of business problem relates to the establishment and enforcement of security policies and standards across the IT environment, particularly in the area of user authentication and authorization. In the user management context, examples of security challenges stemming from identity lifecycle management are:

• Inconsistent digital credential policy: Each application defines its own standard for credential traits (e.g. strength of password, frequency of password changes).
• Weak Authentication: Burdening users with a large number of passwords leads them to weaken the password mechanism. At best, users pick simple passwords that they can easily remember. Unfortunately, these passwords are also easy for hackers to crack. Worse, many users write their passwords down and store them in unsecured work areas. The business case for an identity management solution must address the cost of risk associated with having such points of weakness in authentication control.
• "Orphan" Accounts: The other side of inefficient and error-prone provisioning is an equally problematic de-provisioning hurdle. In this case, the lack of consistent and reliable de-provisioning of a user account results in "orphan accounts", which could be covertly exploited by persons with malicious intent, including former employees and unhappy insiders.

Compliance and Process Integrity Challenges
If these operational and security issues were not enough, there is now a third challenge, which is arguably more compelling than the first two: legal and regulatory compliance. The enactment of numerous regulations, including Sarbanes-Oxley (SOX), Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA), is placing a significant strain on business, IT, and auditing resources across the enterprise. Compliance with these regulations demands that controls be defined and enforced to protect the integrity, privacy, and confidentiality of systems and data. In the context of identity management, this requires that an organization be able to provide a full accounting of each user's activity. At a minimum, this means knowing who has access to which resource, and then tracking when each user accessed each resource.

This class of business problem relates to accurately and cost-effectively collecting and processing data about users' access and activity on IT applications. Examples of challenges stemming from a lack of effective identity lifecycle management are:

• Incomplete user data: Legacy applications, particularly those without authorization engines, cannot collect granular data on user access patterns. Responding to an auditor's request for such data is therefore impossible.
• Fragmented user access data: Each independent application collects its own data, in its own repository, using its own rules. Even after the time is spent gathering this data from each application, the process still yields disparate presentations and reports.
• No audit report facility: Varying (perhaps non-existent in some cases) capabilities in terms of report generation make it practically impossible to provide a single, consolidated audit report of all user activity across all applications.

Tackling Identity Lifecycle Management

The above discussion highlights the business problems associated with managing digital identities. Due to their interdependence, any solution must be able to concurrently address these operational, information security, and compliance challenges. The strategic question to be answered, then, is whether a best-of-breed (i.e. point product) or integrated platform solution is more appropriate.

The best-of-breed approach to the problem involves selecting a set of point products and undertaking a field integration project to embed them into the enterprise's IT infrastructure. Conversely, an integrated platform approach involves deploying a single infrastructure product that powers all of the identity, access, and audit management services needed in an end-to-end identity lifecycle management system.

A key difference between the two approaches is the way in which they are deployed. A point product is, by definition, focused on delivering a single function (or set of related functions), such as account provisioning or password management. As shown in Figure 2, a point product can be thought of a deploying horizontally across business units. An integrated platform, on the other hand, inherently incorporates all the services needed for identity lifecycle management, and can therefore be regarded as deploying "vertically" within each business unit. Hence the earlier statement that a point product is functionally oriented, while an integrated platform is business-unit oriented. This has important ramifications in the design and deployment strategy for a secured user management solution.

What attracts buyers to point products is their promise of ease of deployment, since a point product is focused on only one business function at a time. This at first may appear simple enough, but if the processes and resources impacted by the point product are shared by multiple business units, then deployment of the product may require a cross-enterprise coordination effort. This has both technological and political implications. When considering a point product, therefore, determine if it can be deployed within a contained area, without drawing in a broader set of constituents.

Ironically, that creates its own challenges. If a point product is really so contained in its reach, experience shows that each individual department will be tempted to acquire whichever product they prefer. This ultimately leads to the company owning a host of products, doing essentially the same thing, deployed throughout the enterprise.

Perhaps the most important ramification of a best-of-breed approach is the amount of field integration that would be needed to chain all the point products into a seamless and efficient identity lifecycle management system. Each product's data scheme, input and output requirements, and configuration flexibility will impact the integration effort. Configuration flexibility, for example, comes into play when two products have some functional overlap. The integration effort will need to determine which product's native functionality will be used, while disabling the other's equivalent functionality.

Another critical integration consideration relates to auditing and reporting. Point products and even some product suites may present multiple log repositories and variable reporting capabilities that would need to be harmonized through integration. Given the regulatory pressures facing enterprises today, it is imperative that an efficient and accurate identity event auditing and reporting mechanism be established. In this way, the cost and risk of auditing will be mitigated as much as possible.

Overall integration effort, cost, and schedule and technical risk need to be carefully assessed, accounting for the complete set of point products that will ultimately be needed for an end-to-end identity management solution.

As shown in Figure 2, the integrated platform approach enables a "vertical" deployment model. That is, it can tackle either the entire enterprise or a business unit at a time. The primary benefit of this approach is the flexibility to rapidly commission the complete identity management ecosystem within a business entity. The result is the ability to show return on investment early in the process, without having to wait until the solution has been placed into production enterprise-wide.

Another key benefit of an integrated platform approach is its inherently lower cost and risk of integration. With all of the key functionality natively built in to the product, the linkages between the lifecycle stages are automatically made strong. Finally, one product platform powering the entire lifecycle management process translates into one security architecture and one consistent administrative and auditing system, thereby maximizing the efficacy of the solution in addressing the operational, security, and compliance challenges mentioned above.

Conclusion

Enterprises are increasingly compelled to design and deploy a Secured User Management solution that concurrently addresses the operational, information security, and regulatory compliance challenges associated with management of users' digital identities. Due to the interdependence between identity lifecycle stages, an integrated technology platform approach is better suited than a best-of-breed product approach for tackling these business problems.

Add Your Feedback

In order to post a comment you need to be registered and logged in.

Register | Log in

Please wait while we process your request...