David Piscitello, Core Competence, Inc.
Ask ten security administrators to identify their biggest security concern today. The majority will identify worms, spam and application-level (Web) attacks. A smaller number will respond that user and access management trouble them. Chances are the administrators in the minority are managing the largest, most diverse organizations.
Equally likely, they are managing identities - user and system accounts, access privileges and policies - across multiple organizations engaged in business-to-business (B2B) and business-to-consumer (B2C) transactions. And their organizations can probably demonstrate the return on investment (ROI) in identity management (IdM) in a more quantifiable manner than most security investments. Why?
Many security investments are hedge bets; insurance against the cost to recover from a security incident. A successful attack against your organization - worm infection and propagation, Web defacement or unauthorized database access, for example - can result in a loss of productivity, information, reputation or credibility and significant expense in forensic investigation, post-incident cleanup and business restoration. These investments are without question necessary, but they are difficult to quantify: because you can't be certain your organization will be the victim of an attack, for many security investments you cannot say with certainty that a reduction in IT staff load will increase productivity.
Identity management is one security area where it is possible to quantify ROI. Managing identities, from account creation and approval to change and deactivation, is a recurring process. Defining and assigning access privileges to created identities is a recurring process. Managing account information across multiple sources (directories, databases) in a manner conducive to providing a single sign-on capability is also an ongoing process.
Telephone companies have long demonstrated that efficiencies in provisioning, service order, help desk and trouble resolution processes improve revenue. Revenue begins as soon as the subscriber has dial tone. Prompt resolution of customer inquiries and service restoration enhances customer satisfaction, reduces customer attrition and takes the sting out of breaches of service level agreements.
A well-conceived IdM deployment can bring the kinds of efficiencies telephone companies have mastered to an organization struggling with several or all of the following common user account and access management problems:
Some costs are measurable. Determine the hours per month IT staff no longer spends performing account management tasks, then multiply those recovered hours by the fully burdened pay rate of IT staff. Similarly, determine the hours per month help desk staff no longer spends dealing with forgotten credentials and account profusion confusion, and again multiply by the fully burdened pay rate of help desk staff.
Less easily computed but equally valuable benefits the organization derives include important security enhancements:
IdM doesn't come cheap, and it's not a security panacea. Implementation doesn't occur overnight, and it is sometimes painful. But as organizations grow in size and complexity, and their business relationships become more numerous and complex as well, the case for adopting identity management is easier to justify.