Enterprise-wide identity management and provision offers a solution. However, introducing a solution is a highly complex task. It demands a sound methodology to ensure that the desired return on investment is achieved – and that the project itself doesn't spin out of control.
By using the four project phases (figure 1, below) – Consolidate, Automate, Streamline and Manage – a standard enterprise-wide concept is employed. This enables break-even after just 12 to 15 months.
The topic of IT security is precarious as it is, and has been further exacerbated by the increasing use of Web applications and the granting of access permissions to external users such as customers or partners. However, greater security isn't the only incentive offered by central provisioning. There's also:
- a high potential for rationalisation;
- a growing number of users who can be managed without an increase in costs;
- new employees who can receive access rights far more quickly;
- rights that can be revoked much more simply for employees who change posts or leave the company.
In this way, some 90% of a security administrator's routine manual activities can be automated.
Considerable work is necessary
Currently, these changes usually have to be made by the different administrators of the various technology platforms – RACF, Top Secret, Windows NT/2000, NetWare or UNIX, for example – for each application.
This involves considerable work and is, consequently, often neglected in practice. However, the accumulation of rights from an employee's different posts or the failure to withdraw access permission harbours a high risk of data theft or sabotage.
Given the difficulty in quantifying it, this is frequently ignored in any return on investment (ROI) calculations.
Identity management also reduces the workload on the administration and Help Desk teams thanks to features such as single sign-on and automatic password resetting. Users no longer have to remember a different password for each system or even application, but can obtain automatic access to all the relevant systems by entering a single password.
The result is that the Help Desk no longer needs to be contacted because users have forgotten their passwords or IDs. This accounts for 50% fewer queries addressed to the Help Desk – queries that cost US$15 each, according to estimates. Accordingly, the prospects for a high ROI with identity management are extremely enticing (provided the implementation project runs on time and within the defined budget).
Obstacles to management projects
The first obstacle on the path to successful identity management is the choice of suitable software. The market is swarming with vendors of comprehensive identity management solutions including security provisioning (such as Beta Systems, BMC, IBM Tivoli, CA or Novell) alongside a whole host of providers from related markets.
Yet a software product for single sign-on or an authentication tool is far from being the basis for an end-to-end security concept. Prospective purchasers should, therefore, look for a solution that offers all the components for ensuring central administration of users and rights across all systems and applications.
A key aspect in a project's success is co-operation between the parties involved. Identity management projects are mostly driven by various departments, including IT auditing, IT management, security, architecture and organisation. The main target group for this software – large enterprises with around 3,500 users or more, such as those in the financial sector, industry, the health sector or public authorities – tends not to have the simplest of structures.
This results in bulky security specifications often comprising 60-70 pages. An enterprise-wide identity management concept requires that every party involved in the project address not just the processes above and beyond their own department, but frequently also a plethora of changes to existing procedures.
It's certainly a challenge to reconcile the many interest groups, which typically number between three and ten.
Otherwise, the defence of vested rights ends in trench warfare. Success therefore depends on a competent project manager who is accepted by all parties, on the willingness of the parties to compromise, and on their commitment to the common goal.
A particularly decisive factor is how the new system introduction is organised. That's why, for instance, the vendor Beta Systems has developed a four-stage methodology for implementing its SAM Jupiter software. Since this issue is complex, and rapid and successful implementation of such projects demands a great deal of experience, a methodical approach is absolutely vital.
Following an examination of the current security systems, the software is installed and the most important target systems integrated. This is followed by the loading of existing security data – such as users, user groups, resources and authorisations – from the individual systems, and the creation of a single, central repository containing security definitions. The focus is now on consolidation.
One important task is to consolidate the user accounts on the connected systems and to merge them into one user identity that's unique throughout the enterprise. This work is part of the first project phase (Project Step 1: Consolidate).
One strength of the methodology is role and rule-based access protection management. Instead of internal and external employees, customers and partners being regarded as individual cases when it comes to assigning rights, the different security requirements can be pooled in roles. This slashes the cost and effort involved in administration.
New users can be automatically assigned their relevant roles on the basis of the data transferred from human resource applications or with the aid of workflows.
Tools such as data mining are used to enable rapid implementation of a role concept. This technology can be used, for example, to cluster existing authorisations into roles.
The next project step largely involves automating the processes through integration of various sources of information – for example the HR system (Project Step 2: Automate).
In this phase, all information on changes to employee data is constantly transferred to SAM from the HR data systems. One tool that's additionally configured is an integrated workflow that, for example, ensures the assignment of permissions to deputies in the event of illness or for the purpose of work in short-term project structures.
Integration of HR and creation of workflows demands precise planning of the processes to be automated: for instance, the definition of the parameters to be used as the basis for role membership, or the definition of multi-level approval procedures for the workflow.
As soon as an infrastructure is available – a central directory for user and rights administration has been created and all security systems have been integrated under the identity management software – the implementation of services such as single sign-on and automatic password reset may be tackled (Project Step 3: Streamline).
The aim is then to adapt the system and assignment of rights to organisational and structural changes at the company, integrate new applications or platforms and support administration with iterative role engineering and systematic authorisation auditing (Project Step 4: Manage). The central access rights database in future provides answers to management-related questions, such as whether employees actually have the rights they need or whether general statutory requirements are being complied with.
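The consolidation (Step 1) and auditing (Step 4) steps described above, as an added example that is neither the article's nor Beta Systems' SAM code: per-platform accounts are merged into one identity per HR employee, then checked against the role model to flag leavers, accounts with no HR owner, and rights accumulated beyond what the current role grants. The HR feed, role model, account names and entitlements are all constructed sample data.

```python
# Added example (not Beta Systems' SAM code); all data below is constructed.
from collections import defaultdict

# Constructed HR feed: employee id -> (status, job role)
HR = {
    "E100": ("active", "teller"),
    "E101": ("active", "loan_officer"),
    "E102": ("left", "teller"),
}

# Constructed role model: role -> entitlements the role should grant
ROLES = {
    "teller": {"racf:TXN.READ", "ad:Tellers"},
    "loan_officer": {"racf:TXN.READ", "racf:LOAN.APPROVE", "ad:Loans"},
}

# Constructed per-platform accounts: (platform, account, employee id, rights)
ACCOUNTS = [
    ("racf", "ADAMSA", "E100", {"racf:TXN.READ"}),
    ("ad", "aadams", "E100", {"ad:Tellers", "ad:Loans"}),  # right kept from an old post
    ("racf", "SMITHJ", "E101", {"racf:TXN.READ", "racf:LOAN.APPROVE"}),
    ("ad", "jsmith", "E101", {"ad:Loans"}),
    ("unix", "pjones", "E102", {"unix:wheel"}),  # employee has left the company
    ("unix", "svcbak", None, {"unix:wheel"}),  # no HR owner at all
]

def consolidate(accounts):
    """Step 1: merge accounts into one identity keyed by HR employee id."""
    identities = defaultdict(lambda: {"accounts": [], "rights": set()})
    for platform, name, emp, rights in accounts:
        identities[emp]["accounts"].append(f"{platform}:{name}")
        identities[emp]["rights"] |= rights
    return dict(identities)

def audit(identities, hr, roles):
    """Step 4: flag leavers, unowned accounts and rights the role does not grant."""
    findings = []
    for emp, ident in identities.items():
        if emp not in hr:
            findings.append(("orphan", emp, sorted(ident["accounts"])))
        elif hr[emp][0] != "active":
            findings.append(("leaver", emp, sorted(ident["accounts"])))
        else:
            excess = ident["rights"] - roles[hr[emp][1]]
            if excess:
                findings.append(("excess", emp, sorted(excess)))
    return findings
```

Each finding is a candidate for the revocation or re-certification the article describes; a real deployment would feed them into the approval workflow rather than act on them automatically.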
The highest possible system flexibility is a key factor, above all in times of frequent company mergers and the merging of IT landscapes.
Quicker returns count
Experience shows that the large number of applications and systems to be integrated harbours a great potential for problems in introduction. The greater the difficulty in integrating them in the central system, the more IT security managers tend to ask whether it's worthwhile incorporating every application.
A cost-benefit analysis should be conducted here. Admittedly, as a rule, less important systems are frequently left out. However, the selected identity management tool should be designed to enable the rapid integration of systems.
One aspect is overlooked in many provisioning projects: achieving an ROI depends to a large extent on what target systems are integrated first.
If a large number of target systems are meticulously integrated within a year, but only one department with 500 users, the benefit will be far less than that from a strategy that envisages integrating the three most important target systems within three to five months, yet reaches at least 90% of users within this time.
Figure 1: Using the SAM implementation methodology (image not reproduced)
Source
SMT
Postscript
Martin Kuhlmann is IT security director at Beta Systems Software AG