CIO Kevin Sparks of Blue Cross and Blue Shield of Kansas City had three goals when he began deploying software for identity and access management (IAM): to simplify access to key systems and records for employees and external customers, to make that access "bulletproof" from a security standpoint, and to lighten the load of IT administrators and help desk managers.
The project hasn't been easy or cheap. The HMO has spent between $500,000 and $1 million and approximately three years on its IAM deployment. Sparks attributes at least some of that cost and time to "jumping in at the deep end of the privacy pool": that is, attempting to set up a complex automated user provisioning system without "getting our house in order first." That meant performing various housecleaning tasks such as defining or redefining business processes, getting the Active Directory (AD) schema in order, and cleaning up the HR database.
IAM terminology and vendors
Identity and access management (IAM) offerings fall into the following broad categories:
Strong, or multifactor, authentication beefs up password protection by adding layers of identification to access a given system. For example, with two-factor authentication, users identify themselves in two ways: (1) typically by means of something they know, such as a PIN or password, and (2) by means of something they possess, such as a smart card or USB token that provides single-use, time-specific passwords. Biometric systems authenticate by means of the end user's fingerprint or retinal scan.
Vendors: Imprivata Inc., RSA Security Inc., Cryptocard Inc., Secure Computing Corp., VeriSign Inc.
Single sign-on (SSO) gives end users access to all applications and services for which they are authorized via a single procedure. It is often combined with multi-tier authentication, says Jonathan Penn of Forrester Research.
Vendors: RSA Security, Imprivata, Passlogix Inc., ActivIdentity Inc., IAM suite vendors.
IAM suites provide a combination of IAM applications integrated at least at the user interface level. While they rarely include strong authentication, they typically support a range of third-party authentication products. Suites typically include SSO, plus the following:
Vendors: CA, Hewlett-Packard Co., IBM Corp.-Tivoli, M-Tech Information Technology Inc., Courion Corp., Oracle Corp., Novell Inc., Siemens AG, RSA Security.
Still, Blue Cross and Blue Shield of Kansas City (BCBSKC) got the job done. The platform went live this fall, and Sparks has high hopes of achieving all his goals. He has already seen some payback: RSA Security Inc.'s Access Manager has eliminated many help desk calls by reducing the number of passwords end users have to remember from about 10 to one. As a result, the staffers dedicated to dealing with password-related problems -- the equivalent of two full-time positions -- have been redeployed to "high-value tasks," he says.
When it began its deployment, BCBSKC was something of a midmarket pioneer. But today, more and more midsized firms are adopting IAM if not whole hog, then one step at a time. Some are starting out with one comparatively simple IAM application. Others are taking advantage of a growing body of midmarket-oriented IAM suites. These products enable midmarket firms' IT staffs to meet progressively more stringent security and regulatory requirements for an increasingly diverse user base without overburdening IT administrators or end users.
How? IAM automates basic security tasks such as managing passwords and controlling user access rights. As applications and systems proliferate, performing such tasks manually becomes complicated and arduous; each directory or user database requires a manual login and a different set of tools for managing user accounts. As a result, "access controls build up over time like barnacles on a boat," notes Jamie Lewis, CEO of Burton Group, a Midvale, Utah-based consultancy. Furthermore, system access now often extends to business partners and contractors, widening the pool of users for administrators already struggling to keep up with growing or shrinking corporate rolls.
The Compliance Card and Other Benefits
While midmarket figures are hard to come by, the total IAM market is growing at a quick clip of about 20% a year, according to research firm Gartner Inc.
And IT executives at midsized firms are dealing with the same internal security concerns and regulatory pressures that are driving enterprise adoption, notes Burton Group's Lewis.
Take Unicco Service Co., the Newton, Mass.-based $700-million firm that provides janitorial and landscaping services. It doesn't come directly under the Health Insurance Portability and Accountability Act or Sarbanes-Oxley (SOX), "but our customers do," says Bill Jenkins, the firm's senior director of IT. "They're always asking us questions about what controls we have in place, how we're managing user accounts, how people get access. If we are not [complying with security regulations], we become a liability for them. It's not a big issue yet, but our CFO wants us to move in the right direction." Jenkins recently deployed a limited, prepackaged version of IBM Tivoli Identity Manager.
At Financial Engines Inc., a financial consulting firm based in Palo Alto, Calif., "We're subject to Gramm-Leach-Bliley, but we also are increasingly coming under SOX, because while we're not public, we provide services for public financial firms," says Matthew Todd, CISO and vice president of risk and technical operations. The company has set up formal processes for terminating departing employees' access rights and automated workflow procedures for hiring and firing using Serena Software Inc.'s TeamTrack. It also uses two-tiered authentication for critical applications: To gain access to important financial applications, end users must key in a password and a onetime code supplied by an RSA SecurID fob.
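As an added illustration of the two-factor check the sidebar defines and that Financial Engines applies to its financial applications (this is example code written for this page, not code from the article or from RSA or any other vendor named in it): a password, something the user knows, and a time-specific one-time code, something the user has, must both verify before access is granted. The one-time code follows the HOTP/TOTP algorithms of RFC 4226 and RFC 6238, which is the general form of time-based token codes; the secret, password and user are constructed, and the replay rule (a code is accepted only once) is a design choice of this example rather than anything the article describes.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# One-time-code parameters (RFC 6238 defaults; chosen for this example).
TOTP_STEP_SECONDS = 30   # each code is valid for one 30-second time step
TOTP_DIGITS = 6
TOTP_SKEW_STEPS = 1      # tolerate one step of clock drift either side


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step)


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


class TwoFactorVerifier:
    """Checks both factors for one user (constructed demo, not a vendor API)."""

    def __init__(self, salt: bytes, password_digest: bytes, totp_secret: bytes):
        self.salt = salt
        self.password_digest = password_digest
        self.totp_secret = totp_secret
        self.last_accepted_step = -1  # highest time step already consumed, for replay rejection

    def verify(self, password: str, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now

        # Factor 1: something you know. Always evaluated, so a failure does not
        # reveal which of the two factors was wrong.
        _, digest = hash_password(password, self.salt)
        password_ok = hmac.compare_digest(digest, self.password_digest)

        # Factor 2: something you have. Accept the code for the current step or
        # its neighbours, but never a step that was already used: one-time means one use.
        well_formed = len(code) == TOTP_DIGITS and code.isascii() and code.isdigit()
        current_step = now // TOTP_STEP_SECONDS
        accepted_step = None
        if well_formed:
            for step in range(current_step - TOTP_SKEW_STEPS, current_step + TOTP_SKEW_STEPS + 1):
                if step <= self.last_accepted_step:
                    continue
                if hmac.compare_digest(hotp(self.totp_secret, step), code):
                    accepted_step = step
        code_ok = accepted_step is not None

        if password_ok and code_ok:
            self.last_accepted_step = accepted_step
            return True
        return False


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 test secret and a made-up password.
    secret = b"12345678901234567890"
    salt, digest = hash_password("correct-horse-battery")
    user = TwoFactorVerifier(salt, digest, secret)
    now = int(time.time())
    print("first login:", user.verify("correct-horse-battery", totp(secret, now), now))
    print("replayed code:", user.verify("correct-horse-battery", totp(secret, now), now))
```

The skew window is what makes a hardware token usable when its clock and the server's drift apart by a few seconds; the `last_accepted_step` check is what stops a code that was observed once (on paper, in a spreadsheet, over the shoulder) from being used again within that window.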
But regulatory compliance is just one benefit of IAM; another is quick payback from fewer help desk calls. "We've seen real instances where a company eliminates about 80% of [password-related] help desk calls by putting in password management," says Lewis. "It can be as simple as a self-service password reset console." Given Burton Group's estimate that 30% to 40% of help desk calls are password related, self-service password management can save a lot of IT man-hours, even at a midmarket company. "Seven-hundred-million-dollar companies have lots of people and a lot of help desk calls," Lewis notes.
Single sign-on (SSO) can also minimize help desk calls as well as boost security and end-user satisfaction. In mid-2005, an RSA Security survey of approximately 1,700 end users found that 25% of respondents keep their passwords on a spreadsheet or other document stored on a PC; 22% on a PDA or handheld device; and 15% on a piece of paper. By enabling employees to access all applicable systems with one password, SSO not only makes life simpler for employees but also makes these insecure practices unnecessary. And it strengthens security by enabling IT staffs to enforce strong password policies -- frequent changes or complex character strings, for example -- without overburdening end users, says Jonathan Penn, a principal analyst at research firm Forrester Research Inc.
IAM Dos and Don'ts
Like any complex, enterprise-wide system, identity and access management (IAM) requires considerable up-front planning and has more than its share of pitfalls and gotchas. Here are some important dos and don'ts.
Do take a holistic approach to your IAM deployment. Different IAM systems need to work together. For example, Web access management can use single sign-on (SSO) to give customers easy access to corporate systems. With today's networks extending far beyond the corporate firewall, a common ID management and authentication system "becomes the only organizing principle for managing access and delivering services," says Jonathan Penn, a senior analyst at Forrester Research Inc.
Ask specific questions about the level of integration vendors provide between different IAM products (not just their own but those of partners as well). Can different IAM suite components share a common end-user repository, management console, and consistent set of administrative tools and policies? Such integration is still more an ideal than reality, warns Jamie Lewis, CEO of Burton Group.
Do be pragmatic about whether a particular application is right for your company. "A midsized company's business processes may not be mature or documented enough" to apply to user provisioning, says Kevin Sparks, CIO at Blue Cross and Blue Shield of Kansas City. Furthermore, for many midmarket firms, role-based provisioning, which expedites the process by automatically assigning access rights by group or job title, is impractical when employees wear several hats.
Don't be too granular in your approach. "Security wonks can tighten things to the point where usability is gone," says Sparks. "You can theoretically whiteboard a perfect system, then discover that it is administratively unmanageable."
Don't take a one-size-fits-all approach to strong authentication. Physical tokens, for example, may work fine for workers on the corporate campus. But distributing them to employees who are overseas or on the road can be a costly hassle. Physical tokens are also generally impractical for authenticating users over the Web. A common strategy is to ask for a password and some kind of personal information, such as a mother's maiden name.
Do plan for the future. Just because your company doesn't fall under the Sarbanes-Oxley Act now doesn't mean it won't if it gets acquired, goes public or otherwise. Don't wait until you need an IAM system to start shopping for one.
A Suite Solution
For several years, companies such as CA, Hewlett-Packard Co., IBM Corp.-Tivoli, Oracle Corp. and Siemens AG have sold traditional IAM suites that include password self-service, user provisioning and, often, SSO. These comprehensive, integrated packages are usually built around a meta directory that collects end-user data from various directories and databases, eliminates redundancies and inconsistencies, and creates a single set of entries in a central repository. User identities and access privileges can then be administered centrally using a consistent set of policies. Changes to a user account are automatically propagated across all user databases.
Until recently, these suites targeted enterprise customers, largely because setting up a meta directory is a major project, requiring extensive IT resources and expertise that midsized companies may not be able to spare. "Midmarket companies rarely want to do their own user-provisioning system with a meta directory," says Joe Anthony, director of IAM solutions for IBM's Tivoli division. Those that do typically bring in a systems integrator, he says.
Traditional IAM suites aren't cheap, either. "These are expensive tools," says Ray Wagner, a research vice president at Gartner. "User provisioning to be used internally, with full ID management plus maintenance, can cost $80 to $100 per user."
And the license cost is just the beginning. "You can't just buy tools and expect to solve problems," Wagner warns. "You need to look at the process currently used and define how you want it to be." For a midsized company, "planning, buying and installing the software, implementing ID management for the first, say, five or 10 key applications like email and Active Directory, will take six to 10 months on average, sometimes more," says Wagner.
Yet the landscape is changing. Most leading IAM suite vendors now have products geared to the limited IT resources and budgets of midmarket firms. Preconfigured appliances and "lite" versions of enterprise suites may be less feature-rich and customizable than full-fledged enterprise IAM systems, but they are also much cheaper and easier to implement.
And indeed, midsized organizations are signing on to these simpler options.
Unicco, for example, found IBM Tivoli Identity Manager far too complex, Jenkins says. "Setting up the rules would be a three-month engagement; it wouldn't get off the ground." But IBM Tivoli Manager Express, a more limited, prepackaged version, was "competitively priced" and easy to deploy; it offers templates to enable companies to set up user provisioning without having to go through a meta directory design process. "We set it up in five days, got some quick wins," Jenkins notes. "We'll modify it as we move forward and identify areas of opportunity."
For SSO, an appliance can be the way to go. Because of the product's speed of deployment, Edward Martinez, CIO at the H. Lee Moffitt Cancer Center & Research Institute, chose Imprivata Inc.'s SSO appliance to give doctors one login for as many as 10 systems. "It could be rolled out in a couple of weeks" instead of months, he says. "Other IAM products are good, but the cost and the implementation were mind-boggling." The product uses an application profile generator to automatically determine the procedure for logging into a particular application, eliminating the need for an IT person to create specialized scripts for each application.
Vendors are also fitting existing IAM platforms with ease-of-use features: templates, wizards, and knowledge-based tools designed to minimize the grunt work and complexity in setting up and maintaining such systems.
In September, for example, Courion announced a series of "jump-start options" designed to help customers quickly set up a basic provisioning workflow that provides access to AD, email and some core applications, according to Kurt Johnson, Courion's VP of corporate development. "You can get started on a specific pain point without doing a long, heavy consultative project," Johnson says. "We've seen a lot of interest in the midmarket." In addition, Courion's IAM suite uses pre-written "connectors" to pull in data from existing directories, eliminating the need for a meta directory, Johnson says.
A growing number of suites can be purchased a module at a time. Novell Inc.'s Identity Manager, for example, allows customers to start with a basic ID management package that includes a meta directory, identity integration, user provisioning and password synchronization. They can then add workflow-based provisioning and/or Web SSO capabilities as needed. Several vendors offer user-based as well as site-based pricing. For example, the basic package of Novell Identity Manager is available for approximately $18 a user, including discounts, Novell says. Adding Web SSO costs an additional $7 a user.
Meanwhile, midmarket companies that are mainly Microsoft shops have the option of building their IAM infrastructure around Microsoft products. Of 358 IT professionals responding to an April SearchSecurity.com survey on identity and access management, 85% say they use Microsoft products for directory services, group policy and provisioning. Nearly two-thirds say Microsoft is their primary vendor for this purpose. In addition, 73% say they use Microsoft products for authentication and authorization.
"As long as enterprises are willing to make Active Directory their central authentication service and rely on the access control infrastructure of the Windows server, fewer user IDs will be needed, and those that remain can be managed as an Active Directory account," says Gartner. In its 2006 Magic Quadrant report on user provisioning, the research firm notes, "Customers report that the software license fees and integration costs are so much lower than other [user-provisioning] product deployments, that it is worth the effort," even though Microsoft's IAM products tend to be less feature-rich than those of third parties. Microsoft partners like M-Tech Information Technology Inc. and BMC Software Inc. provide missing pieces like workflow and role management and connectors to non-Microsoft applications, Gartner notes.
A Modular Approach
For midmarket firms with a large number of specialized, non-Microsoft applications, however, a modular approach to IAM may be the only way to go. Setting up automated provisioning and de-provisioning in particular "is a tricky proposition that can fail dramatically, visibly and dangerously career-wise," according to Burton Group's Lewis. A company is more likely to succeed when it starts with 15 applications for which regulatory compliance is a top priority, he adds. "Get those working, demonstrate success and move on to the next phase."
Financial Engines has taken a "staged approach" to IAM, because "we lack the resources to tackle an enterprise-wide project with one comprehensive solution for everything from purchasing to customer management," says Todd. So too at H. Lee Moffitt, Martinez initially looked for a system that provided both user provisioning and SSO but decided to focus on SSO first. It was the higher priority, since end users, particularly doctors, were complaining vociferously about the need to use a different sign-on for each system, he says. "Our doctors now have one password instead of 10. Even if the system cost us a million dollars, it would still pay for itself," Martinez says.
Still, the project could not encompass all the cancer center's applications. With "best-of-breed applications for everything, we have dozens -- hundreds -- of applications," each with its own user database, Martinez says. As a result, he is initially focusing the SSO deployment on the applications that physicians and researchers use every day. "A lot of hospitals are moving toward a common user database schema, but for us that'll be years, if ever," Martinez says.
But Martinez still plans to deploy user provisioning soon. "From what I've heard and seen, it's worth the hassle." IT administrators currently have to deal with 30 or 40 employee terminations a week, with a typical end user having accounts for four or five applications. "That's a day's worth of manpower," says Martinez.
Get Your House in Order
IAM technology has become more accessible to the midmarket, but it won't bring benefits unless a company's security infrastructure is in order. To work as advertised, IAM systems like Web access management, SSO and automated user provisioning need a consistent, synchronized set of IDs, user profiles and access rights.
For example, "SSO is technically fairly easy to implement," notes BCBSKC's Sparks, but because it gives end users access to a wide range of resources with one login, it's imperative that IT get rid of security gaps and access-right anomalies like "orphan accounts" (i.e., the still-active access rights of departed employees).
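As an added example of the clean-up Sparks describes (written for this page; it is not code from the article or from any product it mentions): before SSO or automated provisioning can be trusted, every enabled account in every system needs an owner in the HR record, and owners who have left must have no enabled accounts left behind. The snippet reconciles a constructed HR roster against constructed account lists from three systems, flags enabled accounts whose owner is terminated (orphan accounts) or unknown to HR, and lists, for a departed employee, the systems that still need de-provisioning. Accounts link to HR either by an employee id the system stores or, where it stores none, by the e-mail local part; all names, ids, system names and dates are made up.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    emp_id: str
    email: str
    status: str                    # "active" or "terminated"
    term_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    system: str
    username: str
    enabled: bool
    emp_id: Optional[str] = None   # only some systems store the HR id


# Constructed sample data (not from the article).
HR_ROSTER = [
    Employee("E100", "alice.ng@example.com", "active"),
    Employee("E101", "bob.rey@example.com", "terminated", date(2006, 9, 15)),
    Employee("E102", "carol.diaz@example.com", "active"),
]

ACCOUNTS = [
    Account("AD", "alice.ng", True, "E100"),
    Account("AD", "bob.rey", True, "E101"),        # departed, still enabled
    Account("AD", "carol.diaz", True, "E102"),
    Account("email", "alice.ng", True),
    Account("email", "bob.rey", True),             # departed, still enabled
    Account("clinical", "bob.rey", False),         # already disabled: fine
    Account("clinical", "dsmith", True),           # nobody in HR owns this
    Account("clinical", "carol.diaz", True),
]

Finding = Tuple[str, str, str, Optional[str]]   # (kind, system, username, emp_id)


def link_account(account: Account, by_id: Dict[str, Employee],
                 by_local_part: Dict[str, Employee]) -> Optional[Employee]:
    """Resolve an account to an HR record: by stored employee id first, else by e-mail local part."""
    if account.emp_id is not None:
        return by_id.get(account.emp_id)
    return by_local_part.get(account.username.lower())


def reconcile(hr: List[Employee], accounts: List[Account]) -> List[Finding]:
    """Return a finding for every enabled account that should not be enabled.

    'orphan'    : the owner has left the company but the account is still active
    'unmatched' : no HR record can be found for the account at all
    """
    by_id = {e.emp_id: e for e in hr}
    by_local_part = {e.email.split("@")[0].lower(): e for e in hr}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account carries no access right to clean up
        owner = link_account(acct, by_id, by_local_part)
        if owner is None:
            findings.append(("unmatched", acct.system, acct.username, None))
        elif owner.status == "terminated":
            findings.append(("orphan", acct.system, acct.username, owner.emp_id))
    return sorted(findings, key=lambda f: (f[0], f[1], f[2]))


def deprovision_plan(emp_id: str, hr: List[Employee], accounts: List[Account]) -> List[str]:
    """Systems in which a departed employee still holds an enabled account."""
    return sorted(f[1] for f in reconcile(hr, accounts) if f[0] == "orphan" and f[3] == emp_id)


if __name__ == "__main__":
    for finding in reconcile(HR_ROSTER, ACCOUNTS):
        print(*finding)
    print("E101 still enabled in:", deprovision_plan("E101", HR_ROSTER, ACCOUNTS))
```

Run against real exports, the same report gives an administrator two lists: accounts to disable before SSO widens what one login reaches, and accounts whose ownership has to be established (or which have to be removed) before a meta directory or provisioning connector would simply carry them forward as valid identities.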
Sparks' multiyear project involved diving deep into those considerations. Having just gone live with a full IAM platform, he is waiting to see how the investment pays off. "Our requirements in the marketplace were to find something that gives us peace of mind but also is not so onerous that people can't use the functionality of our Web site or our applications," he says. "IAM holds that promise: The jury is still out in terms of ROI, but we're keeping our fingers crossed."
Elizabeth Horwitt is a contributing writer based in Waban, Mass. Write to her at firstname.lastname@example.org.