IAM Dos and Don'ts
Like any complex, enterprise-wide system, identity and access management (IAM) requires considerable up-front planning and has more than its share of pitfalls and gotchas. Here are some important dos and don'ts.
Do take a holistic approach to your IAM deployment. Different IAM systems need to work together. For example, Web access management can use single sign-on (SSO) to give customers easy access to corporate systems. With today's networks extending far beyond the corporate firewall, a common ID management and authentication system "becomes the only organizing principle for managing access and delivering services," says Jonathan Penn, a senior analyst at Forrester Research Inc.
Ask specific questions about the level of integration vendors provide between different IAM products (not just their own but those of partners as well). Can different IAM suite components share a common end-user repository, management console, and consistent set of administrative tools and policies? Such integration is still more an ideal than reality, warns Jamie Lewis, CEO of Burton Group.
Do be pragmatic about whether a particular application is right for your company. "A midsized company's business processes may not be mature or documented enough" to apply to user provisioning, says Kevin Sparks, CIO at Blue Cross and Blue Shield of Kansas City. Furthermore, for many midmarket firms, role-based provisioning, which expedites the process by automatically assigning access rights by group or job title, is impractical when employees wear several hats.
Don't be too granular in your approach. "Security wonks can tighten things to the point where usability is gone," says Sparks. "You can theoretically whiteboard a perfect system, then discover that it is administratively unmanageable."
Don't take a one-size-fits-all approach to strong authentication. Physical tokens, for example, may work fine for workers on the corporate campus. But distributing them to employees who are overseas or on the road can be a costly hassle. Physical tokens are also generally impractical for authenticating users over the Web. A common strategy is to ask for a password and some kind of personal information, such as a mother's maiden name.
Do plan for the future. Just because your company doesn't fall under the Sarbanes-Oxley Act now doesn't mean it won't if it gets acquired, goes public or changes in some other way. Don't wait until you need an IAM system to start shopping for one.
A Suite Solution
For several years, companies such as CA, Hewlett-Packard Co., IBM Corp.-Tivoli, Oracle Corp. and Siemens AG have sold traditional IAM suites that include password self-service, user provisioning and, often, SSO. These comprehensive, integrated packages are usually built around a meta directory that collects end-user data from various directories and databases, eliminates redundancies and inconsistencies, and creates a single set of entries in a central repository. User identities and access privileges can then be administered centrally using a consistent set of policies. Changes to a user account are automatically propagated across all user databases.
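To make the meta directory model concrete, here is an added Python sketch (not code from the article or from any vendor's product) of the merge-and-propagate loop it describes: records from several constructed sources are reconciled into one entry per employee ID, attributes the sources disagree on are reported, and a change made centrally is pushed back to every source that holds the user. The source names, attributes and authority order are assumptions made for the example.

```python
# Added example: a toy meta directory. Sources, attributes and the
# authority order below are constructed for illustration only.

# Constructed sample data: each connected source, keyed by employee ID.
SOURCES = {
    "hr_db": {
        "1001": {"name": "Ana Lopez", "email": "ana.lopez@example.com", "dept": "Finance", "status": "active"},
        "1002": {"name": "Bo Chen", "email": "bo.chen@example.com", "dept": "IT", "status": "active"},
    },
    "active_directory": {
        "1001": {"name": "Ana Lopez", "email": "alopez@example.com", "status": "active"},
        "1002": {"name": "Bo Chen", "email": "bo.chen@example.com", "status": "active"},
    },
    "crm_app": {
        "1001": {"email": "ana.lopez@example.com", "status": "active"},
    },
}

# Authority order: when sources disagree, the earlier source's value wins.
AUTHORITY = ["hr_db", "active_directory", "crm_app"]


def build_meta_directory(sources):
    """Return (entries, conflicts): one merged entry per employee ID, plus a
    list of (id, attribute, {source: value}) for attributes the sources
    disagree on, so inconsistencies are surfaced rather than silently lost."""
    entries, conflicts = {}, []
    ids = {uid for recs in sources.values() for uid in recs}
    for uid in sorted(ids):
        merged, seen = {}, {}
        for src in AUTHORITY:
            for attr, value in sources.get(src, {}).get(uid, {}).items():
                seen.setdefault(attr, {})[src] = value
                merged.setdefault(attr, value)  # first (most authoritative) wins
        for attr, by_src in seen.items():
            if len(set(by_src.values())) > 1:
                conflicts.append((uid, attr, by_src))
        entries[uid] = merged
    return entries, conflicts


def propagate_change(sources, uid, attr, value):
    """Apply one centrally administered change (e.g. disabling an account)
    to every source that holds the user; return the sources updated."""
    updated = []
    for src, recs in sources.items():
        if uid in recs:
            recs[uid][attr] = value
            updated.append(src)
    return sorted(updated)
```

Running `build_meta_directory(SOURCES)` on the sample data yields one conflict (the two e-mail addresses recorded for employee 1001), which is exactly the kind of redundancy a meta directory project has to clean up before central administration works.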
Until recently, these suites targeted enterprise customers, largely because setting up a meta directory is a major project, requiring extensive IT resources and expertise that midsized companies may not be able to spare. "Midmarket companies rarely want to do their own user-provisioning system with a meta directory," says Joe Anthony, director of IAM solutions for IBM's Tivoli division. Those that do typically bring in a systems integrator, he says.
Traditional IAM suites aren't cheap, either. "These are expensive tools," says Ray Wagner, a research vice president at Gartner. "User provisioning to be used internally, with full ID management plus maintenance, can cost $80 to $100 per user."
And the license cost is just the beginning. "You can't just buy tools and expect to solve problems," Wagner warns. "You need to look at the process currently used and define how you want it to be." For a midsized company, "planning, buying and installing the software, implementing ID management for the first, say, five or 10 key applications like email and Active Directory, will take six to 10 months on average, sometimes more," says Wagner.
Yet the landscape is changing. Most leading IAM suite vendors now have products geared to the limited IT resources and budgets of midmarket firms. Preconfigured appliances and "lite" versions of enterprise suites may be less feature-rich and customizable than full-fledged enterprise IAM systems, but they are also much cheaper and easier to implement.
This was first published in November 2006