With the security policies tightening across corporate America, small wonder that CIOs are increasingly interested in the concept of identity management (IDM). "In terms of popularity, it consistently comes up in the top three on our surveys of CIO concerns," said Earl Perkins, an analyst at Meta Group, a research company in Stamford, Conn. Perkins said that today's heightened security awareness and the current issues around regulatory compliance, have made CIOs all the more sensitive about having rock-solid knowledge around just who is accessing particular types of data.
But while the topic is hot, there's also a lot of confusion as to what identity management really is. While technology plays a part in it, IDM is really more of a strategy than a particular piece of software, said Jonathan Penn, an analyst at Forrester Research in Boston. "You can tie technology to it, but it's really about business policies and service delivery, both of which are bolstered by technology," he said.
"Identity management focuses around the management of the various accounts and duplicative efforts of managing accounts and access rights. It's about getting a full view of a person and simplifying and streamlining management of all the IDs of a person -- as well as of knowing from an audit perspective what that person has been doing."
Because the topic is so broad, it's impossible to find a perfect IDM strategy, although companies are trying. According to Phebe Waterfield,
They have good reason. The number of passwords or systems accounts that corporate workers must remember and deal with on a daily basis is mushrooming. "That number has gotten overwhelming," said Waterfield. "If you assume at least half a dozen per person and multiply by the number of employees, CIOs end up managing tens of thousands of accounts." Because it costs between $15 and $30 per help desk call every time somebody forgets his or her password, multiple accounts can also be expensive.
So IT executives have turned to identity management to streamline the problem. The utopian vision is that of 'single sign-on,' in which users need to log on to the corporate system only once to be granted access to the appropriate systems they need to do their job. The next step is automation of issues such as provisioning, in which new employees are automatically given access to the appropriate systems, and employees leaving the company have access shut down immediately. This is particularly attractive to security people, said Penn.
"At some organizations, as many as 30% of accounts are dormant," he said, meaning that ex-employees could, in theory, log back onto the company network -- a possible security threat.
All of this must take place across the polyglot of systems and platforms that are the norm at any large company. "Most companies have heterogeneous platforms, each one with native controls," pointed out Waterfield. "You can't go to one vendor and get an end-to-end solution."
There are various methods of authentication in identity management, such as RSA tokens, biometrics, and password controls. Companies looking to save money through streamlined administrative processes may opt for provisioning software, while others want a single directory. It all depends on the pain point of each particular business. Penn said that there are three basic drivers for implementing identity management technology: "Extending and improving business service delivery, improving internal efficiencies and cutting costs, and improving compliance and corporate oversight."
The question a CIO has to answer is, which driver has the biggest chance of gaining approval for the project? The following tips can help CIOs increase their chances of success:
Get business buy-in
Identity management does indeed have a technology component, but it's hugely process- and people-driven. "There are technology elements and challenges, but what's tough for CIOs is that it changes company culture," said Waterfield. "It changes business processes and user processes, and that's the main reason it takes a long time to implement."
For that reason, it's imperative to get the support of business executives and make them see the value of the project. One problem is that many IDM projects lack a cut and dried ROI. Reducing help desk costs is one popular way to tie ROI to an identity management project, but overall, security isn't about ROI. "It's about reduction of risk, and that's a much harder sell," said Waterfield.
Penn suggests tying the IDM project to whatever lure is most likely to appeal to the business decision makers. "It has to be enticing," he said. "For example, the ability to develop tighter relationships with customers, partners and suppliers, or be able to improve user control over how a service is delivered -- those things are in the language of the business guys."
The other thing is to make sure that the budget is assured up front, because these projects are not cheap. "For a 10,000 employee company, a very conservative estimate would be a half a million dollars and a year of work," said Waterfield.
Conduct a risk analysis
Because risk reduction is at the core of so much identity management technology, CIOs should start their work with a risk analysis. CIOs should aim to discover their risks around three areas: the confidentiality, availability and integrity of corporate data. "Doing a risk analysis starts to identify areas of the company where that's more important," said Waterfield. "Things like what systems are covered by regulations, or where the most important information assets reside." Companies can then properly focus their initial projects.
Inventory your Identity Infrastructure
Another step is to inventory the corporate identity infrastructure, which may not be as simple as one thinks. "There are lots of moving parts in the enterprise today that CIOs may not be aware of," said Perkins. "For example, during the Web mania period, people were putting out extranets and Web applications, and they deployed directory services to allow access." As a result, companies could be sitting on repositories of ID and password resources that they don't know about.
Start small and buildBecause IDM is such a large and expensive a concept, most experts recommend taking small bites and implementing enterprise identity management in pieces. "Take the component you'll get the most ROI from," advised Perkins. Once that is successfully completed, CIOs will have the table stakes to leverage that project's success into getting approval for the next phase of the project.
This was first published in August 2004