Identity management is now top of mind for the various application development groups at The Canadian Broadcasting Corporation. But when the strategy was first introduced in its nascent form several years ago, the benefits were obvious to the IT department before the rest of the organization caught on.
But CBC’s identity management strategy has not remained static.
The corporation has moved to tighter security and improved ease of use by synchronizing passwords that its 11,500 users need to access applications. “When you’re accessing different systems,” said Jeffrey, “people have different passwords or use the same password, or have to publish their passwords on various spots to keep track of them.”
Logging on to different applications each time with the same strong password is less taxing on user productivity, said Jeffrey. But IT support gets a break as well. “If you look at most statistics, on a Monday your calls go up because people come in after the weekend and have forgotten what their passwords were,” he said. The frequency of calls is now lower, and should users forget their one password, they are routed to a self-serve Web site to obtain it.
Jeffrey said CBC may implement a single sign-on identity management system in the future.
Idan Shoham, chief technology officer with Calgary-based identity management technology vendor Hitachi ID Systems Inc., said that identity management strategies will differ depending on an organization’s priorities. Perhaps, said Shoham, a business might first want a single sign-on product, or software to automate access termination for departed employees, or a password reset system to reduce headcount at the help desk. Whatever the current initiative may be, he continued, an identity management strategy comprises myriad moving parts, which means “the approach of trying to implement everything in one go is really a non-starter.”
Productivity? That’s so last year
Different components of a strategy will be more strongly driven at certain times, said Shoham. When times are good, businesses tend to focus on the user and productivity; when corporate malfeasance is rampant, they focus on compliance with regulations; and, when times are rough, the focus is on IT cost savings. “We see industry taking turns with which is the most important.”
And while user productivity was the “big motivator” behind identity management strategies several years ago, it has now taken a back seat as the rough economy has brought to the fore the need to reduce help desk and security administrative staff by automating previously manual user access processes, said Shoham. “People at least pay lip service to the idea of regulatory compliance and improving security, although I suspect in many cases, they… are really more interested in ROI and access termination,” he said.
Open door policies
Besides shifting cyclic priorities, other factors are making enterprises reconsider their strategies. The opening of the enterprise, for instance, requires that strategies be comprehensive because of an increasing number of remote employees who connect to the corporate network beyond the boundaries of normal protection, said James Quin, senior research analyst with London, Ont.-based Info-Tech Research Group Ltd.
But corporate networks aren’t just open to employees anymore. Business partners and clients are granted access to select areas of the network “and we don’t necessarily control who all these people are,” said Quin. “We hire our employees, we don’t necessarily hire our clients.”
The integration, through portals, of internal applications that were previously segregated and required individual access by employees may appear on the surface to complicate identity management, said Quin, but it actually simplifies it. Although access is potentially opened more broadly across the organization, each application has inherent management and tracking capabilities needed for a better level of awareness. “So making use of a layer that authorizes connectivity and validates connectivity to backend applications,” said Quin, “is exactly what users need to be doing to get a great level of visibility.”
What IT administrators should be concerned about is collaboration through integration of applications across the corporate boundary, said Quin. It’s becoming common and is frequently observed in areas like inventory and supply chain management, where interactive communicative portals exist to dynamically share data between businesses. “As a partner of mine, when you access that application, you are coming onto my network and accessing my infrastructure, you’re getting at my sacred data and my sacred temple,” said Quin. “So I definitely need to understand who you are and validate you.”
According to Andras Cser, senior analyst for identity and access management with Cambridge, Mass.-based Forrester Research, the advent of services-oriented architecture (SOA) is making IT administrators ask how they can expose the services of a “monolithic identity management product into more granular reusable services such as authentication services, authorization services, policy services.”
The benefit of SOA to identity management is that it allows application developers to externalize security and authentication from the applications themselves, said Cser, adding that he’s observed North American organizations warming to the idea. But while infusing SOA into an identity management strategy is cheaper in the long run, Cser said the initial upfront cost is often a deterrent. And application developers, too, are often reluctant to give it their blessing because the labour of refactoring and partitioning code will fall to them, said Cser.
In light of the many influencing factors on an identity management plan, Quin said the strategy should be viewed as a concept that requires specific focus. “It can’t be viewed as an adjunct to the way that business is done. It needs to be given credence in and of itself.”
At a more granular level, a successful strategy requires processes and tools. Organizations should adopt policies around group roles and group role administration, instead of assigning permissions and access on an individual basis, said Quin. That way, he continued, identity management becomes efficient because employees can be divided into groups and provisioned accordingly, and as roles change, those permissions automatically change as well.
As for tools, Quin said there is a wealth of providers in the market that offer identity and access management technologies.
But while IT managers are aware that their identity management strategies can’t remain static, Quin said the majority of them have not updated their approaches. One hindrance is the difficulty in getting validation for expenditures that aren’t project-based, he said. Cser agreed that it can be tricky to prove the business value of identity management; however, IT departments can apply a cost and benefit model to measure expected value prior to implementing the strategy. That way, he continued, the impact of identity management on a business’ metrics will be observable.