Who are you and what are you doing on my network?
It’s a question at the heart of security, and yet a number of organizations still haven’t battened down the hatches to make their networks completely protected.
But as organizations increasingly plug in wireless LANs and let partners and customers connect to their systems, identity and access management (IAM) will become vital for survival. For these reasons alone it’s important that organizations regularly review their IAM strategies.
In addition, there are some recent technology-related reasons as well.
What could be a seismic event in the pedestrian world of identity and access management took place this spring when Hewlett-Packard got out of the business. One might think that IAM was the perfect fit for HP and its network management applications. After all, competitors with network management suites such as IBM (through its Tivoli division), CA, and Sun Microsystems fuse identity management with their applications.
But just over four years after getting into the business through an acquisition, HP sold its Identity Centre line to Novell, which is now eagerly trying to migrate those customers to its Identity Manager, Access Manager and Sentinel products No doubt that if you’re an Identity Centre user, IAM competitors have been knocking on your door trying for a piece of that business with some tempting offers.
Also this spring Hitachi Ltd. quietly snapped up majority control of Calgary identity management software maker M-Tech Information Technology. Now called Hitachi ID Systems, it will be encouraging Hitachi customers to shift to the company’s P-Synch password management and ID-Synch user provisioning software.
Just as this article was being finished, CA bought IDFocus LLC, which makes the ACE entitlement management application. It will be rebranded and sold as part of CA’s Identity Management software line.
Get ready for more consolidation among IAM companies, warns Perry Carpenter, a research director in Gartner’s information security and privacy group. “It’s significant that a company as large as HP would pull out of that market,” he observes. “They were considered a market leader.”
Because of the increased potential your supplier will disappear, Gartner warns organizations to ensure licence agreements with vendors at least address the possibility of mergers or acquisitions, including early-out and discount clauses.
Beyond M&A activity, there are other recent activities to watch. There’s no shortage of standards out there for securely exchanging identity information across networks, none of which has seen universal acceptance. Another one, called Information Cards and promoted by Microsoft, Novell, Nortel, VeriSign and others, has emerged and is worth keeping an eye on.
Under this approach, individuals could hold many digital cards, which would let them be authenticated on multiple Web sites without maintaining passwords for each site. Last month the open standards Oasis consortium formed an identity metasystem interoperability technical committee to develop the concept. Another emerging technology to meet the compliance demands of knowing who is going where on internal networks is the move to make networks identity-aware. It’s what Gartner analyst Lawrence Orans calls “the intersection of network access control and identity and access management.”
Pushed by veteran network suppliers as well as startups such as Applied Identity and AEP Networks, there are three approaches: deep packet inspection (backed by Nevis Networks and Enterasys among others), packet tagging data, which can then be controlled through an identity firewall (Cisco’s TrustSec approach) and putting a role-based certificate that lists permitted activities on every end point (Microsoft’s IPSec-based solution, called server and domain isolation). These solutions can put a strain on today’s networks, Orans points out. But he believes the concept will spread as the cost comes down.
Before getting to that point organizations have to take stock of where they are now. Those managing user identities through a spreadsheet need to at least invest in a directory, says James Quin, an analyst at Info-Tech Research of London, Ont. All-Microsoft shops should at least be using Active Directory, he says, which for many organizations can be enough.
Those wanting to take IAM seriously not only should be using a directory but also roles-based management software, which makes provisioning easier by assigning staffers pre-defined roles with permissions for logging on to various data stores. Look for features that automatically change roles when a staffer is promoted and deletes names when people leave the company. Ross Chevalier, president and CTO of Novell Canada, says some studies suggest as many as 60 per cent of user accounts may be invalid in many organizations because they aren’t updated.
Organizations running mixed platforms should by now either be trying to consolidate directories or have a major integration project underway. At the very least, say industry analysts, every organization should have an identity and access management strategy.
This will not be easy, cautions David Senf of IDC Canada. It can take a while just to classify data to determine who should have access to what.
Gartner’s Carpenter warns that a serious approach to IAM is more than evaluating a few vendors, choosing one and installing the solution.
“Where I see people fail is they buy technology and expect to implement technology and be done with it and succeed,” he says. “Technology is just a sliver” of IAM, he says. IAM, he says, is the most pervasive technology to be deployed in an organization that has to relate to its business processes as well as compliance mandates. So doing it right means not dumping the project on the IT or network manager, but forming a team from across the organization because departments are best at defining who gets what. Getting support from management is also vital.
“You kind of need a dictator at some points to set priorities,” says Hitachi ID chief technology officer Idan Shoham, such as deciding access to this platform is more important than that one.
Shoham, whose company also implements its technology, urges customers to do IAM projects in small phases rather than monolithic three year spans. Don’t go more than six months without releasing some sort of valuable business deliverable, he advises.
One of biggest mistakes organizations make is not listening to the vendor and/or the system integrator, says Carpenter. “It’s arrogant at the least and stupid at the worst.”
On the one hand suppliers may have an interest in their products, he acknowledges, but they don’t have an interest in projects that go over budget or time—that’s bad for their reputation.
Another major mistake Carpenter sees organizations make is changing the scope of the IAM project to meet a new and immediate need. Before spending a dollar on technology know how the IAM team will make decisions, says Carpenter, to eliminate ad hoc decisions. Go through the organization and define what you want to do and why. (And, he adds, the company might save time if it finds it already has some parts, such as a user provisioning system.)
Perhaps most importantly, define what success will look like. The worse