Who needs identity and access management? At some level, every organization does. But deciding which level of IAM you need, and how to deploy it successfully, requires a bit of planning. Based on his years of experience implementing IAM at some of the world’s largest corporations, Avatier Corporation chairman & CEO Nelson Cicchitto provides his step-by-step advice for understanding and evaluating the various stages of an IAM deployment.
In the first of this two-part series, Cicchitto covers the ten stages of IAM deployment. In part two, he advises on deciding the next steps of the process, including outlining the four factors for considering an IAM investment, as well as obstacles to success and a long-term view on IAM.
Part I: Evaluating Your Identity and Access Management Options; Ten Stages of IAM Deployment
By Nelson Cicchitto
Three years ago, Linnie Gooch, an IT manager at Wescom Credit Union, realized he had a growing security problem. The company’s employee population had grown rapidly in recent years and the IT staff no longer knew everyone in the company. That meant that the usual method of screening employee requests for a new password – recognizing the voice on the phone – wasn’t working any longer.
“When I first started six years ago there were only 300 users and we knew everyone’s voices,” says Gooch, manager of server administration and helpdesk. “As we grew to 500, 600, 700 users, we couldn’t keep a handle on who we were talking to on the phone. We needed a way to make sure we weren’t re-setting passwords for the wrong person and compromising accounts.”
The solution, Gooch and his staff discovered, was to automate the process via an identity and access management application that employees could access themselves. Employees could prove their identities either by using their current password or an alternate piece of information, and then reset the password, all without having to bother the help desk staff.
Not only did that enhance security, but it also cut help desk calls dramatically – by 75%.
Wescom’s situation illustrates the benefits that organizations can realize by automating identity and access management. Organizations need better automated security solutions not only to decrease their risk from external and internal security threats, but also to take the administrative burdens off of IT and improve the productivity and efficiency of IT and other employees.
Moreover, regulatory requirements have forced organizations to take a hard look at how secure their applications and databases are against theft. Given that virtually all organizations hold employee and customer data on their systems – social security numbers, birth dates, credit card accounts, etc. – all of them carry a substantial risk of liability should a security breach occur.
Unfortunately, organizations have been slow to implement IAM controls. According to a recent report by the Aberdeen Group, a Boston-based IT research firm, an estimated 40% of all firms are performing at sub-par levels when it comes to automating access to core business information. And, they note, that’s assuming a fairly modest goal of equipping 40% of a company’s business functions with automated access. If the bar were raised to 60%, says Aberdeen, most businesses would be at a sub-par level.
While most large organizations have begun implementing identity and access management projects, few have fully deployed IAM across the enterprise, and fewer still have deployed IAM at its most advanced capabilities. IAM has ten stages, or layers, of capabilities that can be successively deployed. Most companies attempt to implement several phases at once, with limited success or complete failure.
The Ten Stages of IAM Deployment
What, exactly, does identity and access management entail? Identity management involves administration and policy creation, while access management entails enforcement of those policies. Together, IAM is a hierarchical collection of security practices and technologies, each new stage building on the prior one.
Typically, the most efficient and practical way to approach an IAM implementation is by deciding where your organization currently sits in this hierarchy, and then deciding whether, and how, to move up to the next level. Ideally, you’ll reach a stage at which 80% of your security needs are met, and the remaining 20% are either low-risk items or have minimal impact on the bottom line. Organizations that attempt to get 100% coverage by implementing all IAM stages in one mega-project inevitably wind up with a nightmare -- a never-ending deployment, ever-increasing costs, and the inevitable political infighting.

Rule number one: Preparation and politics. Understand that as your organization implements the later phases, there is less a vendor or product can do to prepare your organization for those stages. The later stages require more hands-on involvement by your organization to implement, and typically more upper management support.
Rule number two: Pick your benefits. Before selecting any IAM phase, determine which of the following four benefits are most important to your organization, and then determine which of the four a given phase will address before deploying it.
The Top Four Main Benefits of IAM
- Cost Reduction
- Improved Security
- Achieving Compliance
- Improving Efficiency through Automation
Rule number three: Don’t panic. It is easy to become overwhelmed by any IAM project. If possible, attack the lowest-hanging fruit first. Remember to use the 80/20 rule: usually 20% of your applications or provisioning processes generate 80% of the headaches. Automate them first.
The ten phases of IAM are:
Phase One. Password management. It’s an oft-quoted fact that 30% of all helpdesk calls involve password problems. So the first phase of IAM is aimed at automating that 30% of calls. This first stage is password management -- an automated solution for managing password assignment and resetting passwords via phone or desktop.
It enables users and customers to do limited self-service management of their accounts without bothering IT. For instance, they can reset passwords if they’ve forgotten them or as passwords expire.
Because a password management system is fairly easy to cost-justify to a CEO (that 30% reduction in help desk calls translates into hard payroll dollars), it represents the “low-hanging fruit” of IAM and should be implemented before moving on to other phases.
Phase Two. Password policy enforcement. Every organization needs security rules, including rules about how passwords may be created, used, reset, and so forth. In phase two, you need to create policies that will protect passwords from being stolen or guessed by outsiders, but which don’t over-burden users. An automated policy manager will enforce those password policies, for instance by not allowing a user to set his user name as the password, create a password of fewer than seven characters, or use common words and names. Easy-to-guess passwords are extremely vulnerable to exploitation by outside thieves, so enforcing the corporate security rules is critical to network security.
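As an added illustration (not from the article or any Avatier product) of the three rules the policy manager is described as enforcing, here is a small checker. The word list and the leet-substitution table are constructed assumptions; a real deployment loads a much larger dictionary and checks against breach corpora as well.

```python
import re

# Constructed sample of "common words and names"; a real policy manager
# would use a full dictionary plus known-breached password lists.
COMMON_WORDS = {"password", "welcome", "letmein", "company", "summer", "john", "smith"}

MIN_LENGTH = 7  # the article's "fewer than seven characters" rule

# Assumed leet-style substitutions so "P@ssw0rd" is recognized as "password".
LEET_TABLE = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s"})


def check_password(username: str, candidate: str) -> list:
    """Return the list of policy violations; an empty list means the password is accepted.

    The three checks mirror the article: minimum length, user name not usable as
    the password, and no common words or names (including trivially disguised ones).
    """
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")

    lowered = candidate.lower()
    user = username.lower()
    # The user name may not be the password, nor be embedded in it ("jsmith2024").
    if user and user in lowered:
        violations.append("contains the user name")

    # Dictionary check on two views of the candidate: with leet substitutions
    # undone ("P@ssw0rd" -> "password") and with digits/punctuation stripped
    # ("Welcome1!" -> "welcome"), so trivial decorations do not defeat the rule.
    leet_undone = lowered.translate(LEET_TABLE)
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if leet_undone in COMMON_WORDS or letters_only in COMMON_WORDS:
        violations.append("is a common word or name")

    return violations
```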
Phase Three. User de-provisioning. Once you’ve got password management and password policy enforcement in place, you’re in a position to move up to a de-provisioning solution. De-provisioning is much more than simply pulling the plug on a user ID. It involves terminating access to multiple accounts across various systems, archiving mailboxes and directories that may be required in case of an audit, and deleting the account from the system. It eats up time the IT staff could use for other projects and, if left undone, exposes the system to access by disgruntled ex-employees. Automating the de-provisioning process increases security and takes one more administrative burden off the IT department’s shoulders.
Phase Four. User provisioning. This involves automating account creation across multiple systems and platforms. It’s a big step up the ladder, because this is the first stage that requires you to define user naming conventions, roles for employees, and what levels of access to various systems each role requires. However, the benefits of automating this level are significant, because once you’ve defined the roles, you no longer have to manually provision each new employee. You can simply assign them a role or job code and the provisioning software will handle the rest. No more guessing whether the new HR assistant is supposed to be able to access individual payroll information, or trying to remember which printer is closest to the new person’s desk. Conversely, some products allow you to simply select and copy a source user to a target account. For organizations that cannot afford to reap the benefits of user provisioning and do not have the time to define roles, this option works well.
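The role-driven provisioning of Phase Four and the ordered de-provisioning of Phase Three share one core operation: comparing the access a person currently holds with the access their job code entitles them to. This added example (not code from the article or from any IAM product) shows that reconciliation for joiners, movers and leavers; the job codes, systems and access levels are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple, List

Entitlement = Tuple[str, str]  # (system, access level)

# Constructed role matrix: job code -> entitlements. In practice this comes from
# HR data and application owners; defining it is the hard part of Phase Four.
ROLE_MATRIX = {
    "HR-ASSISTANT": {("hr-portal", "read"), ("file-share", "hr-team")},
    "PAYROLL-CLERK": {("hr-portal", "read"), ("payroll", "write")},
}
BASELINE: Set[Entitlement] = {("email", "user")}  # every active identity gets this


@dataclass
class Identity:
    username: str
    job_code: Optional[str]            # None once the person has left
    current: Set[Entitlement] = field(default_factory=set)


def desired_entitlements(job_code: Optional[str]) -> Set[Entitlement]:
    """A leaver is entitled to nothing; everyone else gets baseline plus their role."""
    return set() if job_code is None else BASELINE | ROLE_MATRIX[job_code]


def reconcile(identity: Identity) -> Tuple[List[Entitlement], List[Entitlement]]:
    """Return (grants, revokes) that align current access with the role matrix.
    Joiner: everything granted; mover: stale rights revoked; leaver: all revoked."""
    want = desired_entitlements(identity.job_code)
    return sorted(want - identity.current), sorted(identity.current - want)


def deprovision_plan(identity: Identity) -> List[str]:
    """Ordered leaver steps: disable login first so access stops immediately,
    revoke per-system access, archive what an audit may need, then delete."""
    _, revokes = reconcile(Identity(identity.username, None, identity.current))
    steps = [f"disable login {identity.username}"]
    steps += [f"revoke {level} on {system}" for system, level in revokes]
    if ("email", "user") in identity.current:
        steps.append(f"archive mailbox {identity.username}")
    steps.append(f"archive home directory {identity.username}")
    steps.append(f"delete account {identity.username}")
    return steps


def clone_access(source: Identity, target_name: str) -> Identity:
    """The 'copy a source user' shortcut: the target inherits whatever the source
    has accumulated, so reconcile() it against the role matrix afterwards."""
    return Identity(target_name, source.job_code, set(source.current))
```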
Phase Five. Self-Service Role Matrix and Rights Management. This stage is even more dependent upon systems your organization must have in place prior to deploying this type of solution. In this phase the concept of automated self-service password management is taken one step further, to enable your end users to request access to specific systems and accounts and have the authorization handled automatically by a predetermined workflow. For instance, an assistant accounting representative might submit a request for access to a sensitive system such as payroll, or to certain restricted functions such as the ability to change data or tables. The employee request is then forwarded, based on the preconfigured workflow, to managers authorized to approve such access. This also enables new employees to self-provision, by inputting their name and job code and getting the necessary approvals to access whatever systems are part of his or her job code. Existing employees also benefit because they will have a self-service method for updating their employee contact info. However, this phase is impossible to achieve without an organizational chart, defined roles, and, for some products, a high-level workflow design in place prior to rollout.
Phase Six. Metadirectory. Many organizations believe they need a single directory that contains the identities from all of their disparate directories. A metadirectory is, as it sounds, a combined directory of the metadata on all enterprise data located on all of the organization’s servers. It sounds like this phase could be fairly automated; however, that is far from the truth. Bringing all of these identities together on a scheduled basis requires someone to manually check the identity mappings of critical identities as well as monitor the automated process. For environments with over 200,000 employees and several unique identity repositories, this technology does not scale well.
Phase Seven. Enterprise Reduced Single Sign-On. From a user perspective, it’s considerably more convenient to sign on just once for access to all applications and databases, rather than having to log on to each system separately. So enterprise reduced single sign-on is a phase that can help boost user productivity by reducing security-related tasks. But just like the prior phases, this phase requires even more preparation by your organization before it can be successfully deployed. Prior to deploying any SSO technology you must identify the apps you want to enable, record the logon process of each app, test SSO, determine who you should distribute the app to, and maintain the SSO process as interfaces to web apps change. Additionally, it is best to roll out SSO applications from the easiest to the most difficult. The easiest step is recording the logon macros for your internal Web applications; the next easiest applications to tackle are your external Web applications (such as Expedia, partner sites, and other Web sites); third, automate your Windows 32-bit applications; and the fourth step is automating legacy or Java applications.
Phase Eight. Authentication Services. For highly security-conscious firms, authentication is a key element of identity and access management. As the traditional “who you are, what you know and what you have” saying illustrates, a user ID and password are only two of three possible ways to make sure the correct person is gaining access. The third, required along with the first two, is some hardware element – a smart card or dongle or VPN – that determines which applications will be accessible to you. Many organizations never get this far up the security ladder, and many don’t need to. However, if you do decide to implement this phase, be prepared for even more planning and a disruptive change to existing authentication procedures.
Phase Nine. Enterprise Access Management. Enabling restricted access to web applications is the primary goal at this phase. In this phase you must identify which web apps and end users you want to provide restricted access to, enable those apps, test the restricted access, monitor access to resources, and distribute the restrictions to end users.
Phase Ten. Federated Identity Management. Hardly any organizations have implemented the last phase, federated identity management. Like phase six, the majority of firms don’t really need this phase for better security or work efficiencies, and it can be both expensive and problematic to implement.
Federated identity management gives users the ability to log onto one network and then access all trusted networks. While all of the prior phases of IAM provide elements of federated management, full federated identity management also entails access to networks of trusted partners, and their access to your network. The complexity of enabling partners to access internal systems is enormous. It requires not only technology for ensuring secure and automated access by outsiders, but also negotiation and agreement between the two organizations first. There are liability issues to be considered, contracts that must be drafted, and, finally, the technical details of how the partners will access systems, what level of access they will be granted, and what their responsibilities are in the event an employee loses a password, leaves the firm, etc. For most organizations full federated identity management is unnecessary. For a few, however, who engage in constant data exchanges with highly trusted partners, it is becoming a necessity.
Nelson Cicchitto is chairman & CEO of Avatier Corporation. www.Avatier.com