Provisioning employees with passwords, user accounts and security privileges is the bane of every IT department. It's time consuming, often boring and, increasingly, a security risk in organizations with thousands of employees and dozens or even hundreds of IT systems, many containing sensitive data.
To deal with the problem, companies are increasingly turning to role-management software. This helps analyze and map employee job functions to the appropriate IT privileges, and helps create and manage these roles.
Early in 2007, insurance giant Cigna Corp. needed to standardize the way it assigned IT privileges to its 27,000 employees accessing Cigna's 300 or so applications. The company's traditional method -- giving new employees the same privileges held by employees in similar jobs -- wasn't keeping up with the complexity and volume of new account requests.
"Without roles, you're creating IDs helter skelter," says Craig Shumard, the chief information security officer at Cigna. "So when Bill gets promoted, you might say 'Let's give Bill whatever Joe had access to, because Joe had that same job before.' But Joe might have a lot of other privileges accumulated over the years that Bill shouldn't have."
Cigna initially created an in-house provisioning workflow tool that allowed users to initiate the provisioning process by selecting job functions and IT needs via drop-down menus. But Cigna soon realized it needed a more automated system for creating user roles, one which also had reporting and monitoring capabilities.
Cigna selected the Aveksa 3 suite, which includes role monitoring, reporting and management features. The software provides analysis tools for evaluating roles and defining new ones, audit trails for proof of regulatory compliance and automated certification that routes employee role reports to business managers for validation.
Who needs role management, who doesn't?
Large organizations are most likely to want and need role management, because they usually have enough users and user roles that the process has become a burden to the IT staff. This can justify the time and cost of a role-management rollout. Companies in regulated industries like finance or healthcare are also good candidates for role management because of the compliance aspects of the software.
"It obviously helps us out in terms of complying with regulations like Sarbanes-Oxley and HIPAA," says Cigna's Shumard. "But having a role manager is also cost effective."
Still, not every company needs, or can afford, a role management application. Considering that the average cost of a role-management implementation is $1.17 million, according to the Burton Group, an IT analyst firm in Midvale, Utah, there should be a clear need for role management to justify the cost.
Also, companies that rush into a role-management project may be disappointed in the result. In a survey of companies that were implementing role management, responses indicated that 60% of organizations which attempt a role management project fail on their first attempt. The reasons for failure included too much emphasis on technical aspects, lack of participation and support from business users and managers, and a lack of a standard deployment approach and organizational strategy.
As with any major application rollout, role management requires a great deal of up-front planning and inventory-taking of applications that use and store role information, users and their roles, and the role definitions themselves. Then there is the analysis of the roles and whether they should be reused or rewritten.
"In general, you're looking at months, not weeks [for a deployment]," says Kevin Kampman, senior analyst for the Burton Group, an IT research firm. "There's a fair amount of interpretation that goes on. Even if I know that all these people have access to these resources, I still have to determine whether these groupings are appropriate, or just an artifact of bad practices."
Safeway Inc., the grocery chain, is a case in point. In 2006, the company began implementing the Oracle Role Manager (formerly Bridgestream's SmartRoles) and Sun Microsystems' Access Manager. Earlier this year, Safeway completed the first stage, which chief architect Paul Rarey calls the "plumbing" phase. That involved cleaning and reconciling data and implementing an identity engine to map employees and their job functions to specific access rights. The company also installed adapters to connect the Oracle Role Manager to the Sun Access Manager, which will create the roles used by the Role Manager. The next stage, going on now, involves linking the Role Manager to various enterprise applications that will use roles or that hold data needed by the Role Manager. These applications include corporate directories, facilities management applications and the PeopleSoft HR system. The two-year rollout will finally be completed later this year.
Rarey says his company is implementing role management to help it deal with the growing number of employees and corporate locations. Before 2006, it had no automated process for assigning IT access privileges. Now with over 1,700 grocery stores in North America, along with corporate locations and 17 distribution facilities, the company needs to automate the process.
"We might have 300 or 500 call center people distributed internationally, all with the same privileges in the same systems, but who report to different Safeway organizations. We need to be able to differentiate between those roles," explains Rarey.
Selecting the right role manager
Issues such as scalability and support for existing IT systems should be considered, say experts. But it's the specific mix of features and functions that varies most among role management products. For example, Eurekify, based in Tel Aviv, makes the Sage Role Manager, which focuses on role discovery and role modeling. Other software vendors, like Avatier and Oracle, offer role management as a component of their identity management suites.
Functions that organizations may want in their role management product include:
Role mining and discovery. Role discovery identifies the users who have access to IT systems and categorizes them into logical groups for role creation. The ABSA Bank in South Africa, which is part of the Barclays Group in the U.K., used Eurekify's Sage Role Manager to mine its systems for user accounts and security privileges. That information is then automatically fed into CA's Identity Manager, which administers access to the bank's multiple IT systems.
To gather and analyze all of the bank's user access privileges and IT accounts manually would have been impossible, explains David Lello, CEO of Global Security Solutions, a business integration consultancy that did the work for ABSA Bank.
Role creation and publication. Role management products create roles based on a variety of employee attributes and job functions. Employees may have several roles, such as "payroll processing," "third floor offices" and "junior manager."
The number of roles any organization winds up with can vary greatly. When Debra Cuadros, vice president of operations for Simeio Solutions, an IT consultancy specializing in role-based identity management, participated in a project at one large entertainment firm, she says they converted 60% of the organization, or several thousand users, into just 25 roles. But, she says, "they all had very standard job functions, so it was an easier group."
Kampman says that the number of roles in an organization can range from 1% to 14% of the number of employees, based on the results of a recent Burton Group survey.
Role management applications typically offer templates and guides to help in identifying and defining roles.
Role management software "can provide you with role suggestions, or names for the groups you have -- often like a workbook," says Heman Vimadalal, managing partner for Simeio Solutions. Once the roles are created, the software then passes the role definitions along to a user provisioning application or access management system, which assigns and manages user accounts.
Policy creation and management. Role managers can help define corporate policies on security and access rights. They can also red flag conflicts, such as when someone is assigned two roles that combine incompatible duties -- such as if the procurement manager is also given the task of paying the vendors.
"Before we ever get to the access-control issue, we need to understand why people need access to resources. Role management allows you to articulate roles and policies, and separate duties where needed," says Kampman.
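The role discovery described under role mining above and the incompatible-duties check described here, shown as an added illustration that is not from the article or from any vendor's product. The user inventory, the entitlement names and the single separation-of-duties rule are constructed for the example; users with identical entitlement sets become one candidate role, users who match no role are surfaced as the "accumulated privileges" case, and any role assignment whose combined rights pair purchase approval with vendor payment is red-flagged.

```python
from collections import defaultdict

# Constructed sample inventory: each user's current entitlements ("system:right").
USER_ENTITLEMENTS = {
    "alice": {"erp:create_po", "erp:approve_po", "hr:view_org"},
    "bob":   {"erp:create_po", "erp:approve_po", "hr:view_org"},
    "carol": {"erp:create_po", "erp:approve_po", "hr:view_org"},
    "dave":  {"ap:pay_vendor", "ap:view_invoices"},
    "erin":  {"ap:pay_vendor", "ap:view_invoices"},
    # Joe kept purchasing rights from an old job when he moved into payables.
    "joe":   {"erp:create_po", "erp:approve_po", "ap:pay_vendor", "ap:view_invoices"},
}

# Constructed separation-of-duties policy: entitlement pairs one person must not combine.
SOD_RULES = [("erp:approve_po", "ap:pay_vendor")]


def mine_roles(user_entitlements, min_members=2):
    """Role discovery: users with identical entitlement sets form one candidate role.
    Returns {role_name: (entitlements, sorted members)}, largest group first."""
    groups = defaultdict(list)
    for user, ents in user_entitlements.items():
        groups[frozenset(ents)].append(user)
    candidates = [g for g in groups.items() if len(g[1]) >= min_members]
    candidates.sort(key=lambda g: (-len(g[1]), sorted(g[1])))
    return {f"ROLE-{n}": (set(ents), sorted(members))
            for n, (ents, members) in enumerate(candidates, start=1)}


def unassignable_users(user_entitlements, roles):
    """Users matching no mined role: the one-off accumulated privileges the article warns about."""
    covered = {u for _, members in roles.values() for u in members}
    return sorted(set(user_entitlements) - covered)


def sod_violations(entitlements, rules=SOD_RULES):
    """Return the rule pairs that a single entitlement set combines."""
    return [(a, b) for a, b in rules if a in entitlements and b in entitlements]


def check_assignment(user_roles, roles, rules=SOD_RULES):
    """Red-flag a proposed user -> roles assignment whose combined rights break a rule."""
    combined = set().union(*(roles[r][0] for r in user_roles))
    return sod_violations(combined, rules)


if __name__ == "__main__":
    roles = mine_roles(USER_ENTITLEMENTS)
    for name, (ents, members) in roles.items():
        print(name, sorted(ents), members)
    print("no role fits:", unassignable_users(USER_ENTITLEMENTS, roles))
    print("current SoD hits:", {u: sod_violations(e) for u, e in USER_ENTITLEMENTS.items() if sod_violations(e)})
    print("ROLE-1 + ROLE-2 conflict:", check_assignment(["ROLE-1", "ROLE-2"], roles))
```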
Reporting and auditing. Reporting is helpful to organizations concerned about compliance. Being able to show what roles and privileges employees have, as well as audit trails of role changes or conflicts, makes determining compliance much easier. Many role managers include reports specifically for compliance purposes.
Bank Leumi, in Tel Aviv, Israel, used Eurekify's Sage to identify redundant, unused or conflicting privileges held by its 11,000 employees. Some 27% of the users had excessive or unnecessary privileges, according to Hanania Kafri, the bank's chief security officer. Kafri cleaned out the excess privileges, though not without some careful consideration.
"I was a little scared of the process, so I first deleted just 100 of them," he says. "When nobody shouted at me, after a few days I deleted the rest."
As with any major software project, a long evaluation process -- and pilot project or proof-of-concept -- is recommended.
"There might be a lot of different ways a product does role definition that might or might not suit your organization," says Simeio's Cuadros. "Vendors go by different methodologies, with different functionality that may or may not suit your organization. So you have to be very careful when you do a vendor selection. Just looking at a couple of the features does not qualify as a thorough product evaluation."
Nevertheless, IT managers should not be frightened away from undertaking role management, says Cuadros. It can provide substantial benefits if done with sufficient planning and support from the management. She recommends starting with departments likely to have the greatest need, such as HR and finance, and with the employees who have the most standardized roles.
"If you can take the 60% of your users that have a defined function and create a set of roles for that group, then right off the bat you've got a big win that people can see. That will help you take on more complicated roles afterwards," she says.
Sue Hildreth is a freelance IT writer based in Waltham, MA. She can be reached at Sue.Hildreth@comcast.net.