Two years ago, Exxon Mobil Corp. had big plans to create a centrally managed identity management infrastructure that would automate the process of issuing new user accounts for access to its many corporate applications. Unfortunately, it had to put those plans on hold last year when the technology couldn’t meet the business’s needs.
“Our vision includes full life-cycle management of all user identities and access privileges,” says Patricia Hewlett, vice president of global IT. The problem was achieving that vision at scale. Exxon needed to manage identities and provision access based on each user’s role and the types of system access required to do the job, but that was difficult with 84,000 employees in 200 countries.
“Available products could handle a small number of static roles but were not well suited to managing dynamic, attribute-based roles,” Hewlett says.
MARKET SNAPSHOT | |
|
Many of Exxon’s applications also didn’t support role-based access. “We had to add those capabilities to each application,” Hewlett says. That was too much work, so she has “put the project in the fridge” for now.
The products have improved since Exxon first planned the project, but Hewlett says role-based access is still relatively immature. “We ... have not made a decision as to when we’ll resume the project,” she adds.
Like many other organizations that have traveled the road to centralized identity management, Exxon found the potential benefits — such as automated provisioning of accounts for new users and deactivation of accounts for departing employees — compelling. But getting the full benefit from an identity infrastructure remains challenging.
Identity management tools have made strides in the areas of managing access, creating user accounts, designing workflows and providing an audit trail of who had access to what when. The tools break down the stovepipe identity infrastructures in which each application has its own access controls and administrator — a design that doesn’t scale well when businesses have thousands of applications.
As the industry has consolidated, many of the stand-alone identity management tools have been absorbed into suites that integrate user provisioning, Web access management, single sign-on and other functions into one framework. But centralizing the management of identity information is still a complex and costly affair that involves integrating application-specific and directory-based repositories.
“The integration of applications, the role management issues, many organizations find very complex to plan and deploy,” says Ray Wagner, an analyst at Gartner Inc. And identifying and managing user roles is still “a very early market,” he adds.
Applications that support a common directory system, such as Microsoft Corp.’s Active Directory, make role management easier, but even then there are challenges, says Rafael Rodriguez, associate CIO for infrastructure services at Duke University Health System in Durham, N.C. “Active Directory can keep track of roles, but in each application, you still have to maintain what those roles are allowed to do,” he says.
Many identity management deployments also lack granularity, allowing all-or-nothing access to applications. Fine-grained access controls, where users have conditional access based on their roles, have been implemented in very few organizations, Wagner says. That means that in most cases, administrators still must manage fine-grained access within each application.
Cleaning up and mapping data is another challenge. “Customers don’t always have their data in a form where you can bring it together into a common repository of identity, or they don’t understand the business processes well enough to deploy role-based systems,” says Peter Houston, senior director of identity and access product management at Microsoft.
Deployments can also be costly, and complexity increases with the size of the organization. IT executives should expect to pay $20 to $30 per user for the software and two to six times that amount on integration, Wagner says.
Motivating Factors
Nonetheless, businesses are increasingly motivated to move ahead. Identity management systems can improve overall security and privacy while providing an audit trail to meet the requirements of the Health Insurance Portability and Accountability Act or the Sarbanes-Oxley Act. Because of that, compliance issues are driving identity projects that couldn’t be justified by return on investment alone. Without an identity management infrastructure, organizations are finding that “it’s either very painful to produce compliance reports, or they can’t do it at all,” Wagner says.
A centralized identity management infrastructure is also foundational for projects that can cut administrative costs and increase productivity. The systems can reduce replication of administrative tasks by allowing identity information to be updated in one repository and propagated out to all others. User provisioning and deprovisioning tasks can be automated or delegated to others. Self-service initiatives, such as automating the password-reset process, can cut down on help desk calls.
Compliance was a motivator at Rockledge, Fla.-based Health First Inc., which manages 15,000 user accounts for three hospitals and a health plan. It has several authoritative sources of identity information, including a PeopleSoft application, a physician credentialing system called Midas+ Seeker from Affiliated Computer Services Inc. and a suite of clinical applications.
The problem is that as people change roles, they gain cumulative access to the various systems, says Dan Tesenair, senior network engineer at Health First. “We’re very good at getting people what they need, but we’re very poor at taking it away,” he says.
Health First brought in Novell Inc.’s Identity Manager and has been using the product’s metadirectory features to manage identity information among 20 applications. Like most vendors, Novell offers connectors for commonly used directories such as LDAP, popular applications such as PeopleSoft, and databases such as SQL Server and Oracle, which some applications use as back-end repositories for identity information.
For other applications, Health First needed to write new connectors. But customization wasn’t what slowed the project, Tesenair says. “On average, we spend two or three months dealing with the business processes and two to three weeks writing the connector for any given application,” he says.
But the connectors issue derailed Nancy Birschbach’s plans to deploy CA Inc.’s eTrust Admin for user provisioning. Two years ago, Birschbach, information security officer at health care provider Agnesian HealthCare in Fond du Lac, Wis., hired a consultant to plan the transition. Her staff spent more than a year mapping data between repositories and changing all user IDs to a common naming convention.
But then they found that the versions of the Lawson CRM and Cerner Millennium clinical software she had deployed — both key repositories of user identity data — wouldn’t connect with eTrust Admin without substantial integration work. Newer versions of both products will work with eTrust Admin, but upgrading will have to wait.
Agnesian had recently deployed both applications, and upgrading again would have required changing out both hardware and software. “Those applications are our bread and butter, and we’re not going to ditch that and put in something new,” Birschbach says. Another alternative was to write a custom interface, she says, but “it wasn’t worth our while to do custom programming.” So she abandoned the project. “I had to back out all of the policies and procedures and write new ones for manual provisioning,” Birschbach says.
Still, the organization is benefiting from the work done so far. All of the data repositories have been cleaned, and Agnesian created roles and mapped each to the appropriate applications so administrators could provision at a group level. “I met with every director and department leader to define a role for every job code,” says Birschbach, who found that her version of Lawson software doesn’t support group-based provisioning. “We’re using that information. It’s just, unfortunately, not in an automated process,” she says.
Tesenair says such problems shouldn’t be a showstopper. “I don’t see technology being a barrier. If you need data, you can get it in some way or another,” he says. But although Health First has built connectors for its identity repository, it has yet to take full advantage of that for user provisioning. Applications that work with a directory service are supported, he says, “but if it has its own repository, it’s manual.”
Tesenair has created workflows that automatically notify administrators when a user is terminated or his credentials change, but the actual provisioning is manual. “We’ve held off until we get a better handle on our roles first,” he says.
Defining those roles has been a challenge. “We don’t have this figured out from a business process perspective,” Tesenair says. For example, it’s unclear whether a nurse manager should get access to medical records or if only nurses should have that access. “I don’t find technology to be as much of a barrier as the business processes are,” he says.
While role modeling is a challenge, it hasn’t stopped Health First from leveraging its identity infrastructure. Tesenair rolled out a password self-service application that cut help desk calls from more than 6,683 to 534 a year. The organization is also piloting a mobile clinical workstation, deployed on a Tablet PC, that supports single sign-on to a suite of clinical applications and e-mail. The identity management system synchronizes username and password data among the applications, a biometric authentication system and Novell’s eDirectory service.
Role definition also can be tricky when several business units are involved. Montvale, N.J.-based Ingersoll Rand Co. supports different Web portals for dealers of each of the company’s three construction equipment lines: Bobcat, Club Car and Ingersoll Rand. A dealer that carries all three brands had seven different log-ins to access all required applications. Jim McDonald, manager of IT, says he used Oracle Corp.’s Identity Manager and other Oracle tools to create a single identity and single sign-on for each user. Now he’s working on assigning users roles so each user inherits role-based rights and attributes automatically.
The problem is that different groups define the same role names differently. For example, a parts manager at one dealership may be able to see prices and costs, while at another, management may not want the parts manager to see what the company pays for a part. Different constituencies will never agree on a single set of role definitions, says McDonald, and you have to work around that. “We let each brand define their own roles. We’re not trying to dictate the business requirements,” he says.
“After mapping all of your accounts, the second most challenging task is defining roles,” says Jim Shattuck, lead systems analyst at Children’s Hospital Boston. The teaching hospital has been consolidating identity repositories and uses Microsoft Identity Information Server to link 14 applications to perform automated user provisioning. As part of that effort, the hospital defined about 90 minor roles.
“The roles help us provision about 80% of the users, but there are 20% that are too disparate,” Shattuck says. Those “do not justify the effort involved in defining and maintaining them,” he says, so they are handled as one-off requests.
The number of applications included in the project is also limited. “For the most part, the roles affect applications and permissions that are integrated tightly with Active Directory and not beyond,” Shattuck says. The rest of the more than 100 applications, including the hospital’s primary clinical application, aren’t yet integrated. “As far as roles go, we’re maybe 20% of the way there,” he says.
Shattuck cites both technical and management challenges. For example, to provision the clinical application, the hospital needed to define key roles and add new “departmental” and “manager” fields in PeopleSoft, the authoritative repository of identity data for provisioning users in the clinical application.
While identity projects may be complicated and costly, organizations can be successful by taking small steps and limiting the scope to key applications — at least initially. “We don’t believe that all of those legacy applications will ever be fully integrated,” Wagner says. Despite the challenges and limitations, he sees clear benefits to moving ahead: “You can, through the application of some of these tools, make your business run more efficiently.”