How to choose a provisioning tool

"When I left my position as an investment adviser, no one asked me to return my physical access card, despite the fact that I was going to work for a competitor virtually across the street. I could easily have re-entered my former employer's office and accessed the files of every single one of their clients. And because my former employer failed to turn off my e-mail account, I received group e-mails from my former colleagues discussing how they planned to attempt to steal my clients!"

This real-world anecdote is an example of a horror story told to my company. Such situations occur at organizations around the globe every day. Digital resources are a critical factor of a company's success. Yet there is poor control of who has access to these vital resources, which include computers, cell phones and PDAs, as well as access to a plethora of business, security, and IT applications and services.

A new category of software, known as provisioning solutions, is designed to help a business protect itself against identity abuse by securely automating IT tasks, facilitating secure self-service and providing the accurate and detailed IT audits that are increasingly required by governmental and industry regulations. Here are some guidelines you should consider when your company is getting ready to select a provisioning product.

Provisioning is a business issue, not an IT issue

Controlling access to IT resources is not an IT problem. This use of IT resources often means the difference between a company's success and failure. Making sure that employees have access to the resources they need to do their jobs (and that they no longer have that access when they don't need it) is clearly a business issue.

What to look for: Look for a solution that allows business managers to define changes that affect an employee's access rights, such as adding a new partner or moving personnel among task forces.

Laying the foundation: Standards and directory-based infrastructures

Since provisioning products touch many parts of an organization's infrastructure, it's important to know that your provisioning vendor is committed to standards that will allow disparate systems to communicate over a standardized interface.

What to look for: Look for support for products based on important standards such as Service Provisioning Markup Language (an XML specification for provisioning) and Web services, which together will commoditize IT system connector development, as well as LDAP directories, the universally accepted infrastructure for storing personnel profile data.

Business-process integration

Employees join projects and task forces, and companies work together to build products. Companies that hire employees may later lay them off. Each time a person moves, his needs for IT resources also change. The mapping of business changes to IT resource changes can be quite complicated.

What to look for: Since business people are the only ones who can accurately define a business change (such as a transfer or task force creation), they must be able to directly define the changes in the provisioning system. The system must be able to interpret the change and automatically understand how each business change affects a person's IT resource entitlements.

Opinion
David Lavenda

Workflow

When a business change occurs, such as transferring an employee named Janice from the New York office to San Diego, several steps must be taken before Janice is ready to work in her new office. These include moving her mailbox, changing her e-mail group associations, and disabling old accounts and creating new ones. The list can be quite long.

Furthermore, approvals for each task must be obtained, different groups of people have to be informed of tasks to complete, and automated tasks, such as changing Janice's e-mail group associations, have to be executed. Remember, all these tasks have to be assigned to the right people, in the right order, and there has to be a mechanism for escalation if a task should fail.

What to look for: For small-business scenarios, simple provisioning products provide approval workflow, which obtains authorization before triggering provisioning tasks. For most provisioning projects, look for a product that provides dynamic workflow that can perform the following functions:

  • Automatically build the workflow based on the context of the business change.
  • Handle task delegation.
  • Use business logic to calculate how to treat task failure.
  • Have a built-in escalation mechanism to handle approval request failures.
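The business-change-to-task mapping and the dynamic workflow described above (context-built task list, approval before anything runs, delegation to per-system connectors, escalation on failure) can be made concrete with a small engine. This is an added example, not code from the column or from any vendor's product; the site names, the NOS/mail systems, the connector callables and the approver names are all constructed for illustration.

```python
"""Added example (not from the column or any vendor's product): a small
dynamic-workflow engine that takes a business change, builds the provisioning
task list from its context, obtains approval first, runs automated tasks
through per-system connectors, and escalates failures. All site names,
systems, connectors and approvers below are constructed for the example."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Task:
    name: str
    system: str                      # connector that performs it: "nos", "mail", or "workflow"
    action: str                      # approve / create / move / set_groups / disable
    params: dict
    needs_approval: bool = False
    status: str = "pending"          # pending / done / failed / skipped / escalated
    escalated_to: Optional[str] = None


@dataclass
class BusinessChange:
    kind: str                        # only "transfer" is modelled here
    user: str
    old_site: str
    new_site: str


# Constructed per-site resources; a real deployment would read these from HR or LDAP.
SITE_RESOURCES = {
    "New York":  {"nos_domain": "NYDOM", "mail_server": "ny-mail", "groups": ["ny-all", "ny-advisers"]},
    "San Diego": {"nos_domain": "SDDOM", "mail_server": "sd-mail", "groups": ["sd-all", "sd-advisers"]},
}


def build_workflow(change: BusinessChange) -> List[Task]:
    """Derive the task list from the change itself instead of a fixed template.
    Order matters: authorize, create the new access, migrate data, update
    groups, and only then revoke the old access."""
    if change.kind != "transfer":
        raise ValueError(f"unsupported change kind: {change.kind}")
    old, new = SITE_RESOURCES[change.old_site], SITE_RESOURCES[change.new_site]
    approver = f"manager-{new['nos_domain'].lower()}"       # receiving manager approves
    u = change.user
    return [
        Task("approve transfer", "workflow", "approve", {"approver": approver}, needs_approval=True),
        Task("create NOS account", "nos", "create", {"domain": new["nos_domain"], "user": u}),
        Task("move mailbox", "mail", "move", {"src": old["mail_server"], "dst": new["mail_server"], "user": u}),
        Task("update e-mail groups", "mail", "set_groups", {"remove": old["groups"], "add": new["groups"], "user": u}),
        Task("disable old NOS account", "nos", "disable", {"domain": old["nos_domain"], "user": u}),
    ]


Connector = Callable[[Task], bool]   # returns True when the target system accepted the change


def run_workflow(tasks: List[Task], connectors: Dict[str, Connector],
                 approvals: Dict[str, bool], escalate_to: str = "it-ops-lead") -> List[Task]:
    """Execute tasks in order. Business rules on failure:
    - no approval (missing or denied): escalate and provision nothing;
    - a failed automated task: escalate, skip dependent steps, but still
      run revocations ("disable"), because stale access is the larger risk."""
    unauthorized = False
    failed_earlier = False
    for task in tasks:
        if task.needs_approval:
            if approvals.get(task.params["approver"]):
                task.status = "done"
            else:
                task.status, task.escalated_to = "escalated", escalate_to
                unauthorized = True
            continue
        if unauthorized or (failed_earlier and task.action != "disable"):
            task.status = "skipped"
            continue
        connector = connectors.get(task.system)
        if connector is not None and connector(task):
            task.status = "done"
        else:
            task.status, task.escalated_to = "failed", escalate_to
            failed_earlier = True
    return tasks


def status_summary(tasks: List[Task]) -> Dict[str, str]:
    """Task name -> final status, for reporting."""
    return {t.name: t.status for t in tasks}


if __name__ == "__main__":
    janice = BusinessChange("transfer", "janice", "New York", "San Diego")
    # Constructed connectors: the NOS always succeeds, the mailbox move fails.
    connectors = {"nos": lambda t: True, "mail": lambda t: t.action != "move"}
    for t in run_workflow(build_workflow(janice), connectors, {"manager-sddom": True}):
        print(f"{t.name:28} {t.status:10} {t.escalated_to or ''}")
```

The design choice worth noting is in the failure rule: a failed mailbox move halts the dependent group update and escalates to a human, but the revocation of the old account still runs, so an operational failure never leaves the employee with access at both sites.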

IT automation

Provisioning products must automate many common IT tasks. Examples of automated tasks include the following:

  • Create network operating system accounts.
  • Disable e-mail accounts.
  • Change entitlements of smart cards.
  • Configure private branch exchanges.

The provisioning product communicates with IT and security systems using software called a connector. A different connector is typically built for each system that you need to control.

What to look for: Not all connectors are created equal. Some create and disable accounts, while others also perform sophisticated manipulations of account entitlements. Look for the product that best fulfills your business needs and allows you to accommodate future needs.

Make sure the vendor offers a connector generator that you can use to create connectors to your proprietary and homegrown systems without having to hire programmers.

Password management

A typical user has access to many systems, each of which has a separate password that has to be periodically updated. To remember passwords, people either use trivial passwords, or they write them down and leave them in easy-to-find places, such as a sticky note pasted to a desk drawer. Either approach leads to big security holes, and unauthorized people can get easy access to restricted resources.

What to look for: Simple provisioning products provide basic password reset capabilities, which let users reset their passwords to different systems from a Web interface. More robust products provide both password reset and password synchronization, which automatically changes many system passwords when a designated system password is changed. Look for good synchronization functionality, since it vastly simplifies the user experience.

Reporting and auditing in a world of compliance

With increasing interest in information security and identity management, there is a corresponding increase in the need to accurately track and report on who has access to IT resources. New governmental regulations associated with information security are driving many provisioning projects today. Examples of government regulations and the markets they affect include the following:

  • Health care and insurance: HIPAA
  • Finance: The USA Patriot Act and the Gramm-Leach-Bliley Act
  • Pharmaceuticals: 21 CFR Part 11, on electronic records and signatures
  • Education: The USA Patriot Act and the Student and Exchange Visitor Program
  • Energy: Rules set by the Federal Energy Regulatory Commission and the Nuclear Energy Regulatory Commission

To comply with these regulations, you need to provide accurate IT reports on who has access to what and when they had that access.

What to look for: Most products provide some level of resource allocation information. Look for products that also provide the business reason for why access was given in the first place and who approved that access.
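The audit requirement stated above ("who has access to what and when", plus the business reason and the approver) is essentially a question of keeping entitlement history rather than current state. The following is an added example, not code from the column or any product: an SQLite entitlement ledger with two report queries, one for point-in-time access and one that surfaces the gap from the opening anecdote, accounts still live after the person has left. The employees, systems, dates and approver names are constructed sample data.

```python
"""Added example (not from the column or any product): an entitlement ledger
that records when access was granted and revoked, why, and who approved it,
with the two reports an auditor asks for first. All data below is constructed."""
import sqlite3
from typing import List, Tuple

SCHEMA = """
CREATE TABLE employees (
    id      INTEGER PRIMARY KEY,
    name    TEXT NOT NULL,
    left_on TEXT                      -- ISO date; NULL while still employed
);
CREATE TABLE entitlements (
    employee_id INTEGER NOT NULL REFERENCES employees(id),
    system      TEXT NOT NULL,        -- e.g. 'badge', 'email', 'crm'
    granted_on  TEXT NOT NULL,        -- ISO date
    revoked_on  TEXT,                 -- ISO date; NULL while access is live
    reason      TEXT NOT NULL,        -- business justification for the grant
    approved_by TEXT NOT NULL         -- who authorized the grant
);
"""

# Constructed sample: Alice left on 2003-03-31; her CRM access was revoked that
# day, but her badge and e-mail were never turned off.
SAMPLE_EMPLOYEES = [(1, "Alice Adviser", "2003-03-31"), (2, "Bob Banker", None)]
SAMPLE_ENTITLEMENTS = [
    (1, "badge", "2001-06-01", None,         "adviser, NY office", "ops-mgr"),
    (1, "email", "2001-06-01", None,         "adviser",            "it-mgr"),
    (1, "crm",   "2001-06-01", "2003-03-31", "client files",       "sales-director"),
    (2, "email", "2002-01-15", None,         "banker",             "it-mgr"),
    (2, "crm",   "2002-02-01", None,         "client files",       "sales-director"),
]


def open_db() -> sqlite3.Connection:
    """In-memory ledger loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO employees VALUES (?,?,?)", SAMPLE_EMPLOYEES)
    conn.executemany("INSERT INTO entitlements VALUES (?,?,?,?,?,?)", SAMPLE_ENTITLEMENTS)
    return conn


def access_report(conn: sqlite3.Connection, system: str, as_of: str) -> List[Tuple[str, str, str]]:
    """Who had access to `system` on ISO date `as_of`, with reason and approver.
    ISO dates compare correctly as strings, so no date parsing is needed."""
    return conn.execute(
        """
        SELECT e.name, t.reason, t.approved_by
        FROM entitlements t JOIN employees e ON e.id = t.employee_id
        WHERE t.system = ?
          AND t.granted_on <= ?
          AND (t.revoked_on IS NULL OR t.revoked_on > ?)
        ORDER BY e.name
        """, (system, as_of, as_of)).fetchall()


def stale_access(conn: sqlite3.Connection, as_of: str) -> List[Tuple[str, str, str, str]]:
    """Entitlements still live on `as_of` for people who had already left:
    the deprovisioning gap an auditor (and the opening anecdote) cares about."""
    return conn.execute(
        """
        SELECT e.name, t.system, e.left_on, t.approved_by
        FROM entitlements t JOIN employees e ON e.id = t.employee_id
        WHERE e.left_on IS NOT NULL AND e.left_on <= ?
          AND (t.revoked_on IS NULL OR t.revoked_on > ?)
        ORDER BY e.name, t.system
        """, (as_of, as_of)).fetchall()


if __name__ == "__main__":
    db = open_db()
    print("CRM access on 2003-04-15:", access_report(db, "crm", "2003-04-15"))
    print("Stale access on 2003-04-15:", stale_access(db, "2003-04-15"))
```

Run as a script it prints the two reports for 15 April 2003: only Bob still holds CRM access, while Alice's badge and e-mail show up as stale. The point of recording `revoked_on` instead of deleting rows is that the first query can answer historical questions, which is what the regulations listed above require.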

Summary: what to look for, why it is important, and examples

Business process integration
  What to look for:
    • Product that enables business managers to drive personnel changes
    • Automatically capture personnel changes entered via business systems (e.g., HR)
    • Bulk-loading capabilities
  Why is this important?
    • Mistakes can be made in interpreting what people need to do in their jobs, leading to security holes and productivity losses.
    • By making provisioning a part of the business process, people get the right resources on time and in a secure fashion.
    • Most efficient way of handling massive changes.
  Examples:
    • HR manager hires new employee
    • Project manager creates a task force
    • Engineer adds new people to partner's extranet project
    • New employee is entered into PeopleSoft, which automatically triggers the provisioning process

Workflow
  What to look for:
    • Dynamic workflow
  Why is this important?
    • High rate of organizational change makes preconfigured workflow impractical.
    • Many tasks can't be scheduled when the business change begins.
  Examples:
    • The type of account needed requires manager input
    • Resources needed may change between the initial request and implementation

IT automation
  What to look for:
    • Connectors/adapters for many systems
    • Bidirectional connectors
    • Ability to create new connectors without programming
    • Connectors that use XML technology
  Why is this important?
    • Off-the-shelf connectors save time and money.
    • Changes made outside the provisioning system have to be tracked and reversed, if necessary.
    • Most organizations have a large number of proprietary/homegrown systems for which no vendor will have connectors.
    • Over time, connectors will be commoditized through XML/SPML standards.
  Examples:
    • Windows 2000, Lotus Notes, RACF, VPNs, PBXs and many others
    • A Windows administrator makes a change to a user account from the Windows admin tool
    • Business applications based on Oracle or MS SQL

Reporting and auditing
  What to look for:
    • Product that ships with many "out-of-the-box" reports
    • Reports based on a popular reporting tool
    • Reports can be viewed on the Web
  Why is this important?
    • Off-the-shelf reports are a good starting point for organizational reports.
    • Save time and money creating/maintaining reports.
    • Reports can be viewed anywhere.
  Examples:
    • IT audits, "who has access to what" reports, provisioning performance reports, etc.
    • Crystal Reports, MS-Access, Oracle

Password management
  What to look for:
    • Password synchronization
    • Password reset
  Why is this important?
    • Good synchronization handles many password issues without user intervention.
    • Reset increases productivity and user satisfaction.
  Examples:
    • Changing Windows passwords every 30 days automatically refreshes all other passwords
    • Reset passwords anytime, anywhere

Directory-based infrastructure
  What to look for:
    • Product uses any v3-compliant LDAP directory as primary user store
  Why is this important?
    • User profiles need to be shared with many other resources and services.
  Examples:
    • MS Active Directory, Novell eDirectory, IBM SecureWay, Sun Directory Server, Oracle

User interface
  What to look for:
    • Self-service capabilities
    • Web-based products
  Why is this important?
    • Fast payback while increasing productivity and user satisfaction.
    • Product is available everywhere; no need to support clients.
  Examples:
    • Self-register for e-mail group access

Design and maintenance tools
  What to look for:
    • Robust tools for configuring and maintaining the system (with little or no programming necessary)
  Why is this important?
    • It is cost-prohibitive to hire programmers to maintain the system.
    • Organizations change often; businesses need to be able to make configuration changes themselves.

 
Copyright © 2003 IDG Communications, Inc.