Know Thy Users

With the right identity management system, you can save money, make users happy and improve your IT security. Woe to those who ignore it.

You've got thousands of employees tapping into a dozen internal enterprise applications apiece, a growing base of external business partners and a slew of customers visiting your new portal. You need to give this fluid population the right channel for reaching their authorized resources. You need an identity management system.

An identity management system will help stem a flood of user-access complaints and serve as an essential bulwark of your security architecture. If you don't have one, build one. But build it right the first time by addressing your most pressing needs now, with an eye toward adding features in the future. There are proven ways to do this, so don't be the poor soul who doesn't get it right the first time.

"I was talking to a client the other day who was developing a very customized proprietary [identity management] solution that didn't leverage standards," says Roberta Witty, an analyst at Gartner Inc. "The application was very questionable from an infrastructure perspective. You have to ask, Who's liable in that case?"

Most identity management projects can be broken down into these areas: Planning, adopting standards, determining when to centralize password administration and when to delegate it, and leveraging early successes to cost-justify future initiatives. Here are some tips for implementing an identity management project.

  • Plan a quick-hit list. Start by determining what portions of identity management will make the most positive impact on your business today. For example, when the state of North Carolina began looking at its identity management needs in January 2000, the state's Office of Information Technical Services (ITS) determined that the most important thing to address first was password resets, which chewed up 40% of help desk costs, according to Ann Garrett, chief information security officer for the state.

    "We have 75,000 users using different systems who were forgetting their passwords, and I couldn't afford to be in business any longer," says Garrett.

    ITS wanted a tool that would give users the ability to reset their own passwords with a challenge-response system; it chose Oblix Inc.'s NetPoint.

    "The system has a Resume feature, so when a user forgets their password, all they have to do is answer a secret question, which takes the overhead off the administrator," explains Brent Roberts, the state's identity administrator. Now, he adds, password reset requests have dropped to nearly zero.

  • Plan for the long haul. But it wasn't just the immediate password reset needs that North Carolina looked at, continues Roberts. ITS also took into account the state's long-term access initiatives, starting with a Web-based portal that state employees can use to access their human resources and other interoffice data, which was recently deployed online.

    "We needed an infrastructure that could support the coming onboard of agencies in phases," Roberts explains. "So we put workflow and policy into the system that allows employees to change some of the noncritical fields, such as an office phone number. But other fields, like what data resources an employee has access to, are handled by their managers."

    The next initiative is to open certain data first to state-based businesses and later to citizens. For that, the infrastructure must also support a variety of endpoint access controls such as tokens, smart cards and biometrics, which may be coming in 2005, Roberts says.

  • Think standards. The only way to facilitate North Carolina's short- and long-term plans was to build an identity infrastructure based on standards, which is another reason the state decided on Cupertino, Calif.-based Oblix, says Roberts.

    For starters, Oblix works with the state's current directory standard, Lightweight Directory Access Protocol (LDAP). But it also supports current and up-and-coming Web-based standards, including an XML-based authentication and authorization standard called Security Assertion Markup Language (SAML) and an emerging provisioning standard called Service Provisioning Markup Language (SPML) -- both of which come out of the Organization for the Advancement of Structured Information Standards (OASIS) in Billerica, Mass.

    With standards-based infrastructures, you can plug in new rules and roles, and you can add cross-vendor identity management applications as they develop, says Gary Loveland, a partner in the security and privacy practice at PricewaterhouseCoopers in New York. In addition, a standards-based infrastructure makes it easier to grant access to outside business partners without making them use the same products you use, adds Witty.

  • Know when to centralize administration. Many organizations instead prefer to centralize administration of user accounts, says Loveland. This choice is usually made when a company determines that its most important identity management problem is inconsistent user data and rogue internal user accounts, particularly when workflow policy is already centralized around the company's human resources system.

    This element of identity management is called user provisioning. For example, ProBusiness Services Inc., a human resources outsourcing services and technology vendor in Pleasanton, Calif., determined that its most immediate ID management problem was cleaning up inaccurate user account information for its 1,500 distributed employees, whose metadata (telephone numbers, titles, spellings and the like) was often different from what was stored in the company's Siebel Systems Inc. human resources system.

    Human resources wanted to maintain control of adding new users and provisioning their resources, along with deleting users and deprovisioning their resources upon termination or transfer. In addition, human resources requested a system that could help enforce hiring, staffing and salary guidelines and alert the human resources managers when such policies are violated, says Phil Blank, vice president of IT at ProBusiness.

    For this, Blank's team settled on Austin-based Waveset Technologies Inc.'s Lighthouse Enterprise Edition because it has built-in connectors to Siebel and because it could provision anything -- access to data resources, telephones, office space, even parking spaces. More importantly, it keeps user data consistent from application to application. And it automatically deprovisions access to data resources when someone leaves or transfers, ending the dangerous problem of orphaned accounts whose still-valid passwords an intruder can use to get into systems.

    "The payback," Blank says, "is the human resources folks say they're seeing tremendous efficiencies in terms of accuracy of user information. And they don't have to spend so much time doing clerical work."

  • Work in phases, and justify each through ROI. Baking in money-saving and efficiency features like the human resources policy enforcement tools that ProBusiness added will go a long way toward helping IT departments justify subsequent phases of development, says Wendy Steinle, director of marketing for Novell Inc.'s Nsure identity management products.

    And identity management is a lot easier to bite off in phases, say IT managers. Start with steps that can show a return on investment or cost savings, such as North Carolina's reduced help desk costs, which Garrett believes will pay for the state's identity management system in two years. She uses these numbers to cost-justify future projects, such as the addition of more robust access controls.
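The two mechanisms described above, delegated administration (employees edit their own noncritical fields, managers control entitlements, as in North Carolina's workflow) and HR-driven provisioning and deprovisioning (the ProBusiness case), can be sketched in a few lines. The following is an added example written for this article; it is not code from ITS, ProBusiness, Oblix or Waveset. It assumes a hypothetical HR feed as the source of truth and a hypothetical application that can report its accounts; the field names, user IDs and sample records are constructed for illustration.

```python
"""Identity-lifecycle sketch: delegated attribute changes plus HR-driven
reconciliation. Added example; HR feed, account format and sample data are
constructed assumptions, not any vendor's data model."""
from dataclasses import dataclass

SELF_SERVICE_FIELDS = {"phone", "title"}   # noncritical profile data
ENTITLEMENT_FIELDS = {"groups"}            # what an employee may access


@dataclass(frozen=True)
class Person:              # one row of the HR feed (source of truth)
    uid: str
    status: str            # "active" or "terminated"
    manager: str
    phone: str = ""
    groups: frozenset = frozenset()


@dataclass
class Account:             # one account as the application reports it
    uid: str
    enabled: bool
    phone: str = ""
    groups: frozenset = frozenset()


def allowed_fields(actor: str, target: str, fields: set, hr: dict) -> set:
    """Delegated administration: an employee may edit their own noncritical
    fields; only the target's manager may edit entitlement fields. Nobody
    may edit a record HR does not list as active."""
    target_rec = hr.get(target)
    if target_rec is None or target_rec.status != "active":
        return set()
    ok = set()
    for f in fields:
        if f in SELF_SERVICE_FIELDS and actor == target:
            ok.add(f)
        elif f in ENTITLEMENT_FIELDS and actor == target_rec.manager:
            ok.add(f)
    return ok


def reconcile(hr: dict, accounts: dict) -> list:
    """Compare the HR feed with an application's accounts and emit the
    provisioning actions that make the application match HR. Returns
    (kind, uid, detail) tuples sorted by uid."""
    actions = []
    for uid in sorted(set(hr) | set(accounts)):
        person, acct = hr.get(uid), accounts.get(uid)
        if person is None:
            # Account with no HR record at all: an orphan nobody owns.
            if acct.enabled:
                actions.append(("disable", uid, "no HR record"))
        elif person.status != "active":
            # Terminated or transferred in HR but still able to log in.
            if acct is not None and acct.enabled:
                actions.append(("disable", uid, "terminated in HR"))
        elif acct is None:
            actions.append(("create", uid,
                            {"phone": person.phone, "groups": person.groups}))
        else:
            # Attribute drift: push HR's values back into the application.
            drift = {}
            if not acct.enabled:
                drift["enabled"] = True
            if acct.phone != person.phone:
                drift["phone"] = person.phone
            if acct.groups != person.groups:
                drift["groups"] = person.groups
            if drift:
                actions.append(("update", uid, drift))
    return actions


# Constructed sample data: three HR rows and three application accounts.
HR_FEED = {
    "alice": Person("alice", "active", manager="mgr1", phone="555-0100",
                    groups=frozenset({"payroll"})),
    "bob":   Person("bob", "terminated", manager="mgr1"),
    "carol": Person("carol", "active", manager="mgr2", phone="555-0102",
                    groups=frozenset({"hr"})),
}
APP_ACCOUNTS = {
    "bob":   Account("bob", enabled=True, groups=frozenset({"payroll"})),
    "carol": Account("carol", enabled=True, phone="555-0199",
                     groups=frozenset({"hr"})),
    "dave":  Account("dave", enabled=True),      # nobody in HR owns this
}

if __name__ == "__main__":
    for action in reconcile(HR_FEED, APP_ACCOUNTS):
        print(action)
    print(allowed_fields("carol", "carol", {"phone", "groups"}, HR_FEED))
    print(allowed_fields("mgr2", "carol", {"phone", "groups"}, HR_FEED))
```

Run against the sample data, `reconcile` creates alice (in HR, not in the application), disables bob (terminated in HR but still enabled) and dave (an account with no HR record, the kind of rogue account the ProBusiness case was about), and corrects carol's phone number; `allowed_fields` lets carol change her own phone but not her groups, and lets only her manager change the groups. In practice the "disable" actions would be executed through each application's connector and the orphan cases reviewed rather than silently cleaned up, since an account with no HR owner may also be a service account that the feed simply does not cover.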

"Identity management done the right way can save a lot of money," adds Steinle. "That takes planning, evaluating your solution options, building a road map and creating measures of success."

Radcliff is a freelance writer in Northern California. She can be reached at

Special Report

Tips From Security Experts

Copyright © 2003 IDG Communications, Inc.
