
IAM / IDM Suites & Tools - Implementation is Not the Issue

July 27th, 2007 by Corbin H. Links

Hello Everyone:

This post discusses an issue that most vendors would just as soon forget — how do Identity Access Management suites and tool sets become relevant when organizations do not have enough repeatable or documented process to make the tools useful?

Does this sound familiar?

  1. Organization defines strategic goals around Identity Access Management / Compliance / Reporting, Role Engineering, etc.
  2. Organization determines that it needs a tool or suite of tools to solve all of its problems
  3. Organization contacts vendors and conducts an evaluation process
  4. Organization determines that a particular vendor can solve some, most, or all of its problems
  5. Organization purchases costly tools and infrastructure to support the tools
  6. Organization implements the tools, typically with a large contingent of vendor staff
  7. Organization tries to determine how to make the tools useful, because of a lack of process (e.g. it’s easier to buy a tool than to fix a process)
  8. Organization creates test cases to fit the tool, rather than modeling the real-world business
  9. Frustration builds when vendors are not able to live up to either realistic or perceived expectations
  10. The IAM Program is jeopardized, or fails outright

The preceding steps are of course shortened and intensified to make a point. The point is that vendors are out to sell tools. Some are interested only in selling tools, some are more service and consulting oriented, and others have a foot in both camps. Unfortunately, all tools start from a fundamental premise — that what an organization wants to do is either understood well enough to be placed into the context of a toolset, or that the organization will get there eventually with the help of the tool. This assumption is rife, especially in the realm of provisioning and compliance automation.

Enter reality

Many organizations are not as organized as they should be, or want to be. It is not necessarily the fault of the organization. Businesses expand and contract, companies are acquired or spun off, key people leave for other opportunities, and stakeholders get so busy with meetings and the daily running of the business that processes are not documented. Processes live in people’s heads, on scraps of paper, in emails, faxes, digital images, websites, etc. In other words — real life happens. We all get busy and yearn for more control over our productivity. We strive, struggle, learn, and apply what we can — all the while coping with real-world business requirements, client demands, and ever-changing market factors. It is how we do the latter that really defines us as business entities, not how regulators would have us be.

Enter standards and regulations to combat human and business reality

In the “old days,” organizations and individuals that were so inclined could strive for ISO or Six Sigma certifications. Organizations that wanted process control had choices at their disposal. As a co-worker explained to me many years ago, “ISO is simple. Doc what you do, and do what you Doc.” Yeah... real simple for diverse, busy, real-world business executives. In the “new days,” regulators have determined that organizations need standards, even if they have to be fined and continually audited to get there. So organizations that were not, shall we say, “ISO inclined” now had a new, unwelcome option: “comply or get slapped.” Like a penitent dieter, companies spend millions or billions on tools to become “compliant” and achieve “separation of duties” and “accountability.” Not that I’m knocking these things at all - organizations of all kinds should always strive (just as individuals should) for continual self-improvement, or “Total Quality Management.”

Enter the magical tool to make it all happen….

Wouldn’t it be nice if there were a tool - a point-and-click tool - that we could install in our business environment to take care of this onerous mess for us? Too many identities? No problem - just click a button. Need to run access reports on all of your financial databases? Click another button. Provision and de-provision? Just two more buttons. I will grant that IAM-related tools have come a very long way since the mid-1990s, but they are far from living up to most claims made about them. Tools still run on computer systems, and computer systems are binary systems that take input, perform actions, and generate output. If what is input is not that good... well...

There is an old adage which bears repeating: if it seems too good to be true, it probably is. Tools are great - with the right people, processes, and policies behind them, tools can truly achieve high levels of automation and even realize a comfortable Return on Investment (ROI). In fact, the right tools, documented the right way and in the hands of the right people, can make or break a business. But there is a lot of human and real work needed before the tools come along. Start with your people first — worry about the tools after the processes and policies are defined.

Decide to take the hard road early

Don’t start with the tool. Don’t start with even thinking about vendors. Don’t think “gee, now that we have fully committed to Identity and Access Management we will just outsource the whole thing, and a third party will take care of our business process for us.” Instead, make the commitment to work through processes. Don’t worry yet about higher-level tasks such as “role engineering” and “compliance baselining.” If you start there, chances are it will not be worth the paper it’s printed on by the next fiscal quarter. Instead, collect processes. Start with “business snippets” and work up from there.

How do I start?

  • Start small. At Links Business Group, we have a term called “business snippets.” These are the little bits of process that we all have a piece of, and which collectively comprise an end-to-end process.
  • Focus on the process and snippet collection first. Like a brainstorming session, your process collection team (yes — you will have to dedicate some valuable resources to the task, but trust us — it’s worth it) collects all “process bits,” tags each with descriptive metadata (we like Wikis and related tools for this process, but it can be anything, as long as it is easily searchable and retrievable), and posts the information in the “BPR,” or Business Process Repository.
  • Add diagrams and charts as needed, or as available (basic PowerPoint or block diagrams with simple arrows can really help people visualize process in a business-relevant way with relatively little effort).
  • Add in-house application descriptions. Though process collection, collation, and validation are time-intensive, the job need not be as bad as it seems. Think of your in-house applications as capsules of process. Your applications already have to have a good foundation of process, because they are algorithmic.
  • Cross-reference the snippets with their parent processes, and map relationships with other processes.
  • Maintain focus on what is core to your business. This is an important point - never focus your collection efforts on what your auditors or others in your industry want you to do. The process effort is focused specifically on what makes sense for your organization. Only after your data is collected, and processes are documented and shared in a way that makes sense to anyone and everyone in your organization, should you go back and overlay your processes with regulatory, audit, or industry-specific process requirements.
  • Ensure that all processes are fully collected, defined, cataloged, indexed, searchable, and repeatable.
  • And now you can truly understand where your organization is and where it wants to go relative to business goals, and you are ready to consider tools to help your organization achieve the next level.
  • At the end you may then ask (or the CFO may ask): Was it all worth it? I leave that to the reader to decide. To throw in another grandpa-ism: a job worth doing is a job worth doing right. If you take the time and do the job right, your ROI and growth potential can grow manyfold. If not, well, your organization may end up hopping from vendor to vendor, and from tool to tool. Remember that most organizations that attempt Identity Access Management Programs have tried and failed at least one or two times, leaving many valuable business dollars wasted on tools and technology, rather than business growth and improvement.

Need help sorting things out? Looking for a second opinion? Links Business Group LLC can help. Call us today at +1 877 769 8938 or send email to request a complimentary initial consultation. Thanks for reading our blog, and we look forward to working with you in the future.

Until next time, all the best, of Identity Management Success.

Corbin H. Links, President
Links Business Group LLC


©2003-2007 Links Business Group LLC. All Rights Reserved.

Posted in Identity and Access Management

Five Reasons Not To Invest in Internet / Web-based Identity Management?

July 13th, 2007 by Administrator

This post deals with a real issue in the Identity and Access Management (IAM) space: it describes the concept of Identity Management and whether investing in it is effective. The main question under discussion is whether it is worth investing in Identity Management or not. To find out, let’s scrutinize the notion of IdM, the present-day weaknesses of Internet Identity, and the benefits and perspectives of IdM.


The Notion of Identity Management

Digital Identity Management (or simply put, Identity Management - IdM) is focused on maintaining the asserted characteristics of a user, which are created, used, and eventually deleted in an Identity system. Primarily Identity Management is used for two main purposes, which are inventory and access control. For example, shipping companies store their Identity records about packages to allow their clients to track packages en route to their final destinations. Access control is crucial for permitting only a certain group of individuals to enter a building, allowing access to various digital resources to only a number of specified users, etc.

A couple of broad issues exist nowadays in connection with Identity on the Web. They are safety, which includes privacy and security, and convenience. Consider the following problems that exist in present Internet Identity Systems:

  1. Unreliable Subject Identification

Originally, the World Wide Web was designed without any reliable means of knowing exactly who or what you are connecting to. This weakness has been extensively exploited by hackers in a plethora of ways.

IP spoofing may occur when a hacker is able to send data to a remote machine as if it came from another, trusted machine. The attacker does this by modifying the data in a TCP/IP transmission and the source IP address in the IP header to make it appear that the packet is coming from another source, so that the recipient does not suspect that the packet was sent from a malicious source.

E-mail forgery occurs when an e-mail is sent to a recipient and appears to have come from an e-mail address which the sender was not authorized to use. Because the SMTP protocol does not require any verification of the source e-mail address, forging the sender of an e-mail is quite easy. It’s the same as changing the return address on a postal mailing. Moreover, without a reliable way of determining who an incoming e-mail is from, there is no effective way to block unwanted spam e-mail.

Phishing is a technique that is used to illegally get sensitive information, like bank account information and credit card numbers, by assuming the Identity of a trusted party. During a common phishing attack, a user receives what appears to be official correspondence from his or her bank, PayPal, or another trusted online service. The user is then usually directed to a Web site that may seem identical to that of the trusted online service, and asked to submit his or her sensitive data.

Sensitive information can be easily leaked to hackers, who are responsible for the fraudulent transactions conducted online, as it is impossible to identify remote parties with the required level of certainty.

  2. Inconsistent User Experience

The simplest registration system requires that the user select a username and password. Very often users are directed through a multi-stage process in which a special message is sent to the user’s mailbox and the user must verify the e-mail address. Online services often use devices called CAPTCHAs (“completely automated public Turing test to tell computers and humans apart”) in order to prevent non-humans from creating accounts. However, the tasks required of users in CAPTCHAs can be inconvenient and difficult to figure out. Moreover, the extent to which an Internet user can manage his or her account with an online service varies a lot. Some online services provide quite easy ways for the user to regain access to an account when the password has been forgotten; however, many online services provide no easily accessible ways to reset account passwords or even delete accounts altogether.

  3. Account Management

Presently, an Internet user must often create a separate account at each of the online services he or she wishes to use. Each account typically requires that a password be set in order to prevent unauthorized access to the user’s account. Maintaining separate accounts creates some problems.

Users do not usually create strong passwords. Published research and our own experience showed that users typically choose insecure passwords that are often based on words (known as “dictionary passwords”) that are quite easy to guess. They are not eager to change their passwords, and regularly use the same password across different accounts. The practices mentioned above leave the users’ accounts vulnerable to unauthorized access.

Internet users can’t easily keep track of their accounts. For any user, it’s quite difficult to see which accounts have been created with which online services. A user who has forgotten about an account created years prior at service xyz may create another one.

  4. Security Weaknesses

Online Identity Management systems have some weaknesses inherent in all systems. Any data that machines contain can be compromised as a result of viruses, trojan horses, spyware, etc. Hackers are able to set up monitoring systems in order to log users’ keystrokes. Operating system security holes can leave computers open to hacker attacks.

  5. Propagation of Sensitive Information

The task of Identity Management is often framed as limiting the amount of sensitive information that is distributed over the Internet. A user has little control over his or her personal information once it is in the hands of an online service. Information sharing is not minimized. Online services usually ask users to provide information that is completely irrelevant to their direct needs. Moreover, some online services, such as banking services, typically use social security numbers, which were originally issued by the government in order to enable social security account holders to access their personal accounts. Extraneous information is often supplied to online services in cases in which only basic information is needed. For instance, if an online service must verify your age, it does not need to see your birthday.

Sensitive information is shared without users’ consent. In many cases, online services provide no reasons why personal information is being collected from Internet users. In addition, with the online service’s data handling practices hidden from users, sensitive data can be sold for a profit without users’ knowledge.

Account de-provisioning doesn’t occur in a timely manner. An employee who has changed jobs may be surprised to find out that he or she still has access to the previous company’s sensitive information if that access was not disabled in time.
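The de-provisioning gap above is something an organization can measure rather than discover by accident. The following is an added example (not code from the original post or from Links Business Group) that reconciles a constructed HR feed against a constructed account inventory and flags enabled accounts whose owner has left, or that have no owner at all; all names, dates and the one-day de-provisioning deadline are assumptions.

```python
"""Detect enabled accounts that should have been de-provisioned.
Added example (not from the original post): reconciles a constructed HR feed
against a constructed account list; names, dates and the 1-day SLA are assumed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed policy: access must be disabled within this many days of leaving.
DEPROVISION_SLA = timedelta(days=1)

@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    termination_date: Optional[date]  # None means still employed

@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]  # None means no HR owner (orphan)
    enabled: bool

def find_stale_access(hr: Dict[str, HrRecord], accounts: List[Account],
                      today: date) -> List[Tuple[str, str, int]]:
    """Return (username, reason, days past the SLA deadline) for each enabled
    account that has no HR owner or whose owner's termination is past due."""
    findings: List[Tuple[str, str, int]] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already de-provisioned, nothing to flag
        owner = hr.get(acct.employee_id) if acct.employee_id else None
        if owner is None:
            findings.append((acct.username, "orphan", 0))
            continue
        if owner.termination_date is None:
            continue  # active employee, access is legitimate
        deadline = owner.termination_date + DEPROVISION_SLA
        if today > deadline:
            findings.append((acct.username, "stale_after_termination",
                             (today - deadline).days))
    # Longest-overdue first, so the worst exposures are reviewed first.
    return sorted(findings, key=lambda f: (-f[2], f[0]))

# Constructed sample data (not real people or systems).
HR_FEED = {
    "E100": HrRecord("E100", None),
    "E101": HrRecord("E101", date(2007, 7, 1)),
    "E102": HrRecord("E102", date(2007, 7, 12)),
}
ACCOUNTS = [
    Account("alice", "E100", True),     # active employee
    Account("bob", "E101", True),       # left July 1, never disabled
    Account("carol", "E102", True),     # left yesterday, still within SLA
    Account("svc_legacy", None, True),  # no HR owner at all
    Account("dave", "E101", False),     # correctly disabled
]

if __name__ == "__main__":
    for name, reason, overdue in find_stale_access(HR_FEED, ACCOUNTS, date(2007, 7, 13)):
        print(f"{name}: {reason} ({overdue} days overdue)")
```

Run against the sample data on 2007-07-13 it reports bob as eleven days past the deadline and svc_legacy as an orphan, while carol is still inside the one-day window.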

On the one hand, you might think that these 5 weaknesses of IdM can stop you from dealing with it and investing in it. On the other hand, just try to think what you would do if you did not have an IdM environment implemented at your company. It is true that a good Identity Management scheme can solve all the problems mentioned above using the latest techniques and expertise, or by applying password synchronization or single sign-on.

Identity Management Major Perspectives

  1. The pure Identity paradigm: creation, management, and deletion of identities with no regard to access or entitlements.
  2. The user access (log-on) paradigm: a smart card and the data it contains that a customer uses to log on to one or more services.
  3. The service paradigm: a system delivering personalized, online, on-demand, multimedia, presence-based service to users and their devices.

A great number of potential solutions have been proposed in the past decade to provide decentralized Identity Management on the Internet. These solutions will hopefully remedy the problems of the present, third-party-controlled Identity Management landscape. Possible solutions are more robust federated ID systems operating according to versions of the open WS-* architecture, and simpler URL-based Identity Management systems that can become most useful for basic authentication purposes. With the increasing support for WS-* among leading software companies, it is very likely that if any Digital Identity framework is successfully introduced on the Internet, it will become this one.

InfoCard, allowing Internet users to manage Identity claims centrally, is at the forefront of the new Digital Identity revolution. Theoretically, the InfoCard system based on WS-* should solve many of the Internet’s existing Identity Management issues, and will be able to provide a means for online services to establish business relationships that are based on trust and which will enable federated Identity. The success of any new Identity Management solution will be decided by how willing Internet users and organizations are to invest in the new technology.

Considered in the long term, Web and Internet-centric (not to be confused with classic enterprise IAM solutions, which are discussed in our other materials) Identity Management solutions have many strategic benefits. They standardize user administration and make a significant contribution to improving the data quality of user and authorization data through automation and data synchronization. Cross-platform reporting capabilities supply information that would otherwise not be available or could only be accessed with great difficulty.

Overall, if you ask me if it is worth investing in IdM, I would definitely say “yes”. Long-term implementation of IdM will smooth its possible drawbacks, and IdM will definitely be to your advantage.

Looking for more information on Identity Management systems and their advantages? Contact us today to schedule a consultation.

Until next time, all the best, of Identity Management Success
-Olga



Posted in Identity and Access Management

Welcoming Olga Makhnach to the Links Business Group Blogosphere

July 13th, 2007 by Administrator

Hello Readers!

In our continual quest to bring you the most useful and business-relevant Identity Access Management information available on the Web, we are pleased to be joined by Olga Makhnach. She will be working with me and other members of our Identity Team to bring you fresh content to meet your information and Program needs. As always, please call us at +1 877 769 8938, or send email with comments, questions, or content suggestions.

Until next time, all the best, of Identity Management Success.

Corbin H. Links, President
Links Business Group LLC


Posted in Announcements