Identity and Access Management Best Practices

Security and speed are desirable yet often incompatible goals. Driving 55 MPH lowers highway fatalities, but raises blood pressure. Airport checks keep passengers safe, but at a cost of billions of hours spent waiting in line. As a CIO, you must continually balance the needs of security against giving users rapid access to applications and data. Identity management and access control systems (IdM) can go a long way toward reconciling those needs. However, it is not as simple as just deploying a new application.

“Especially when considering best-of-breed products, people tend to look at the technology first and then have to do a lot of backtracking,” said Bill Nagel, an analyst for Forrester Research in Amsterdam. “This is very much a process problem, where there is a whole raft of policies and processes you want to develop before selection.”

Picking Apart the Pieces

Successful implementation of IdM begins with defining the scope of what you are hoping to achieve. A full-fledged approach to IdM, after all, consists of an array of tools and processes that are deployed across a wide variety of hardware, applications and services relating to different user groups. This is highlighted by the way Forrester compares vendors in this space based on 14 different technologies in use:

  • Directories (LDAP)
  • Enterprise single sign-on
  • Entitlement management
  • Federation
  • Identity audit
  • Meta-directories
  • Multi-factor authentication
  • Password management
  • Privileged user and password management
  • Provisioning
  • Role management
  • User-centric identity
  • Virtual directories
  • Web single sign-on

“You can’t implement an entire IdM infrastructure all at once,” agreed Gerry Gebel, VP and service director of Burton Group’s Identity and Privacy Strategies service. “With an overall strategy, you can then select phases of projects or incremental functionality that you want to implement and have it fit into the overall goal and objective.”

Before formulating a strategy, it is vital to find out what you already have in place. Every company is already using some sort of IdM, even if it is just Active Directory. This means examining the policies, procedures, work flows, hardware and data sources, in addition to software. This survey must include looking at departments other than IT, since physical security, HR, finance, sales and other parts of the company may have their own systems in place that cover part of the field. For example, HR will already have some way of verifying employee identities, and physical security may be issuing access cards that can double as a smart card for logging into IT systems. In addition, the sales and finance departments may have their own modes of granting access to vendors and customers.

Another key step in the strategic planning of IdM is to gain agreement on the policies and procedures that balance the needs for security and ease of use. Only then can you get around to selecting the set of technologies that will best meet those needs. “A lot of people are coming to realize that ID management is first and foremost not a technology problem,” said Paul Donfried, VP of Identity and Access Management for Science Applications International Corporation (SAIC). “It is an issue that permeates organizations.”

Suite or Best of Breed

Once you have defined the scope and direction you want to move in, it’s time to evaluate the products that will achieve the desired end state. As usual there are two camps: suites and best of breed. Whichever route you take, Donfried recommends a focus on flexibility, especially since this is likely to be a multi-year project.

“More than anything, you want to avoid lock-in to any single vendor or any type of proprietary solution,” he said. “Whatever we view as the right standard and the right solution today, by the time we have it installed, configured and operational, it is outdated.”

Suites (at least theoretically) offer smoother integration than best-of-breed. But integrated means different things to different vendors. And since the IdM vendor space is rapidly consolidating, today’s suites may be composed of software recently acquired from competitors. “Sometimes these products have been integrated seamlessly, but with others it is an ongoing process,” said Nagel.

Analysts rate the top five suites as Oracle Identity Management, Novell Identity Manager, CA Identity Lifecycle Management, Sun Identity Management and IBM Tivoli Identity Management. With Oracle’s planned acquisition of Sun, there is uncertainty surrounding Sun’s IdM line. Nagel said there is significant redundancy between those two companies’ offerings and Oracle already tops rankings by both Forrester and Gartner.

In addition to the big five suite vendors, there are dozens of niche products in one or more of the IdM technology spaces listed earlier. Since the field is rapidly evolving, it is best to consult the latest analyst papers before finalizing any decisions. Forrester just issued a vendor comparison, The Forrester Wave: Identity and Access Management, Q3 2009 and has scheduled a paper comparing IdM integrators for release in January 2010.

Gartner divides the IdM vendor space into three broad categories: single sign-on, user provisioning, and Web access management, and publishes Magic Quadrants on each. During selection, it is important to also evaluate the existing infrastructure and skills in the organization, not just the functions of the application itself. “If you have an affinity for a certain vendor, you might want to go back to that same vendor for IdM software,” said Gebel. “Most companies prefer to deal with fewer vendors rather than more.”

Looking Ahead

Initially, it may be impossible to obtain the ideal IdM solution from any given suite or grouping of best-of-breed tools. But, since deploying IdM is a long-range process, that isn’t necessarily a problem, as long as you don’t become firmly locked into a particular vendor or technology. If deploying a suite, therefore, emphasize the selection of the elements that are the most mature or best integrated.

“There are a number of technologies that are relatively mature and can produce a lot of benefits,” said Gebel. “People can have a different set of starting points―Web single sign on, an organized directory environment, or provisioning and automating account set up―there is not one tier or path people have to follow.”