Not about the technology

1 November 2006

Identity management encompasses anything from people to processes to passwords. One thing it is definitely not about is the technology.

The concept of identity management, and the underlying technology that supports it, has been around since the late '90s. While a solution that takes care of user identity, security, provisioning and audit trails would seem to be a no-brainer, it hadn't taken off to a great degree - until recently.

Simply put, identity management, according to Wikipedia, is "the management of information (as held in a directory) which represents real-life identified items (users, devices, services, etc)".

Practically speaking, an identity management solution enables the identification of users, secure verification of that identity and, following role-based policies and procedures, the provisioning of access to systems and information based on that verified identity. This may include physical access to buildings, rooms and secure areas, as well as systems access to e-mail, applications, information, etc. By drawing all of its information from one central repository (usually called an identity vault or directory), an identity management solution gives an organisation one view of the user, one set of accesses to monitor, and one switch to flip to grant or revoke access when, for example, someone joins or leaves the organisation.

Today's solutions should encompass audit trails, so that you can track exactly who did what, where they did it, when they did it and how they got access to it in the first place. This is critical given current corporate governance requirements. It is these requirements, says Mick Coady, EMEA VP for security at CA, that have resulted in the sudden uptake of identity management (IDM) around the world, and in the US in particular.

"South Africa is still an emerging market for IDM. The US is adopting the concepts faster due to the regulatory environment. This has been the trigger. The proposed Data Protection and Privacy Act here will have a dynamic impact on what South African companies have to do," he states.

Where to start?

The best approach to IDM is to look at it in bite-size chunks, says Coady, who believes that IDM is not an IT project. "It's not infrastructure and it's not IT. It impacts the entire business, identities moving within business units and the business owner of that unit who has to grant permissions. It's also not about security."

IDM is about knowledge - whether it's knowing who you employ, or who has access to that high-security lab or who last logged onto a system and made changes. The most important part of any identity management initiative, of course, is knowing exactly who it is you are trying to identify. If you don't know who your people are, and don't have a single, accurate view of them, then the initiative is doomed to fail.

It is also critical to have a clear and well-defined policy that maps roles to access rights for systems and physical locations. With such a policy in place, permissions and privileges can be granted on the basis of job description the moment someone is entered into the HR system, and adjusted the moment the HR entry is updated when they change roles.

Baby steps

Standard Bank has embarked on an IDM initiative that architecture and technology engineering director Herman Singh says should ultimately see it rolling out a single sign-on solution. "That is the ultimate end game," he notes.

Standard Bank has conducted a review of the number of staff who had access to systems after they'd resigned. As Singh puts it: "We were surprised that names did appear, so we decided to do a full audit and review of the total system because there were obviously weaknesses."

The bank is piloting an automated password reset system, which works in the same way as the one-time password offered to internet banking customers. Standard Bank also has an RFP out for an identity and access management system.

"We're planning to deploy [this system] over 2007/2008. It's a long process," he says. "The bank has 42 000 PCs, 36 000 to 38 000 staff and 45 000 contractors in at least 800 locations in SA, in 100 locations in South America and hundreds more in the rest of Africa and dozens in the rest of the world," states Singh. Standard Bank SA plans to acquire four banks in the next four years, and is in the process of acquiring the fourth biggest bank in Argentina. The bank has hundreds of applications, thousands of systems (servers and discrete points of technology), and a couple of petabytes of data, much of which is sensitive. Needless to say, managing identities is crucial.

"As a bank, data sensitivity is something we take very seriously," says Singh. "The general approach is that, in the past, we certainly used to grant access rights and privileges less rigorously than we do now. We've adopted a more rigorous approach going forward; that approach is about process initiatives, not about technology. If you have a bad process and automate it, you have a bad process that goes wrong very quickly."

In terms of these process initiatives, the bank has categorised data and systems according to sensitivity, that is, according to how critical the data or system is. It will then classify rights and privileges into different levels, for example, who may or may not have administrative rights on a PC. It will classify what rights may exist and what privileges are afforded to those rights.

Says Singh: "The next thing is a single view of staff and contractors. Who works here? Who are these people? Information regarding staff rights and privileges is often stored in different systems. HR, access control and so on all have different sets of data and it is rare that it is all synchronised. We need a single view of staff. For each job, we've defined rights and privileges - what do you need to do your job? Then, where possible, we will move towards a single sign-on solution. We're not there yet. We've tried to combine logical and physical access. Physical access gets you into the building, which can often be the point of failure, so we're converging those two.

"We're also looking at ways of automatically updating the rights and privileges system, on departure or sign-on. So if someone leaves, their rights are instantly revoked."

That part of the system is currently being scoped, Singh says. The bank has also implemented regular reviews of the appropriate nature of its processes to ensure that the classifications, rights and privileges remain relevant.
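The mechanics behind the role policy described earlier, the review of departed staff who still had access, and the "single view of staff" that Singh describes are all the same operation: treat the HR roster as the authoritative source, derive the entitlements each active person should hold from a role policy, and compare that against what each system actually grants. The following reconciliation is an added example written for this article; it is not Standard Bank's or any vendor's code, and the role policy, system names, employee records and as-of date are all constructed for illustration. It reports four kinds of findings: leavers whose accounts are still live, orphan accounts with no HR record, excess entitlements (typically movers who kept their old role's access) and missing entitlements.

```python
"""Reconcile an HR roster against per-system account extracts.

Added example. All data below is constructed; ROLE_POLICY is an assumed,
illustrative mapping, not a real bank's policy.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

Entitlement = Tuple[str, str]  # (system, privilege)

# Assumed role policy: job title -> entitlements the role requires.
ROLE_POLICY: Dict[str, Set[Entitlement]] = {
    "teller": {("core-banking", "user"), ("email", "user")},
    "branch-manager": {("core-banking", "approver"), ("email", "user"),
                       ("hr-portal", "manager")},
    "sysadmin": {("core-banking", "admin"), ("email", "user"),
                 ("ad", "domain-admin")},
}


@dataclass(frozen=True)
class Person:
    emp_id: str
    name: str
    role: str
    end_date: Optional[date]  # None means still employed


# Constructed HR roster: the authoritative "single view of staff".
HR: List[Person] = [
    Person("E100", "A. Dlamini", "teller", None),
    Person("E101", "B. Naidoo", "branch-manager", None),
    Person("E102", "C. van Wyk", "sysadmin", date(2006, 9, 30)),  # resigned
    Person("E103", "D. Mokoena", "teller", None),  # moved here from sysadmin
]

# Constructed account extracts: system -> {emp_id: privilege held}.
ACCOUNTS: Dict[str, Dict[str, str]] = {
    "core-banking": {"E100": "user", "E101": "approver",
                     "E102": "admin", "E103": "user"},
    "email": {"E100": "user", "E101": "user", "E102": "user",
              "E103": "user", "E999": "user"},  # E999 has no HR record
    "ad": {"E102": "domain-admin", "E103": "domain-admin"},
    "hr-portal": {},  # the branch manager was never provisioned here
}

AS_OF = date(2006, 11, 1)  # constructed review date


def expected_entitlements(roster: List[Person], as_of: date) -> Dict[str, Set[Entitlement]]:
    """Entitlements each person should hold on as_of, derived from role policy.

    Leavers get an empty set; an unknown role also yields nothing (fail closed).
    """
    expected: Dict[str, Set[Entitlement]] = {}
    for p in roster:
        active = p.end_date is None or p.end_date >= as_of
        expected[p.emp_id] = set(ROLE_POLICY.get(p.role, set())) if active else set()
    return expected


def actual_entitlements(accounts: Dict[str, Dict[str, str]]) -> Dict[str, Set[Entitlement]]:
    """Invert the per-system extracts into one entitlement set per identity."""
    actual: Dict[str, Set[Entitlement]] = {}
    for system, holders in accounts.items():
        for emp_id, priv in holders.items():
            actual.setdefault(emp_id, set()).add((system, priv))
    return actual


def reconcile(roster: List[Person], accounts: Dict[str, Dict[str, str]],
              as_of: date) -> Dict[str, List[Tuple[str, str, str]]]:
    """Compare expected against actual and bucket every discrepancy."""
    exp = expected_entitlements(roster, as_of)
    act = actual_entitlements(accounts)
    leavers = {p.emp_id for p in roster if p.end_date is not None and p.end_date < as_of}
    findings: Dict[str, List[Tuple[str, str, str]]] = {
        "leaver_active": [], "orphan": [], "excess": [], "missing": []}
    for emp_id in sorted(set(exp) | set(act)):
        have, want = act.get(emp_id, set()), exp.get(emp_id, set())
        if emp_id not in exp:  # account exists but nobody in HR owns it
            findings["orphan"].extend((emp_id, s, p) for s, p in sorted(have))
        elif emp_id in leavers and have:  # the check in the departed-staff review
            findings["leaver_active"].extend((emp_id, s, p) for s, p in sorted(have))
        else:  # mover or never-provisioned: compare against role policy
            findings["excess"].extend((emp_id, s, p) for s, p in sorted(have - want))
            findings["missing"].extend((emp_id, s, p) for s, p in sorted(want - have))
    return findings


if __name__ == "__main__":
    for bucket, rows in reconcile(HR, ACCOUNTS, AS_OF).items():
        for emp_id, system, priv in rows:
            print(f"{bucket:14} {emp_id} {system}:{priv}")
```

On the constructed data the run flags the resigned sysadmin's three live accounts (including the domain-admin right), the orphan e-mail account E999, the domain-admin right that E103 carried over from the old role, and the hr-portal access the branch manager never received. In practice the HR extract and each system's account list would come from their real sources and the report would feed the revocation step rather than just print; the point the code makes is that none of the findings can be produced until the roster and the role policy are trustworthy, which is why the process work comes first.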

Breaking point

As BMC SA country manager Arjen Wiersma notes, having the best technology is not enough, because IDM is about people behaviour. "A chain is dependent on its weakest link," he says, "and the weakest link is the people who know each other and do favours for each other (like letting each other into a building) and circumventing the system. This is a risk to the company as processes and technology aim to minimise the risk to and exposure of sensitive information."

It is for this reason that everyone's old friend, change management, is a key component of an IDM initiative. If managers are now going to have to give their permission before their staff can access a certain system, they need to make that mental shift. They must realise that it is important and non-negotiable, and know why it is non-negotiable. They must also know why they shouldn't just yell at IT in the hope that someone will give in and grant access.

Says Standard Bank's Singh: "We've noticed that it is easier to get changes through when there's a crisis, for example, a virus attack. 'Oops, some guy had access to a server that he shouldn't have.' We can then say, 'Now you see what happens. Sorry, but we're taking away your rights and privileges'. We've also done that with laptops and had a very emotional reaction to that. Taking away rights to the server was easier.

"You need to get the processes right before you put technology in. Change management is a critical factor. Over the next two to three years, we'll be spending more time on change than on technology," he notes.

That really is the most pertinent point about IDM. It's not about the technology. Companies looking to embark on such initiatives should firmly bear this, and one other small fact, in mind: when it comes to the technology that IDM isn't about, there is no single vendor that can supply all the pieces of the puzzle. This has far-reaching implications for projects and rollouts.

Companies need to keep their requirements and their business firmly in mind. Don't buy something from people making promises that their technology can't keep, as is the case with any ICT solution really, which, of course, IDM is not.