Per Verdelin, director of IT security at Danish mobile telecommunications operator TDC, had a problem that many CIOs will be familiar with: more than 17,000 users; a complex environment of IBM, Tandem, Sun and Compaq hardware; and about 400 applications, including a multiplicity of legacy billing systems, each with its own unique user authentication and log-in procedures.
“Because access control was different from platform to platform, users had to live with a lot of passwords,” says Verdelin, “leading to errors, forgotten passwords and user accounts that were not closed when people left.”
Such a scenario not only increased the risk that a disgruntled former employee could break into critical corporate systems and wreak revenge by amending or erasing files, but also played into the hands of hackers.
For Verdelin the means of addressing the problem quickly became clear: TDC needed some kind of identity management infrastructure – a means of managing and automating common access control and authentication for logging into corporate applications and systems.
What makes identity management different from, say, single sign-on (SSO) technology, is its breadth. It is not just about better management of employee access to internal systems, but better management of everyone’s – and with the development of web services, potentially everything’s – access to corporate systems based on web technologies.
Instead of requiring specialist systems administrators to manually add and subtract never-ending streams of users to and from different systems, identity management promises a single console with a simple interface. That means, for example, that human resources staff could potentially provision new employee accounts instead of calling in IT staff to do the job.
But why the need for such software? The major reason boils down to the increased complexity of managing multiple user accounts. “It is not uncommon for the average user in the average company to have between five and ten registrations each,” says Neil Chaney, CEO of user provisioning software vendor Open Systems Management (OSM).
For example, at the very least, an average user will need to log in to his or her PC, the corporate network, an email system, an intranet, and some form of database-driven application.
Even if the user has some of these ‘cookied’, in an organisation of 20,000 users, that means that IT staff still have to manage between 100,000 and 200,000 user accounts. And each account will not just consist of a user name and password, but will include profile information, file systems, access rights and other elements of data.
Furthermore, replicating that identity management structure among electronic business partners increases the complexity, not to mention the workload, for the systems administrators at each level of the architecture who have to manage the users on their respective systems.
The labour intensity of manually adding and subtracting users from all these different systems is an inevitable source of inefficiency and eats into the time of highly paid staff who could be engaged in much more productive work.
Chaney estimates that to tackle the task of identity management the average organisation is currently employing the equivalent of one full-time IT person for every 500 users. That equates to 20 full-time members of staff for a company with 10,000 staff, for example.
There are many other problems associated with the manual approach to identity management, such as security.
Because of the amount of unproductive work associated with the de-registering of user names and passwords, and a lack of co-ordination between HR and IT, accounts often do not get deleted until well after someone leaves an organisation. As a result, up to one-quarter of all accounts on a network may be redundant – often enabling former members of staff to log back into their old accounts.
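The check a security team would run against this problem, as an added example that is not part of the original article: reconcile an HR leaver list against account exports from each system and report enabled accounts with no current owner. The system names, logins, dates and the shared employee ID field are all constructed assumptions; real platforms often lack such a common key, which is part of what identity management products supply.

```python
from datetime import date

# Constructed sample data (not from the article): an HR roster and
# per-system account exports, assumed to share an employee ID key.
HR_ROSTER = {
    "E1001": {"name": "A. Jensen", "left_on": None},
    "E1002": {"name": "B. Holm", "left_on": date(2003, 3, 31)},
    "E1003": {"name": "C. Lund", "left_on": date(2003, 9, 15)},
}
ACCOUNTS = {
    "mainframe_billing": [
        {"login": "JENSENA", "emp_id": "E1001", "enabled": True},
        {"login": "HOLMB", "emp_id": "E1002", "enabled": True},
    ],
    "unix": [
        {"login": "bholm", "emp_id": "E1002", "enabled": False},
        {"login": "clund", "emp_id": "E1003", "enabled": True},
        {"login": "batch01", "emp_id": None, "enabled": True},
    ],
    "email": [
        {"login": "a.jensen", "emp_id": "E1001", "enabled": True},
        {"login": "c.lund", "emp_id": "E1003", "enabled": True},
    ],
}

def reconcile(roster, accounts, today):
    """Return (findings, share) for enabled accounts with no current owner."""
    findings, enabled_total = [], 0
    for system, rows in sorted(accounts.items()):
        for acct in rows:
            if not acct["enabled"]:
                continue  # already de-provisioned on this system
            enabled_total += 1
            owner = roster.get(acct["emp_id"])
            if owner is None:
                # No HR record at all: shared, service or forgotten account.
                findings.append((system, acct["login"], "no HR owner", None))
            elif owner["left_on"] and owner["left_on"] <= today:
                days = (today - owner["left_on"]).days
                findings.append((system, acct["login"], "owner left", days))
    share = len(findings) / enabled_total if enabled_total else 0.0
    return findings, share

if __name__ == "__main__":
    found, share = reconcile(HR_ROSTER, ACCOUNTS, date(2003, 10, 1))
    for system, login, reason, days in found:
        age = f", {days} days ago" if days is not None else ""
        print(f"{system:18} {login:10} {reason}{age}")
    print(f"{share:.0%} of enabled accounts have no current owner")
```

Note that the leaver "B. Holm" was disabled on one system but not another, the partial de-registration that per-platform administration produces.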
On top of that, there is also a lack of audit controls. In the event of a security breach, staff will need to scour the various system logs to track activity, and even this is unlikely to pinpoint who was online at what times and the tasks they performed.
Finally, end users need to cope with an ever-increasing number of log-in names and passwords. On the one hand, this encourages users to indulge in unsafe practices, such as keeping passwords simple, writing them down or even logging into systems with other people’s details. On the other, users forgetting their passwords is the biggest single cause of calls to corporate IT help desks, accounting for up to half of all calls – a situation often exacerbated by IT staff allocating meaningless alphanumeric strings as log-ins.
A key enabler of identity management has been the emergence of a standard application delivery mechanism and front end in the form of the Internet and web technologies.
But one of the big drivers is the push for higher corporate governance standards, exemplified by the Sarbanes-Oxley Act in the US. “The return on investment justifies it, but often it is originally driven by auditors over corporate governance issues,” says Neil Chaney of OSM.
This may sound far-fetched on the surface, not least because all kinds of opportunistic IT vendors are citing the need for improved corporate governance procedures following a spate of corporate scandals as reasons for buying their software.
But Verdelin at TDC confirms such beliefs and indicates that it is not solely a US concern. “External auditors had been knocking on our doors because they said that our procedures were not correct and managers are very touchy when auditors tell them to do something,” says Verdelin.
Jörg-Andrees Otte at food manufacturer Kraft Jacobs Suchard backs this up. “Our administrators could just about keep up with the demand for new accounts but we really didn’t know and couldn’t control who had access to what. From an audit point of view the situation was simply unacceptable,” admits Otte.
In some cases, auditors have even refused to sign off accounts unless organisations make specific undertakings to improve the access control mechanisms of their computer systems. If companies cannot find out who has had access to their systems and when, they say, how can they be sure that critical financial data has not been accessed and altered?
But can a robust business case be put together? Because of the nature of security software, this can often be difficult. But there are a number of areas where savings can be generated.
Frequently, the ROI can be justified purely in terms of reduced calls to IT help desks by users who have forgotten their passwords. Partly, this is because users can have their passwords synchronised across multiple systems so there are fewer to remember.
At the same time, those who do forget can be put through to an automated self-help feature instead. The user can provide details, such as their mother’s maiden name, in order to gain a new password and access to their systems.
More difficult to calculate is the amount of time IT staff spend on user provisioning and de-provisioning. At one major investment bank, the chief security officer reports that the organisation achieved its return on investment purely in terms of better asset management: it was able to more efficiently strip departing staff of company laptops, mobile phones and the perk of paid-for home phone lines. In some cases, it found it had been paying the phone bills of staff who had left years earlier.
Such savings must be offset against the time and cost of implementing the software. While it might be relatively straightforward to absorb recent applications into the identity management architecture, analysts warn that integrating legacy applications may take some time.
Yet others, such as Scott Schnell, vice president of marketing at RSA Security, suggest that a further factor driving the adoption of identity management software is the way in which it can be implemented application-by-application, providing some modest but clear, measurable goals by which the project can be evaluated.
As a result, analyst group IDC forecasts that the market for identity management software will grow in value from about $750 million in 2003 to $4 billion in 2007. “Key drivers for securing identity will continue to be web application and increasing web service deployments, regulatory/legal requirements and service-level goals,” says Meta Group analyst Earl Perkins.
What is certainly clear is that the market is in a state of flux and that confusion still surrounds the very definition of the term identity management (see box, The technologies behind identity management). Given that, even as organisations tackle identity management with urgency, they must do so with a degree of caution.