Enterprise IT Identity & Access Management : 7. How To's

How to Reduce TCO of Identity & Access Management

Yale Li — Wed, 07 Jun 2006 10:00:00 GMT

Identity & Access Management is an expensive investment in IT. Here are some tips to reduce Total Cost of Ownership:

Follow the rule of economy of scale - If more people use the same solution, the unit cost of the solution will decrease. Therefore, you should always search and use the most popular out of shelf IAM solution in the market place first. Your own custom built solution should be the last resource only when no other commercial solutions are available or they can not meet your needs.
Automate repeating manual tasks - Labor time is always expensive than machine time. You should identify the repeating manual IAM tasks and automate them as much as possible. Most of those tasks can be done by scripting. Technet Script Center is a good resource for Microsoft solutions such as Active Directory: http://www.microsoft.com/technet/scriptcenter/default.mspx. I'll provide more IAM script in Sample Code category in the future.
Outsource your IAM operations - If your company's IT team is based in North America or Europe, you should definitely consider outsourcing IAM Tier 1 or Tier 2 support to offshore, such as India or China. The cost could be reduced to 1/8th for US companies. It will also help to outsource IAM Tier 3 and Architecture/Integration work to larger IT service companies such as Microsoft*, IBM and HP.

In TCO, hardware is the smallest portion, support is the largest portion, and software is in the middle. Currently, Microsoft MIIS is the lowest cost solution for identity lifecycle management service and Microsoft CA is the lowest cost solution for certificate service.

*Note: Microsoft has a new IT service offering called Microsoft Managed Solutions. This is different from Microsoft Consulting Service.

How to Improve Security with Identity & Access Management

Yale Li — Sat, 03 Jun 2006 06:00:00 GMT

Every time I told a friend I got an IT security job, I was always asked a similar question "Do you catch hackers or virus?". Of course, the popularity of the Internet definitely puts external threats and attacks on enterprise IT security's radar. However, I still personally believe internal threats and attacks cost more damage.

According to a 2003 study by the Computer Security Institute (CSI) and the United States Federal Bureau of Investigations (FBI), nearly half of all security breaches—an astounding 45 percent—come from within the enterprise by disgruntled or malicious employees. Industry analyst firm The Gartner Group estimates that more than 70 percent of unauthorized access to information systems is committed by employees and believes that more than 95 percent of intrusions result in significant financial losses.

SUA, LPA and SAT are good IAM defense weapons against internal identity theft:

SUA (Strong User Authentication): Password is always weak. You should plan for 2 factor authentication (see Technology Category for definition) such as Smart Card, USB Token, or RSA SecurID. When you evaluate/buy a technology, an important thing is to give equal weight to associated lifecycle management system.
LPA (Least Privileged Authorization or Access): A strategy to minimize internal security risk is to reduce attack surface area. LPA is an execution of this strategy. First, you need to classify your data. Then, the access will be granted for different class of data on a "need to know" basis. A suite of software products could be used to help LPA (such as group management, role management, rule management, authorization management, access management, self service, workflow etc.).
SAT (Security Awareness Training): IAM is about process and software is just an enabler. One import process is user security awareness training. For example, it is easier to prevent social engineering through this training process and it is hard (or even not possible) through technology. You need to develop training courses and deliver it to all users.

An IAM project to improve security will cost money. Here is a rough estimate formula to calculate cost justification:

value of all data ($) × probability of breach (%) > cost of project ($)

How to Increase Productivity with Identity & Access Management

Yale Li — Fri, 02 Jun 2006 06:00:00 GMT

With right IAM solutions, your business can increase employee's productivity (or avoid the loss) significantly. Before you look into IAM solutions, you should identify major factors impacting employee's productivity in your business. Some common factors are:

New employee setup time - the waste time to get a new network/system account and proper permissions to access resources. An employee could loss up to two day's productivity.
Existing employee transition time - the waste time to get proper permissions to access new resources. An employee could loss up to one day's productivity.
Employee password (or PIN) reset time - the waste time to get a new password or PIN after it's forgotten. An employee could loss up to half day's productivity.
Business merger/acquisition transition time - the waste time to consolidate identity and access for two or more organizations. This is also referred as business agility problem.
IAM service/support overhead - the waste time to get a new IAM related service or support.

The productivity loss can be calculated by average lost hours multiplied by average wage. In the case of the password reset, industry data shows the productivity loss is from near $100 to over $200 per employee per year.

After you analyze business productivity loss, you can look for effective IAM solutions (which of course should cost less than the lost dollars). In this area, the IAM solutions are:

· Automated real-time provisioning management - the system will create/update accounts and groups instantly in Directory after data in authoritative HR system is updated. For example, you run SAP as HR system and MIIS as Meta Directory/Lifecycle Manager, your will need MIIS SAP connector (such as Microsoft MIIS SAP MA Beta or M-Tech ID-Sync MIIS SAP MA).

· Self Services - the intranet web applications (some with a workflow engine at back) enabling employees to help themselves. For example, a Q/A based Password Reset web app will allow employees to reset password instantly (such as Microsoft MIIS 2003 SP2 or M-Tech P-Sync).

· Automated group/entitlement management - similar to automated provisioning, the system will take care employee’s group membership and entitlement automatically without manual intervention. Currently, this type of IAM solution is new and not mature in the market (such as Quest ActivRoles Server, upcoming Microsoft MIIS code name Gemini, and Microsoft Mission Ridge).

You don't have to spend extra dollars for a dedicated IAM product to resolve the agility problem. This solution should be just a bulk provisioning feature in a good provisioning management product.

How to Help Regulatory Compliance with Identity & Access Management

Yale Li — Fri, 02 Jun 2006 01:00:00 GMT

You can use IAM solutions to help demonstrating regulatory compliance such as SOX Section 404 and 302, HIPPA, GLB, Basel II Capital Accord, FDA 21-CFR-11, HSPD-12, EU Privacy Directive, PIPEDA, and LSF.

SOX: There are many SOX compliance tools and you may wonder why IAM is needed. SOX compliance tools are very good at roles and SoD (separation of duties) analysis, but are weak at workflow management, reverse synchronization, and integration with multiple target systems, etc. IAM solutions are strong in those area and can meet following SOX requirements:

Controlling the accessibility of financial information
Monitoring and auditing financial information accessibility in real time as well as periodically
Making sure that users access permissions to financial data are added and removed in a timely manner
Making sure that these controls are applied to all systems associated with financial or business transactions and not only to the traditional financial systems

HIPPA: Similarly, IAM provides very specific solutions to help healthcare organizations meet following HIPAA requirements and reduce overall organizational risk:

Each user must be uniquely identified before being granted access to confidential information.
Access to PHI must be restricted to only those persons who need access as part of their role, and the conditions of this access must be clear.
PHI must be reasonably safeguarded against intentional or inadvertent disclosure.
Access to protected resources must be tracked, so that complete access reports can be generated.
Login attempts must be tracked so that suspicious login attempts can be analyzed and corrective action taken.
Access to protected resources must be terminated quickly when an employee leaves the company.
A user's session can be terminated after a specific period of inactivity.
For large corporations, procedures must be implemented to protect private information of a healthcare entity from access by someone in the
larger organization.
Procedures for creating and managing passwords must be implemented.

GLB: IAM solutions will help addressing following GLB requirements:

Evaluate IT environments and understand the security risks
Establish information security policies
Conduct independent assessments
Provide training and security awareness programs fro employees
Scrutinize business relationships to ensure adequate security
Upgrade security programs that are in place