FRAMINGHAM (09/26/2003) - Southwest Airlines Co. has just implemented software that allows hundreds of its engineers and mechanics to access proprietary information from its aircraft supplier's systems, using a single Web sign-on.
By year's end, Lehman Brothers Holdings Inc. will have in place a technology for automatically creating, modifying and deleting user accounts across the company in a fraction of the time it takes to do the same task manually.
In August, Sharp Healthcare Inc. rolled out software for secure self-service password reset and password synchronization across its major IT systems.
Those are examples of the kinds of projects that companies are undertaking to streamline access to applications and reduce the costs associated with managing enterprise identity information.
And there are other impetuses for such projects, says Deepak Taneja, chief technology officer at Netegrity Inc., a Waltham, Massachusetts-based vendor of ID management products. In some cases, the business driver is cutting costs. In some cases, it is enhancing revenue. In others, it may be managing risk and regulatory compliance, Taneja says.
Identity management efforts focus on controlled access to information for employees, customers or business partners. Most ID management projects fall into one of three categories: Web access control, user account provisioning or password management.
Web access control efforts typically deal with managing identities to authenticate and authorize users to multiple Web applications using a single sign-on. The growth in e-commerce, business-to-business and Web services initiatives has driven companies to provide secure access to Web applications for business partners, customers and employees.
User provisioning initiatives, meanwhile, deal with the manner in which identity information is used to create or revoke individual user accounts on an enterprise network. Account-provisioning tools allow companies to accomplish both tasks far more quickly, securely and cheaply than manual processes allow.
Password management efforts are spurred largely by the need for companies to lower some of the administrative costs associated with managing identities. They enable self-service password management and synchronization, delegated administration of passwords and enforcement of consistent password policies for multiple applications.
User and App Explosion
"There has been a significant increase in the number of users accessing applications and network resources, leading to demand for ID management technologies," says John Worral, a vice president at RSA Security Inc. in Bedford, Massachusetts.
The growth of e-commerce and business-to-business applications and the trend toward Web services have opened up enterprise applications to a wider range of internal and external users than ever before, says Giuseppe Cimmino, director of corporate technology at Discovery Communications Inc. in New York.
Consequently, there is a need for tools that can help companies centrally track and manage user identities, Worral says.
For Southwest, the payoff comes from increased productivity and reduced administrative costs, says Brian Buege, manager of application frameworks at the Dallas-based airline.
The company uses NetPoint from Cupertino, California-based Oblix Inc. to enable single sign-on access to multiple Web applications.
Oblix's technology has allowed Southwest to create a central identity profile for each employee that's used to authenticate and authorize access to Web applications.
NetPoint's support for the Security Assertion Markup Language (SAML) has also allowed Southwest to establish a more efficient process for signing its maintenance staff and engineers on to supplier The Boeing Co.'s extranet. NetPoint lets Southwest exchange SAML security assertions with Boeing that vouch for the identity of its employees, so they can be logged into Boeing's applications automatically. Previously, Southwest's engineers had to log in and authenticate themselves separately on the Boeing site.
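The exchange described above, in outline: the employer's identity provider issues a signed assertion that names the user, the intended audience and a short validity window, and the supplier's site accepts that assertion in place of its own login prompt. The following is an added illustration written for this page, not code from Oblix NetPoint, Southwest or Boeing. All issuer and audience URLs, user IDs and keys are invented, and the HMAC over the serialized assertion is a stand-in for the XML-Signature block and X.509 signing keys a real SAML deployment uses. Element names follow SAML 1.x.

```python
import datetime as dt
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

ISSUER = "https://idp.airline.example/saml"        # assumed identity-provider name
AUDIENCE = "https://extranet.supplier.example/"    # assumed relying party
SHARED_KEY = b"example-only-shared-secret"         # assumed; stands in for a signing key pair
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _fmt(t):
    return t.strftime(TIME_FMT)


def _parse(s):
    return dt.datetime.strptime(s, TIME_FMT).replace(tzinfo=dt.timezone.utc)


def issue_assertion(user_id, issuer, audience, key, now, ttl_seconds=120):
    """Identity-provider side: build and sign an assertion for one user."""
    root = ET.Element("Assertion", {
        "AssertionID": secrets.token_hex(16),   # unique per assertion so the RP can spot replays
        "Issuer": issuer,
        "IssueInstant": _fmt(now),
    })
    cond = ET.SubElement(root, "Conditions", {
        "NotBefore": _fmt(now),
        "NotOnOrAfter": _fmt(now + dt.timedelta(seconds=ttl_seconds)),
    })
    aud = ET.SubElement(cond, "AudienceRestrictionCondition")
    ET.SubElement(aud, "Audience").text = audience       # only this relying party may accept it
    stmt = ET.SubElement(root, "AuthenticationStatement", {"AuthenticationInstant": _fmt(now)})
    ET.SubElement(ET.SubElement(stmt, "Subject"), "NameIdentifier").text = user_id
    body = ET.tostring(root)
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()   # detached signature over the bytes
    return {"issuer": issuer, "assertion": body, "signature": sig}


class RelyingParty:
    """Supplier side: accept a signed assertion instead of a local password login."""

    def __init__(self, audience, trusted_issuers):
        self.audience = audience
        self.trusted = trusted_issuers   # issuer name -> verification key
        self.seen_ids = set()            # replay cache; bound it by the assertion TTL in practice

    def consume(self, msg, now):
        key = self.trusted.get(msg["issuer"])
        if key is None:
            raise ValueError("untrusted issuer")
        # Check the signature before parsing any XML that came off the network.
        expected = hmac.new(key, msg["assertion"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["signature"]):
            raise ValueError("bad signature")
        root = ET.fromstring(msg["assertion"])
        if root.get("Issuer") != msg["issuer"]:
            raise ValueError("issuer mismatch")   # the envelope chose the key; the signed body must agree
        cond = root.find("Conditions")
        if not (_parse(cond.get("NotBefore")) <= now < _parse(cond.get("NotOnOrAfter"))):
            raise ValueError("outside validity window")
        if cond.findtext("AudienceRestrictionCondition/Audience") != self.audience:
            raise ValueError("wrong audience")
        aid = root.get("AssertionID")
        if aid in self.seen_ids:
            raise ValueError("replayed assertion")
        self.seen_ids.add(aid)
        return root.findtext("AuthenticationStatement/Subject/NameIdentifier")


def run_exchange():
    """One successful login plus the cases the relying party must refuse; returns the outcomes."""
    t0 = dt.datetime(2003, 9, 26, 12, 0, tzinfo=dt.timezone.utc)   # constructed clock
    rp = RelyingParty(AUDIENCE, {ISSUER: SHARED_KEY})
    msg = issue_assertion("mechanic-4471", ISSUER, AUDIENCE, SHARED_KEY, now=t0)
    out = {"login": rp.consume(msg, now=t0 + dt.timedelta(seconds=30))}
    cases = [
        ("replay", msg, t0 + dt.timedelta(seconds=31)),
        ("expired", issue_assertion("mechanic-4471", ISSUER, AUDIENCE, SHARED_KEY, now=t0),
         t0 + dt.timedelta(seconds=600)),
        ("other-audience", issue_assertion("mechanic-4471", ISSUER, "https://other.example/",
                                           SHARED_KEY, now=t0), t0 + dt.timedelta(seconds=5)),
        ("tampered", dict(msg, assertion=msg["assertion"].replace(b"mechanic-4471", b"mechanic-0001")),
         t0 + dt.timedelta(seconds=5)),
    ]
    for label, m, when in cases:
        try:
            rp.consume(m, now=when)
            out[label] = "accepted"
        except ValueError as e:
            out[label] = str(e)
    return out


if __name__ == "__main__":
    print(run_exchange())
```

The order of the checks matters: signature first, then issuer, time window, audience and replay. A relying party that skips the audience check will accept an assertion the identity provider minted for some other partner, and one without a replay cache lets a captured assertion be reused for as long as its window is open.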
"We pride ourselves on being a low-cost airline. We can't afford any additional cost when it comes to maintaining infrastructure," Buege says.
Web access-control products also allow companies to apply shared security measures for accessing multiple Web servers and applications, says Don Richman, manager of authentication and directory services at Raymond James Financial Services Inc. in St. Petersburg, Florida.
The approach is more efficient than having separate identity stores and access policies associated with each application, Buege says.
Raymond James is implementing centralized, policy-based access to Web applications using RSA's ClearTrust Web access software.
ClearTrust allows Raymond James to centrally control, manage and audit functions such as user access entitlements and authentication policies. It also enables Raymond James to delegate certain administrative tasks, such as password management, to business units as needed.
"What it allows us to do is centralize common rules and system-access policies in one location rather than have applications with their own application-level security and access," Richman says.
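What a centralized, policy-based access layer does in practice is evaluate one rule set in front of every protected application, so each request gets the same default-deny decision and the same audit record whichever server it lands on. The following is an added illustration written for this page, not RSA ClearTrust code. The URL paths, group names and the two-step authentication-level scale are assumed.

```python
import posixpath
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote


@dataclass(frozen=True)
class Rule:
    prefix: str                          # protected URL subtree; the longest matching prefix wins
    groups: frozenset = frozenset()      # any one of these grants access; empty = any authenticated user
    min_auth_level: int = 1              # assumed scale: 1 = password, 2 = password plus token
    methods: frozenset = frozenset({"GET", "POST"})


@dataclass(frozen=True)
class Session:
    user: str
    groups: frozenset
    auth_level: int


def _matches(prefix, path):
    # "/hr" must not match "/hrtools"; match the exact node or a child of it.
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


class PolicyServer:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: len(r.prefix), reverse=True)
        self.audit = []   # one record per decision, whichever application was asked

    def decide(self, session: Optional[Session], method, raw_path):
        # Canonicalize before matching: "/hr/%2e%2e/trading" must be judged as
        # "/trading", not as something under "/hr".
        path = posixpath.normpath(unquote(raw_path))
        rule = next((r for r in self.rules if _matches(r.prefix, path)), None)
        if rule is None:
            reason = "default deny: no rule"
        elif session is None:
            reason = "authentication required"
        elif method not in rule.methods:
            reason = f"{method} not permitted"
        elif session.auth_level < rule.min_auth_level:
            reason = "step-up authentication required"
        elif rule.groups and not (rule.groups & session.groups):
            reason = "not entitled"
        else:
            reason = "ok"
        allowed = reason == "ok"
        self.audit.append((session.user if session else "-", method, raw_path, path, allowed, reason))
        return allowed, reason


def run_checks():
    """Constructed rule set and sessions; returns the decision for each labelled request."""
    ps = PolicyServer([
        Rule("/portal"),
        Rule("/hr", groups=frozenset({"hr-staff"})),
        Rule("/hr/payroll", groups=frozenset({"payroll"}), min_auth_level=2),
        Rule("/trading", groups=frozenset({"advisors"}), min_auth_level=2),
    ])
    alice = Session("alice", frozenset({"hr-staff"}), 1)
    bob = Session("bob", frozenset({"hr-staff", "payroll"}), 2)
    checks = {
        "alice portal": (alice, "GET", "/portal/home"),
        "alice hr": (alice, "GET", "/hr/directory"),
        "alice payroll": (alice, "GET", "/hr/payroll/run"),
        "bob payroll": (bob, "POST", "/hr/payroll/run"),
        "bob traversal": (bob, "GET", "/hr/%2e%2e/trading/orders"),
        "anonymous portal": (None, "GET", "/portal/home"),
        "alice unlisted": (alice, "GET", "/admin/console"),
        "alice delete": (alice, "DELETE", "/hr/directory"),
    }
    return {label: ps.decide(*args) for label, args in checks.items()}


if __name__ == "__main__":
    for label, decision in run_checks().items():
        print(f"{label:18} {decision}")
```

The two details worth copying are the default deny for paths no rule covers and the canonicalization step before matching: a policy keyed on the raw request string is bypassed by encoding or traversal tricks that the back-end web server will happily resolve.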
New Access and Orphans
User provisioning projects deal with issues such as how quickly a new employee gets access to appropriate enterprise applications and services, or how to eliminate orphaned accounts.
Both are crucial issues, especially in large companies, says Pete Lindstrom, an analyst at Spire Security LLC in Malvern, Pennsylvania. It's not unusual in large companies for new employees to wait several weeks to get access to all the enterprise applications and resources that they need to do their jobs, says David Lavenda, a vice president at Business Layers Inc., a vendor of account-provisioning products in Rochelle Park, New Jersey.
What's even more common is the existence of orphaned accounts that remain on systems long after an employee has left a company, says Lindstrom.
It was the security risks posed by such orphaned accounts that drove Lehman's implementation of a third-party account-provisioning technology, says Ramin Safai, the New York-based company's associate vice president of information security. "For regulatory and other (security) audit-based requirements, we needed to have something to answer the question of who has access to what system," Safai says.
So Lehman is deploying a third-party tool that uses employee records from the company's main human resources database to create or delete user accounts. Safai says company policy doesn't allow him to disclose the technology that Lehman is using to implement the capability.
When a new user is entered into Lehman's human resources system, its third-party provisioning software immediately assigns the appropriate network and system access based on company policies and that person's role in the organization. Any changes to that user's status within Lehman, such as a promotion, trigger immediate changes in access levels.
Similarly, when an employee leaves Lehman, the provisioning software immediately disables access and checks back periodically to ensure that access remains disabled.
"What used to take a week can be done in a few minutes with the provisioning technology," Safai says.
The benefits that can be derived from such automation also drive password management efforts, Lindstrom says.
Sharp Healthcare, for instance, has used Boston-based Courion Corp.'s PasswordCourier product to enable users to manage their own passwords, says chief information officer William Spooner.
PasswordCourier has also enabled San Diego-based Sharp to enforce stricter rules relating to the creation and management of passwords, Spooner says.
The return on investment comes from the "fewer calls for password resets to the corporate help desk and much simpler (password) support requirements," Spooner says.
There are challenges to deploying such technologies that shouldn't be overlooked, users say. Many of them have to do with having reliable sources of identity information. Since ID management tools automate manual processes, it's also crucial to have good policies for managing identities in the first place, users say.
It's also important to choose technologies that can work in multivendor environments, says Southwest's Buege. No product offers all of the functionality required by companies to manage identities and control access to applications.
Commonly used terms in identity management:
Web access management: The use of identity information to authenticate users and authorize access to multiple Web applications
Account provisioning: The use of identity information to automate the creation of new user accounts or revoke account access across the enterprise
Password management: Self-service password resets, password synchronization and delegated user administration
Directory: A repository of user-identity information
Single sign-on: The process through which a user is authenticated once in order to access multiple applications
Knowing Who You Are
One of the fundamental requirements to successfully rolling out an identity management project is to have an authoritative source for identity information, users say.
"If you have no concept of who your employees are or where your core ID information is coming from, all you are doing is amplifying noise," says Brian Buege, manager of application frameworks at Southwest Airlines.
The sheer diversity of systems in an enterprise network, each with its own user profiles, has resulted in identity stores popping up everywhere. To have a good ID management process, it's vital to have one version of the truth when it comes to user identities, says Giuseppe Cimmino, director of corporate technology at Discovery Communications.
Discovery decided to use its main human resources database system as its authoritative source when it recently implemented a Web access management technology from Netegrity.
Human resources records offer the most accurate and up-to-date information on a user's status within the company and are therefore the best identity source, says Ramin Safai, associate vice president of information security at Lehman Brothers.
Lehman is in the midst of a major account-provisioning project in which it's populating its core user directory with information directly from the human resources system.
"You need an HR identity to get into our systems. No one gets in without it," Safai says.
Another big issue, especially when it comes to account provisioning, is role definition, says Don Richman, manager of authentication and directory services at Raymond James Financial Services.
Since provisioning systems create user accounts based on users' roles within a company, it's vital to specify the right level of access for each role, Richman says. That can be an enormous task involving input from multiple groups, especially in large organizations, he says.
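The provisioning flow Lehman describes (HR record drives account creation, a status change drives an access change, termination drives a disable that is re-checked periodically) and the role-definition problem Richman raises come together in one reconciliation routine: each run takes the HR feed as the single source of truth, maps every active employee's role to the entitlements that role is supposed to carry, and disables whatever has no current HR identity behind it. The following is an added illustration written for this page, not Lehman's undisclosed tool or any vendor's product. The role table, employee IDs and account names are constructed, and usernames are assumed to equal HR employee IDs for brevity.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed role model. Agreeing this table is the hard, cross-department part.
ROLE_ENTITLEMENTS = {
    "analyst": {"email", "research-db"},
    "trader": {"email", "trading-app", "market-data"},
}


@dataclass
class HRRecord:
    employee_id: str
    role: str
    status: str            # "active" or "terminated"


@dataclass
class Account:
    username: str
    employee_id: Optional[str]    # None: created by hand, outside the HR-driven process
    entitlements: set = field(default_factory=set)
    enabled: bool = True


class Provisioner:
    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}

    def reconcile(self, hr_records):
        """One pass over the HR feed. Idempotent, so it can run on every change and on a timer."""
        log = []
        hr_by_id = {r.employee_id: r for r in hr_records}
        for rec in hr_records:
            acct = self.accounts.get(rec.employee_id)
            if rec.status == "active":
                wanted = set(ROLE_ENTITLEMENTS[rec.role])
                if acct is None:
                    self.accounts[rec.employee_id] = Account(rec.employee_id, rec.employee_id, wanted)
                    log.append(("create", rec.employee_id, f"role={rec.role}"))
                    continue
                added, removed = wanted - acct.entitlements, acct.entitlements - wanted
                if added or removed:       # promotion or transfer: grant the new, revoke the old
                    acct.entitlements = wanted
                    log.append(("update", acct.username, f"+{sorted(added)} -{sorted(removed)}"))
            elif acct is not None and (acct.enabled or acct.entitlements):
                # Terminated. Re-running this catches an account someone quietly re-enabled.
                acct.enabled = False
                acct.entitlements = set()
                log.append(("disable", acct.username, "HR status terminated"))
        # Orphans: enabled accounts with no record at all in the authoritative source.
        for acct in self.accounts.values():
            if acct.enabled and acct.employee_id not in hr_by_id:
                acct.enabled = False
                acct.entitlements = set()
                log.append(("disable", acct.username, "orphan: no HR record"))
        return log


def run_reconciliation():
    """Constructed HR feed and account store; returns the logs of two consecutive runs."""
    hr = [
        HRRecord("e100", "trader", "active"),       # promoted from analyst since the last run
        HRRecord("e200", "analyst", "active"),      # new hire with no account yet
        HRRecord("e300", "analyst", "terminated"),
    ]
    p = Provisioner([
        Account("e100", "e100", {"email", "research-db"}),
        Account("e300", "e300", {"email", "research-db"}),
        Account("e400", "e400", {"email"}),               # left long ago; HR record since purged
        Account("svc-legacy", None, {"trading-app"}),     # hand-made account, no HR identity
    ])
    first = p.reconcile(hr)
    # Between runs a local administrator re-enables the terminated account and adds access.
    p.accounts["e300"].enabled = True
    p.accounts["e300"].entitlements.add("trading-app")
    second = p.reconcile(hr)
    return first, second


if __name__ == "__main__":
    for run in run_reconciliation():
        for entry in run:
            print(entry)
        print("--")
```

Two choices are deliberate. A terminated or orphaned account is disabled and stripped of entitlements rather than deleted, so audit trails and any data owned by the account survive review. And the routine never re-enables an account on its own: a rehire or a lifted hold should come through as an explicit HR event, not be inferred from a status field, because an automatic re-enable would undo a security lock the reconciler knows nothing about.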