Two years ago, Exxon Mobil had big plans to create a centrally managed identity management infrastructure that would automate the process of issuing new user accounts for access to its many corporate applications. Unfortunately, it had to put those plans on hold last year when the technology couldn’t meet the business’s needs.
“Our vision includes full lifecycle management of all user identities and access privileges,” says Patricia Hewlett, vice president of global IT. The problem was achieving that vision at scale. Exxon needed to manage identities and provision access based on each user’s role and the types of system access required to do the job, but that was difficult with 84,000 employees in 200 countries.
“Available products could handle a small number of static roles but were not well suited to managing dynamic, attribute-based roles,” Hewlett says.
Many of Exxon’s applications also didn’t support role-based access. “We had to add those capabilities to each application,” Hewlett says. That was too much work, so she has “put the project in the fridge” for now.
The products have improved since Exxon first planned the project, but Hewlett says role-based access is still relatively immature. “We ... have not made a decision as to when we’ll resume the project,” she adds.
Like many other organisations that have travelled the road to centralised identity management, Exxon found the potential benefits — such as automated provisioning of accounts for new users and deactivation of accounts for departing employees — compelling. But getting the full benefit from an identity infrastructure remains challenging.
Identity management tools have made big strides in the areas of managing access, creating user accounts, designing workflows and providing an audit trail of who had access to what and when. The tools break down the stovepipe identity infrastructures in which each application has its own access controls and administrator — a design that doesn’t scale well when businesses have thousands of applications.
As the industry has consolidated, many of the stand-alone identity management tools have been absorbed into suites that integrate user provisioning, web access management, single sign-on and other functions into one framework. But centralising the management of identity information is still a complex and costly affair that involves integrating application-specific and directory-based repositories.
“The integration of applications, the role management issues, many organisations find [these] very complex to plan and deploy,” says Ray Wagner, an analyst at Gartner. And identifying and managing user roles is still “a very early market,” he adds.
Applications that support a common directory system, such as Microsoft’s Active Directory, make role management easier, but even then there are challenges, says Rafael Rodriguez, associate CIO for infrastructure services at Duke University Health System. “Active Directory can keep track of roles, but in each application, you still have to maintain what those roles are allowed to do,” he says.
Many identity management deployments also lack granularity, allowing all-or-nothing access to applications. Fine-grained access controls, where users have conditional access based on their roles, have been implemented in very few organisations, Wagner says. That means that in most cases, administrators must still manage fine-grained access within each application.
Cleaning up and mapping data is another challenge. “Customers don’t always have their data in a form where you can bring it together into a common repository of identity, or they don’t understand the business processes well enough to deploy role-based systems,” says Peter Houston, senior director of identity and access product management at Microsoft.
Deployments can also be costly, and complexity increases with the size of the organisation. IT executives should expect to pay US$20 to $30 per user for the software and two to six times that amount on integration, Wagner says.
Nonetheless, businesses are increasingly motivated to move ahead. Identity management systems can improve overall security and privacy while providing an audit trail to meet the requirements of the Sarbanes-Oxley Act and similar regulations.
Because of this, compliance issues are driving identity projects that couldn’t be justified by return-on-investment alone. Without an identity management infrastructure, organisations are finding that “it’s either very painful to produce compliance reports, or they can’t do it at all,” Wagner says.
A centralised identity management infrastructure is also foundational for projects that can cut administrative costs and increase productivity. The systems can reduce replication of administrative tasks by allowing identity information to be updated in one repository and propagated out to all others. User provisioning and deprovisioning tasks can be automated or delegated to others. Self-service initiatives, such as automating the password-reset process, can cut down on help desk calls.
Compliance was a motivator at Florida-based Health First, which manages 15,000 user accounts. It has several authoritative sources of identity information, including a PeopleSoft application, a physician credentialing system called Midas+ Seeker from Affiliated Computer Services and a suite of clinical applications.
The problem is that as people change roles, they gain cumulative access to the various systems, says Dan Tesenair, senior network engineer at Health First. “We’re very good at getting people what they need, but we’re very poor at taking it away,” he says.
Health First brought in Novell’s Identity Manager and has been using the product’s meta-directory features to manage identity information among 20 applications. Like most vendors, Novell offers connectors for commonly used directories such as LDAP, popular applications such as PeopleSoft, and databases such as SQL Server and Oracle, which some applications use as back-end repositories for identity information.
For other applications, Health First needed to write new connectors. But customisation wasn’t what slowed the project, Tesenair says. “On average, we spend two or three months dealing with the business processes and two to three weeks writing the connector for any given application,” he says.
But the connector issue derailed Nancy Birschbach’s plans to deploy CA’s eTrust Admin for user provisioning. Two years ago, Birschbach, information security officer at health care provider Agnesian HealthCare, hired a consultant to plan the transition. Her staff spent more than a year mapping data between repositories and changing all user IDs to a common naming convention.
But then she found that the versions of the Lawson CRM and Cerner Millennium clinical software she had deployed — both key repositories of user identity data — wouldn’t connect with eTrust Admin without substantial integration work. Newer versions of both products will work with eTrust Admin, but upgrading will have to wait.
Agnesian had recently deployed both applications, and upgrading again would have required changing out both hardware and software. “Those applications are our bread and butter, and we’re not going to ditch that and put in something new,” Birschbach says. Another alternative was to write a custom interface, she says, but “it wasn’t worth our while to do custom programming.” So she abandoned the project. “I had to back out all of the policies and procedures and write new ones for manual provisioning.”
Still, the organisation is benefiting from the work done so far. All of the data repositories have been cleaned, and Agnesian created roles and mapped each to the appropriate applications so administrators could provision at a group level. “I met with every director and department leader to define a role for every job code,” says Birschbach, who found that her version of Lawson software doesn’t support group-based provisioning. “We’re using that information. It’s just, unfortunately, not in an automated process,” she says.
Tesenair says such problems shouldn’t be a show-stopper. “I don’t see technology being a barrier. If you need data, you can get it in some way or another,” he says. But although Health First has built connectors for its identity repository, it has yet to take full advantage of that for user provisioning. Applications that work with a directory service are supported, he says. “But if it has its own repository, it’s manual.”
Tesenair has created workflows that automatically notify administrators when a user is terminated or his or her credentials change, but the actual provisioning is manual. “We’ve held off until we get a better handle on our roles first,” he says.
Defining those roles has been a challenge. “We don’t have this figured out from a business process perspective,” Tesenair says. For example, it’s unclear whether a nurse manager should get access to medical records or if only nurses should have that access. “I don’t find technology to be as much of a barrier as the business processes are,” he says.
While role modelling is a challenge, it hasn’t stopped Health First from leveraging its identity management infrastructure. Tesenair rolled out a password self-service application that cut help desk calls from more than 6,683 to 534 a year. The organisation is also piloting a mobile clinical workstation, deployed on a Tablet PC, that supports single sign-on to a suite of clinical applications and email. The identity management system synchronises username and password data among the applications, a biometric authentication system and Novell’s eDirectory service.
Role definition can also be tricky when several business units are involved. New Jersey-based Ingersoll Rand supports different web portals for dealers of each of the company’s three construction equipment lines: Bobcat, Club Car and Ingersoll Rand. A dealer that carries all three brands had seven different log-ins to access all the required applications. Jim McDonald, manager of IT, says he used Oracle’s Identity Manager and other Oracle tools to create a single identity and single sign-on for each user. Now he’s working on assigning users roles so each user inherits role-based rights and attributes automatically.
The problem is that different groups define the same role names differently. For example, a parts manager at one dealership may be able to see prices and costs, while at another, management may not want the parts manager to see what the company pays for a part. Different constituencies will never agree on a single set of role definitions, says McDonald, and you have to work around that. “We let each brand define their own roles. We’re not trying to dictate the business requirements,” he says.
“After mapping all of your accounts, the second most challenging task is defining roles,” says Jim Shattuck, lead systems analyst at Children’s Hospital Boston. The teaching hospital has been consolidating identity repositories and uses Microsoft Identity Information Server to link 14 applications to perform automated user provisioning. As part of that effort, the hospital defined about 90 minor roles.
“The roles help us provision about 80% of the users, but there are 20% that are too disparate,” Shattuck says. Those “do not justify the effort involved in defining and maintaining them,” he says, so they are handled as one-off requests.
The number of applications included in the project is also limited. “For the most part, the roles affect applications and permissions that are integrated tightly with Active Directory and not beyond,” Shattuck says. The rest of the more than 100 applications, including the hospital’s primary clinical application, aren’t yet integrated. “As far as roles go, we’re maybe 20% of the way there,” he says.
Shattuck cites both technical and management challenges. For example, to provision the clinical application, the hospital needed to define key roles and add new “departmental” and “manager” fields in PeopleSoft, the authoritative repository of identity data for provisioning users in the clinical application.
While identity projects may be complicated and costly, organisations can be successful by taking small steps and limiting the scope to key applications — at least initially. “We don’t believe that all of those legacy applications will ever be fully integrated,” Wagner says. Despite the challenges and limitations, he sees clear benefits to moving ahead: “You can, through the application of some of these tools, make your business run more efficiently.”
NASA rebadges with identity management
Until recently, NASA used a different badge system in each of its 16 locations. “We didn’t have an agency repository of identity information,” says Portia Dischinger, datacentre manager at the Marshall Space Flight Centre. It also lacked a consistent badging process or any way to ensure that an employee who was terminated would be locked out of all facilities immediately.
Today, NASA has implemented new, consistent badging systems in most locations and configured each to work through a single identity-management entity to provide more tightly controlled, coordinated building access.
NASA started by creating a universal uniform personal-identification code (UUPIC) for every user. “We went through each badging system to pull in identities, assign those UUPICs and provide that back to the IT systems and badging systems as an anchor-attribute for identity,” says Sharon Ing, integrated services environment project manager.
Identities have now been created for some 20,000 staffers and 100,000 contractors and affiliates through human resources or through the badging system. Those changes are propagated through Sun Identity Manager, which handles workflows for badge-approval processes, and a back-end SQL Server database, which acts as the identity repository. Identity data also gets pushed to the enterprise directory and asset directory, although the system is currently used only for provisioning and deprovisioning of badges.
“We don’t have all of our applications integrated into our account management system yet,” Dischinger says.
Previously, a user who was terminated in one location might still have access to other facilities. Now, says Ing, “if somebody leaves, our check-out process disables the identity and starts a workflow identifying accounts [to disable].” Once a badge is turned in, that triggers an automated deprovisioning process that affects access in all locations.
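The two failure modes described above, cumulative access left behind by role changes (Tesenair’s “poor at taking it away”) and the check-out workflow that has to find every account to disable (NASA’s anchor-attribute approach), come down to one reconciliation step: compare what an identity should hold, derived from its roles, with what the connected systems actually hold. The model below is an added illustration, not code from any vendor or organisation named in this article; the role definitions, anchor ids and entitlement snapshot are constructed sample data.

```python
from dataclasses import dataclass, field

# Role definitions: role -> set of (system, entitlement). Constructed sample,
# loosely modelled on the hospital roles discussed in the article.
ROLES = {
    "nurse": {("clinical", "chart_read"), ("clinical", "chart_write"),
              ("email", "mailbox")},
    "nurse_manager": {("clinical", "chart_read"), ("email", "mailbox"),
                      ("peoplesoft", "timecard_approve")},
}

@dataclass
class Identity:
    anchor: str                 # stable anchor attribute (the UUPIC idea), never reused
    roles: set = field(default_factory=set)
    active: bool = True

# Entitlements actually present in each connected system, keyed by anchor id.
# Constructed snapshot: U1001 moved from nurse to nurse_manager, but the old
# chart_write grant was never removed and the new timecard right was never added.
ACTUAL = {
    ("clinical", "chart_read"): {"U1001", "U1002"},
    ("clinical", "chart_write"): {"U1001", "U1002"},
    ("email", "mailbox"): {"U1001", "U1002"},
    ("peoplesoft", "timecard_approve"): set(),
}

def expected_entitlements(identity):
    """Entitlements the identity should hold given its current roles."""
    if not identity.active:
        return set()            # a disabled identity is entitled to nothing
    return set().union(*(ROLES[r] for r in identity.roles))

def actual_entitlements(anchor, actual):
    """Entitlements observed for an anchor id across all connected systems."""
    return {ent for ent, holders in actual.items() if anchor in holders}

def reconcile(identity, actual):
    """Return (to_grant, to_revoke). to_revoke is the cumulative access that a
    role change left behind; to_grant is what the new role still lacks."""
    want = expected_entitlements(identity)
    have = actual_entitlements(identity.anchor, actual)
    return want - have, have - want

def check_out(identity, actual):
    """Termination workflow: disable the identity, then list every system that
    still holds an account for it so deprovisioning can be tracked per system."""
    identity.active = False
    return sorted({system for system, _ in actual_entitlements(identity.anchor, actual)})

if __name__ == "__main__":
    u = Identity("U1001", {"nurse_manager"})
    print(reconcile(u, ACTUAL))     # excess chart_write, missing timecard_approve
    print(check_out(u, ACTUAL))     # systems still holding an account after check-out
```

Running `reconcile` on a schedule against each connected system’s export is the audit-trail view the article’s compliance discussion calls for; the same anchor id is what lets `check_out` reach accounts in systems that never saw the HR termination.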
The biggest technical hurdle was cleaning up identity data between applications and matching identities with old employee codes, says Dischinger. But implementation was the easy part. The bigger task, she says, is “understanding your current business processes and articulating that well.”
Bottom-up role reversal
The creation and modelling of roles is typically a time-consuming, top-down process that involves meeting department staff to hammer out role definitions and the access rights that should accrue to each. Fortunately, there are tools that can help to automate the process. In contrast to the top-down approach, products from vendors such as Courion, Bridgestream and Eurekify take a bottom-up approach, inferring what your role infrastructure should be from an assessment of the access rights already in place.
Organisations still need top-down modelling to create the organisational hierarchy into which roles must fit. But, says John Grimm, product manager at Courion, “organisations can gain tremendous leverage by collecting and correlating operational user access data.” Such tools can also manage roles, establish policies and flag violations to ensure that users with more than one role don’t violate policy, for example.
Jim Shattuck is considering using modelling tools to help with role definitions at Children’s Hospital Boston. “We don’t intend to develop enterprise roles in the next 18 months because of the significant time and effort required to distil non-hierarchical health care application-authorisation levels into a practical set of roles,” he says.
But when Shattuck moves forward, he plans to examine role-automation software. “There’s a lot of room out there [to automate] roles and role definition,” he says.
Phasing in identity infrastructure
Duke University health system has been gradually building up its identity management infrastructure. The organisation, which supports more than 20,000 people in three hospitals and over 100 clinics, has already deployed single sign-on access to a suite of clinical applications.
Having completed its single sign-on project for a core set of applications, Duke is now working on deploying password synchronisation among those applications as well as its email and hospital information system applications. It’s also moving forward with self-service password reset and automated provisioning and deprovisioning projects for email and clinical applications.
Provisioning is a big problem in teaching hospitals, says Rafael Rodriguez, associate CIO. “We have new users coming, new medical staff and every year a whole new class of residents. Getting all of those accounts set up and decommissioned takes a lot of time,” he says.
While users may log into 20 or more different applications, Rodriguez initially focused on eight of the most broadly deployed applications in the organisation. Duke has deployed IBM’s Tivoli Identity Manager as part of the effort and is in the process of moving these services into production this month. In a second phase, Duke will enable provisioning for those same applications and will add a clinical notes application as a managed system.
Ironically, the most complicated product to integrate has been another IBM program: Lotus Notes. “Notes allows people to be logged in locally or on the server. The [Notes ID files] can be kept on the client. Synchronising all of those Notes IDs is one of the bigger challenges,” Rodriguez says.
Adding to the complexity is the migration of Duke’s clinical workstations to Microsoft’s Active Directory. But if all goes according to plan, new clinicians will automatically gain access to the full suite of applications they need. Rodriguez says the key is to move carefully, communicate with all users, and focus on the process as much as on technology. “You’re affecting the way people work,” he explains, “and you need to understand that.”