In Depth

Identity Management in the Real World

What's identity management? Ask 20 vendors, get 20 answers. But CSOs aren't waiting for a universal definition; they're busy tackling whatever projects meet their business needs.

By Deborah Radcliff


"We're seeing that the average user has roughly 15 user IDs and passwords, all expiring at different dates," says Roberta Witty, a vice president of research at Gartner. As a result, corporate help desks are inundated with requests for password reminders and resets. Cutting sign-on complexity is, for most companies, the low-hanging fruit when starting identity management efforts and demonstrating immediate payback.

For example, Motorola, using existing user directories, has reduced sign-on for "tens of thousands of employees" to two primary account passwords (one for Web services and the other for Windows), according to Vice President and CISO Bill Boni.

The trick is to avoid being seduced by the word single in single sign-on. Boni says reducing sign-on to a number of other applications proved too problematic from a technology standpoint.

BellSouth's project demonstrates a second benefit of reduced sign-on: faster service time. "In a highly sensitive call center environment, it's critical to take as little time as possible per call. So not having to log in with a lot of credentials and passwords to different applications saves time and money," says Monique Shivanandan, vice president of information technology strategy, security and business continuity for BellSouth. Since January 2003, BellSouth has converted 20 percent of its busiest call center applications into one sign-on, with plans to convert remaining applications during their regular new-release schedules (so long as there are no functional conflicts).

Packing Provisions

BellSouth's work illustrates a common result among today's identity management projects. Those who start and succeed with a single manageable task often find their systems being stretched to take on additional functionality.

Shivanandan says that almost from the onset of the company's sign-on reduction project, IT and business managers started envisioning new uses for identity management: provisioning, workflow management, inventory management, vulnerability management and multifactor authentication (including biometrics). "We realized all sorts of business cases around why we're doing this and started identifying other places we could make improvements," she says.

Eventually, for example, a provisioning system would also achieve regulatory compliance for access audit trails, stabilize the system by creating a common identity structure and dramatically reduce the cost of account administration, she continues. In particular, the process of getting a new worker up and running with all his resources could potentially be cut to an hour instead of taking several days to a week.

For BellSouth, those provisioning dreams face some technical hurdles. For now, it's difficult to provision across a wide swath of applications because of the middleware-agent model these tools use, not to mention the time it takes to determine the resources each employee would need in the first place. But as with reduced sign-on, provisioning isn't so daunting when companies start by identifying a small handful of applications that are most used, and don't worry about how many roles their system can accept.

Roles are a critical concept in identity management. A role is essentially a job description that is connected to certain access rights. For example, a role broadly defined as "human resources" might be provided appropriate access rights to a suite of HR and payroll applications. When a new HR employee starts, the system administrator creating the employee's network account can simply assign her the "HR" role instead of having to set up access to those applications one by one.
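The role idea described above, together with the access audit trail mentioned earlier, can be sketched in a few lines of Python. This is an added illustration, not code from BellSouth, Motorola or any vendor; the role catalog, application names, user and function names are all hypothetical.

```python
from datetime import datetime, timezone

# Constructed role catalog: role -> applications it entitles (hypothetical names).
ROLE_CATALOG = {
    "HR": {"hr-portal", "payroll", "benefits-admin"},
    "CallCenter": {"crm", "billing-lookup", "trouble-tickets"},
}

def entitlements_for(roles):
    """Union of application access granted by a set of roles."""
    unknown = set(roles) - set(ROLE_CATALOG)
    if unknown:
        # Refuse undefined roles rather than silently granting nothing.
        raise ValueError(f"undefined role(s): {sorted(unknown)}")
    apps = set()
    for role in roles:
        apps |= ROLE_CATALOG[role]
    return apps

def plan_provisioning(user, roles, current_access, actor, audit_log):
    """Diff role-derived entitlements against the access the user holds now.

    Returns (grants, revokes) and appends one audit record per change, so
    every grant or revoke can be traced to an actor and a set of roles.
    """
    wanted = entitlements_for(roles)
    held = set(current_access)
    grants = sorted(wanted - held)
    revokes = sorted(held - wanted)  # leftover access from a previous job
    now = datetime.now(timezone.utc).isoformat()
    for action, apps in (("grant", grants), ("revoke", revokes)):
        for app in apps:
            audit_log.append({"time": now, "actor": actor, "user": user,
                              "action": action, "app": app,
                              "roles": sorted(roles)})
    return grants, revokes

def demo():
    audit = []
    # New HR employee: a single role assignment yields all HR applications.
    hire = plan_provisioning("jdoe", {"HR"}, set(), "admin1", audit)
    # Transfer to the call center: the HR access shows up as revocations.
    move = plan_provisioning("jdoe", {"CallCenter"}, hire[0], "admin1", audit)
    return hire, move, audit

if __name__ == "__main__":
    for record in demo()[2]:
        print(record)
```

Because the plan is a diff against current access, a job change removes the old role's applications as well as adding the new ones, and each change lands in the audit log.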
