In Depth

Identity Management in the Real World

What's identity management? Ask 20 vendors, get 20 answers. But CSOs aren't waiting for a universal definition; they're busy tackling whatever projects meet their business needs.

By Deborah Radcliff

Nextel, using Xellerate provisioning software from Thor Technologies, started by developing only four basic user roles: employees, contractors, trading partners and customers. These roles are provisioned simply with the right access to Nextel's three most commonly used services: e-mail, LAN and intranet. "In time, we want to move to a more granular approach, like identifying whether [employees] are in sales or customer care," says Tom Deffet, Nextel's director of IT strategy and architecture. That way, he adds, they can better tailor resources to employees' specific job functions.

In fact, trying to define too many roles could be the kiss of death, says Gartner's Witty.

"Companies that try and establish roles for an entire enterprise, as opposed to one application or department, will end up with as many roles as there are employees," she says. "And it's hard to maintain because the business is always changing. So you must start small and look at all of this identity management as evolutionary."

In fact, this kind of provisioning exercise brings to light another important principle. Identity management, while it can involve numerous technologies and products, is ultimately more about business processes. "Setting and automating access across all systems used by people to do their jobs is a very nontechnical thing to tackle," says Gerry Gebel, senior analyst with the Burton Group. "It's more a social exercise in organizational dynamics. You've got to figure out how the company operates and how you can use technology to improve those processes."

Planning Phases

Halliburton is an example of a company that has progressed a bit farther down that road. The company has already defined close to 100 user attributes in its role-based provisioning system, including country code, cost center, product service line and employee type. Halliburton's system uses three products (OpenNetwork's Universal IdP, Microsoft Identity Integration Server and Ultimus BPM) for provisioning, password change, workflow management and resource entitlements. "We take a holistic approach to identity management," says Mark Johnson, Halliburton's CISO. "Our approach is access to information anywhere, anytime, by anybody. To accomplish that, we need fine-grained access and authorization when employees need it, where they need it."

That's a daunting profiling task; Halliburton has 100,000 employees (although Johnson notes that only half that number use computers). The company is managing the risk inherent in that complexity by biting off projects in digestible pieces. The first phase is the creation of "stub" accounts, which allocate to users only basic resources, including Windows, the employee portal, online learning, the performance review system, e-mail, storage and remote access. These stub accounts are automatically created when a new hire is keyed into the company's SAP system.
