Managing Your Identity Crisis

By Darwin John, Strategic Advisor, and Arthur Hopkins, VP Technology Consulting, Blackwell Consulting Services

Many CIOs are in the midst of an identity crisis. Some are working out their issues, others are in turmoil and looking for help, while a few are so numb they don't realize how serious their crises have become. With corporate America's increased emphasis on security, as well as the scrutiny brought about by regulations like Sarbanes-Oxley, there is a new flurry of activity around identity management and control of users' accounts.

First, let's examine what an identity crisis is.

An identity crisis is the malaise associated with costly or inefficient management of users' identities - their accounts, passwords and access credentials. The most common symptoms of an identity crisis are passwords written on sticky notes, droves of staff manually handling every facet of account creation, revocation and password management, seemingly interminable delays in account provisioning for new employees and even longer delays in deprovisioning of former employees, and compliance audit citations.

Below are three steps for CIOs to focus on when resolving this issue.

Step One: Diagnosis

Early diagnosis, through self-check, is the key to rehabilitation. I would suggest that CIOs ask the following:

How are we dealing with password management?

Most corporations enforce password complexity and expirations of between 30 and 90 days for their most business-critical applications, especially if there are compliance drivers like Sarbanes-Oxley. Invariably, the periodic expiration of complex passwords leads to locked-out users. In many cases the "quick fix" is to increase the help desk staff to service this demand. As more applications are brought under this enforcement, and as users exhaust their most familiar passwords amid a blur of previously used passwords that can't be repeated or incremented, the demand grows.

However, the real crisis occurs like clockwork on the first workday after a long holiday weekend or vacation. As users return to work rested and refreshed, they sit down at their PC and stare at the blinking cursor next to "password" and realize that something is wrong. How many users will call the help desk between 8 a.m. and noon? How will the IT department adequately staff the help desk to field the calls for those four hours of terror?

Perhaps your company has outsourced help desk functions to a vendor and staffing isn't a primary concern. However, each call to your outsourcer incurs a cost. Conservative estimates indicate that a user requires an average of two password resets per year. If every user in your corporation places two calls per year, the out-of-pocket expense is not trivial. In organizations with manual password support services, the costs range from approximately $15 to $40 per call. Perhaps your organization is indifferent or has already come to terms with this arrangement. What seems like an accepted practice is actually an opportunity to dramatically impact the bottom line by eliminating the unnecessary cost of the manual servicing of these basic needs.

How are we dealing with account provisioning and deprovisioning?

For years we've observed the lag time in getting new employees productive as they wait for sets of IDs and passwords in order to begin their job. Yet after all is said and done, much more has been said than done. The wasted time associated with new employees sitting idle is now an assumed cost, which can be avoided if the IT department implements a "zero day start."

Without a controlled process or an integrated solution for deprovisioning, you may experience an identity crisis. As employees leave, the legitimacy of their access expires but the ability to access their accounts persists. For many CIOs, the associated risk has reached the crisis point. Beyond mere risk, however, there are real bottom-line ramifications. For example, failure to terminate corporate credit cards, calling cards, conferencing services and critical payroll systems in the separation process often leads to costly misappropriations by former employees.

Step Two: Managing Your Identity Crisis

Even with all these issues, remember, you can't manage what you can't measure. The first step in managing the crisis is to do an assessment of the current state of identity management. While the benefits of single sign-on and password synchronization are often emphasized, the business case is a tough sell because the benefits are mostly in the form of productivity gains and reduced effort for future development - neither of which is a compelling business concern on its own.

One approach to assessing the current state of identity management is to focus on the user lifecycle. This approach traces the path of a single individual through the onboarding and offboarding processes as they collect various IDs and passwords along the way. As the user meanders through this real-life adventure game, the assessment identifies and quantifies the individuals who are involved, including the processes, controls and audits that bound the process, and the associated costs, risks and inefficiencies. The intent of the audit is not to trace every possible route and exception, but rather to identify the major routes and quantify the exceptions.

For example, in many organizations there is a single, official process by which user accounts are locked and unlocked, yet an overwhelming number of "back door" resets occur outside it. Quantifying the scope of the activity that circumvents the official process is crucial to developing the justification for change. This approach includes examination of the processes by which passwords are managed and accounts are (or are not) deprovisioned. Upon completion of the assessment, you have the means to categorize and quantify the business impact.

An alternative approach to this key step is the system-centered assessment. Some organizations have certain systems that are known, prima facie, to be a top priority, due to several factors including the system's critical nature, the number of users, the cost of administration, or who "owns" the accounts. In contrast to the user-centered approach, this approach focuses on the lifecycle of an account within a single system or directory. Other approaches to the assessment include focusing on processes, workstreams or resources.

Step Three: Prognosis

Typically the business impact of the current state of identity management can be measured across three dimensions: cost, risk and productivity. The justification for an identity management solution (including the infrastructure, integration and process change) parallels these three and is based on the pillars of cost reduction/avoidance, risk containment/mitigation and productivity gain.

Generally, the business impact from provisioning comes largely in the form of productivity gain. Implementation requires consolidation of provisioning processes and/or significant process reengineering in addition to the technical integration. In most organizations, provisioning is a long-term strategy with an ROI that is difficult to calculate. One notable exception is the case of organizations with significant "churn" of accounts. For example, in higher education there are seasonal influxes of new accounts as students matriculate. Automated provisioning enables universities to streamline these processes, which are otherwise staffed manually (albeit with relatively lower cost student resources). With the right executive level sponsorship and realistic expectations of the process changes, automated provisioning can deliver significant productivity gains for new users, staff responsible for getting accounts to those new users and significant cost reductions for companies that have consolidated their provisioning processes.

Deprovisioning has the ability to "cure" leakages and misappropriations that occur when sleeper accounts of former employees are exploited. Implementing deprovisioning tends to cause less organizational upheaval than provisioning, often because the processes around deprovisioning are more lax and loosely defined or enforced. In one case, an organization had 30 employees dedicated to the manual provisioning of accounts with no one assigned the responsibility of deprovisioning. In cases like this, automation of deprovisioning can be done correctly without disruption of the current processes and can quickly effect cost reductions in the form of reduced leakage and misappropriation, while also dramatically mitigating risks.
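As an added illustration of the deprovisioning gap described here and under Step One (example code written for this edit, not from the authors or Blackwell Consulting Services), the reconciliation below compares a directory's enabled accounts against HR's termination records and counts the orphaned or "sleeper" accounts per system, which is the figure an assessment needs to quantify. The Account and HrRecord types, the grace period and the sample rows are assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Account:
    username: str
    system: str          # directory or application holding the account
    enabled: bool

@dataclass(frozen=True)
class HrRecord:
    username: str
    termination_date: date | None   # None means still employed

def find_sleeper_accounts(accounts, hr_records, as_of, grace_days=0):
    """Return (account, reason) pairs for enabled accounts whose owner left more
    than grace_days before as_of, or whom HR does not know at all (orphans)."""
    hr_by_user = {r.username: r for r in hr_records}
    findings = []
    for acct in (a for a in accounts if a.enabled):   # disabled = already handled
        rec = hr_by_user.get(acct.username)
        if rec is None:
            findings.append((acct, "no HR record for owner"))
        elif rec.termination_date is not None:
            days_since = (as_of - rec.termination_date).days
            if days_since > grace_days:
                findings.append((acct, f"owner terminated {days_since} days ago"))
    return findings

def count_by_system(findings):
    """Quantify the deprovisioning gap per system, the figure an assessment needs."""
    counts = {}
    for acct, _ in findings:
        counts[acct.system] = counts.get(acct.system, 0) + 1
    return counts

# Constructed sample data for the example; not taken from any real organisation.
ACCOUNTS = [
    Account("alice", "payroll", True),
    Account("bob", "payroll", True),
    Account("bob", "crm", True),
    Account("carol", "crm", True),
    Account("dave", "crm", False),   # correctly disabled after departure
]
HR = [
    HrRecord("alice", None),
    HrRecord("bob", date(2004, 3, 15)),
    HrRecord("dave", date(2004, 1, 10)),
]
```

Running `find_sleeper_accounts(ACCOUNTS, HR, date(2004, 7, 1), grace_days=7)` flags both of bob's accounts and carol's unattributed CRM account, while dave's already-disabled account is not reported.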

Implementing password self-service in an environment currently serviced by a help desk quickly and dramatically reduces costs of password-related calls. In some organizations, password-related calls comprise as much as 70 percent of the help desk call volume. For organizations that staff call centers internally, capacity planning for the spikes that occur as users return to work after long weekends and vacations is a major challenge. This is further complicated by the exposure inherent in making credentials and authentication information accessible to such a volatile workforce. Thus, automation of password self-service requires limited process reengineering, mitigates risk, reduces costs and avoids future costs borne out of increased scrutiny and enforcement of password policies.

Moving Forward

Regardless of how the identity crisis began, it is up to the CIO to resolve the situation. An identity crisis provides CIOs with the opportunity to be proactive and deliver real business results to a company, whether through productivity gains, financial savings or increased IT security.

Identity management is a business issue that has tangible impact to any business. For organizations seeking to reduce costs and increase revenues, identity management is a problem that can be easily justified. However, it starts with a sound business case, and in developing your business case, remember that everyone wants provisioning, everyone needs deprovisioning and everyone benefits from identity management.

Copyright © 2004 IDG Communications, Inc.
