Identity Management: Implementation Dos and Dont's

Just getting started on an IDM roll-out? Some pointers from people who've been there, done that.

IDM (Identity Management) implementations promise big rewards but demand big investment. Here's advice on getting the biggest return on all that investment.

DON'T underestimate the amount of preparation involved. For Mike Petosa, IT director at the American National Standards Institute, the two biggest challenges for implementing an IDM system from Novell were cleaning the data and defining the business processes surrounding identity management. (To learn more about the components of and considerations for a full-blown IDM project, see "Identity Management: Critical Components."

Data cleansing was 60 percent of the project, he estimates. For instance, his team had to clear up semantic differences among various departments, such as the term "inactive record." "That needed to be accurate to create the correct workflow and rules," he says.

Defining business process required exposing intuitive knowledge that individuals had stored up for years, he says. "It took a lot of probing to expose the workflows because it was distributed among many people," Petosa says. For instance, member registration involved several departments working separately to provide access to applications and services based on membership level.

Petosa's group had to define workflows and business rules that would streamline these processes and minimize errors. Now, when a member registers online, a record is created in the CRM system, and access is automatically provided to a limited area of the SharePoint portal server. When the membership department receives notification of the new membership, it authorizes further access, based on the membership level.

"All these rules are stored in the identity management system, and all the member identities are stored in the identification vault," Petosa says. Now, when updates such as change of address or membership level are made in the CRM system, the changes are synchronized across all other systems and databases.

DO prepare your environment to smooth implementation. When Equifax implemented Sun's IDM system, it didn't plunge right in, says Tony Spinelli, chief security and compliance officer. He first worked with the IT department to create one authoritative source for all the company's employees and contractors, which required creating one logical database from databases throughout the world.

Second, Spinelli wanted to develop a way to connect the IDM system with all the other applications that Equifax used, rather than having to write scripting languages and adapters for each application it wanted to integrate. To do this, he worked with IT to develop identity repositories in Active Directory and LDAP. "We didn't want to write adapters between Sun and every application we wanted to connect--that really would have elongated the process," he says.

DO prepare for a long project. Because of the complexity of IDM, implementations can easily last a year or more, experts say. ANSI's IDM implementation took about a year and half, according to Petosa.

This can lead to frustration, Perkins says. "I've been surprised by the number of people who've expressed disappointment and disillusion at the progress and process of installing these systems," he says. "These are very complex and difficult systems to install, and the more complex your environment, and the more applications and platforms you wish to have on the workflow system, the more complicated it becomes."

One way to ease the frustration is to stage the project. At ANSI, Petosa's group started with the company's CRM and online system and later added the accounting and human resource systems, defining more rules as they went to achieve the process flow they wanted. "It's like re-engineering; you can't do it in one step," he says.

DON'T assume you can accomplish this in-house. Both Petosa and Spinelli say they couldn't have succeeded with their implementations without lots of vendor support. "This is not for the weak of heart," Petosa says. "You need to look for a company with excellent VAR support." The risk of making a mistake, he says, is huge. "It will destroy your data and your systems if it's poorly designed."

But DON'T rely 100 percent on outside help. "You have to be an active participant," Petosa warns, especially when it comes to defining your business processes. "Integrators can't dig deep enough," he says. "You need a dedicated staff working with the implementation team."

Spinelli says it was beneficial to have staff that was already experienced with Sun's Java environment. "We can leverage our Java development team to code the identity management tool," he says. In addition, he hired a team of coders who had previously worked at Waveset Technologies, the identity management software vendor that Sun acquired.

DO get upper management support. At Equifax, Spinelli kicked off the effort by inviting the company's CTO as well as high-level executives from HR, architecture, operations, legal and financial to a three-day meeting. The group determined the business drivers for an IDM system, which turned out to be compliance, simplifying identities, leveraging data and metrics, and--down the road--enabling federation.

Mary Brandel is a freelance writer. Send feedback to Editor Derek Slater at

Copyright © 2008 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)