Managing consistent and accurate user credential information across multiple information systems accessed by many users can be a major challenge for organisations, particularly large organisations or those with diverse information systems. The result is operational cost: technical staff spend significant amounts of time managing user credential issues, and in more severe cases this is a full-time occupation for several people.
Human error is also a source of risk: information security risks arise when legacy accounts are not removed or permissions are not managed properly. Identity management software solutions can substantially alleviate these issues by integrating identity information between disparate information systems. This might include administrative workflows to automate user creation, user removal and permission assignment across multiple diverse systems. Functionality is also available to provide users with self-service management capabilities, particularly around managing and resetting passwords.
Taken together, a properly implemented identity management solution will provide cost savings from automation of repetitive administration tasks and reduction of business risk in the form of human error or oversight.
Identity management solutions can represent a substantial investment. It is important to understand what the specific identity management challenges are within the organisation and target identity management solutions accordingly. Correctly designed and implemented solutions will deliver a return on investment and a reduction in risk.
What is identity management?
In the context of an information system, identity management is the set of processes responsible for dealing with the entire lifecycle of user accounts (identities) within the system, from creation through to eventual deletion. This encompasses account provisioning, maintenance, synchronisation, security, and deprovisioning. Effective identity management is a challenge which faces all organisations. As the size of the organisation grows, the identity management challenge escalates at an increasing pace. The effectiveness of identity management has a direct impact on productivity, security, and auditability. An ineffective identity management solution will result in excessive administrative effort being spent on user account maintenance, and can quickly lead to support teams becoming overwhelmed.
The need to support identities across multiple systems
Nearly every organisation will have a requirement to support multiple different systems which users will log on to on a regular basis. Some of these systems may share an authentication provider such as Active Directory to identify users, but will often retain their own user-specific information for logon accounts – whether externally or internally authenticated. Other systems will independently maintain a separate set of user accounts and authentication mechanisms. This may be due to isolation requirements, incompatibilities, or the use of legacy systems.
Larger organisations may operate multiple directory services such as Microsoft Active Directory, Novell eDirectory, Sun Directory Server, IBM Tivoli Directory Server, etc., perhaps due to organisational or administrative boundaries, a requirement to support legacy systems, or changing business needs. Adopting a 'best of breed' systems selection strategy will only serve to increase the number of systems which are unable to natively integrate with each other and share user information.
The challenge of growth
As an organisation grows, not only does the user count increase, but so does the number of discrete systems for which user management tasks must be accomplished. Both of these factors combine to increase the administrative burden associated with user management, with the effort required scaling at a greater than linear rate compared with the user count. The administrative burden of maintaining user accounts can be thought of as being a multiple of the number of users, as well as a multiple of the number of discrete systems. Once provisioned, user accounts must be maintained to keep up with changes in employees’ roles, job titles, statuses, name changes, changes in personal circumstances, etc. The more systems which must be modified to account for these changes, the greater the effort required to keep them up-to-date, and the larger the opportunity for redundant and inconsistent data to creep in.
How identity management solutions can help
Synchronising user information
Identity management solves the problem of maintaining multiple redundant copies of user data by providing powerful synchronisation solutions that are capable of communicating with virtually any system which contains user data. Relationships between the data in disparate systems can be defined and changes automatically synchronised across all connected systems. Workflows can be created to automate user maintenance activities – eliminating the need for manual changes, facilitating the immediate enforcement of changes across multiple systems, and dramatically reducing the potential for error.
To give an illustration of a hypothetical sequence of events:
- An employee’s role is changed in a legacy HR application.
- The identity management solution reads this change from the HR application’s database, which triggers the remaining steps.
- The employee’s job title in various directory services and contact information databases is updated.
- Security and distribution group memberships in Active Directory are updated to reflect the employee’s new role.
- Permissions in bespoke applications are updated through a series of workflows and synchronisation rules.
Automation of user provisioning & deprovisioning
As more systems are added and the complexity of user provisioning and deprovisioning grows, the potential for security breaches becomes more apparent. To take the example of an employee leaving the organisation: this will typically trigger a deprovisioning process during which all accounts which that employee would have used to access various systems are disabled or deleted. As an organisation supports more discrete systems, this deprovisioning process becomes extended. More systems mean more accounts which must be deprovisioned. These accounts may be administered by different teams or departments, and may be subject to different approval processes. The deprovisioning exercise therefore takes longer to complete, and during that time the systems involved remain vulnerable. As the process grows more complex, the potential for steps to be missed or mistakes to be made grows with it, potentially leaving a component vulnerable to exploitation.
An identity management solution will automate the provisioning and deprovisioning processes through the use of workflows. Various discrete systems which may be managed by different teams can be automatically configured with the correct permissions etc. without manual intervention. Provisioning and deprovisioning automations serve to reduce the workload of administrative staff, accelerate the administrative process, and reduce administrative errors. Automated provisioning empowers new employees to become productive more quickly as they are no longer waiting for access to various systems and components. Automated deprovisioning enforces security policies and protects valuable data.
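The two workflows above, the role change read from HR and propagated to connected systems, and the leaver deprovisioned from every connected system, can be sketched in a small synchronisation engine. The following is an added example and not code from the original article or from any identity management product; the system names, the role-to-group mapping and the user records are constructed. It also adds a reconciliation check, which reports any leaver still enabled on a system the workflow does not manage, i.e. exactly the missed step the manual process is prone to.

```python
"""Added example: a minimal identity synchronisation engine.
Role changes from HR are propagated to connected systems, leavers are
deprovisioned everywhere, and a reconciliation pass finds leavers still
enabled on a legacy system outside the workflow. All names are constructed."""

from dataclasses import dataclass, field

# Constructed: directory groups and application permissions implied by each HR role.
ROLE_PROFILES = {
    "Accounts Clerk": {"title": "Accounts Clerk",
                       "groups": {"Finance-Users", "DL-Clerks"},
                       "app_perms": {"ledger": "read"}},
    "Finance Manager": {"title": "Finance Manager",
                        "groups": {"Finance-Users", "Finance-Approvers", "DL-Managers"},
                        "app_perms": {"ledger": "approve"}},
}

@dataclass
class Account:
    enabled: bool = True
    title: str = ""
    groups: set = field(default_factory=set)
    perms: dict = field(default_factory=dict)

class Connector:
    """Stand-in for a connector to one system (directory, contacts DB, bespoke app)."""
    def __init__(self, name):
        self.name = name
        self.accounts = {}          # uid -> Account

    def ensure(self, uid):
        return self.accounts.setdefault(uid, Account())

class IdentityManager:
    def __init__(self, connectors):
        self.connectors = {c.name: c for c in connectors}
        self.log = []

    def apply_role_change(self, uid, new_role):
        """Propagate an HR role change: title everywhere, AD groups, app permissions."""
        profile = ROLE_PROFILES[new_role]
        for c in self.connectors.values():
            c.ensure(uid).title = profile["title"]
        ad = self.connectors["active_directory"].ensure(uid)
        # Memberships implied by the old role but not the new one are removed,
        # so access does not accumulate as people move between roles.
        added, removed = profile["groups"] - ad.groups, ad.groups - profile["groups"]
        ad.groups = set(profile["groups"])
        self.connectors["ledger_app"].ensure(uid).perms = dict(profile["app_perms"])
        self.log.append(f"{uid}: role={new_role} +{sorted(added)} -{sorted(removed)}")
        return added, removed

    def deprovision(self, uid):
        """Disable the leaver's account and strip access on every managed system."""
        for c in self.connectors.values():
            if uid in c.accounts:
                acct = c.accounts[uid]
                acct.enabled = False
                acct.groups.clear()
                acct.perms.clear()
        self.log.append(f"{uid}: deprovisioned")

    def reconcile(self, leavers, extra_systems=()):
        """Return (system, uid) pairs for leavers still enabled anywhere,
        including systems the workflow does not manage."""
        systems = list(self.connectors.values()) + list(extra_systems)
        return sorted((s.name, uid) for s in systems
                      for uid, acct in s.accounts.items()
                      if uid in leavers and acct.enabled)

def demo():
    """Run the hypothetical sequence: role change, then leaver handling."""
    idm = IdentityManager([Connector("active_directory"), Connector("contacts_db"),
                           Connector("ledger_app")])
    idm.apply_role_change("jsmith", "Accounts Clerk")
    added, removed = idm.apply_role_change("jsmith", "Finance Manager")
    # Constructed: a legacy payroll system with its own accounts, not connected to the IdM.
    legacy = Connector("legacy_payroll")
    legacy.ensure("jsmith")
    idm.deprovision("jsmith")
    orphans = idm.reconcile({"jsmith"}, extra_systems=[legacy])
    return {"idm": idm, "added": added, "removed": removed, "orphans": orphans}

if __name__ == "__main__":
    result = demo()
    print(result["added"], result["removed"], result["orphans"])
```

The reconciliation pass is the part worth keeping in a real deployment: the automated workflow only covers systems that have a connector, so the leaver list from HR should periodically be compared against every account store, connected or not.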
Thus far we have explored the benefits in terms of security, promptness, and workload from an administrative perspective. From a user’s perspective however, the principal grievance of being required to use multiple discrete systems is frequently the inconvenience of having to remember multiple sets of logon credentials. Apart from the inconvenience, this typically results in lost productivity as users wait for passwords to be reset after forgetting them, or worse – the security threat of users writing down passwords in order to avoid this scenario in the first place!
Identity management solutions can be applied to solve this problem. Password change events which occur within Active Directory are captured, and the change replicated to connected systems. The end result is that users are able to log in to multiple disparate systems which do not themselves share authentication providers, using a single set of logon credentials. Furthermore, they are able to change their passwords on all of these systems simultaneously by simply changing the password they use to log on to their computer.
How identity integration can reduce the cost of increasing user counts
As we have considered, the application of identity management solutions can dramatically reduce the problems and burdens associated with maintaining a number of systems; however there is another side to the problems that come with organisation growth. Regardless of the number of systems supported, an increasing number of users means an increasing administrative effort is required to support them.
Self-service group management
Identity management solutions offer automated provisioning of security and distribution groups. Many such groups serve limited purposes and are not security critical, and as such lend themselves to delegated or even self-service management. Without this kind of flexibility administrative staff can be overwhelmed with requests for creating new distribution groups, adding individuals to these groups, removing individuals from these groups, and of course following the relevant approval processes before making said changes.
Solutions alleviate this problem by providing a mechanism for empowering users to manage these tasks themselves, often via an intranet web portal, and/or through application plugins. As an example, group membership requests could be made directly from within Outlook. These requests will trigger automated workflows which will seek approval from the relevant manager where appropriate and automatically carry out the necessary administrative tasks to implement (or reject) the change, without the need for a systems administrator to be involved.
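The request-and-approval flow just described can be modelled as a small workflow with three group policies. The code below is an added example, not from the original article or any vendor's product: group names, owners and the policy labels ("open", "approval", "restricted") are constructed. Open groups are joined immediately, approval groups wait for the named owner's decision, and restricted groups (the security-critical ones the article says do not lend themselves to self-service) are refused outright so they can only be changed by an administrator.

```python
"""Added example: a self-service group membership request workflow with
owner approval and an audit trail. All names and policies are constructed."""

from dataclasses import dataclass, field
from itertools import count

@dataclass
class Group:
    name: str
    policy: str                 # "open", "approval" or "restricted"
    owner: str = ""             # approver for "approval" groups
    members: set = field(default_factory=set)

@dataclass
class Request:
    id: int
    requester: str
    group: str
    status: str = "pending"     # pending, approved, rejected, refused
    audit: list = field(default_factory=list)

class GroupWorkflow:
    def __init__(self, groups):
        self.groups = {g.name: g for g in groups}
        self.requests = {}
        self._ids = count(1)

    def request_membership(self, user, group_name):
        """Entry point for a request raised from a portal or application plugin."""
        g = self.groups[group_name]
        req = Request(next(self._ids), user, group_name)
        self.requests[req.id] = req
        req.audit.append(f"requested by {user}")
        if g.policy == "restricted":
            req.status = "refused"          # never self-service; administrator only
            req.audit.append("refused: group is not self-service")
        elif g.policy == "open":
            self._apply(req)
        else:
            req.audit.append(f"awaiting approval from {g.owner}")
        return req

    def decide(self, req_id, approver, approve):
        """Owner's decision on a pending request; only the group owner may decide."""
        req = self.requests[req_id]
        g = self.groups[req.group]
        if req.status != "pending":
            raise ValueError(f"request {req_id} is already {req.status}")
        if approver != g.owner:
            raise PermissionError(f"{approver} is not the owner of {g.name}")
        if approve:
            self._apply(req)
        else:
            req.status = "rejected"
        req.audit.append(f"{'approved' if approve else 'rejected'} by {approver}")
        return req

    def _apply(self, req):
        self.groups[req.group].members.add(req.requester)
        req.status = "approved"
        req.audit.append("membership applied")

def demo():
    wf = GroupWorkflow([Group("DL-Cycling-Club", "open"),
                        Group("DL-Finance", "approval", owner="fmanager"),
                        Group("Domain Admins", "restricted")])
    r1 = wf.request_membership("jsmith", "DL-Cycling-Club")
    r2 = wf.request_membership("jsmith", "DL-Finance")
    wf.decide(r2.id, "fmanager", approve=True)
    r3 = wf.request_membership("jsmith", "Domain Admins")
    return wf, (r1.status, r2.status, r3.status)

if __name__ == "__main__":
    wf, statuses = demo()
    print(statuses)
    for req in wf.requests.values():
        print(req.id, req.audit)
```

The audit list on each request is what makes the process reviewable afterwards: who asked, who approved, and when the change was applied, without a systems administrator in the loop.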
Self-service password reset
An even more obvious burden on front-line service desk staff is that of password resets. No matter how clever our IT systems become, people will still remain forgetful, and will from time to time require their passwords to be reset by an administrator. Improved security through the use of more complex and regularly changed passwords only makes this more frequent. The greater the number of users a service desk must support, the greater the volume of these requests they will receive. It is not uncommon in larger organisations to have a team of administrators dedicated to the task of resetting forgotten passwords.
Identity management solutions lighten the load on the service desk by providing a mechanism by which users can reset their own passwords. This can even be seamlessly integrated with the Windows login screen. An authorisation workflow which can be customised to suit the organisation’s requirements (e.g. it may ask a series of security questions) will be invoked.
Upon successful completion of the authorisation workflow, the user is able to reset their own password and unlock their account. As there is no longer a requirement to contact the service desk for assistance, there are dual benefits: users can bypass ticketing queues and be serviced immediately, leading to less lost productivity; and there will be a reduction in the service desk resource required to support the process.
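The authorisation step described above, a series of security questions gating the reset and unlock, is the security-sensitive part of self-service password reset. The following added example (not from the original article, and not integrated with any real login screen or directory) shows one way to implement it as a stand-alone service: answers are stored only as salted PBKDF2 hashes, compared in constant time, and a small number of failed rounds locks the reset workflow itself so that it cannot be used to guess answers. Users, questions, answers and the iteration count are constructed.

```python
"""Added example: the authorisation workflow for self-service password reset.
Challenge answers are salted and hashed, verification is constant-time, and
repeated failures lock the workflow (not the user's account). Constructed data."""

import hashlib
import hmac
import os

ITERATIONS = 100_000        # constructed PBKDF2 work factor; tune for real hardware
MAX_ATTEMPTS = 3            # failed challenge rounds before the workflow locks

def _normalise(answer):
    """Case- and whitespace-insensitive form so 'Fluffy ' and 'fluffy' both verify."""
    return " ".join(answer.lower().split()).encode()

def _pbkdf2(data, salt):
    return hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS)

class ResetService:
    def __init__(self):
        self.users = {}

    def enrol(self, uid, password, qa_pairs):
        """Store the password hash and a salted hash of each challenge answer."""
        challenges = []
        for question, answer in qa_pairs:
            salt = os.urandom(16)
            challenges.append((question, salt, _pbkdf2(_normalise(answer), salt)))
        pw_salt = os.urandom(16)
        self.users[uid] = {"pw_salt": pw_salt,
                           "pw_hash": _pbkdf2(password.encode(), pw_salt),
                           "locked": False, "challenges": challenges, "failures": 0}

    def questions(self, uid):
        return [q for q, _, _ in self.users[uid]["challenges"]]

    def verify_challenges(self, uid, answers):
        """Authorisation step: every answer must match; failures are counted."""
        user = self.users[uid]
        if user["failures"] >= MAX_ATTEMPTS:
            return False        # workflow locked; the service desk must intervene
        # Check every answer rather than stopping at the first mismatch, so the
        # response time does not reveal which answer was wrong.
        results = [hmac.compare_digest(digest, _pbkdf2(_normalise(given), salt))
                   for (_, salt, digest), given in zip(user["challenges"], answers)]
        ok = len(answers) == len(user["challenges"]) and all(results)
        user["failures"] = 0 if ok else user["failures"] + 1
        return ok

    def reset_password(self, uid, answers, new_password):
        """Reset the password and unlock the account only after authorisation succeeds."""
        if not self.verify_challenges(uid, answers):
            return False
        user = self.users[uid]
        user["pw_salt"] = os.urandom(16)
        user["pw_hash"] = _pbkdf2(new_password.encode(), user["pw_salt"])
        user["locked"] = False
        return True

    def check_password(self, uid, password):
        """Ordinary logon check, refused while the account is locked."""
        user = self.users[uid]
        return (not user["locked"]) and hmac.compare_digest(
            user["pw_hash"], _pbkdf2(password.encode(), user["pw_salt"]))

def demo():
    svc = ResetService()
    svc.enrol("jsmith", "OldPassw0rd", [("First pet's name?", "Fluffy"),
                                        ("Town of birth?", "Leeds")])
    svc.users["jsmith"]["locked"] = True            # constructed: account locked out
    wrong = svc.reset_password("jsmith", ["Rex", "Leeds"], "NewPassw0rd")
    right = svc.reset_password("jsmith", ["fluffy ", "leeds"], "NewPassw0rd")
    return svc, wrong, right

if __name__ == "__main__":
    svc, wrong, right = demo()
    print("wrong answers accepted:", wrong, "| correct answers accepted:", right)
```

Locking the workflow rather than the account matters: an attacker who knows only a username should not be able to lock the legitimate user out of their computer by failing the challenge repeatedly, but should also not get unlimited guesses at the answers.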
As an organisation grows, the volume and complexity of tasks associated with identity management increase at an ever growing rate. This places an escalating administrative burden on support staff, and extends the duration of management tasks, negatively impacting productivity. Powerful synchronisation and automation platforms are available which can reduce costs by alleviating the load placed on service desks and increasing security. This enables an organisation to scale IT services more efficiently, without overwhelming their support teams.
Identity management solutions can be a significant investment; however, the benefits increase more steeply than the costs as an organisation scales. Although this places it beyond the reach of most small businesses wishing to see a reasonable return on investment, large organisations will benefit greatly from the time and efficiency savings that these solutions make it possible to achieve.