CA tackles identity management challenge

Network managers know how hard it is to manage the multiple user identities of their employees, but Computer Associates International Inc. (CA) says it has the answer with eTrust Admin 2.0.

Released in July, the upgrade from eTrust Admin 1.7 features role-based user provisioning functionality that is the hallmark of the product.

Simon Perry, vice-president of security solutions for CA, described the role-based user provisioning concept by saying it involves “providing to a user all the identities and access rights they’re entitled to according to their role.”

Employees usually have numerous identities to access different systems in the company, and keeping track of them can be difficult. eTrust Admin keeps them all in one directory, and can access other system directories. If an employee is fired, an administrator can access their profile and delete their access to all the company’s systems at once. If an organization laid off 7,000 employees, all the identities that give them access to systems would have to be deleted. If each employee had five identities, that would mean 35,000 identities would need to be deleted.

eTrust Admin 2.0 manages all the employees’ identities in one directory – instead of making 35,000 deletions the administrator would only need to make 7,000.

Brigham Young University (BYU) in Provo, Utah purchased eTrust Admin 2.0 to control what systems people have access to when they’re hired, fired or switch positions.

“We like eTrust Admin 2.0 because it gives us a greater ability for identity management,” said Karl Jackson, an infrastructure engineer at BYU.

Jackson said BYU hooked up eTrust Admin 2.0 to Microsoft Active Directory, Microsoft Exchange, Novell Netware and CA’s eTrust Access Control.

One of the key changes from version 1.7 to version 2.0 is eTrust Admin’s ability to work with more directories. The supported environments for eTrust Admin include Microsoft Windows NT domains, Active Directory, Exchange Server, Lotus Notes/Domino, multiple Unix platforms and Red Hat Linux.

CA says scalability has also been improved. Previously, eTrust Admin could handle only 60,000 users. The latest version of the product has been tested with 250 million users. Theoretically, more users could be added if more hardware was added, Perry said.

Self-password management is a new feature that could off-load typical call centre problems by empowering the end-user to reset their own passwords.

According to a report, The Business Case for User Provisioning by DataMonitor, a research firm based in New York, eTrust Admin 2.0 can save a company with 21,000 employees about US$5 million in password reset administration costs; Perry said about 70 per cent of help desk calls are about resetting passwords.

End-users can reset their own passwords through a challenge/response interface that asks users a set of pre-determined personal questions and changes their password for them. As a result, IT administrators can spend more time taking care of more serious issues rather than resetting passwords.

Finally, eTrust Admin 2.0 links into physical provisioning. When a user profile is created or modified, that is, when a person is hired, changes jobs within a company or is fired, eTrust Admin automatically sends out e-mail notifications to various departments responsible for allocating physical resources such as telephones, computers and even company credit cards.

It also contains an intuitive interface, according to CA, which is important because the product is designed to give someone without high-level IT skills access to a system.

eTrust Admin 2.0 can also increase security. According to the report by DataMonitor, experts say around 80 per cent of attacks occur from within a network. The product prevents former or current employees from gaining access to information they are not authorized to see. It would also prevent hackers from exploiting unused identities to gain system access.

Computer Associates International Ltd in Islandia, N.Y. is at 1-800-225-5224. For more information, visit the company on the Web at