Today’s business is a world of mobile work forces, networks and scattered places where information about employees is stored. Wouldn’t it be great to have technology that makes it easier to manage the flow of corporate information, improve the quality of data gathered by a business, and have a tighter rein on what users can do when it comes to computing?
Identity management could be just the ticket.
Think of it as a set of tools and technologies that let companies control the use of IT-enabled corporate programs or business processes, and determine what information and data can or cannot be viewed. It’s a system that acts like the gatekeeper, applying defined rules and policies regarding who should be doing what on the network, and then letting through those who have permission and keeping out those who don’t.
ID management is a concept typically associated solely with IT security, and that’s why the big adopters have tended to be the companies that have to comply with legislation that requires close control, monitoring and logging of processes and business activities – big corporations and financial institutions, for instance.
But there’s much more to ID management that many people aren’t aware of, and even companies that aren’t so security-conscious ought to be thinking about it these days.
“It’s seen as a security tool rather than as a productivity tool,” according to David Senf, a research analyst with IDC Canada Ltd. in Toronto, who points out that ID management is really a collection of technologies that helps improve efficiency. “There are password resets and single sign-on as the typical technologies you’d consider as identity management. But one of the core components that often gets overlooked is user-account provisioning. That allows a business to take user-account activation and deactivation and integrate these into its business processes.”
Plus, the technology is a whole lot simpler to purchase, install and use these days, Mr. Senf says, making it easier for smaller organizations to adopt.
Inventure Solutions Inc., part of Vancity Group, a financial services company located in British Columbia, embarked on an identity-management project shortly after migrating from Windows NT to Windows 2003 about three years ago.
“We wanted to come up with something that was a single place to keep data about employees and keep it consistent – then use it for other things like single sign-on,” says Tony Fernandes, Inventure’s vice-president of IT operations. “We saw it as a huge efficiency benefit. [Without it,] you can end up duplicating coding in all types of systems to identify employees.”
Among the first and toughest steps was to think centrally and start gathering all human resources (HR) information into a single data repository. From there it’s fed out into other applications and systems by an ID management engine – in this case, Microsoft Corp.’s Identity Integration Server (MIIS) coupled with Active Directory software.
Rob Church, Inventure’s manager of software architecture, says the actual deployment of the identity management system was relatively straightforward compared to mapping of places where data might end up.
“We joked within this project that the technology was the simple part,” he recalls. “The hard part was in understanding the business processes.”
Inventure’s identity management system builds user-rights profiles for access to IT and communication systems, and dynamically administers these rights throughout all relevant systems, applications and processes across the company’s network. This saves a lot of time for human resources and IT staff, who would otherwise have to configure all the systems for each employee manually. “HR sets them up, but once [information on an employee] is set free in the organization, other things occur,” Mr. Church says. “An employee gets space on a [business server] disk, for example. It happens as a result of a record that triggers some action.”
The ID management system drives security-related functions you’d expect, such as single sign-on to networks and programs, but an employee is also automatically allocated things such as a number on the company’s telephone system. If a teller is transferred to another credit union branch, for example, HR records the staffing change in the ID management system, which triggers the necessary changes in the phone system.
Any change HR records to an employee’s status or location automatically triggers the appropriate changes to IT resource permissions, too. And when an employee leaves the company, HR’s removal of that employee’s identity likewise triggers the immediate deactivation of all IT services and rights.
That’s one of the most significant security-related benefits of identity management, says Mr. Senf. “It’s important to have a handle on what accounts are active and to ensure which aren’t active if they aren’t supposed to be.”
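The joiner/mover/leaver flow described above, and Mr. Senf’s point about knowing which accounts are active, can be shown as a small reconciliation routine. This is an added example, not code from Inventure, Vancity or Microsoft: the HR feed, the role-to-entitlement table and the account store are constructed in-memory stand-ins for the HR repository, the MIIS provisioning rules and Active Directory that the article mentions, and the function and field names are assumptions. Each action the engine takes is recorded in an audit list, and an enabled account with no HR record behind it (an orphan) is disabled just like a leaver.

```python
"""Joiner/mover/leaver reconciliation of an HR feed against an account store.

Added illustration, not the project's own code. All data below is constructed.
"""
from dataclasses import dataclass, field

# Constructed stand-in for the provisioning rules an ID management engine applies:
# which entitlements a role gets. Real deployments derive this from HR attributes.
ROLE_ENTITLEMENTS = {
    "teller": {"branch-apps", "phone-extension", "home-drive"},
    "it-admin": {"branch-apps", "phone-extension", "home-drive", "server-admin"},
}


@dataclass
class HrRecord:
    """One row of the authoritative HR repository (constructed shape)."""
    employee_id: str
    name: str
    role: str
    branch: str
    active: bool


@dataclass
class Account:
    """One entry in the downstream account store, e.g. a directory account."""
    employee_id: str
    enabled: bool
    branch: str
    entitlements: set = field(default_factory=set)


def reconcile(hr_feed, accounts):
    """Drive the account store from the HR feed; return (accounts, audit).

    joiner : active HR record, no account      -> create with role entitlements
    mover  : branch or role changed            -> update branch, re-derive rights
    rehire : active HR record, disabled account -> re-enable, re-derive rights
    leaver : inactive HR record               -> disable, strip all entitlements
    orphan : enabled account with no HR record -> treated exactly like a leaver
    Account objects are updated in place; audit is a list of (kind, id, detail).
    """
    audit = []
    hr_ids = {rec.employee_id for rec in hr_feed}
    store = {acct.employee_id: acct for acct in accounts}

    for rec in hr_feed:
        acct = store.get(rec.employee_id)
        if not rec.active:
            # Leaver: deactivation happens as soon as HR marks the record inactive.
            if acct is not None and acct.enabled:
                acct.enabled = False
                acct.entitlements = set()
                audit.append(("leaver", rec.employee_id, "disabled"))
            continue
        wanted = set(ROLE_ENTITLEMENTS[rec.role])
        if acct is None:
            store[rec.employee_id] = Account(rec.employee_id, True, rec.branch, wanted)
            audit.append(("joiner", rec.employee_id, f"created in {rec.branch}"))
        elif not acct.enabled:
            acct.enabled, acct.branch, acct.entitlements = True, rec.branch, wanted
            audit.append(("rehire", rec.employee_id, "re-enabled"))
        elif acct.branch != rec.branch or acct.entitlements != wanted:
            detail = f"{acct.branch} -> {rec.branch}"
            acct.branch, acct.entitlements = rec.branch, wanted
            audit.append(("mover", rec.employee_id, detail))

    # Orphan sweep: anything still enabled that HR no longer knows about.
    for employee_id, acct in store.items():
        if employee_id not in hr_ids and acct.enabled:
            acct.enabled = False
            acct.entitlements = set()
            audit.append(("orphan", employee_id, "disabled: no HR record"))

    return list(store.values()), audit


def run_demo():
    """Constructed sample: one unchanged teller, one transfer, one departure,
    one new hire, and one stale account HR has never heard of."""
    teller = set(ROLE_ENTITLEMENTS["teller"])
    hr_feed = [
        HrRecord("E100", "A. Unchanged", "teller", "Main St", True),
        HrRecord("E101", "B. Transferred", "teller", "Oak Ave", True),
        HrRecord("E102", "C. Departed", "teller", "Main St", False),
        HrRecord("E103", "D. NewHire", "teller", "Main St", True),
    ]
    accounts = [
        Account("E100", True, "Main St", set(teller)),
        Account("E101", True, "Main St", set(teller)),
        Account("E102", True, "Main St", set(teller)),
        Account("E999", True, "Main St", {"server-admin"}),  # orphan
    ]
    return reconcile(hr_feed, accounts)


if __name__ == "__main__":
    for entry in run_demo()[1]:
        print(entry)
```

The audit list is the piece an auditor would ask for: every account state change traces back to the HR record that caused it, and the orphan sweep is the check that turns “what accounts are active” from a question into a report.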
Credit Valley Hospital in Mississauga is another good example. It is working on a project using identity management to administer a set of security policies for a wide range of old and new applications and processes. Different applications required separate administration and tracking that was time-consuming and costly, so ID management is being used to tie everything together in a centralized way.
“There are audit requirements, so we need to ensure there is an audit trail from access to patient information,” says Leigh Popov, the hospital’s manager of technical infrastructure. “On top of that, there are simple operational issues. The less places you manage security, the more secure your environment will be.”
The hospital is creating a centralized identity management engine to administer a common set of security rules for its applications and processes. It’s an ongoing effort, and Mr. Popov says he eventually hopes to automate the activation and deactivation of IT resources for staff through ID management, saving the considerable time and effort that doing so manually requires.
Mr. Popov says that automating processes through ID management is a cost-saver, even though it’s difficult to build a specific return-on-investment model because of the number of groups and systems involved.
“We’re a publicly funded institution, so we try to do things as cost-effectively as possible – price is a big factor for us,” he says. “My gut feel is that typical payback is less than 18 months, and in a lot of cases payback is less than a year. I think as you get into that sort of thing and use more [activation and deactivation] systems, the return gets even better.”