Over the past few years, the world of digital identity concepts, technologies, methods and practices has mushroomed, and it seems everyone — from technologists to academics to law enforcement professionals — has weighed in on the subject.
This surge of interest in identity has taken something that was once the purview of the IT department and broadened its scope to include business executives and company boards. The result has been an explosion of identity projects, allowing businesses to manage identities inside and outside of their organizations.
Implementing an identity management framework can provide a variety of benefits to the organization, but for the purposes of this article we are going to focus on one that is high on every CIO’s list of priorities — security.
At a business level, everyone knows there are problems with password security, which relies on the human factor and is often difficult to control, especially on a large scale. But all too often, businesses tend to simply accept such problems as unavoidable, and don’t bother to investigate the long-term consequences of doing nothing. It’s a mistake they sometimes come to sorely regret.
There are a number of reasons why password security has become a problem area. For starters, businesses often fail to educate the user community about the critical implications of security breaches, from both a technical and a business perspective. As a result, users are often not security-conscious and do not spend enough time managing their own security. For a lot of users it’s simply too much work to remember all the passwords they have, which is why they jot them down and leave them in places where even the dimmest of intruders can find them.
Essentially, employees want good security, but they don’t want to go to a lot of trouble to get it. From their perspective, the best security is invisible. On the other hand, technologists — at least some of them — often don’t equate good security with ease of use. Which is why it’s a balancing act.
Agribusiness simplifies its password approach
One way of addressing identity issues and improving the overall quality of security is through the creation of an identity management framework. Winnipeg-based James Richardson International (JRI), one of Canada’s leading agribusinesses, recently discovered the benefits of such an approach.
The company’s 800 computer users had to remember multiple IDs and passwords to access applications. Notes taped to keyboards and monitors with passwords written on them were a common sight, according to Paul Beaudry, director of technical services at JRI. When the company created a new portal, an identity management solution provided single sign-on entry, giving employees easy access to all the resources they needed based on their roles within the company. Remote users are now also prompted to change their log-in passwords every 90 days, as other users have always done.
With user identity information synchronized across applications, accurate user data is maintained. As a result, simplified access has significantly reduced the number of password-related helpdesk calls at JRI, thereby reducing costs, and has eliminated the taped-on passwords.
“We needed to integrate a diverse environment and make everything work really well together,” explained Beaudry, who noted that while security was not the primary reason the company adopted an identity management solution, it turned out to be a nice — and valuable — side effect.
According to Joe Greene, vice president of IT security research at IDC Canada, identity management has traditionally been implemented to address issues such as compliance, but more companies are discovering the same benefits as JRI. In fact, security now tends to be the focus of companies putting identity management solutions in place, he explained, adding that companies want to control who is getting access to corporate information.
“When you’re bringing in new employees or letting old employees go, it automates the process of ensuring that an employee who has left the company, for whatever reason, no longer has access to any corporate information,” Greene noted.
A step-by-step approach to IDM
Implementing an identity management solution doesn’t have to be a daunting undertaking, especially if you approach it step by step. Just keep in mind: you are building upon your existing security policies, and now adding the technology to ensure end users can follow them more effectively.
Here are some key points to keep in mind:
Education. How much education have you done for end users about what security is, and why it is important? Do they understand what you are trying to protect, and why protecting that information or those resources is important to the company? What are the positive outcomes of doing so, and what are the negative outcomes of not doing so?
Ensuring end users understand the business implications of breached security is imperative, because with that knowledge they will be more willing to adopt security practices. For that reason, you absolutely must involve end users and your human resources department from the beginning of this endeavour. The solution you choose must be easily consumable by design, or you run the risk of spending a lot of time and money building something that employees may ignore. In fact, end users may work hard at circumventing whatever solution is put in place simply because it is confusing to them, so educate and discuss with them what the goals and measurable outcomes are.
Inspection. This step is the business and IT assessment — the consultative procedure. Some companies may already have security specialists on staff, but it may be desirable to involve an outside provider, as experience counts for a lot for these types of solutions. These are the people who will help determine the process of going from your existing situation to where the organization needs to be. The security specialists you use for this task should be able to tell you about any existing gaps, where you need help, and where you are already doing well.
Learning about what would be most successful in your environment is not a trivial undertaking, so if you’re not sure who to turn to, contact an organization such as Certified Information Systems Security Professionals (CISSP, http://www.cissps.com), which certifies many CSOs and can help you find resources. Take into consideration that most security professionals focus on a particular area, so you may need to speak with more than one of them to get a full understanding of what is required.
Policy. An identity policy should already be in place, even if it is as simple as instructing employees not to share their passwords. At this point, however, you are going to begin building upon that policy — in effect creating a set of consumable and manageable identity policies — to include and address the solution that is being implemented. As employees will have a better understanding through education, the policies should make better sense and will be more meaningful to them. It’s more valuable to construct your policy framework from a collection of small, simplified policies rather than to try to create, maintain and teach a single grand unified policy.
Proof of concept. At this stage, vendors come in and demonstrate what their solution will do to facilitate the policy that has been decided upon, independent of the technology. Your policy should be set before a technology is chosen, but it may require some refinement because of limits in the available technology.
Pilot. When creating a pilot, ensure you are not using technical people to test the technology. The testers should be the people who were most inconvenienced by the original approach, because if you can’t make the new system work simply and effectively for the least technical of your users, it won’t work for anyone. As well, consider implementing the pilot in a number of phases. Continue to test and pilot until the new approach is successful, a status which is determined by the testers. Keep communication flowing, and ensure you get feedback from testers during and after each phase.
Roll out. IDM projects are only successful when rolled out in a phased approach with integrated measurement as part of the project plan. Over the course of the project, applications will change and new services will likely be required, so be prepared. Ongoing measurement of effectiveness will always be required.
Audit. This is the ongoing measurement mentioned above. Are you seeing inappropriate behaviours? Provide an authoritative document that indicates how the process is unfolding, and communicate the outcomes of the audit findings to all constituents. This status report will allow them to understand the process and how it is affecting them.
A good policy framework has various success criteria, which your audit process should measure. In so doing, the audit framework then allows for reporting on compliance and other business requirements.
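As an added example (not code from the article, JRI or Novell), here is the kind of reconciliation an IDM audit runs to catch the two problems the article raises: Greene’s leaver who still has access, and the audit step’s “inappropriate behaviours”. It compares a constructed HR roster against constructed directory accounts and flags leavers still enabled, orphaned accounts, group memberships beyond the assigned role, and passwords older than the 90-day limit mentioned above; all names, roles and dates are invented.

```python
from datetime import date

# Constructed sample data (not from the article): an HR roster, the
# entitlements each role should carry, and the accounts the directory holds.
HR_ROSTER = {
    "abeaudry": {"status": "active", "role": "finance", "end_date": None},
    "cnguyen": {"status": "terminated", "role": "sales", "end_date": "2005-03-01"},
    "dlee": {"status": "active", "role": "grain-ops", "end_date": None},
}
ROLE_ENTITLEMENTS = {
    "finance": {"erp", "portal"},
    "sales": {"crm", "portal"},
    "grain-ops": {"portal", "scheduling"},
}
DIRECTORY_ACCOUNTS = {
    "abeaudry": {"enabled": True, "groups": {"erp", "portal"}, "pw_changed": "2005-01-15"},
    "cnguyen": {"enabled": True, "groups": {"crm", "portal"}, "pw_changed": "2004-11-02"},
    "dlee": {"enabled": True, "groups": {"portal", "scheduling", "erp"}, "pw_changed": "2004-12-01"},
    "svc_legacy": {"enabled": True, "groups": {"erp"}, "pw_changed": "2003-06-01"},
}


def reconcile(roster, entitlements, accounts, today, max_pw_age_days=90):
    """Return (uid, finding, detail) tuples for every account that violates policy."""
    findings = []
    for uid, acct in sorted(accounts.items()):
        person = roster.get(uid)
        if person is None:
            # Account with no owner in HR: nobody is accountable for it.
            findings.append((uid, "orphan", "no matching HR record"))
            continue
        if person["status"] != "active" and acct["enabled"]:
            # Leaver whose access was never revoked: the case Greene describes.
            findings.append((uid, "leaver", f"still enabled after {person['end_date']}"))
            continue
        expected = entitlements.get(person["role"], set())
        extra = acct["groups"] - expected
        if extra:
            findings.append((uid, "excess", f"groups beyond role: {sorted(extra)}"))
        age = (today - date.fromisoformat(acct["pw_changed"])).days
        if age > max_pw_age_days:
            findings.append((uid, "stale_password", f"last changed {age} days ago"))
    return findings


def accounts_to_disable(findings):
    """Leavers and orphans are disabled first; excess groups go back to the role owner."""
    return sorted({uid for uid, kind, _ in findings if kind in ("leaver", "orphan")})


def run_audit(today=date(2005, 3, 15)):
    """Run the reconciliation over the constructed data for a given audit date."""
    return reconcile(HR_ROSTER, ROLE_ENTITLEMENTS, DIRECTORY_ACCOUNTS, today)
```

Running `run_audit()` produces one finding per violation; the leaver and orphan list is what the deprovisioning step acts on, while excess groups and stale passwords go into the status report sent to constituents.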
Beyond the human component
It should be noted that identity management goes beyond end users, and needs to be thought about in more than just human terms, or simply in regard to an application or a service. At the end of the day, it does not distinguish between a human and a box, because everything has an identity: processes, applications, solutions and services are all either components of identity or consumers of identity services.
A well-planned and thoroughly tested IDM solution will help organizations execute business in a more effective manner without changing the people or requiring dramatic retraining. The CIO will be able to demonstrate that the company has reduced risk in terms of all things bad and unexpected. Finally, expenses will be reduced, as liabilities will be removed from the line of business, resulting in more profitability.
–Ross Chevalier is CTO/CIO of Novell Canada, a company that helps customers manage, simplify, secure and integrate their technology environments by leveraging best-of-breed, open standards-based software.