By Tim Landgrave
In 1998, I visited the North American headquarters of a large manufacturing company to deliver a presentation regarding a new software system that I had worked with several of its divisions to design. The presentation was intended to convince them to invest in the development of the system. Although I can’t remember if we won the business, I’ll never forget the sticky notes attached to the monitor of an assistant for one of the senior executives. On each note, the assistant had written the name of one of their software systems, her user ID, and her password. When I joked with her about the number of systems she had to be able to access, she told me that she had put in an equipment request for a bigger monitor so that she could put up some of her boss’s information as well.
Bigger monitors aren’t the solution
Although I’m sure she has a bigger monitor by now, with plenty of room for sticky notes (assuming the corporate security team hasn’t shut down her operation), there are clearly better ways to address these issues. And the issue isn’t just that most employees can’t remember all the credentials they need to access corporate systems. The bigger issue is whether the corporation can manage them. A company with 1,000 employees and seven core systems that each require a password change every 90 days has 7,000 credentials changing about four times a year, or roughly 28,000 password changes annually. If just 1 percent of those changes generate a five-minute help desk call, that is 280 calls and about 23 person-hours a year, and the cost grows linearly with headcount, number of systems, change frequency, and the share of users who actually call. So how do most companies respond? They stop requiring regular password changes, which leaves their systems more vulnerable.
Not being able to track credentials also exposes the company to former employees who still have access. Ideally, an employee has been assigned all the credentials he or she needs for system access on the day he or she starts. More importantly, access to those same systems is suspended on the day the employee is terminated. I’ve worked with companies whose ex-employees had system administrator-level access to some of their systems 90 days after they left, and the companies weren’t even aware of it. Let’s look at some of the ways you can reduce your exposure by managing identities more effectively.
Buy systems that support your standards
One of the first things you have to do to solve this problem is identify its source, and one of the major sources of credential growth is vendor systems. Most companies buy rather than build major elements of their software infrastructure, but one of the key criteria, if not the key criterion, should be whether the vendor’s solution fits your identity management standards. For example, if you’ve decided that LDAP will be your corporate identity store, make it a requirement that any vendor proposing a system either use LDAP as its credential store or include synchronization with LDAP in the total price of the system. Insist, too, that the integration authenticate users against the directory rather than copy their passwords into the vendor’s own database, and that any synchronization traffic runs over an encrypted channel. Given that systems turn over every seven to 10 years, this standard alone will get you to a single credential store within the decade.
Application developers write to a single directory
Requiring this of vendors won’t solve the problem of standard credentials for internally developed applications. Here you’ll have to work with your application development teams to define a standard for credential storage and management. Don’t approve funding for any development initiative that doesn’t include the use of your directory services standard as part of its design. This is also an area where an immediate investment will give you a measurable long-term payback.
Invest in a standard set of software tools that any of your development teams can use to quickly and easily support your directory standard. Spend the money now to rewrite existing applications, replacing their individual, proprietary database-driven authentication and authorization schemes with mechanisms based on that standard. And don’t discount the difficulty of this task. If you have developers working on EJB applications in one group, VB6/Win2K applications in another, Oracle Forms applications in a third, and a group of new .NET developers working on other systems, you have a significant challenge in deciding on and implementing a single credential standard.
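What such a shared tool looks like in practice, as an added example that is not code from the article: a small authentication module that applications call instead of keeping their own user and password tables. It does the search-then-bind that a directory expects, escapes the login before it goes into the search filter (otherwise a login such as alice)(uid=* rewrites the filter), refuses empty passwords (a simple bind with an empty password is an anonymous bind and succeeds on most servers), and takes authorization from directory group membership. The names DirectoryClient, authenticate, Ldap3Directory and InMemoryDirectory are hypothetical, the ldap3 package is assumed installed only if you use the Ldap3Directory adapter, and the demo directory is constructed so the module runs offline.

```python
"""Shared directory-authentication helper for internal applications.

Added example, not code from the article. Names (DirectoryClient,
authenticate, Ldap3Directory, InMemoryDirectory) are hypothetical and the
demo directory is constructed. ldap3 is assumed installed for Ldap3Directory.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Protocol, Sequence

# RFC 4515 escaping for values interpolated into a search filter. Without it
# a login of "alice)(uid=*" rewrites the filter and can match every user.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def user_search_filter(login: str) -> str:
    return f"(&(objectClass=person)(uid={escape_filter_value(login)}))"

@dataclass
class Entry:
    dn: str
    attrs: Dict[str, List[str]] = field(default_factory=dict)

class DirectoryClient(Protocol):
    """The two operations the library needs from any directory."""
    def search(self, base: str, filt: str, attrs: Sequence[str]) -> List[Entry]: ...
    def bind(self, dn: str, password: str) -> bool: ...

@dataclass(frozen=True)
class Principal:
    dn: str
    login: str
    groups: frozenset

def authenticate(client: DirectoryClient, base: str, login: str,
                 password: str) -> Optional[Principal]:
    """Search-then-bind: find the user's DN with a service connection, then
    prove the password by binding as that DN."""
    # RFC 4513: a simple bind with an empty password is an anonymous bind and
    # succeeds on most servers, so it must never count as a login.
    if not login or not password:
        return None
    hits = client.search(base, user_search_filter(login), ["uid", "memberOf"])
    if len(hits) != 1:  # 0: unknown user; >1: ambiguous, refuse rather than guess
        return None
    if not client.bind(hits[0].dn, password):
        return None
    return Principal(hits[0].dn, login, frozenset(hits[0].attrs.get("memberOf", [])))

def authorize(principal: Optional[Principal], required_group: str) -> bool:
    """Authorization is directory group membership, not a per-app role table."""
    return principal is not None and required_group in principal.groups

class Ldap3Directory:
    """Adapter for a real server using the ldap3 package."""
    def __init__(self, url: str, service_dn: str, service_pw: str):
        import ldap3  # imported lazily so the offline demo below still runs
        self._ldap3 = ldap3
        self._server = ldap3.Server(url, use_ssl=True)
        self._svc = ldap3.Connection(self._server, user=service_dn,
                                     password=service_pw, auto_bind=True)
    def search(self, base, filt, attrs):
        self._svc.search(base, filt, search_scope=self._ldap3.SUBTREE, attributes=list(attrs))
        return [Entry(e.entry_dn, {a: list(e[a].values) for a in e.entry_attributes})
                for e in self._svc.entries]
    def bind(self, dn, password):
        conn = self._ldap3.Connection(self._server, user=dn, password=password)
        ok = conn.bind()
        conn.unbind()
        return ok

class InMemoryDirectory:
    """Constructed stand-in so the example runs offline. It answers only the
    exact filters this module builds, enough to show that an injected login
    cannot widen the match."""
    def __init__(self, users: Dict[str, tuple]):  # uid -> (dn, password, groups)
        self._users = users
    def search(self, base, filt, attrs):
        return [Entry(dn, {"uid": [uid], "memberOf": sorted(groups)})
                for uid, (dn, _pw, groups) in self._users.items()
                if dn.endswith(base) and filt == user_search_filter(uid)]
    def bind(self, dn, password):
        return any(d == dn and pw == password for d, pw, _ in self._users.values())

BASE = "dc=example,dc=com"
ADMINS = "cn=payroll-admins,ou=groups," + BASE
DEMO = InMemoryDirectory({
    "alice": ("uid=alice,ou=people," + BASE, "correct horse", {ADMINS}),
    "bob": ("uid=bob,ou=people," + BASE, "hunter2", set()),
})

if __name__ == "__main__":
    alice = authenticate(DEMO, BASE, "alice", "correct horse")
    print("alice may approve payroll:", authorize(alice, ADMINS))
    print("injected login matched:", authenticate(DEMO, BASE, "alice)(uid=*", "x") is not None)
```

The application code only ever sees authenticate and authorize; swapping InMemoryDirectory for Ldap3Directory (or an adapter over the platform’s native LDAP API) changes nothing above that line, which is exactly what lets one library serve the EJB, VB6 and .NET teams alike.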
Directory integration systems
There is another alternative to consider. You are most likely still running legacy systems that you don’t have the time, money, or source code to rewrite. You may also want to leave credentials in the directory store native to each platform: for example, LDAP for UNIX applications, RACF for the mainframe, and Active Directory for Windows and .NET applications. You can manage these credentials across the different platforms with a metadirectory service. Sun, IBM, and Novell have been shipping products built on LDAP as the core store, and Microsoft recently entered the identity management business with Microsoft Identity Integration Server (MIIS). These tools give system administrators a single view of user accounts across the enterprise and support single sign-on by pushing a user’s new password to each connected system whenever the user changes it. Strictly speaking, that is password synchronization (one password everywhere) rather than single sign-on (one authentication event), but from the user’s point of view it removes the need for the sticky notes. Note also that each connector needs credentials powerful enough to reset passwords on its target system, which makes the metadirectory itself a high-value target that must be hardened and monitored accordingly.
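The "single view of user accounts" is what lets you catch the ex-employee with administrator rights described earlier; the following added example (not code from the article, and not the behaviour of any named metadirectory product) shows the core of that view reduced to a join: each system’s account export is matched to the authoritative HR feed on employee number, and anything that doesn’t line up is reported, most serious first. The names Employee, Account, Finding, reconcile and summarize are hypothetical, and the employees, systems, logins and dates are constructed; Bob left on 15 January and the review runs on 20 April, so his accounts have survived 95 days.

```python
"""Reconcile per-system account exports against the HR feed.

Added example, not code from the article and not the behaviour of any
named metadirectory product. It joins each system's accounts to an
authoritative employee list on employee number and reports accounts whose
owner has left, accounts nobody owns, and active staff with no account.
All names, systems and dates below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Sequence

@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    termination: Optional[date]  # None while still employed

@dataclass(frozen=True)
class Account:
    system: str
    login: str
    emp_id: Optional[str]  # join key; None when the system never recorded one
    privileged: bool

@dataclass(frozen=True)
class Finding:
    kind: str
    system: str
    login: str
    detail: str

# most serious first: live admin rights for someone who has already left
SEVERITY = {"terminated-privileged": 0, "privileged-orphan": 1,
            "terminated": 2, "orphan": 3, "missing": 4}

def reconcile(hr: Iterable[Employee], accounts: Iterable[Account], today: date,
              core_systems: Sequence[str], grace_days: int = 0) -> List[Finding]:
    """The 'single view' reduced to its essence: every account must map to
    exactly one current employee, and every current employee to an account."""
    people = {e.emp_id: e for e in hr}
    findings: List[Finding] = []
    covered = set()  # (system, emp_id) pairs that have an account
    for a in accounts:
        owner = people.get(a.emp_id) if a.emp_id is not None else None
        if owner is None:
            kind = "privileged-orphan" if a.privileged else "orphan"
            findings.append(Finding(kind, a.system, a.login, "no matching HR record"))
            continue
        covered.add((a.system, owner.emp_id))
        if owner.termination is not None:
            days = (today - owner.termination).days
            if days > grace_days:  # the target is suspension on the day they leave
                kind = "terminated-privileged" if a.privileged else "terminated"
                findings.append(Finding(kind, a.system, a.login,
                                        f"{owner.name} left {days} days ago"))
    # the provisioning side of the same problem: staff who never got access
    for e in people.values():
        if e.termination is None:
            for system in core_systems:
                if (system, e.emp_id) not in covered:
                    findings.append(Finding("missing", system, e.name,
                                            "active employee has no account"))
    findings.sort(key=lambda f: (SEVERITY[f.kind], f.system, f.login))
    return findings

def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts

# Constructed sample data: Bob left on 15 January; the review runs on 20 April.
TODAY = date(2003, 4, 20)
CORE_SYSTEMS = ("AD", "LDAP", "RACF")
HR = [
    Employee("1001", "Alice Ng", None),
    Employee("1002", "Bob Rao", date(2003, 1, 15)),
    Employee("1003", "Carol Diaz", None),
]
ACCOUNTS = [
    Account("AD", "alice", "1001", False), Account("AD", "bob", "1002", True),
    Account("AD", "carol", "1003", False), Account("AD", "svc_backup", None, True),
    Account("LDAP", "alice", "1001", False), Account("LDAP", "bob", "1002", False),
    Account("LDAP", "jsmith", "1099", False),  # employee number not in HR
    Account("RACF", "ALICE", "1001", False), Account("RACF", "BOB", "1002", False),
]

if __name__ == "__main__":
    for f in reconcile(HR, ACCOUNTS, TODAY, CORE_SYSTEMS):
        print(f"{f.kind:22} {f.system:5} {f.login:12} {f.detail}")
    print(summarize(reconcile(HR, ACCOUNTS, TODAY, CORE_SYSTEMS)))
```

Joining on employee number rather than on login name is deliberate: the same person is alice on one system and ALICE on another, and a login that matches nothing in HR (jsmith above) is precisely the kind of account that outlives its owner. The grace_days parameter exists only to make the report actionable during a clean-up; the standard you are aiming for is zero.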
Although these systems are expensive, they solve many of these credential management problems without significant investment in rewriting or replacing systems. By combining one of these products with an effective internal set of core directory standards and practices, you can cut the time to integrate your security systems from seven years to six months, and save a significant amount of money on monitor upgrades and sticky notes.