A user identity is a collection of data about a person, used
to determine what access they have to an organization’s systems. The
proliferation of systems, each with its own means of storing user identities,
creates problems of compliance, cost, and risk. Identity Management is a
rapidly growing software category designed to address these issues.
When most commerce was done face to face, the question of
identity was a simple one. Our brains, hardwired to process the evidence of our
senses, made the judgment. Appearance, voice, the way we shake hands, even the
way we smell all served to identify us to others. Identity was a combination of our characteristics
— our “attributes”. Computer systems don’t have our senses, but our
attributes still define us. A user identity is a collection of data that
describes us to the systems we use every day: attributes such as names,
addresses, employee ID numbers, and social security numbers.
However, as the number of servers, databases, and
applications (“services”) in a company multiplies, the problem is not
whether we have an identity: it’s that we have too many of them. In this
article, we’ll take a look at the problems multiple user identities are creating
in organizations, and how a rapidly growing category of software, Identity
Management (IdM), is designed to solve them.
Defining identity
It’s been estimated that a typical large company has an
average of 60 different places in which user identities are stored, and a
typical employee is registered in at least 10 of them at any time. For example,
the user may have a Windows domain login for file and print services, but a
separate login for an Oracle Financials application running on a UNIX server.
Some of the places that user identities may be stored are:
- Network operating systems, such as Windows or Novell
- Operating systems on individual servers, such as UNIX or Linux
- Electronic mail systems
- The company’s Human Resources department web portal
- Outsourced Human Resources functions, such as 401(k) management companies and healthcare providers
- Line of business applications such as SAP, Siebel, PeopleSoft
- Self-service purchasing accounts at vendors (office supplies, travel agencies)
- Databases within the company (each individual database typically keeps its own list of authorized users)
- Company-issued credit card providers
Some of these functions can share a single user identity.
For example, an email system or database may be configured to trust the operating
system login to validate its users. But in general, each server, web portal,
application and database maintains its own list of users (an “identity
store”) to use in authenticating who may use it. And each also has
separate access policies that govern what users may do once connected.
The business issues that arise from this multiplication of
user identities include compliance with laws such as Sarbanes-Oxley; reducing
the administrative cost of creating, changing, and disabling user identities;
and managing the risk of improper access.
Compliance issues
Some regulatory legislation, such as Sarbanes-Oxley, aims to
prevent accounting abuses by requiring publicly traded companies to demonstrate
the use of effective accounting controls. Others, such as the Health Insurance
Portability and Accountability Act (HIPAA), require strict privacy protection
for consumer data. Most such laws have an auditing or reporting requirement.
Collecting such data manually is costly. Some firms are at
risk of not being able to comply at all, because they don’t have a consolidated
picture of all the identity stores in the company. Identity management software
automates this manual process by providing centralized user identity storage in
a meta-directory, and synchronizing that directory with the individual systems.
Reporting can then be done from the meta-directory.
Proving separation of business function can be automated by
Identity Management software. The use of roles and policies is a feature of
such packages. Employees responsible for selecting and approving vendors, for
example, can be shown to have no permissions to pay invoices. Likewise, showing
that only authorized employee roles can access confidential patient or consumer
data is made easier by reports from the identity management software.
The cost of multiple identity stores
The typical lifecycle of a digital identity has four phases:
- Setup, or “Provisioning” – The user identity is created on each of the services the employee will use. Initial access rules, or permissions, are set up for each service.
- Management – The user’s profile information may change over time, such as when they move, change telephone number, or get married or divorced. Their job position within the company may change, requiring them to be added to new services, or their permissions altered. If they forget their password, enter it incorrectly too many times, or don’t change it on schedule, the password will need to be reset.
- Termination, or “De-provisioning” – When a user is no longer a part of the company, all access to services must be terminated.
- Archival – For reporting purposes, the employee’s records are seldom deleted. Instead, records of when they were added and removed must be maintained in a secure, read-only manner (to prevent tampering) for compliance reporting.
When many systems maintain identity information, the company
incurs costs in each of these phases.
- Lost productivity during provisioning – A new employee can be unable to perform their job effectively until accounts are created in all the systems they will be using on the job. Delays from days to weeks are common in manually maintained systems. If different groups within the company are responsible for administration, multiple persons’ time will be spent on provisioning.
- Help desk calls – Resetting lost, expired, or locked passwords accounts for 20-25% of a typical help desk case volume. At $20, $30, or more for each call, a user base of thousands of users can be very expensive.
- Manual termination and archiving – Because it’s often not known which 10 systems an average user has an identity in, all 60 must be searched to make sure the user is properly removed and a record made that access was removed.
Identity Management software covers the entire user identity
lifecycle. Provisioning a new employee can be done centrally, so that one entry
creates user accounts on many systems. For those systems that require manual
approval, a workflow process automatically sends a request for such approval,
and upon an emailed reply, sets up the account. Self-service password-reset
reduces help desk calls and administrator time, and password synchronization
removes many password reset problems altogether.
Managing identity risks
Having multiple identity stores not only costs more, but it
exposes the organization to more risk. Terminating an employee requires
terminating access in all systems for that employee — a difficult task when
you must check each system individually to see whether the employee has an
account there.
Also, when employees change job description, they are
provisioned with new access privileges for their new role. But too often, the
access they had because of their prior role is not removed. As a result, access
creep occurs: the user gains more and more privileges over time. They may make
changes to data that their job role no longer authorizes.
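As an added illustration (not code from the article or any IdM product), the following Python models the meta-directory described above: one provisioning entry fans out to several identity stores, one de-provisioning call removes the user from all of them, an append-only audit list stands in for the archival record, and two reports implement the checks the compliance and risk sections call for, separation of duties and access creep. Store names, roles and permissions are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data (all names hypothetical): the permissions each job
# role entitles on each of the company's identity stores.
ROLE_ENTITLEMENTS = {
    "vendor_approver": {"erp": {"vendor.select", "vendor.approve"}},
    "ap_clerk":        {"erp": {"invoice.pay"}},
    "sales_rep":       {"crm": {"offer.read"}, "mail": {"mailbox"}},
}
# Separation-of-duties rule: nobody may both approve vendors and pay invoices.
SOD_CONFLICTS = [("vendor.approve", "invoice.pay")]
class MetaDirectory:
    """Central identity store that drives each system's own identity store."""
    def __init__(self):
        self.roles = {}                                      # user -> roles
        self.stores = defaultdict(lambda: defaultdict(set))  # store -> user -> perms
        self.audit = []   # append-only archival log (WORM storage in practice)
    def _apply(self, user, role):
        for store, perms in ROLE_ENTITLEMENTS[role].items():
            self.stores[store][user] |= perms
    def provision(self, user, role):     # one entry creates accounts everywhere
        self.roles[user] = {role}
        self._apply(user, role)
        self.audit.append(("provision", user, role))
    def change_role(self, user, new_role):
        # Mirrors the manual process in the text: new access is added, old access stays.
        self.roles[user] = {new_role}
        self._apply(user, new_role)
        self.audit.append(("change_role", user, new_role))
    def deprovision(self, user):         # one action removes the user from every store
        removed = sorted(s for s, u in self.stores.items() if u.pop(user, None) is not None)
        self.roles.pop(user, None)
        self.audit.append(("deprovision", user, removed))
        return removed
    def access_creep(self):
        """Permissions present on a store that no current role of the user entitles."""
        creep = {}
        for store, users in self.stores.items():
            for user, perms in users.items():
                entitled = set().union(*(ROLE_ENTITLEMENTS[r].get(store, set())
                                         for r in self.roles.get(user, ())))
                if extra := perms - entitled:
                    creep[(user, store)] = extra
        return creep
    def sod_violations(self):            # users holding both halves of a conflict
        held = defaultdict(set)
        for users in self.stores.values():
            for user, perms in users.items():
                held[user] |= perms
        return {u for u, p in held.items() for a, b in SOD_CONFLICTS if {a, b} <= p}
```

Running `access_creep()` after a role change shows the old-role permissions that were never revoked, and `sod_violations()` is the report that demonstrates the vendor approver cannot also pay invoices.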
Terminated employees whose access is not completely removed
can copy sensitive data. In one case, a company was having trouble hiring sales
reps. Candidates would interview, only to be lured away by a competitor at the
last minute. It was discovered that an ex-employee now working for the
competitor was regularly reading the offers made to the prospective reps. It
was easy for the competitor to offer just the right amount to top the original
offer.
Another risk is that it is hard for employees to manage a
large number of different passwords. They will either write them down at their
desk somewhere, or use the same password on all systems they access. These
practices increase the risk that others will learn their password, and then be
able to use that password in multiple places.
The bottom line
An integrated system for managing digital identity within an
organization can reduce the cost of ensuring controlled access to computer
services and the cost of compliance reporting as well. It helps users be more
productive from the start, and with fewer passwords to remember, safer users of
the company’s systems.