Adequate management of access and identities across a myriad of systems and platforms gets more and more important every day. Besides the obvious security benefits to implementing a structured identity management program, there are efficiency gains to be had. Scott Lowe explains his identity management scenario at Westminster College.
Westminster College has an identity crisis. Ok, it's not so much a crisis as it is a hassle. Like many small organizations, we manage access to various accounts in a sort of ad-hoc way. Some of our processes are automated, such as creating accounts for our students in various systems, while some are not, including employee account creation. Even our automated process, however, has multiple points of failure which can lead to problems down the line. Our automation efforts currently end at the account creation stage. We do not currently automate the account deprovisioning process when, for example, an employee leaves the college. The removal of an account is handled manually. Although we make a best effort attempt to fully handle the identity lifecycle, our ad-hoc methods leave a lot to be desired.
To add fuel to the identity fire, we have another all-too-common problem: password reset issues. After students go away on a break or over the summer, or after a password change, our help desk gets inundated with password reset requests. Managing accounts in a more efficient and secure way has become one of our top priorities as a part of our overall business process improvement initiative. Overall, our goals are:
- Increased security. By getting a better handle on our overall identity management processes across all systems, we will be able to better secure our systems and data.
- Better user service. Self-service password resets and a consistent account provisioning process will go a long way toward satisfying end user needs.
- Improved business processes within IT. Our IT group is working on driving efficiencies across the organization. We need to look within our group for the same kinds of efficiency gains that we're expecting from other departments. Further, every "wasted" minute we free up is another minute that we can devote to institutional support.
Currently, we're at the very beginning stages of evaluating Microsoft's Identity Lifecycle Manager "2" product, which is currently at the release candidate stage and is expected to be finalized in early 2009. ILM 2 includes a number of items that are attractive, including:
- A low price tag. For higher education institutions, Microsoft products are very well priced on Campus Agreement contracts. Westminster College does participate in the Campus Agreement program. Because of this arrangement, Microsoft products generally get "first look" when it comes to product selection. We're also very heavily invested in the Microsoft world already.
- SharePoint integration. We're continuing to expand our use of SharePoint at the college after having launched our college web site using MOSS 2007 as the content management system. ILM 2 includes both administrative and end-user facing SharePoint integration components.
- Self-service. ILM 2 includes a number of self-service functions, including password management.
- Dynamic distribution lists. We currently have a semi-automated system in place to maintain a myriad of distribution lists used very widely on campus. Although the system works, it's far from perfect and creating new lists is a hassle. ILM 2 includes a number of distribution group management features.
- Ability to integrate with 3rd party systems. As is the case with most organizations, we have a number of non-Microsoft systems that we need to include in our provisioning project. ILM 2 includes capability necessary to handle this integration.
It's possible that we'll find ILM 2 wholly inadequate to solve our problems. However, based on our environment (Windows, Active Directory, Exchange, SQL Server), I doubt this will be the case.
I don't expect this undertaking to be simple as it will involve a number of people, processes and platforms. However, at the end, we'll be a better, more secure, more efficient organization.
I'll continue to report back on our ILM 2 efforts.