Author: Kevin Murphy
November 2007
My position in CA Services’ Global Security Practice gives me insight into Identity and Access Management (IAM) initiatives around the world. IAM as a discipline has been with us for at least five years: while it has matured in some areas, it is still rapidly developing in others. In my opinion, the following mature IAM capabilities offer a high probability of implementation success, provided you do the up-front process and requirements analysis:
Password Reset: If your organization doesn’t have a web-enabled interface by now, you’re in the minority. The “saved helpdesk calls” ROI justification doesn’t hold as much water as it used to, but implementation is pretty straightforward, and a win is a sure thing.
Basic-User Provisioning: I haven’t seen anybody at the nirvana state where a user instantly gets fine-grained access to every system in the enterprise. Lots of organizations are creating basic accounts and setting up four or five base roles (e.g., employee, manager, contractor) across the key IT systems. Chunked into small implementation phases, basic-user provisioning implementations are very successful.
Immediate Access Revocation: Even if you don’t do user provisioning, you can correlate user accounts across systems and trigger an immediate revocation of access (disable or delete). This is a primary objective of compliance and risk management initiatives. Just about every IAM implementation includes this capability.
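The two capabilities above (basic-user provisioning against a handful of base roles, and immediate revocation driven by correlating a person's accounts across systems) share one moving part: a reliable way to say which accounts belong to which person. The following is an added worked example, not code from the article or from CA; the target systems ("ad", "mail", "erp"), the base roles and their group mappings, the HR feed, and the account records are all constructed sample data. It provisions exactly the groups of a person's base role in each system, and on termination disables (or deletes) every correlated account. It also shows the classic correlation pitfall the paragraph glosses over: identifiers stored with different case or whitespace in different systems must be normalized before matching, or revocation silently misses an account.

```python
from dataclasses import dataclass, field

# Base roles mapped to the groups a person should hold in each target system.
# Constructed sample mapping; system and group names are illustrative only.
BASE_ROLES = {
    "employee":   {"ad": {"Domain Users"}, "mail": {"mailbox"}, "erp": set()},
    "manager":    {"ad": {"Domain Users", "Managers"}, "mail": {"mailbox"},
                   "erp": {"approve_expenses"}},
    "contractor": {"ad": {"Domain Users", "Contractors"}, "mail": {"mailbox"},
                   "erp": set()},
}


@dataclass
class Account:
    system: str
    login: str
    owner_key: str                       # employee id or e-mail as that system stores it
    groups: set = field(default_factory=set)
    enabled: bool = True


def normalize(key: str) -> str:
    """Canonical form for correlation keys; case/whitespace drift is the usual miss."""
    return key.strip().lower()


def correlate(person: dict, accounts: list) -> list:
    """All accounts owned by this HR record, matched on employee id or e-mail."""
    keys = {normalize(person["employee_id"]), normalize(person["email"])}
    return [a for a in accounts if normalize(a.owner_key) in keys]


def provision(person: dict, accounts: list) -> list:
    """Ensure one enabled account per system holding exactly the base-role groups.
    Mutates `accounts` and returns the (system, login, action) steps taken."""
    wanted = BASE_ROLES[person["role"]]
    mine = {a.system: a for a in correlate(person, accounts)}
    actions = []
    for system, groups in wanted.items():
        acct = mine.get(system)
        if acct is None:
            login = person["email"].split("@")[0]
            acct = Account(system, login, person["employee_id"], set(groups))
            accounts.append(acct)
            actions.append((system, login, "create"))
            continue
        if not acct.enabled:
            acct.enabled = True
            actions.append((system, acct.login, "enable"))
        if acct.groups != set(groups):     # also strips over-entitlement
            acct.groups = set(groups)
            actions.append((system, acct.login, "set_groups"))
    return actions


def revoke(person: dict, accounts: list, mode: str = "disable") -> list:
    """Immediate revocation across every correlated account. 'disable' blocks
    logon but keeps the account and its audit trail; 'delete' removes it."""
    actions = []
    for acct in correlate(person, accounts):
        if mode == "delete":
            accounts.remove(acct)
        else:
            acct.enabled = False
        actions.append((acct.system, acct.login, mode))
    return actions


def run(hr_feed: list, accounts: list) -> dict:
    """Drive provisioning or revocation from HR status; report per employee id."""
    report = {}
    for person in hr_feed:
        if person["status"] == "terminated":
            report[person["employee_id"]] = revoke(person, accounts)
        else:
            report[person["employee_id"]] = provision(person, accounts)
    return report


# Constructed sample HR feed: one active manager, one terminated contractor.
HR_FEED = [
    {"employee_id": "E1001", "email": "ana.lopez@example.com",
     "role": "manager", "status": "active"},
    {"employee_id": "E1002", "email": "bo.chen@example.com",
     "role": "contractor", "status": "terminated"},
]


def sample_accounts() -> list:
    """Constructed existing accounts, with deliberately inconsistent owner keys."""
    return [
        Account("ad", "blopez", "e1001", {"Domain Users"}),           # missing Managers
        Account("ad", "bchen", "E1002", {"Domain Users", "Contractors"}),
        Account("mail", "bo.chen", "Bo.Chen@Example.com", {"mailbox"}),  # e-mail key, odd case
        Account("erp", "bchen-x", "E1002", {"approve_expenses"}),     # over-entitled
    ]


if __name__ == "__main__":
    for emp, steps in run(HR_FEED, sample_accounts()).items():
        print(emp, steps)
```

Running it reports three provisioning steps for the manager (a group fix plus two new accounts) and three disable actions for the contractor, including the mail account whose owner key only matches after normalization and the ERP account that should never have existed. A second provisioning pass for the same person returns no steps, which is the idempotence you want before scheduling this against a live HR feed.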
Web Single Sign-On: One of the oldest IAM capabilities, web single sign-on is mature, robust and deployed in thousands of enterprises.
Federated Web Single Sign-On: Once SAML 2.0 and ADFS were released, demand for federation increased rapidly. Today most federation initiatives are done internally, between divisions or departments. The federal government, and to a lesser extent state and local governments, are also pursuing federation with vigor. Business-to-business federation is catching on at a slower rate, especially when it is difficult to identify business value as more than “user convenience.” A cautionary note: Federated identity management (creating, updating, and deleting user account information in partners) is still in the planning stages, and federated identity management issues can cause stumbling blocks for federated web single sign-on initiatives.
Delegated Identity Administration and Self Service: Large enterprises and organizations serving external customers have successfully delegated the administration of identities to thousands of managers and customer personnel. However, numerous initiatives have faltered because business rules were not defined before security systems were configured. With well-defined business rules and processes, delegation initiatives usually yield big customer satisfaction wins.
Virtual Directories: While virtual directory implementations aren’t commonplace, they have been used to solve some difficult problems in very complex environments.
Other IAM areas that are rapidly maturing are IAM as a foundation for an SOA, fine-grained entitlements management, federated identity management, user-centric identities and complete provisioning and identity control across all enterprise systems. If these areas are in scope for your IAM initiative, be warned that you are near the leading edge. Tread cautiously.
Kevin Murphy is a member of the Dayton ISSA chapter and an architect in CA’s Global Security Practice.
