Getting to the heart of persistent identity management challenges
I just came across this article over at eWeek - ID Management Challenges Persist - which cites feedback from attendees at an event sponsored by user provisioning specialist Courion. The results of the attendee survey are slanted towards provisioning, but that's not why I am highlighting it here (not least because that's no great surprise given it's a vendor-sponsored event, and thus a vendor-sponsored survey).
What I find far more interesting is how the article points to what really lies at the heart of the identity management challenge. For example:
While many businesses have begun reinvesting in their authentication systems by bringing on-board new identity management and roles-provisioning applications, project management leaders say they face a wide range of issues in helping those efforts succeed.
This highlights the first significant challenge: that identity management technology is still very stovepiped, addressing discrete identity management requirements through discrete applications. What is required is a platform approach to identity management, with identity management capabilities - authentication, authorisation, federation etc - delivered as shared infrastructure services.
Then there's this:
A quick poll of the roughly 150 customers gathered for the meetings, dubbed Courion Converge, found that close to 70 percent were less than 25 percent finished with their ongoing ID management initiatives.
In part a consequence of the first challenge: too many identity management initiatives are treated as independent projects, compounding the stovepipes and leading to fragmented identity deployments which do not interoperate. It's hardly surprising that attendees identified "the data aggregation necessary to bring disparate password systems" as a significant challenge, and one which will persist unless vendors and organisations approach identity management from an architectural perspective.
Also, this quote from the Chief Information Security Officer at Children's Hospital Boston
"As an IT organization, our focus is on letting our doctors and nurses do their jobs, not inhibiting their work over issues of access," Scheib said. "At what point do you want to interrupt people's ability to provide patient care in the name of complying with a business policy? There's definitely a significant challenge in weighing risks and potential benefits."
highlights a couple of other things. First, that identity management initiatives must start with a consideration of business risk. Second, that a consistent policy-based approach to the definition and enforcement of authentication, authorisation and auditing requirements is the only way to grapple with the inherent complexity of distributed, heterogeneous resources, ever-changing business policies and processes and evolving regulatory requirements. These issues are also highlighted in this extract:
Tim Callahan, manager of access control and support services at Atlanta-based SunTrust Banks, said that a full one-third of his company's 33,000 employees either leave or change jobs every year, further complicating ID management efforts. In addition to making sure that departed employees are deleted from the company's systems, the process of allowing workers to maintain appropriate access as they transfer among jobs poses yet another challenge, he said.
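The mover/leaver problem in that extract is, at bottom, a reconciliation between an authoritative source (the HR record) and what each application actually grants, driven by a policy that says what a given job is allowed. The following Python is an added example, not code from the article or from any vendor it mentions: job codes map to permitted entitlements per application, every account is checked against the holder's current job and employment status, and the findings are turned into a remediation plan. The HR feed, the account export, the job codes, the application names and the entitlement names are all constructed for illustration.

```python
"""Reconcile application accounts against an authoritative HR feed.

Added example (not the article's or any vendor's code). The HR feed,
account export, job codes, application and entitlement names below are
all constructed. Policy: a 'mover' keeps only what the current job
allows; a 'leaver' (or an identity HR has never heard of) keeps nothing.
"""
from dataclasses import dataclass

# Constructed policy: job code -> application -> permitted entitlements.
ROLE_POLICY = {
    "TELLER": {"core-banking": {"view-account", "post-transaction"}},
    "BRANCH_MGR": {
        "core-banking": {"view-account", "post-transaction", "approve-override"},
        "hr-portal": {"view-team"},
    },
    "AUDITOR": {"core-banking": {"view-account"}, "audit-vault": {"read-logs"}},
}


@dataclass(frozen=True)
class Employee:
    emp_id: str
    job_code: str   # the job HR currently records, not the one at hire
    active: bool    # False once HR records a departure


@dataclass(frozen=True)
class Account:
    app: str
    emp_id: str
    entitlements: frozenset


@dataclass(frozen=True)
class Finding:
    kind: str       # "orphan", "excess" or "unknown-app"
    app: str
    emp_id: str
    detail: str


def reconcile(employees, accounts):
    """Return findings for every account that violates lifecycle policy."""
    by_id = {e.emp_id: e for e in employees}
    findings = []
    for acct in accounts:
        emp = by_id.get(acct.emp_id)
        if emp is None or not emp.active:
            # Leaver, or an account with no authoritative owner at all.
            findings.append(Finding("orphan", acct.app, acct.emp_id,
                                    "account for a departed or unknown employee"))
            continue
        allowed = ROLE_POLICY.get(emp.job_code, {})
        if acct.app not in allowed:
            findings.append(Finding("unknown-app", acct.app, acct.emp_id,
                                    f"job {emp.job_code} grants no access here"))
            continue
        excess = acct.entitlements - allowed[acct.app]
        if excess:
            # Typical mover: rights carried over from a previous job.
            findings.append(Finding("excess", acct.app, acct.emp_id,
                                    f"beyond job {emp.job_code}: {sorted(excess)}"))
    return findings


def remediation_plan(findings):
    """Map findings to enforcement actions as (action, app, emp_id, entitlement)."""
    plan = []
    for f in findings:
        if f.kind in ("orphan", "unknown-app"):
            plan.append(("disable-account", f.app, f.emp_id, None))
        elif f.kind == "excess":
            # detail ends with the sorted list of surplus entitlements
            for ent in eval(f.detail.split(": ", 1)[1]):
                plan.append(("revoke-entitlement", f.app, f.emp_id, ent))
    return plan


# Constructed sample HR feed and per-application account export.
EMPLOYEES = [
    Employee("E100", "TELLER", True),
    Employee("E300", "TELLER", True),       # moved from BRANCH_MGR to TELLER
    Employee("E400", "BRANCH_MGR", False),  # left the company
    Employee("E600", "AUDITOR", True),
]
ACCOUNTS = [
    Account("core-banking", "E100", frozenset({"view-account", "post-transaction"})),
    Account("core-banking", "E300", frozenset({"view-account", "post-transaction", "approve-override"})),
    Account("hr-portal", "E300", frozenset({"view-team"})),
    Account("core-banking", "E400", frozenset({"view-account"})),
    Account("core-banking", "E500", frozenset({"view-account"})),  # no HR record
    Account("hr-portal", "E600", frozenset({"view-team"})),
]

if __name__ == "__main__":
    found = reconcile(EMPLOYEES, ACCOUNTS)
    for f in found:
        print(f"{f.kind:12} {f.app:13} {f.emp_id}  {f.detail}")
    for action in remediation_plan(found):
        print("ACTION", action)
```

The point of structuring it this way is that the application account lists are never the source of truth: the HR feed and the role policy are, and the same reconciliation runs identically against every application, which is what a shared-infrastructure approach to the lifecycle looks like in the small. A real deployment would replace the inline lists with connectors and write the findings to the audit platform rather than stdout.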
The article concludes with some advice from a fellow analyst:
while compliance regulations are driving the convergence of roles policy, password and account auditing, and user provisioning, those processes should be part of any company's security operations. Moving beyond simple password management to more specific user provisioning helps enterprises get closer to a practical enforcement model for compliance, said Roberta Witty, analyst with Stamford, Conn.-based Gartner.
I certainly agree that identity management needs to be considered as part of security. However, I think Ms Witty doesn't go far enough. Effective compliance needs to go way beyond user provisioning: it requires a common audit and reporting platform, delivered as a shared infrastructure service, which permeates all phases of the identity management lifecycle and is governed by policy.
Where I do find myself agreeing with her is when she says:
"Companies need to figure out how important ID management is to their business and how it plays out in the larger picture; they need to figure out how it drives their business and what it means to their future."
Absolutely. This was my starting point in Identity management: an architectural approach for business value, which leads to many of the conclusions above.