
SSO five minutes ago...

Reduced sign-on has replaced single sign-on (SSO), adding to an alphabet soup of acronyms for CIOs to navigate.
By Samantha Perry, co-founder of WomeninTechZA
Johannesburg, 30 Apr 2007

Identity management (IDM), as explained in ITWeb's November 2006 feature, is not about the technology. Instead, it is a framework, a methodology within which various technology solutions exist to drive roles and functions, processes and procedures, security and access management solutions, and databases.

As Magix Integration director Amir Lubashevsky notes: "IDM doesn't stand on its own. It is not a point solution. If you look at it as a solution to all problems, for example relying on SSO [single sign-on] to stop identity theft, you are not looking at it from an integrated point of view."

Says Novell SA MD Stafford Masie: "The problem we have in SA is that too many people are trying to take suites of technology and throw them at IDM. They talk about IDM like it is a product. It's not. It's a framework, a methodology, a mindset. You don't install IDM.

"The way you deal with IDM is from a business perspective, and when you're talking about identity, you talk about the business challenges associated with what identity is in a business. Identity defines a role and function at the core [of the business and its systems].

"Just outside that will be the associated processes, then the interdependencies of the processes associated with those functions and roles. At the outer layer are the business policies associated with a function and role.

"The problem is that most businesses have no clear view of function, roles, processes and policies."

Back to basics

The starting point for any IDM implementation is to clean up the data (including removing 'orphan' accounts, namely those that belong to people no longer associated with the organisation), define roles and functions, and then map processes and procedures accordingly, tweaking as necessary.


Says Cornastone enterprise security practice leader Patrick Devine: "You need to get your own house in order first. Clean up and order your existing environment, define roles and role segregation, connect people to roles and roles to resources, rather than having a spaghetti of people connected to resources."

Most CIOs, Devine adds, have no idea of the extent of the clean-up needed. "The only ones who do [have an idea] are those who work for companies that deal with the SEC and are thus required to comply with Sarbanes-Oxley," he states.

"Identity and access management must be driven by the business; it is not an IT problem," says Kelvin Adams, CSC SA global security solutions country manager.

"The business needs to assign owners to data, classify data, assign custodianship of data over to IT and actively review who has access to that data."
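The clean-up the section describes (finding orphan accounts, connecting people to roles and roles to resources, checking role segregation) can be expressed as a small audit pass. This is an added example, not code from the article or from any vendor quoted in it; the roster, account store, role definitions and the one segregation-of-duties pair are all constructed for illustration.

```python
# Constructed HR roster: current staff and the function each performs.
HR_ROSTER = {"alice": "finance_clerk", "bob": "finance_manager", "carol": "sysadmin"}

# Constructed account store: the "spaghetti" of people granted resources directly.
ACCOUNT_GRANTS = {
    "alice": {"ledger_read", "ledger_write", "payroll_read"},
    "bob": {"ledger_read", "ledger_write", "ledger_approve", "payroll_read"},
    "carol": {"server_admin", "ledger_read"},
    "dave": {"ledger_read", "payroll_read"},  # left the company; no HR record
    "svc_backup": {"server_admin"},  # service account with no owner in HR
}

# Target model: roles connect to resources, people connect to roles.
ROLE_GRANTS = {
    "finance_clerk": {"ledger_read", "ledger_write"},
    "finance_manager": {"ledger_read", "ledger_approve", "payroll_read"},
    "sysadmin": {"server_admin"},
}

# Role segregation (constructed rule): nobody may both write and approve the ledger.
TOXIC_PAIRS = [("ledger_write", "ledger_approve")]


def orphan_accounts(accounts, roster):
    """Accounts with no current owner in the HR roster."""
    return sorted(a for a in accounts if a not in roster)


def excess_grants(accounts, roster, roles):
    """Per person, direct grants that the assigned role does not justify."""
    excess = {}
    for user, function in roster.items():
        extra = accounts.get(user, set()) - roles.get(function, set())
        if extra:
            excess[user] = sorted(extra)
    return excess


def sod_violations(accounts, pairs):
    """Accounts holding both sides of a segregation-of-duties pair."""
    return {
        user: [p for p in pairs if set(p) <= grants]
        for user, grants in accounts.items()
        if any(set(p) <= grants for p in pairs)
    }
```

Running the three checks over the constructed data flags two orphan accounts, three people with grants their role does not cover, and one segregation conflict; rebuilding grants from roles alone clears all of them.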

Driving it down

On the other end of the scale, once an IDM framework is in place, policies need to be driven down through the organisation and enforced, or the entire operation will be rendered meaningless.

Sun Microsystems SA software consultant Sean O'Hare concurs: "This is the most important part of an IDM implementation. The organisation must live and breathe identity management as it is interwoven into every aspect of the business, from the bottom to the top.

"An organisation must encourage all of its staff, partners, customers, systems and any other touch point to comply. Highlighting the risks and handing out accountability for non-compliant areas usually stirs people into action," he notes.

"More often than not, the people responsible for different organisational entities are not the same as the people that are accountable for them.

"For example, legislation is driving more and more organisations to be compliant in one thing or another. And a lot of it has to do with how legislation handles the identities and privacy of the information that belongs to its users and clients.

"If, for some reason, there is non-compliance in some area, it is the people at the top who could potentially face prosecution, and not the administrators or line managers. This is, of course, an extreme example."

Nothing single about it


Heralded as the great solution to the multiple-password challenge, single sign-on (SSO) has mutated into reduced sign-on as the realities of managing risk and security have taken hold.

Says Adams: "Single sign-on was never a good idea because it compromises security. If you compromise that single sign-on, you have access to the entire portfolio of that account.

"On the other hand, if you put in controls on the system that force password complexity, the user just writes it down. If you have no controls, the user sets an easy password.

"An age-old problem that also affects SSO is that it doesn't give you better control of your user community. In fact, it makes matters worse because users are often modelled on other users with the same privileges [instead of] the model in the system.

"Once a profile is modified, that modification is repeated and the profile corrupted as a result. SSO also doesn't fix the issue of ensuring all users are current and legitimate, and doesn't solve the problem of ensuring the appropriateness of the access that an individual receives."

The bottom line

In the end, there are no easy wins, but the wins that are to be had are significant.

"We've found that by just changing the interdependencies of the processes and policies, and tweaking a single business process, we could shut down eight unnecessary security systems," says Novell's Masie.

Moreover, IDM or IAM, if you will, must be seen within the broader context of today's business environment.

"We're seeing clients that really get IDM, re-architecting their entire IT strategies as a result," says Masie.

"IDM becomes the nucleus for that strategy moving forward. Identity is becoming the number one issue in terms of customer service, service management, security and risk management."

Dimension Data Africa CTO Alpheus Mangale says unified communications should be borne in mind.

"You've got users and customers needing to access the corporate environment through any device, from any location to whatever application or service they need, depending on their role. And if users and customers want to connect, what becomes important is their identity and ensuring identity is correctly mapped in terms of what can be accessed so that the company is not compromised. IDM is key here."

The end game

The next step up from managing employee and customer identities anywhere, anytime, anyhow and through any device, is federating these identities across associated businesses.

In other words, explains CA business technologist Karel Rode: "If I log on to Discovery's Web site and want to take advantage of an offer from one of its rewards partners like Kulula, I can click through to the Kulula site and have Discovery securely pass my identity on to Kulula."

This saves the user re-entering identity information and ensures said identity and banking details, for example, reside on significantly fewer databases.

"Federating identities is at the highest level of maturity on the CMMI [capability maturity model integration]," he adds.


Not many companies locally have even managed a successful IDM implementation, let alone reached a level of maturity where federation would be viable. There is also the trust issue. No company is going to open its systems to another without ensuring that company's systems are completely secure and that a connection between the two poses the least possible risk to its own operations. Then there are the logistical issues.

Says Rode: "The artefacts that get passed from federating partner to federating partner need to get passed in a certain way. You need to ensure there is good encryption, detail how the information is communicated and what information is communicated. Kulula, for example, would not need to know my income bracket, but it does need my name, surname and identity number."
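The two points Rode raises, that the artefact must be protected in transit and that only the attributes the partner needs may be released, can be shown in a minimal signed-assertion exchange. This is an added example and not code from the article, CA, Discovery or Kulula; it stands in for a real federation protocol, and the HMAC shared secret, the "discovery" issuer name, the claim names and the user record are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed release policy: what each partner may receive.
# Kulula gets name, surname and identity number, never income bracket.
RELEASE_POLICY = {"kulula": {"name", "surname", "id_number"}}

# Constructed per-partner shared secret (a stand-in for real signing keys).
PARTNER_KEYS = {"kulula": b"constructed-secret-shared-with-kulula"}


def _sign(key, payload):
    return hmac.new(key, payload, hashlib.sha256).digest()


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()


def issue_assertion(user_record, partner, now=None, ttl=300):
    """Identity-provider side: filter attributes to the partner's policy, then sign."""
    now = int(time.time() if now is None else now)
    attrs = {k: v for k, v in user_record.items() if k in RELEASE_POLICY[partner]}
    body = {"iss": "discovery", "aud": partner, "iat": now, "exp": now + ttl, "attrs": attrs}
    payload = json.dumps(body, sort_keys=True).encode()
    return _b64(payload) + "." + _b64(_sign(PARTNER_KEYS[partner], payload))


def verify_assertion(token, partner, now=None):
    """Partner side: check signature, audience and expiry before trusting any attribute."""
    now = time.time() if now is None else now
    p64, s64 = token.split(".")
    payload = base64.urlsafe_b64decode(p64)
    sig = base64.urlsafe_b64decode(s64)
    if not hmac.compare_digest(sig, _sign(PARTNER_KEYS[partner], payload)):
        raise ValueError("bad signature")
    body = json.loads(payload)
    if body["aud"] != partner:
        raise ValueError("wrong audience")
    if now >= body["exp"]:
        raise ValueError("assertion expired")
    return body["attrs"]
```

The partner only ever sees the filtered attribute set, and an assertion that is expired, re-targeted or spliced together from another user's payload is rejected before its contents are read.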

That said, federation is starting to take shape in Europe and will no doubt become a reality in SA soon as an increasing number of organisations, including the likes of Discovery, Standard Bank, Vodacom, Absa, UCT and Liberty Life, to name a few, progress with their own IDM initiatives.

In this arena, as in so many others, the local market is keeping pace with its more developed counterparts. Local corporates and consumers can expect to reap the benefits soon.
