Identity Management

Every corporation, small enterprise, agency, university or almost any other kind of organization needs some kind of order and security to operate efficiently. The primary concern of every organization is also dealing with people: employees, contractors, partners, customers, and so on. Identity Management is the field of information technology where these two critical concerns combine: identity management is about order and security with respect to managing people. Identity management technologies deal with the processes of hiring people, organization structure changes, lay-offs, partner enrolment and customer management. They try to automate many aspects of these processes, from password management to the automation of security reviews, audits and risk management assessments.

Simple Start

Before a company becomes a big enterprise it usually starts small and simple. It has tens or hundreds of employees, a couple of partners and just a handful of information systems. Even such a small company needs some kind of order and security, therefore it needs processes for managing identities. But these processes are very simple while the company is small. In fact a single spreadsheet is usually the right tool for this job:

The principle is straightforward: security personnel and/or system administrators maintain a spreadsheet that defines the access rights each individual employee should have. This is a simple and very efficient way to manage identities in a small organization, and it is easily understandable. It is in fact so simple that most small companies do not maintain this spreadsheet at all and rely only on the actual information in each individual information system. This is a very easy, efficient and cost-effective approach as long as the information systems are simple and their number is small.

First Obstacles

However, organizations have a natural tendency to grow. As the organization grows, the number of identities increases. More importantly, the number of information systems also grows and the systems become very complex. It may take only a few months before the spreadsheet starts to look a bit scary:

There are many reasons for this unexpected complication:

The hard fact is that this cannot really be changed, not in any substantial way. This dynamic and fluid approach to managing people is dictated by business practice. The organization needs it to bring new products to market quickly, to keep costs down and to stay competitive. Business comes first. The identity management processes must adapt to the business reality; there is no way around this. And this just cannot be done manually any more.

Policy Versus Reality

Even if there were a way to maintain the "spreadsheet of identity management", it would still not be enough. The spreadsheet represents the policy. In theory the policy should be perfectly reflected in reality, but practice is entirely different. The policy is never reflected in reality perfectly. There are also untracked manual changes that are not synchronized back to the policy. This means that the policy and reality diverge all the time.

That is the reason we need audits, especially security audits, and it is a good reason. The problem is that audits are expensive. Very expensive. An audit needs to retrieve data from all information systems, process them into a common format, correlate the identities and evaluate whether the identities are in accord with the policy. This is extremely expensive to do manually.

Audits are not just a good idea. Activities related to security and identity audits are mandated by a number of regulations such as the Sarbanes–Oxley Act (SOX), Basel II, HIPAA and so on. Therefore almost any major corporation or agency needs to conduct security and identity audits at regular intervals, and the cost of the audits comes back every year.

Overall Cost of Manual Processes

The overall cost of manual identity management is huge. An even worse aspect of the problem is that any attempt to enumerate the cost will reveal only a part of the entire cost. The reason is that the cost of slow and unreliable processes is spread across many areas and very large parts of it are hidden. The following list provides a partial list of the costs:

This list is inherently incomplete. Identity management goes deep inside the very fabric of each organization, therefore the cost is widely spread. It may not be possible to compute the overall cost exactly, but it is very clear that this cost is substantial. Which means there is enormous potential for savings and improvements.

The Solution

The solution is both simple and complex. But the essence of the solution can be described by a single word: automation. This principle can be easily explained by looking at two simple diagrams. The following diagram illustrates the current state of identity management in many organizations:

The processes are governed by people. People send each other e-mail messages, give each other action items at meetings, reassign trouble tickets and so on. This process is rarely formalized and it somehow "guides itself". It means that the execution of this manual identity management often ends up in a dead end, travels in cycles and goes back and forth until it luckily reaches its end. Which means this process is quite slow, very unreliable and almost unpredictable. This is the primary cause of problems.

The interesting fact is that the vast majority of steps in this process are just routine. People do the same thing over and over. This can be easily automated. Computers can do quickly and reliably what people do slowly and chaotically. Identity provisioning systems are designed for exactly that purpose. This is illustrated in the following diagram:

An identity provisioning system automates the routine parts of the process. There are a number of methods that can be used to do the automation efficiently. Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) are well-known security models that can significantly help to carve order out of seemingly chaotic access right structures. Business Process Management Notation (BPMN) is a specification for business process automation. If these methods are applied to identity management and coupled with a great deal of domain expertise, the result is a quite sophisticated and very useful system. A system that can be configured to speed up the processes, simplify them and make them more manageable.

It works like this:

  1. A new employee is hired. The human resources (HR) staff enter the data of the new employee into the HR system. These are basic data such as the employee's given name, surname, work position, hiring date and so on.
  2. The identity provisioning system picks up the record from the HR system. The provisioning system runs a set of rules to determine what to do with the new identity. E.g. it may use the HR value of work position to determine that the new employee is a junior assistant. Therefore the provisioning system assigns a "Junior Assistant" role to the new employee.
  3. The definition of the "Junior Assistant" role says that the holder of this role should have access to the AD, ERP, DMS and MIS systems. The provisioning system computes what the accounts in these systems should look like.
  4. The provisioning system uses connectors to automatically create the accounts in each of the individual systems.
  5. The employee is now "provisioned". All the accounts are prepared, all necessary access rights are assigned. Everything is ready to work.

In practice the majority of the provisioning steps can be automated. However, there are usually steps that require a human decision. Provisioning systems are well prepared to handle such processes: approval steps can be configured as necessary. People cannot be taken entirely out of the process, but their work can be made more efficient. Much more efficient.

The provisioning connectors are usually bi-directional: they can read information as well as write it. This means that the data in the provisioning system can always be kept up to date. The provisioning system can therefore provide data for much more efficient automated audits, and it can also produce reports about various aspects of identity data.
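The five-step process above and the policy-versus-reality audit can be shown as a small rule engine. This is an added illustration, not code from any provisioning product: the role definitions, the position-to-role rules, the HR record and the accounts "read back" from the connectors are all constructed sample data, and the username convention is an assumption.

```python
# Role definitions: role name -> systems the holder must have an account in.
# Constructed sample mirroring the "Junior Assistant" example in the text.
ROLES = {
    "Junior Assistant": {"AD", "ERP", "DMS", "MIS"},
    "Accountant": {"AD", "ERP"},
}

# Rule: map the HR "work position" attribute to a role (step 2).
POSITION_TO_ROLE = {
    "junior assistant": "Junior Assistant",
    "accountant": "Accountant",
}

def assign_roles(hr_record):
    """Step 2: derive roles from HR data. An unknown position yields no
    automatic role; such a case would go to a human approval step."""
    role = POSITION_TO_ROLE.get(hr_record["position"].strip().lower())
    return {role} if role else set()

def compute_desired_accounts(hr_record):
    """Step 3: compute which accounts the identity should have (the policy).
    Assumed username convention: first initial + surname, lower-cased."""
    username = (hr_record["given_name"][0] + hr_record["surname"]).lower()
    return {system: username
            for role in assign_roles(hr_record)
            for system in ROLES[role]}

def reconcile(desired, actual):
    """Automated audit: compare the policy (desired) with reality (accounts the
    bi-directional connectors read back) and report every divergence."""
    missing = {s: u for s, u in desired.items() if s not in actual}
    orphaned = {s: u for s, u in actual.items() if s not in desired}
    mismatched = {s: (desired[s], actual[s]) for s in desired
                  if s in actual and desired[s] != actual[s]}
    return {"missing": missing, "orphaned": orphaned, "mismatched": mismatched}

# Constructed sample: HR record of a new hire (step 1).
NEW_HIRE = {"given_name": "Alice", "surname": "Novak",
            "position": "Junior Assistant", "hired": "2024-01-15"}

# Constructed sample: what the connectors actually find in the systems.
# ERP was never created, MIS was renamed by hand, and a stale CRM account
# exists that no role grants (an untracked manual change).
ACTUAL_ACCOUNTS = {"AD": "anovak", "DMS": "anovak", "MIS": "a.novak", "CRM": "anovak"}

if __name__ == "__main__":
    desired = compute_desired_accounts(NEW_HIRE)
    print("desired accounts:", desired)
    print("audit findings:", reconcile(desired, ACTUAL_ACCOUNTS))
```

The audit output is exactly the work a manual review would do by hand: the missing ERP account is a provisioning failure, the orphaned CRM account and the renamed MIS account are the untracked changes that make policy and reality diverge.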

Provisioning systems usually also provide self-service to users. Users are able to reset their passwords, review their access rights, request new rights and so on.

There are more benefits than just the automation of existing processes. Because provisioning systems are very fast and efficient, they enable many new possibilities. A provisioning system can efficiently manage ad-hoc groups and other dynamic organizational structures. Teams and workgroups can be set up and deleted with almost no overhead. A provisioning system can tear down many barriers to creativity and progress and therefore open up new business opportunities.

The Effect

There are many benefits of identity provisioning. Some of them are obvious and measurable; others are more subtle. There are two major measurable benefits: cost savings and security. And there is a large number of less obvious but very important benefits.

A provisioning system reduces cost in many areas:

The following data are based on several provisioning system deployments. They illustrate the magnitude of the savings that provisioning systems provide:

| Metric | Before | After |
|---|---|---|
| Time to get new access for an employee | 3 weeks | 1 day |
| Time to reset a password | 4 hours | 10 minutes |
| Call centre load reduction | - | 10-50% |

Provisioning system deployments provide a very good return on investment (ROI), assuming that a suitable product is chosen and it is deployed properly. Practice shows that the feasibility of a provisioning system deployment roughly correlates with the number of employees of the organization:

| Number of identities | Feasibility of commercial provisioning system | Feasibility of open source provisioning system |
|---|---|---|
| 5000+ | Provisioning system deployment is feasible and provides substantial benefits. Even complex deployment projects are feasible. | Provisioning system deployment is feasible and provides substantial benefits. Even complex deployment projects are feasible. |
| 1000-5000 | Feasibility boundary. Commercial provisioning systems may still be feasible, albeit with a simplified configuration. | Provisioning system deployment is feasible and provides substantial benefits. Even complex deployment projects are feasible. |
| 200-1000 | Usually infeasible. Deployment of a commercial provisioning system is too costly. It is seldom feasible unless justified by non-economic reasons (e.g. security requirements). | Feasibility boundary. Open source provisioning systems may still be feasible, albeit with a simplified configuration. A phased approach is strongly recommended. |
| 0-200 | Infeasible. Deployment of a commercial provisioning system is too costly even if it is justified by non-economic reasons (e.g. security requirements). | Commercially infeasible. An open source provisioning system with commercial support is usually infeasible in this region. However, deployment of an open source provisioning system with free community support is still feasible and provides benefits. |

Market Synopsis

The first generation of identity provisioning technology was popularized in the early 2000s. The second generation of provisioning systems was born several years ago. Therefore there are many products to choose from. The products can be sorted into three broad categories:
