Getting Johns Hopkins Bloomberg School of Public Health's 5000 students and faculty securely tied into central resources was once a monumental administrative task — but not anymore.
The Baltimore school has built a self-service Web portal from which users in multiple locations can log on, manage their passwords and view information accessible only by them. To get the users up-to-speed, the IT department distributed an e-mail detailing how to use the self-service site, which involved inputting a Lightweight Directory Access Protocol (LDAP) password once. From there, the rest was self-explanatory.
"If I can get my help desk calls down for silly stuff like password reset and provide just one password for Active Directory and LDAP, that's ROI enough for me," says Ross McKenzie, director of IS at the school.
McKenzie took advantage of the recent wave of products promising to ease identity management across corporate networks by automating the process. Vendors ranging from management giants such as Computer Associates International and IBM's Tivoli to security start-ups such as Netegrity and Thor Technologies brought identity management into their product portfolios. Hewlett-Packard's OpenView software division is expected to announce the company's foray into identity management at its annual users' conference next month.
For years, network managers manually maintained user identities across their networks. The process involves provisioning users, assigning resource access rights, managing passwords and, ultimately, deprovisioning users, among other tasks.
Today, identity management software promises to automate the process of time-intensive tasks such as setting up user groups, access rules and workflow rights by using myriad technologies including directories, single sign-on, authentication and certification.
The goal is to let network executives know who is logged on, regardless of the end user's location or type of client being used, and to ensure that only authorised users have access to specific resources. Typically, network managers must define roles for the specific users and groups of users, and also incorporate approval processes in the software. The software then uses tools such as XML to enable communications among platforms, and perform authorisation and authentication.
Network executives such as Bill Kannberg seem satisfied that the software can lessen their workload and increase operational efficiencies.
Kannberg, CTO and technology manager for Hillsborough County in Tampa, Florida, uses products from Novell's Nsure software suite to render "on the fly" customised Web portals for its more than 5000 end users. Hillsborough County users can log on to a Web site and see only the intranet, Internet and business application resources for which they have authorisation, he says.
Kannberg says he saved significantly (he declined to detail specifics) on infrastructure and staff costs by using Novell software. He didn't have to connect remote locations via fractional T-1s or purchase more switches, and he avoided hiring more help desk staff. While he says Novell could make the Nsure software easier to deploy and configure, he plans to roll out a government version of business-to-business applications using the security provided in identity management via the Web portals.
"We saw the future need to have our costs lowered by having a single place where we could store security and everything you need to know about a user," Kannberg says. "And we plan to use identity management in lots of other places, basically any application with a username and a database."
In addition to automating a frequently requested, redundant and time-consuming task such as password management, identity management also can help protect corporate networks from potential breaches.
By quickly deprovisioning users when they leave the company, corporate IT departments avoid situations in which former employees continue to use corporate resources, incur costs against the company or attempt the sabotage the network.
Rizwan Ahmed had exactly that in mind when he chose Computer Associates' eTrust software for single sign-on, access control, auditing and administration. The CIO of the Louisiana Office of Group Benefits in Baton Rouge also evaluated products from IBM Tivoli and Novell, but he says CA provided the cost, experience and availability of products he needed. Ahmed says he wanted to implement a zero-day provisioning/zero-day deprovisioning policy — or enable IT systems to assign user access rights and remove them in less than one working day.
"We wanted to be able to completely automate the process of hiring and terminating as such that a few strokes at the HR division would either set up a user . . . or suspend/terminate a user from all systems," Ahmed says.
He spent about $US150,000 in software and consulting services and deployed the software over the course of four months. While he says it's a little early to determine ROI, implementing eTrust allowed him to provide the zero-day policy to HR, reduce help desk calls for password reset to zero, and fully comply with the Health Insurance Portability and Accountability Act.
Ahmed says he'd like to see CA use a common directory structure within its eTrust identity-management products rather than the proprietary tools the company currently supports.
Roberta Witty, a research director at Gartner, says one of the underlying technology challenges for vendors is enabling their software to work across multiple vendor hardware and software. Customers deploy myriad directories, systems, platforms and now applications that all require end-user ID and password authentication, and vendors are faced with deploying software that can communicate with each layer in a corporate network.
"The variety and number of platforms to be included in this type of management grows exponentially and faster than people can track," Witty says.
Witty says the technology isn't the first hurdle network managers will encounter when looking to roll out identity management. She says determining business processes and defining user roles across multiple departments challenges IT departments more.
"Buying technology is not the first step in identity management," Witty says. "Users need to know how they want to manage this process, standardise that across multiple departments and then intelligently put their business rules into the software."
Earl Perkins, a senior program director at Meta Group, agrees. He says vendors have yet to work out the process and organisational aspects of identity management.
"Vendors still remain weak in providing 'best practices' for use and recommended roles, skills, positions to support. No one vendor seems to offer best-of-breed, end-to-end identity management," he says.
A recent example happened last week when Sun and Thor partnered to offer an integrated user-access rights provisioning product for Sun One. Thor's Xellerate user-identity and access-management software will work on Sun's One identity-management platform, which includes Sun's One Identity Server, Meta Directory and Portal Server.
"The biggest challenges clients seem to be facing with identity management right now are efficiency, productivity and security, in about that order," Perkins says.