Identity management is a fairly ambiguous term used to describe a variety of technologies. Chris Pick, vice president of market strategy for NetIQ Corp., shed some light on identity management solutions and their implementation.
What are the components of identity management?
Chris Pick: There are many components, but I would say four of them are critical. These are the components people are looking for when they evaluate a solution: authentication, access control, administration and workflow. Authentication is proving who you are. Access control is proving what you have [a] privilege to see based on your role. Administration is the process of managing your account. Workflow is the process of who approves that decision process and who terminates that account as you go through the organization. These are predicated technical components that the seven areas of identity management are critical to address.
Can you describe the typical organization that would most benefit from an identity management solution?
Pick: Almost every organization can benefit from it. Within the seven market segments there are different buyers. For example, it makes sense for a huge organization that has thousands of employees to look at a provisioning solution, which automates several manual processes for managing users across the board. It makes sense for a middle market company who might have a single infrastructure investment to look at delegated user administration products because they're based on one technology, and it makes sense to unify and standardize the use of that technology across the organization. It makes sense for companies that are investing in heavy e-commerce infrastructures to buy proper extranet management products to facilitate Web single sign-on. So you have to break it down by the benefits and the advantages of each of the seven market areas. It's truly not a one-size-fits-all and truly not a one-vendor-provides-all at this stage of the game.
What are the benefits of implementing an identity management program?
Pick: The first benefit is, ultimately, cost savings. Cost savings is realized through automation, enhanced productivity and the elimination of redundant manual tasks. Looking at most of the areas within security today, identity management has one of the most quantifiable value propositions, as opposed to subjective propositions. When you look at things like intrusion detection or vulnerability assessment, it's very hard to measure the impact of what they will do specifically for the organization. But, when you look at solutions like password self service, it's very plain to see that you can begin to scale down your help desk, which results in man-hours, which can be equated to dollars, which ultimately can be equated to some degree of budget.
The second benefit is enhanced security and increased ability to have general controls within the environment. What I mean is, the ability to ensure that the proper people have access to the things that they should have access to –- and no more. Those are two things that are driven very clearly by an audit -– and every company goes through a general control review if they're public.
What are the challenges of implementing an identity management program?
Pick: There are several challenges. The first one is understanding the long-term strategy of implementing a solution. In other words, do I buy an identity management solution just to solve my local point of pain –- my Windows environment -- or do I realize that I might have similar problems in managing my Seibel users and my Unix users later down the road? That is, buying best-of-breed point products today instead of buying a long-term solution that helps me manage users across the organization. It's a balance of strategy.
That's difficult in organizations today because the ownership of the users is in various places within a company. Some users are owned by business units who, for example, in an investment bank might control access and authentication to trading systems. Within that same bank, Internet users might be controlled by the operations group. There's an organizational structure and political boundary challenge that is difficult to understand.
How do you recommend companies begin the process of deciding what technology would work best for them?
Pick: It starts with really having an understanding of their systems and security management strategy -- not just over one year but potentially over several years. If they have points of pain or groups within the organization who are interested in buying a specific product for identity management, it makes sense to ensure that that buying decision fits into the overarching strategy of what the company is trying to do. It makes sense for them to look at compatibility issues across the board and define them as part of a security and systems management strategy.
There's no point in investing in a solution that provides you Unix authentication and access control measures when down the road you cannot engineer and integrate that within your Active Directory user management solution. It's with that balance and with an appreciation of what the strategy is going to become in the long term that companies can decide to make better purchases tactically to integrate into the longer-term strategic goals. Not a lot of companies really consider their strategy longer term, and that really results in a lot of the duplication of duties.
