Controlling access - Bapco Journal

Controlling access

Published: 05 June, 2007

Digital identities are now an important part of the way we do business, but managing them is becoming very costly, time-consuming and critical.

In today’s digital world, identities and our trust in them are at the core of everything we do. Gartner estimates that the role of digital identity is set to grow by 400 per cent by 2009, meaning that this is an issue that every organisation is facing.

As individuals, as employees and as organisations, knowing with whom we are dealing, and being sure of their identity and their authority before we transact, is fundamental to protecting our assets and integrity. Layer onto this drivers such as efficiency, compliance and new business streams, and we have the challenge that is identity and access management (I&AM).

Identity and Access Management issues affect every organisation, be it large or small, in public and private sectors alike. Historically, information access control has been driven at an application or a departmental level. That has led to inconsistencies of approach and a proliferation of multiple identities, which have been a challenge for the IT department. With mergers and acquisitions rife across both sectors and the increased use of digital identities, I&AM is now presenting far greater challenges for the whole organisation.

An example in the public sector was the Home Office’s recent proposal for the restructuring of police forces in England and Wales. Although police forces did not choose to amalgamate, there is still a driver for finding means of collaborating in certain areas, so establishing trust of identity is still a challenge that must be faced. Whilst UPSA (Unified Police Security Architecture) is a potential medium to long term solution, the imperative for forces is more immediate at an operational level.

One issue that was flagged is that information and intelligence need to be better shared, not just within policing, but also more broadly with other agencies. But controlling identities within and between organisations, ensuring that data is seen only by the appropriate person or group and that processes are audited, needs to be very carefully managed.

The merger of Trusts within the NHS will also have encountered similar challenges. Indeed, these are the same challenges that any merging organisation may encounter.

The newly merged organisation will assume a new identity, but it is assumed that employees will still retain their original user identities for a period of time. One of the challenges that the new organisation will face will be to integrate its IT systems without incurring major costs and the associated disruption. A user will have their identity details stored in a number of repositories, and merging with other organisations will exponentially increase that number, placing greater workloads on both the end user and the IT department. Grasping the issue of managing identities will reduce the load on the IT department, enable the flexibility that the new organisation desires and make the user a part of the merged entity. As with any merger between organisations, in order to take control of disparate identities and facilitate change within the organisation, there are six key steps.

step one - assess what you have

Each user may have their identity stored in at least four different user stores for applications that the user is currently accessing. Over time, user permissions and application requirements will change. If these changes are not properly executed, or leavers are not removed, there is a risk of misuse (whether accidental or deliberate) and fraud. If we then factor in that, in the new organisation, there may be further applications that the user needs access to, the number of electronic identities increases.

step two – amalgamating directories

Each organisation should have an HR user store, with valuable information that can be used to help the new organisation shape itself. Bringing all of the HR data together as if it were from a single system will provide greater information to senior managers when making important decisions, as they will have training, education, qualification and location information in one place. But how to do this simply? Using virtual directories, a new company can accommodate this in a short time period, without disturbing the existing applications. Not only will senior managers have a single view, but so will IT. Users will continue to be managed locally until an Identity Management strategy has been successfully implemented.

step three - more applications & passwords?

It is arduous enough for an employee to remember all of their usernames and passwords without the number increasing overnight due to a merger. Removing the password issue through the introduction of an Enterprise Single Sign-On solution saves time, improves auditability and provides compliance where appropriate. In addition, security is improved and IT help desk load is reduced, as users can reset their own passwords. Organisations such as Staffordshire Police, Addenbrookes Hospital and British Energy are already reaping the benefits of such an approach.

step four - control access to applications

Controlling access to applications is vital in ensuring that users have the right information. Access control is not only about limiting who has access to what, but also about ensuring that users have the correct access. Inheriting disparate control mechanisms has the potential to create security loopholes, as the same policy would need to be interpreted and entered into multiple applications. Bringing this together through a single interface reduces support costs, increases user satisfaction and ensures compliance with security policies.

step five - enable mobility/portability

Staff may need to be re-deployed following a merger, and IT needs to be able to respond to this whilst utilising the infrastructure of the organisations involved. A user needs to remember a single set of credentials that can be used anywhere within the new geography of the organisation.

The easier this is to deliver for the user, the more quickly they will feel part of the new organisation.

step six - joiner/mover/leaver

One of the biggest headaches in IT is managing the “joiner/mover/leaver” process. This covers which applications a user will need access to when they join and when they change role, and finally what happens to their accounts when they leave the organisation. This is a big enough problem in itself, but with a merger comes a need to rationalise a vast array of user stores, and the problem takes on a new proportion.

Utilising so-called provisioning solutions in tandem with the previous five steps will allow the organisation to adopt its new shape, whilst enabling the infrastructure changes to take place unbeknown to the user.
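The assessment in step one and the leaver check in step six both come down to reconciling every account in every user store against the combined HR record. The sketch below is an added example, not part of the original article: the store names, employee ids, status values and account data are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Account:
    store: str                  # user store holding the account (hypothetical names)
    username: str
    employee_id: Optional[str]  # link to the HR record; None if never recorded
    enabled: bool

# Constructed HR extracts from two merging organisations: employee id -> status.
HR_ORG_A = {"A-1001": "active", "A-1002": "left"}
HR_ORG_B = {"B-2001": "active"}

# Constructed accounts exported from four application user stores.
ACCOUNTS = [
    Account("org_a_directory", "jsmith", "A-1001", True),
    Account("org_a_finance", "john.smith", "A-1001", True),
    Account("org_a_directory", "pjones", "A-1002", True),   # leaver, never disabled
    Account("org_a_finance", "pjones", "A-1002", False),
    Account("org_b_directory", "akhan", "B-2001", True),
    Account("org_b_casework", "svc_import", None, True),    # no HR owner recorded
    Account("org_b_casework", "tlee", "B-2999", True),      # id unknown to either HR store
]

def reconcile(hr_sources, accounts):
    """Compare every account against a single combined view of the HR stores."""
    hr = {}
    for source in hr_sources:
        hr.update(source)
    findings = {"leaver_enabled": [], "no_hr_owner": []}
    per_person = defaultdict(list)
    for acct in accounts:
        status = hr.get(acct.employee_id) if acct.employee_id else None
        if status is None:
            # Nobody in HR answers for this account: review it before migration.
            findings["no_hr_owner"].append((acct.store, acct.username))
            continue
        per_person[acct.employee_id].append(acct.store)
        if status == "left" and acct.enabled:
            findings["leaver_enabled"].append((acct.store, acct.username))
    findings["stores_per_person"] = {k: sorted(v) for k, v in per_person.items()}
    return findings

if __name__ == "__main__":
    for key, value in reconcile([HR_ORG_A, HR_ORG_B], ACCOUNTS).items():
        print(key, value)
```

Running the same comparison on a schedule after the merger turns the one-off assessment into a standing check that the leaver process is actually removing access.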

conclusion

Although money is being made available to facilitate the mergers, by implementing IT solutions which provide a positive ROI, for example, the extra cash can be put to other uses. Identity Management as an overall technology is able to generate positive and identifiable returns.

Taking a step-by-step approach to the issues of managing identities enables the organisation to quickly absorb the changes, generate cash to fund the next piece and avoid placing an undue burden on the IT department.

Gaining control of the multitude of identities increases the confidence of the user base and eases the implementation of any new applications.




