Dave Kearns provides the information you need to evaluate, install and maintain your corporate identity management system.
The messiest part of any job is usually the cleanup. Think about what your kitchen looks like after a festive holiday meal. Or Main Street after the horse brigade marches in the annual parade. But in the field of identity management, often the messiest part of the job comes at the very beginning.
I say the beginning, because before embarking on a major identity management project you would be well-advised to first clean up your user records. In a paper sent to banking officers, Deloitte Canada said: "If you are like other financial institutions of your size, you have about 100,000 active login credentials that you cannot match to a person."
Eurekify Founder Ron Rymon shared with me the results of a survey at one enterprise, which found that there were more than 450,000 user accounts (including system accounts and "generic" accounts) of which almost 114,000 were no longer needed or required major changes in access rights. That's roughly 25% of all accounts! Most troubling to me was that 73% of remote access accounts fell into the "problem" category.
It was just over three years ago (see "E-provisioning's dirty little secret") that I first mentioned this problem and it saddens me to see that it still is a problem. And, unfortunately, it's still a messy job.
Eurekify's Sage is one tool that can help with the cleanup effort (which is probably why Rymon wanted to point out those numbers to me!). There are others, and your provisioning vendor (Sun, Courion, Oracle, Novell, M-tech and more) should be able to either provide a tool or connect you to a vendor with a tool that can aid in the account cleanup.
But cleaning up accounts - that is, matching the account name "jdoe" with "jane.doe" and "janed" - is only part of the solution.
You also need to clean up the authorizations and privileges, especially those that have "accreted": gradually built up over time, but never removed. Sage and other role-mining or privilege-mining tools can also help with this process. It goes beyond finding the related accounts and builds up a privilege profile of the accounts over all resources on the network.
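The two cleanup steps described above, correlating login names to a person and then building a privilege profile across systems, can be sketched as follows. This is an added example, not code from Sage or any vendor named here; the roster, the account exports and the naming conventions in `login_variants` are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: HR roster and per-system account exports.
PEOPLE = {"E1001": ("Jane", "Doe"), "E1002": ("Raj", "Patel"), "E1003": ("Rita", "Patel")}
ACCOUNTS = [  # (system, login, privileges)
    ("AD", "jdoe", ["Finance-RW"]),
    ("Mail", "jane.doe", ["mailbox"]),
    ("VPN", "janed", ["remote-access"]),
    ("VPN", "rpatel", ["remote-access"]),
    ("ERP", "tmpadmin2", ["superuser"]),
]

def login_variants(first, last):
    """Login-name conventions assumed for this example; real sites differ."""
    f, l = first.lower(), last.lower()
    return {f + l, f"{f}.{l}", f"{f}_{l}", f[0] + l, f + l[0], l + f[0]}

def correlate(people, accounts):
    """Return {(system, login): tuple of candidate person ids}."""
    index = defaultdict(set)
    for pid, (first, last) in people.items():
        for variant in login_variants(first, last):
            index[variant].add(pid)
    return {(s, login): tuple(sorted(index.get(login.lower(), ())))
            for s, login, _ in accounts}

def triage(owners):
    """Split accounts into orphans (no owner) and ambiguous (several candidates)."""
    orphans = sorted(k for k, c in owners.items() if len(c) == 0)
    ambiguous = sorted(k for k, c in owners.items() if len(c) > 1)
    return orphans, ambiguous

def privilege_profiles(accounts, owners):
    """Union of (system, privilege) pairs over accounts uniquely tied to a person."""
    profiles = defaultdict(set)
    for system, login, privs in accounts:
        candidates = owners[(system, login)]
        if len(candidates) == 1:
            profiles[candidates[0]].update((system, p) for p in privs)
    return dict(profiles)

if __name__ == "__main__":
    owners = correlate(PEOPLE, ACCOUNTS)
    print(triage(owners))
    print(privilege_profiles(ACCOUNTS, owners))
```

Ambiguous logins such as `rpatel` are deliberately left out of every profile and routed to manual review rather than guessed at.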
Without this messy but essential cleanup operation, your identity management project is, at the very least, slated to have a lengthy, oft-delayed rollout, and it could very well be doomed to ultimate failure because of the frequent system breakdowns needed to accommodate manual manipulation of accounts and privileges.
Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.
Comments (1)
The messiest part of identity management
By phume on January 15, 2007, 4:56 pm
I wholeheartedly agree with Dave's efforts to bring attention to the problem of identity data quality. He has been a leader in this regard. However, it is not true...