
Identity management implementation: One reader’s cautionary tale

Feb 27, 2006

* Role-Based Access Control was not the answer for one reader

Today, I have for you a true and cautionary identity-management implementation tale. But first some housekeeping details.

I’d be remiss if I didn’t mention that Netpro’s Directory Experts Conference is coming up soon – March 26-29 in Las Vegas. See the conference Web site for all the details, but if your areas of responsibility include Active Directory, then this is an event you should attend.

In other news, Eurekify has now released the full report of its survey on Role-Based Access Control (RBAC). Venture over to Eurekify’s Web site and request a copy for yourself. I wrote about the preliminary findings in a February newsletter.

Speaking of RBAC, when I mentioned it in the February newsletter, the subject riled reader Tom Cooper so much he was moved to shoot off a rocket towards my inbox:

“RBAC is the key? No, RBAC is the answer, because the only tools that exist require RBAC. Since that is what is provided, customers are convinced by a company that specializes in RBAC that RBAC is THE answer….

“If this is not a plot from a Joseph Heller novel, I don’t know what is. Our large Fortune 500 company worked for YEARS to cram an RBAC solution into our ID management problem, and we could not make it go. The answer was NOT RBAC. We selected a number of tools and built a pretty darn good ID management tool kit which handles provisioning, deprovisioning, single sign-on, ad hoc adjustments, and more. We have a ways to go yet, because what we have built doesn’t fit every need, but it’s FAR better than the square packaged approach that the vendor tried to pound into the round ID management problem we had.

“Just because someone who has a vested interest claims that they have the silver bullet, doesn’t make it so.”

After I got Cooper to calm down a bit, we agreed that it was the company and tool he was using – not RBAC itself – that was the problem. The solution he had been forced to use was billed as a “turnkey solution,” but what that really means is that it was an attempt at “one size fits all.” Cooper found that once they abandoned that tool and went with a base of broad-based roles, things went much more smoothly.

He says: “We’ve got some work to do, but our ‘build it from available tools’ system far exceeds what was promised by the vendor with whom we wrestled for so long. We invested millions in licenses and labor and ended up with a death march project which was eventually cancelled. Within six months we had completed our first phase of the new effort and were getting value from the new system. It’s now been just over a year since we cancelled the previous project and we’re in our third or fourth phase. We’re making improvements daily, and are lowering our labor costs through automation.”

As with all identity management projects, Cooper’s experience shows the benefit of a step-by-step approach, which starts small with well-defined, fairly easily reached goals and builds more ambitious services on top of that base.

The moral to be learned here is that there really isn’t a “one size fits all” solution, and off-the-shelf identity management needs as much tweaking and modifying as a custom solution. Do your homework and be an informed buyer.