by Paul Desmond

Gaining perspective on digital identities

May 26, 2003

You can build it, you can buy it, but you can’t escape the need for identity management.

Steel manufacturer Nucor created its own intranet-based identity management system. T. Rowe Price brought identity management to customer Web sites using a Web-based access management tool. Syracuse University opted for a provisioning tool to deal with its twice-a-year onslaught of new students who need digital identities. Three user organizations with three business problems illustrate a single salient fact: More than one way exists to tackle identity management.

Identity management involves dealing with individuals in an online world. Ideally, it provides a single view of every individual across IT systems throughout the organization. Experts agree that the problem is the same whether those individuals are employees, customers or business partners. The goal is to “understand who you’re working with and what they need,” says Joe Duffy, global leader of PricewaterhouseCoopers’ (PWC) Security and Privacy Practice.

What follows is a guide to help achieve that goal. Duffy describes the process: Evaluate your business objectives and the existing directory structure, including number of applications, users, attributes, roles and rules. Next, devise an architecture and project plan to meet the objectives, choosing among technologies such as authentication, authorization, provisioning and Web access management tools. (If the problem is differentiating your “gold” customers from the rest, for example, a Web access management tool might be the right choice.) Then, determine the order to tie the various applications into the new structure, stage each application, test it and launch it. Ideally, you’ll accomplish all that and be demonstrating significant ROI within a year.

Identify the problem

This road map wasn’t as straightforward when T. Rowe Price first thought about identity management in 1998, says Kirk Kness, vice president with the firm’s Investment Technologies group in Baltimore. Back then, there weren’t many tools to help with the problem, and those that did exist were in their nascent stages.

The business problem, however, was clear. T. Rowe Price had a number of financial tools – report generators, calculators and the like – that it wanted to provide online to its institutional investment clients. “If we made them log on five different times to do what they wanted, it wasn’t going to go over well,” he says.

Other companies have to delve deeper to pinpoint their identity issues, says Roberta Witty, research director for information security strategies at Gartner. Is it an external or internal security problem? Is there an administrative issue, such as too many help desk calls for password problems? Are you looking to reduce total cost of ownership (TCO) for access control? Are federal regulations forcing you to examine your security infrastructure? All these questions will help determine the kind of solution you need, Witty says.

About two years ago, CUNA Mutual Group, which provides financial services to credit unions, was looking at how to bring more of its 300 products and services online. An analysis turned up 125 directories that held credentials and other data about internal employees, credit union employees and members who used CUNA Mutual’s systems. “Whenever you do any kind of IT analysis and find you have 125 of something, you’ve obviously got room for improvement,” says Steve Devoti, directory services manager for the company, in Madison, Wis. “You can’t have 125 directories and no plan.”

American Express encountered an identity management problem as it rolled out Web services with business partners, says Michael Barrett, vice president for Internet technology strategy for the Phoenix company. “From a business perspective, the Web service was stable, but the implementation was radically different each time,” he says.

The problem was that each partner company had a different way of handling security, including authentication and authorization. “We looked around for standards and there weren’t any,” he says, a fact that became an impetus for the company’s involvement in the Liberty Alliance, an industry group devising a strategy for federated identity management that Barrett heads.

Devising a directory strategy

Most identity management strategies start with some form of directory services integration, says Kevin Kampman, senior consultant with Burton Group. The idea is to have a single “authoritative source” for each piece of data. Multiple authoritative sources might be associated with the same individual, depending on the data in question. For example, the human resources application would be the authoritative source for fiduciary employee records, while Active Directory holds e-mail addresses.

One option is a metadirectory, which brings a consolidated view of data in various directories in the corporation. Largely homogeneous organizations might implement an all-encompassing enterprise directory, but it’s unlikely you’ll ever get down to just one.

“In theory, you can make one authoritative source, but in practice you can’t. Applications such as PeopleSoft and SAP are still going to have their database,” PWC’s Duffy says. “The idea of this mongo directory in the sky just defies how business works.”

That’s the conclusion Syracuse University came to after embarking on its identity management quest in the fall of 2001, says Gary McGinnis, director of client services for the upstate New York school’s computing and media unit. The university determined that it never would have a single, monolithic network operating system so it decided to keep the directories linked to its three major operating systems: NetWare, Unix and Windows. Syracuse implemented Sun’s iPlanet Directory Server to create a master directory to authenticate users, but keep authorization data specific to various applications in the operating system directories. A provisioning tool from Business Layers detects changes in the master database, then pushes the changes to any other directories where that user exists.

Creating the master directory required four to six weeks of painstaking manual effort, considering the school’s largest directory holds records for more than 30,000 individuals. While computers easily could find identity discrepancies among existing directories, IT personnel had to resolve the discrepancies, which in some cases meant getting in touch with the users directly.
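The master-directory-plus-provisioning arrangement Syracuse describes, as an added Python sketch (not Syracuse’s or Business Layers’ code): the master owns identity attributes, each operating-system directory keeps its own authorization data, and a provisioning run pushes only changed identity attributes to directories where the user already exists. Directory contents and attribute names are constructed.

```python
import copy

# Constructed data modelled on the article: identity attributes are owned by the master
# directory; each operating-system directory keeps its own application-specific "authz".
IDENTITY_ATTRS = ("cn", "mail", "status")

master = {
    "jdoe":   {"cn": "Jane Doe", "mail": "jdoe@example.edu",   "status": "active"},
    "asmith": {"cn": "Al Smith", "mail": "asmith@example.edu", "status": "active"},
}
linked = {
    "netware": {"jdoe":   {"cn": "Jane Doe", "mail": "jdoe@example.edu", "status": "active",
                           "authz": ["vol:students"]}},
    "unix":    {"jdoe":   {"cn": "J. Doe", "mail": "jdoe@example.edu", "status": "active",
                           "authz": ["grp:cs101"]},
                "asmith": {"cn": "Al Smith", "mail": "asmith@example.edu", "status": "active",
                           "authz": ["grp:staff"]}},
    "windows": {"asmith": {"cn": "Al Smith", "mail": "asmith@example.edu", "status": "active",
                           "authz": ["ou=Staff"]}},
}

def snapshot(directory):
    """Copy of the master taken at the end of a provisioning run, used for change detection."""
    return copy.deepcopy(directory)

def detect_changes(previous, current):
    """Users whose master record differs from the last snapshot (new or modified)."""
    return [u for u, rec in current.items() if previous.get(u) != rec]

def push_changes(changed, master, linked):
    """Push identity attributes only to directories that already hold the user;
    the directory's own authz data is never touched. Returns (directory, user) pairs."""
    pushed = []
    for name, directory in linked.items():
        for user in changed:
            if user in directory:
                for attr in IDENTITY_ATTRS:
                    directory[user][attr] = master[user][attr]
                pushed.append((name, user))
    return pushed

def provisioning_run(previous, master, linked):
    """One detect-then-push cycle of the provisioning tool."""
    return push_changes(detect_changes(previous, master), master, linked)
```

Pre-existing discrepancies such as the Unix “J. Doe” entry are not touched until the master record changes; reconciling those is the manual step the text describes.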

Bringing in the apps

With the directory in order, integrating applications can begin. Mark Ford, principal with Deloitte & Touche Security Services Group, says organizations that make a concerted effort to Web-enable their applications have a much easier go of it because they’ve got a standard interface to deal with: the browser. That enables organizations to implement a single, centralized authentication and authorization engine that any Web application can use.

“For folks like me, a former security officer, it’s almost the Holy Grail because you’re really getting back to that mainframe model where you have centralized access management,” Ford says.

Centralized access management can be implemented in a number of ways, but generally, when a user attempts to log on to a Web application, the logon request is routed to the access management engine. There the user is properly authenticated, with at least a username and password. Often some form of software-based security token that denotes the user’s credentials is then passed to the application. Should the user later want to access other applications, the token can be shuttled around as necessary behind the scenes, so the user doesn’t have to log on to each new application.
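The centralized logon flow above, as an added Python example (not code from any vendor or company named in the article): the access management engine authenticates once and mints a signed token carrying the user’s credentials; each Web application verifies the token and never sees the password. The shared key, the user store and the 15-minute lifetime are assumptions for the example.

```python
import base64, hashlib, hmac, json, time

# Assumptions for this constructed example: one key shared by the access manager and
# the Web applications it protects, and a tiny in-memory user store.
SECRET = b"constructed-demo-key-change-me"
SALT = b"constructed-salt"

def _pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()

USERS = {"alice": {"pw_hash": _pw_hash("correct horse"), "roles": ["institutional"]}}

def _sign(payload):
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()

def login(username, password, now=None):
    """Access management engine: check the password once, mint a signed token."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["pw_hash"], _pw_hash(password)):
        return None
    now = time.time() if now is None else now
    claims = {"sub": username, "roles": user["roles"], "iat": now, "exp": now + 900}
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

def verify(token, now=None):
    """Any protected application: accept the token instead of prompting again."""
    try:
        b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64)
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None                      # tampered or forged
    claims = json.loads(payload)
    now = time.time() if now is None else now
    if claims["exp"] <= now:
        return None                      # expired: back to the engine
    return claims

# Two of the tools behind one logon; each only checks the token.
def report_generator(token, now=None):
    claims = verify(token, now)
    return f"report for {claims['sub']}" if claims else "login required"

def calculator(token, now=None):
    claims = verify(token, now)
    return f"calculator for {claims['sub']}" if claims else "login required"
```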

A number of vendors, including IBM, Netegrity and Oblix, sell Web access management products that provide authorization. T. Rowe Price uses IBM Tivoli Access Manager, and CUNA Mutual uses Oblix’s NetPoint.

While such systems easily can hook into Web-based applications, integration with client/server applications likely will require more time-consuming and costly custom integration work.

“You basically have to re-engineer client/server applications to take advantage of this model,” Ford says.

While some applications are worth that effort, many organizations choose to freeze development of “fat-client” applications and move to a Web-based model instead. On the other hand, he notes, mainframe applications are relatively easy to Web-enable and hook into the Web access management system.

Roll your own

It’s also possible to create your own Web access management engine, like Nucor did with some help from software developers at Extreme Logic. Nucor is a $4.5 billion company with 28 divisions, says Scott Messenger, corporate IT manager for the Charlotte, N.C., company. In early 2001, it was looking for a simple way to authorize employees to access intranet-based knowledge management, human resources, purchasing, inventory management and sales collaboration tools.

Given Nucor’s decentralized nature, “Our big issue was how to build something where we could distribute the administration,” Messenger says. Another requirement was that it could take no more than 60 minutes to train users how to grant permissions. The goal was to make it simple enough that, when administrators closed the screen, they’d be sure they had granted only the intended permissions.

Nucor also was dealing with a largely homogeneous Microsoft environment, which made the implementation easier. The company used Active Directory as the foundation for its identity management engine, augmenting its base authorization function with homegrown software tokens that provide thousands of permissions. The permissions are grouped into packages, or profiles. A base package might provide a few hundred permissions, granting access to everyday human-resource applications and the like. Other packages define the permissions specific to different jobs, such as controllers and IT staff. Additional permissions can be granted to any individual as needed. Certain permissions kick off an audit event that shoots an e-mail to appropriate authorities to alert them that the permission was granted, just in case it shouldn’t have been.
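The permission-package model described above, as an added Python example (not Nucor’s or Extreme Logic’s code): packages bundle permissions, individuals can receive extras, administrators may grant only within their own division, and granting a flagged permission raises an audit event. The package contents, the set of audited permissions and the admin scopes are constructed.

```python
from dataclasses import dataclass, field

# Constructed permission packages (profiles), modelled on the article's description.
PACKAGES = {
    "base":       {"hr.timesheet.view", "hr.benefits.view", "km.wiki.read"},
    "controller": {"finance.ledger.view", "finance.ledger.post", "purchasing.po.approve"},
    "it":         {"inventory.admin", "km.wiki.admin"},
}
# Permissions whose grant must raise an audit event (which ones is an assumption).
AUDITED = {"finance.ledger.post", "purchasing.po.approve", "inventory.admin"}
# Distributed administration: each administrator may grant only within one division.
ADMIN_SCOPE = {"admin.plant7": "plant7", "admin.hq": "hq"}

audit_events = []   # stand-in for the e-mail sent to the appropriate authorities

@dataclass
class User:
    name: str
    division: str
    packages: list
    extra: set = field(default_factory=set)

def effective_permissions(user):
    """Union of every package the user holds plus individually granted extras."""
    perms = set()
    for pkg in user.packages:
        perms |= PACKAGES[pkg]
    return perms | user.extra

def has_permission(user, permission):
    return permission in effective_permissions(user)

def grant(user, permission, granted_by):
    """Grant one extra permission; returns the audit event if one was raised."""
    if ADMIN_SCOPE.get(granted_by) != user.division:
        raise PermissionError(f"{granted_by} cannot administer {user.division}")
    if has_permission(user, permission):
        return None                       # already held: no change, nothing to alert on
    user.extra.add(permission)
    if permission in AUDITED:
        event = {"user": user.name, "permission": permission, "granted_by": granted_by}
        audit_events.append(event)
        return event
    return None
```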

Nucor developed the engine in just five man-months, Messenger says, at a cost of less than $50,000, including the fee paid to Extreme Logic.

The “buy vs. build” argument typically comes down to a combination of corporate philosophy and requirements to solve the problem at hand. For American Express, “Our strong preference is to buy rather than build,” Barrett says. With that in mind, the company has embarked on a metadirectory strategy with which it will decide what directory is the authoritative source for any piece of data, then replicate from there to other sources.

All sources feed a central Lightweight Directory Access Protocol directory to keep things in sync. The idea is to follow the federated approach that is at the core of the Liberty Alliance work, where distributed directories each own a piece of the pie. That setup has American Express ready to take advantage of Liberty-enabled tools as they become available, Barrett says.

The road map comes down to having an accurate sense of your current state and what your requirements are. From there, you can decide what the identity management system should accomplish, Burton Group’s Kampman says. “You don’t do identity management in a vacuum.”

Desmond is a writer, editor and president of PDEdit, an editorial content company in Framingham, Mass. He can be reached at