My next entry in my Brochure Buzzwords series. I have thought about this topic for a long time and decided to tackle it even though it is one of the biggest, if not the biggest, Brochure Buzzword topics in the industry today. I think the reason is that Identity Management, or at least the buzzword portion of what people think they know about it, can be comprehended by anyone with a user id and a password.
Like every topic that falls into the Brochure Buzzword area, Identity Management can very quickly spin out of control into something it is not. Generally, the corporations with the biggest Identity Management (IdM for short) problem are the ones with no control over the bureaucracy between their own departments about who owns it. Everyone who understands a few buzzwords thinks they should own the project. In reality, what they know is the easiest and simplest technical aspect of IdM: provisioning.
Let’s take a peek at the definition of User Provisioning – “User provisioning refers to the creation, maintenance and deactivation of user objects and user attributes, as they exist in one or more systems, directories or applications, in response to automated or interactive business processes.”
If you are a technical person, you understand that this is maybe 10-20% of IdM. If you are outside of IT, in HR, Accounting, or on a Business Development team, you see this as automatic user creation and that's it! So you rush out and spend millions on an IdM system, implement it, fight for months or more over automatically creating accounts, and stop. You know what, give me the $2 million and I will give you something that creates users automatically. Here it is –
```vbscript
Option Explicit
Dim strUser
Dim objRootLDAP, objContainer, objNewUser
strUser = "DomGuy2"

' Bind to Active Directory, Users container.
Set objRootLDAP = GetObject("LDAP://rootDSE")
Set objContainer = GetObject("LDAP://cn=Users," & _
    objRootLDAP.Get("defaultNamingContext"))

' Build the actual User.
' Note: an account created this way has no password set and is disabled
' by default; no group membership, no approval, no owner on record.
Set objNewUser = objContainer.Create("User", "cn=" & strUser)
objNewUser.Put "sAMAccountName", strUser
objNewUser.SetInfo
```
I'll schedule it, add maybe a $500,000 modification to have it read from a text file, and there you have a provisioning system as most of the company sees IdM. Hey, I work cheap, comparatively speaking.
Provisioning is NOT Identity Lifecycle Management!!! If you spend more than 2 months on provisioning, you had better be creating accounts in a hundred directories and servers. This is where the Buzzword assumptions kill true progress: everyone wants to get to the same place, but they think provisioning alone will get them there.
Identity Lifecycle Management is taking your business' manual processes, policies, approval workflows, escalation processes, and notifications, and automating those in addition to the act of account creation. The same goes for the reverse: how do we get people out of the systems, or disabled? In most cases the de-provisioning process is far more critical when it comes to turnaround time, because every hour a terminated user's accounts stay enabled is an hour of access nobody approved. But that's not all: your Identity Management system is the cornerstone of your access security as well! If you are creating accounts all over the place, what determines where those accounts go and what attributes and group memberships they receive? How do you know Bob goes in this group and Jane goes over there? Your security systems do! Your security systems are built on a security access model, which should be fairly static in nature, and the IdM provisioning processes make sure the accounts get where they need to be based on that model.
IdM is about the end to end, complete lifecycle of a person and their credentials around the enterprise.
What happens during the lifecycle of a set of accounts, or of the profile of a real live person? How do they manage their accounts? How is access granted or requested? How can I make sure that Accounts Receivable people do not get Accounts Payable access at the same time? How do the users manage their passwords? What happens when they forget them? How do I know which systems Bob the person has an account in right now? How do I ensure that every account on every system has an accountable owner? How do I manage system and service accounts?
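To make the difference between provisioning and lifecycle management concrete, here is an added reference model (not code from the original post, and not any vendor's product) of the reconciliation step an IdM engine runs: it joins an authoritative HR feed against the accounts that exist in the target systems, applies a static access model (business role to groups), refuses the AR-plus-AP toxic combination, puts de-provisioning of leavers ahead of every other action, and flags accounts with no accountable owner. The HR records, account names, group names and system names are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Static security access model: business role -> groups. Constructed names.
ACCESS_MODEL = {
    "accounts_receivable": {"FIN-AR-Users"},
    "accounts_payable": {"FIN-AP-Users"},
    "helpdesk": {"IT-Helpdesk", "VPN-Users"},
}
# Segregation-of-duties rule: no one person may hold both sides.
TOXIC_COMBINATIONS = (
    (frozenset({"FIN-AR-Users", "FIN-AP-Users"}), "AR and AP at the same time"),
)


@dataclass(frozen=True)
class Person:
    employee_id: str
    roles: frozenset        # business roles asserted by HR
    active: bool            # False means HR has terminated this person


@dataclass
class Account:
    system: str
    account_id: str
    owner_id: Optional[str]  # link back to the HR record; None = nobody owns it
    enabled: bool
    groups: set = field(default_factory=set)


def desired_groups(person):
    """Groups the access model says this person should hold."""
    wanted = set()
    for role in person.roles:
        wanted |= ACCESS_MODEL.get(role, set())
    return wanted


def sod_violations(groups):
    return [reason for combo, reason in TOXIC_COMBINATIONS if combo <= groups]


def reconcile(hr_feed, accounts, target_systems):
    """Return (actions, findings). Disables of leavers are always emitted first."""
    people = {p.employee_id: p for p in hr_feed}
    by_owner = {}
    for acct in accounts:
        by_owner.setdefault(acct.owner_id, []).append(acct)

    disables, changes, findings = [], [], []

    # Orphans: accounts whose owner is missing or unknown to HR.
    for acct in accounts:
        if acct.owner_id not in people:
            findings.append(("orphan", acct.system, acct.account_id))

    for emp_id, person in people.items():
        owned = by_owner.get(emp_id, [])
        if not person.active:
            # Leaver: disable every enabled account, in every system.
            disables += [("disable", a.system, a.account_id) for a in owned if a.enabled]
            continue
        wanted = desired_groups(person)
        violations = sod_violations(wanted)
        if violations:
            # Do not provision a toxic combination; hand it to an approval workflow.
            findings.append(("sod", emp_id, ";".join(violations)))
            continue
        existing = {a.system: a for a in owned}
        for system in target_systems:
            acct = existing.get(system)
            if acct is None:
                changes.append(("create", system, emp_id, tuple(sorted(wanted))))
                continue
            if not acct.enabled:
                changes.append(("enable", system, acct.account_id))
            for g in sorted(wanted - acct.groups):       # model says yes, system says no
                changes.append(("add_group", system, acct.account_id, g))
            for g in sorted(acct.groups - wanted):       # drift: access the model never granted
                changes.append(("remove_group", system, acct.account_id, g))
    return disables + changes, findings


# Constructed sample data: one clean AR user with drifted access, one AR+AP
# conflict, one leaver with two accounts, one new hire, one ownerless service account.
SAMPLE_HR = [
    Person("E100", frozenset({"accounts_receivable"}), True),
    Person("E101", frozenset({"accounts_receivable", "accounts_payable"}), True),
    Person("E102", frozenset({"helpdesk"}), False),
    Person("E103", frozenset({"helpdesk"}), True),
]
SAMPLE_ACCOUNTS = [
    Account("ad", "jane", "E100", True, {"FIN-AR-Users", "FIN-AP-Users"}),
    Account("ad", "bob", "E101", True, {"FIN-AR-Users"}),
    Account("ad", "svc_backup", None, True, {"Backup-Operators"}),
    Account("ad", "carl", "E102", True, {"IT-Helpdesk", "VPN-Users"}),
    Account("erp", "carl", "E102", True, set()),
]
TARGET_SYSTEMS = ("ad", "erp")


def run_sample():
    return reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS, TARGET_SYSTEMS)


if __name__ == "__main__":
    actions, findings = run_sample()
    for a in actions:
        print("ACTION ", a)
    for f in findings:
        print("FINDING", f)
```

Note what the `create` for the VBScript-style account on this page never did: the group list comes from the access model, not from whoever filed the ticket; Bob's AR-plus-AP request is stopped before any account is touched; Carl's accounts are disabled before anyone else's are created; and `svc_backup` shows up as a finding because nobody in HR owns it.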
It's not about how well a product can provision, or how many different systems it can create an account in. The important and always overlooked aspect of any IdM system is HOW it provisions. How well can it adopt and integrate the way your business works? Can I make the tool bend to fit me, or do I need to bend the business to fit a tool? For an Identity Management system to be truly effective and get past 10% project completion, it's the business that needs to work together to make it happen.
The hardest part of IdM is not the technology, it's coordinating the effort. You just need a person or group in the lead that can say 'No'.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.