Once upon a time, managing identities was a snap. Corporate IT infrastructure consisted of a single, hulking IBM mainframe with a relatively specialized group of back-office users who were either logged on or not. If line employees or managers had computers at all, they were used for word processing and spreadsheets, and people “networked” machines by handing floppy disks to one another.
Today even the janitor might carry a Blackberry—bringing a boon to productivity, yes, but also turning identity management into a terrific challenge for corporate executives who must assure regulators that only those who are properly authorized to access financial systems actually do.
The legitimacy of system users is inherent in Section 302 and Section 404 of Sarbanes-Oxley, which demand effective internal control over financial reporting. But you can’t have effective controls if a disgruntled former employee can log into the payroll department. Guarding against that might not sound particularly difficult—and in the IBM mainframe days, it wasn’t. Today, however, employees routinely tap into diverse servers in disparate geographies just to get through the business day.
John Clark, a partner in the enterprise risk services practice at Deloitte & Touche, says his clients’ principal interest in identity management systems is their ability to manage and audit exactly who has access to what systems. In addition, he says, clients want to ensure that when people leave the organization or are transferred elsewhere internally, their access is immediately revoked or updated.
“If you were to go to the vast majority of clients and ask what a particular individual has access to, there isn’t anyone who could tell you,” Clark says. “The identity management systems tie it all together.”
Phil Becker, editor of Digital Identity World, says identity management “wandered in the woods” for years because senior executives saw no real need for it. SOX changed that attitude dramatically.
“It solves so many problems, but it was hard to sell to management,” says Lori Rowland, an identity management analyst with the Burton Group. Now, the identity management pitch is that “we can control access and we can report on access, which can appeal to persons at a higher level.”
The result has been an identity management boom. Becker estimates that half of Global 2000 companies have installed identity management systems, with the rest expected to do so in the next two years. Compliance needs, he says, drive both the adoption by corporate customers and the rapid technology improvements making identity management more affordable.
How To Address Identity
Identity management systems tackle what are essentially data management problems, says Idan Shoham, chief technology officer of M-Tech, an identity management system software firm. The core challenge is how to make changes to tens or hundreds of systems as each employee is hired, transferred or dismissed—when companies can have tens of thousands of employees. “It has to do with everything from bad passwords to bad termination processes, unreliable allocation of privileges and weak change management, which is increasingly a problem,” Shoham says.
Shoham divides identity management systems into two elements. First is an automation component, to create or remove IT rights automatically based on additions, transfers or deletions in a human-resource-management system.
Such automation does have limits, particularly when users have access needs more specific than an HR department would naturally know. That’s where the second element—workflow—comes into play, Shoham says. Ideally, workers should be able to request access changes via a self-service interface; workflow-management systems would then route the request to the correct manager for review and approval.
Clark at Deloitte says nailing such workflow processes on the front end of an identity management installation is essential in maximizing the system’s value.
Consolidation and delegation are also common features, Shoham adds. Consolidation allows managers or security personnel a unified view of a user’s access privileges to diverse IT systems; delegation allows certain people to approve specific access-related requests, but not necessarily others.
Now, says Rowland at the Burton Group, Sarbanes-Oxley’s strict requirements almost require some sort of comprehensive software solution, since relying on printed reports to reconcile access policies with ground-level reality can be risky.
“Many organizations are still printing reports. But if you’re in a larger enterprise, a manager may have 150 people reporting to them and they’ll just have no idea who should be accessing what,” she says. Such managers need an automated tool that flags employee access contrary to policy.
The chore of managing segregation-of-duties across multiple systems is getting increased attention, Rowland says. In general, today’s identity management systems can control user access to specific systems—but, she adds, they still stop short of saying what transactions users can do within those systems.
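As an added illustration of the automation, reconciliation and segregation-of-duties elements described above (example code written for this page, not from the article or any vendor it names), the Python model below derives each person's entitled access from an HR record, computes the grants and revokes a provisioning run would make after a hire, transfer or termination, and flags access contrary to policy plus a segregation-of-duties conflict that spans two systems; the role policy, systems, names and snapshot are all constructed.

```python
# Constructed role policy: the (system, privilege) entitlements each HR job role implies.
ROLE_POLICY = {
    "payroll_clerk": {("payroll", "enter_payments"), ("email", "mailbox")},
    "payroll_approver": {("banking", "approve_payments"), ("email", "mailbox")},
    "sales_rep": {("crm", "user"), ("email", "mailbox")},
}
# Constructed segregation-of-duties rule spanning two systems: nobody may both enter
# payments in payroll and approve them in banking, even if each system alone allows it.
SOD_PAIRS = [({("payroll", "enter_payments")}, {("banking", "approve_payments")})]
# Constructed snapshot: the HR system of record and what each downstream system reports.
HR = {
    "alice": {"status": "active", "roles": ["payroll_clerk"]},
    "bob": {"status": "active", "roles": ["sales_rep"]},        # transferred out of payroll
    "carol": {"status": "terminated", "roles": ["payroll_approver"]},
}
ACTUAL = {
    "alice": {("payroll", "enter_payments"), ("banking", "approve_payments"), ("email", "mailbox")},
    "bob": {("payroll", "enter_payments"), ("email", "mailbox")},   # old role never revoked
    "carol": {("banking", "approve_payments"), ("email", "mailbox")},  # ex-employee still active
    "dave": {("crm", "user")},                                  # account unknown to HR
}

def desired_access(hr_record):
    """Automation component: access an HR record entitles someone to; none if terminated/unknown."""
    if hr_record is None or hr_record["status"] != "active":
        return set()
    return set().union(*(ROLE_POLICY[role] for role in hr_record["roles"]))

def provision(actual, hr):
    """Grants and revokes needed to realign every system with HR, including accounts HR never had."""
    changes = {}
    for user in sorted(set(actual) | set(hr)):
        want, have = desired_access(hr.get(user)), actual.get(user, set())
        if want != have:
            changes[user] = {"grant": sorted(want - have), "revoke": sorted(have - want)}
    return changes

def reconcile(actual, hr):
    """Consolidated review: flag access contrary to policy and cross-system SoD conflicts."""
    findings = []
    for user in sorted(actual):
        have = actual[user]
        for ent in sorted(have - desired_access(hr.get(user))):
            findings.append((user, "contrary_to_policy", ent))
        for left, right in SOD_PAIRS:
            if left <= have and right <= have:
                findings.append((user, "sod_conflict", tuple(sorted(left | right))))
    return findings

if __name__ == "__main__":
    print(provision(ACTUAL, HR))
    print(reconcile(ACTUAL, HR))
```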
System access by business partners and customers as well as the increasing reliance on external, Web-based enterprise software systems such as Salesforce.com is also pushing identity management beyond the enterprise. Such broad-based “federated” identity management systems manage identity across organizations, enabling users to sign onto both internal and external systems using a single password.
Andre Durand, founder and chairman of Ping Identity Corp., describes the concept as: “You maintain your IDs, I’ll maintain mine. We have a trusted relationship and we’ll allow your trusted users in without reauthenticating them.”
The implications for Sarbanes-Oxley compliance using such a system aren’t fully clear. Durand says exposure to liability and risk can require modifications to existing agreements with partners, but federation also saves having to replicate information in multiple locations. It could ultimately cut down on the 12 login-password combinations that, Becker says, the average corporate warrior must remember.
Everyone from established giants such as Sun Microsystems, Oracle, Novell, Microsoft and IBM to dozens of startups is now in the identity management software game. Clark says technology is just one of several considerations leaving his clients with tough decisions.
“It’s not just a tech answer. It’s something that must be implemented throughout the enterprise and, if it’s an automated system, it has to be easy to use,” he says. “I think the process and organizational change-management hurdles are greater than the technology hurdles.”