Identity Management - Security Gauntlet Consulting

Identity Management

The business context of security: a white paper

Global Risk Management Solutions

Confidence to become the virtual enterprise.

The following white paper is a joint effort by PricewaterhouseCoopers and Gartner Consulting.

The challenge: evolving demands of e-business

As organizations rush to deploy their e-business strategies and leverage the pervasiveness of the Internet, diverse new challenges arise. The “virtual enterprise” business model blurs the boundaries so that “outsiders” become “insiders.” As a result, there is heightened demand for enterprises to provide ready access to a proliferation of new e-business applications and corporate information assets for a much broader set of users than ever before. Competitive survival depends on the enterprise’s ability to effectively engage, enable and transact business online directly with business partners, suppliers, customers and employees.

Delving deeper into this (r)evolution, it becomes apparent that the shift to the Internet as a primary medium for e-business has introduced a new set of security and management concerns. Each set of relationships – between buyer and seller, between employees and their employers, between specific departments, or applications within and outside the enterprise – has its own set of information access and security requirements. As enterprises seek to achieve a greater percentage of revenue from e-business channels, the degree of information security risk increases, and the number of necessary security controls rises. Each new component of the technology infrastructure – operating systems, networks, databases, web servers and applications – has evolved its own set of security mechanisms. Each brings a new and different way to manage user access privileges. Each adds a new database to store user attributes, access rights and entitlements, often having different rule bases and primitive administrative interfaces. The result is increased security exposure, increased staffing, drastically escalated operating costs and lost productivity due to unwieldy and complicated administrative processes. A critical success factor for enterprises conducting business on the Internet is the organization’s ability to authenticate, authorize and provision user access rights in a unified, consistent and effective way.

The solution: Identity Management

The strategic solution to this business challenge is Identity Management (IM), a business strategy affecting the entire organization.

Objectives and benefits

The primary objectives of IM are to seek the following benefits:

• Improve the security and protection of key corporate applications and information assets through:
  • Real-time permission and policy enforcement
  • Continuous real-time auditing to detect and remove security risks
  • The ability to easily and automatically remove terminated users and revoke their access rights
  • Providing a centralized, authoritative source of user identities, privilege and access information

• Lower user administration and provisioning costs by:
  • Automating manual or semi-manual tasks involved in changing access rights or provisioning end users
  • Eliminating duplicated tasks and reducing the risk of error
  • Enabling staff to focus on core functions, easily servicing a rapidly increasing number of users

• Ensure compliance with the policies of the enterprise and external governing bodies

Perceived barriers

Like all benefits, the ones listed above can only be achieved through investment. Many organizations understand there are barriers to overcome before obtaining the rewards of IM, but hesitate to tackle them lest they be too high.

Below are common perceived barriers that are, in fact, readily addressed through a properly implemented IM strategy:

• Cost savings may be problematic to quantify – except at the highest levels of organizations – due to administrative costs dispersed throughout many departments
• IM is a multiyear project; not all projects will achieve ROI in less than a year

Undervalued benefits

• The benefits of even dramatically improved security and administration processes relative to costs may be misunderstood and undervalued, making costs difficult to justify

• Resources are limited and often allocated to other business priorities
• Current levels of system and user administration are viewed as “good enough”

• Understanding current workflows and data architecture for IM makes such a project seem overwhelming

Achieving ROI

IM provides a significant return on investment in many organizations. A principal means of achieving ROI comes from lowering costs and making investments readily justifiable by:

• Reducing time and resources required to administer user IDs and passwords
• Reducing time and resources required at the helpdesk for security access issues
• Minimizing the productivity time lag incurred when new employees are brought onboard and must be provided with specific resources in order to perform their jobs
• Reducing time and resources required for user administration. In dynamic organizations – characterized by numerous mergers, acquisitions, layoffs, organizational changes, etc. – major transitions involving the integration or termination of employees, systems and applications are sources of particular cost savings once IM is in place
• Eliminating or reducing the possibility of a major breach of security due to insufficient user access controls

A thorough understanding of the organization’s workflows and data architecture will contribute to the ROI for many information technology initiatives, IM included. Once the projected returns are quantified, the allocation of resources to IM projects should fall in line with other top priorities in the organization. With proper calculation and the demonstrable efficiencies listed above, most IM deployments will achieve ROI within one to three years.

What is Identity Management?

IM is not a turnkey solution – it is a business strategy manifested in a comprehensive and evolving solution deployment that must ultimately involve the entire enterprise. IM is a convergence of technologies and business processes. There is no single approach to IM because the strategy must reflect specific requirements within the business and technology context of each organization.

The framework of an IM solution comprises several key components:

• Enterprise information architecture
• Permission and policy management
• Enterprise directory services
• User authentication
• User provisioning
• Workflow

Enterprise information architecture

The first and most important step to developing and deploying an IM strategy is to understand the business requirements – the enterprise information architecture. Organizations embarking on significant e-business efforts need first to understand their key business processes and to determine the critical applications, information assets and transactions that are necessary to meet their e-business objectives. As a part of this assessment the organization must define which users need access to which resources and at what level of security. Administrators can then establish appropriate permission and security policies.

In many organizations, the analysis just described can be a very challenging process. Oftentimes there are sensitive political issues that need to be addressed. Ideally, this analysis should be performed from an enterprise, rather than departmental, basis, therefore requiring an organization to break down its “stovepipe mentality.”



Permission and policy management

Establishing a set of well-understood permission and security policies, and ensuring the real-time enforcement of these policies, is at the core of any IM strategy. An organization must define the following permission and policy criteria:

• Who is accessing our systems and applications?
• Where are they allowed to go?
• What are they allowed to do?
• How do we provision to allow access or reverse provision to revoke access?
• Who owns the identity and access information?
• Who should manage this information?
• What are the considerations for privacy?

Many organizations have found that in order to ensure effective management of user authorization, access rights should be assigned to users according to the role they play within or outside of the organization. Thus, role-based policy management allows the organization to define a consistent set of access rights necessary for an individual to carry out the responsibilities of their role, whether they are an employee, a customer, a supplier or a business partner.
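The role-based policy management just described, together with the "real-time permission and policy enforcement" and "continuous real-time auditing" objectives listed earlier, can be made concrete in a few lines. The following Python is an added example and is not code from the white paper or from either firm: the role names, the resources, the permissions and the user records are constructed assumptions. It derives a user's effective rights from their roles, answers an access request from that derivation, and audits what an application actually grants against what the roles justify, reporting excess rights (to revoke) and missing rights (provisioning that did not complete).

```python
# Added example (not from the white paper): role-based entitlements with a
# real-time enforcement check and a drift audit. All role names, resources,
# permissions and user records below are constructed for illustration.

from dataclasses import dataclass, field

# Role -> set of (resource, permission) pairs. Constructed sample policy; a real
# deployment would load this from the enterprise directory or policy store.
ROLE_POLICY = {
    "employee":   {("intranet", "read"), ("email", "use"), ("hr-selfservice", "read")},
    "hr-analyst": {("hr-system", "read"), ("hr-system", "write")},
    "customer":   {("storefront", "order"), ("support-portal", "read")},
    "supplier":   {("procurement", "submit-invoice")},
    "partner":    {("partner-portal", "read"), ("crm", "read")},
}


@dataclass
class User:
    uid: str
    roles: set[str] = field(default_factory=set)


def effective_rights(user: User) -> set[tuple[str, str]]:
    """Union of the rights granted by each of the user's roles.

    A role the policy does not define raises KeyError rather than silently
    granting nothing, so a typo in a role assignment is noticed, not ignored.
    """
    rights: set[tuple[str, str]] = set()
    for role in user.roles:
        rights |= ROLE_POLICY[role]
    return rights


def is_allowed(user: User, resource: str, permission: str) -> bool:
    """Real-time enforcement: deny unless some current role grants the right."""
    return (resource, permission) in effective_rights(user)


def audit_drift(user: User, observed: set[tuple[str, str]]) -> dict[str, set[tuple[str, str]]]:
    """Compare what applications actually grant against what the roles justify.

    'excess' is the audit finding: rights no current role explains (typical
    after a transfer or a manual one-off grant) and that should be revoked.
    'missing' indicates provisioning that did not complete.
    """
    expected = effective_rights(user)
    return {"excess": observed - expected, "missing": expected - observed}


# Constructed sample: an analyst who transferred out of HR but kept HR write
# access, and whose self-service entitlement was never provisioned.
ALICE = User("alice", {"employee"})
ALICE_OBSERVED = {("intranet", "read"), ("email", "use"), ("hr-system", "write")}

if __name__ == "__main__":
    print("alice may write hr-system:", is_allowed(ALICE, "hr-system", "write"))
    print("drift report:", audit_drift(ALICE, ALICE_OBSERVED))
```

The audit function is the piece worth running continuously: feeding it each application's actual access list against the directory's role assignments turns the "detect and remove security risks" objective into a concrete, repeatable report.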

Case Study – Identity Management Integration

Business Problem

A large retail company experiencing high costs of manual processing of identity management due to significant employee turnover (>150%).

Implement software, policies, processes and procedures for centralized directory management:

• Established automated solution with secure administration handled from HR feed to eliminate manual intervention
• Implement BMC Control SA

• Cost avoidance of $1.5M per year (15 new hires per year)
• Automated identity distribution to new users; dramatically reduced user calls to the helpdesk for password reset; automated password synchronization for a variety of applications
• Achieved functionality required, in target timeframe, at target cost

Identity Management Executive Interview Findings Engagement: 220130370-3 October 2001 Entire contents © 2001 Gartner, Inc. All rights reserved.



Enterprise directory services

Enterprise directory services are emerging as the cornerstone for IM. The enterprise directory serves as a centralized repository for storing and managing user identities and access privileges, as well as applications, information and network resources. This is complemented by a common lookup method – Lightweight Directory Access Protocol (LDAP) – used by applications to retrieve the data in a standard way. Setting up an enterprise directory requires a great deal of analysis, planning and integration. Larger enterprises may typically have a few hundred mini-directories and data repositories scattered around the enterprise, with email, network operating systems and applications all housing user information. The enterprise directory typically pushes and pulls information from the secondary directories.

At a basic level, the directory stores valid user names and perhaps other user credentials, including certificates and keys, which can be accessed for authentication and authorization purposes. Alternatively, the directory can have a more sophisticated role, wherein it arbitrates the authenticity of a user, and then provides granular run-time access control according to the user’s privilege attributes inside the directory.

User authentication

Authentication is a key component of any IM strategy. Authentication is the process that verifies the identity of a user so that access to protected resources can be correctly granted or denied. Authentication techniques range from a simple login based on user IDs and passwords, to more powerful mechanisms like tokens, public-key certificates and biometrics.

In an e-business environment, users may access multiple applications spanning many web servers within a single site and even across multiple sites. Effective IM strategies will deploy single sign-on (SSO). SSO allows users to access multiple resources while only having to authenticate once. SSO provides seamless access for users and minimizes the administrative burden in more than one way. End users have only one user ID and password (or other authentication mechanism) to remember and, therefore, there are fewer calls to the helpdesk inquiring about forgotten or lost IDs and passwords. Additionally, user administration needs to manage only one ID and password for each user.

Figure 1: The enterprise directory serving as a centralized repository.



User provisioning and workflow

User provisioning is the process of deploying access rights based on business policies for employees, customers and business partners. In an effective IM strategy, there is a centralized or single point of administration for the assignment and subsequent retraction of these access rights. User provisioning can extend beyond applications and data, and can include other required business resources like credit cards, phone cards, PCs, parking, phones/phone numbers, desks and offices – likely resources that would be issued to a new employee, for example. The robustness of user provisioning within an enterprise’s IM strategy will depend on the business need, potential ROI and maturity of the IM deployment process.

Workflow is the automated process that enables and supports user provisioning. As an administrator is assigning users their access rights, the workflow provisioning process triggers appropriate notifications and updates to applications and individuals required to complete the provisioning process (e.g., the IT department would receive a notification to issue a PC to a new employee; Facilities would receive a notification to issue a desk, office space and parking location).

Figure 2: A single point of administration for user provisioning.
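The provisioning and workflow process above, and the earlier objective of automatically removing terminated users, come down to one reconciliation pass driven by an authoritative feed (the first case study's "HR feed"). The Python below is an added example, not code from the white paper or from any product it names; the HR record format, the role-to-rights table, the resource lists and the department names are constructed assumptions. It handles joiners (create the directory entry, grant role rights, notify IT and Facilities to issue a PC, desk and parking), movers (re-derive rights from the new role, revoking what the old role granted) and leavers (revoke everything, then disable), and it treats an active account that has vanished from the feed as a leaver too.

```python
# Added example, not code from the white paper: an HR-feed-driven provisioning
# pass (joiner / mover / leaver) that emits the actions and workflow
# notifications described in "User provisioning and workflow". Record formats,
# role names, resources and departments are all constructed assumptions.

from dataclasses import dataclass

# Role -> application entitlements (constructed sample policy).
ROLE_RIGHTS = {
    "sales": {"crm", "email", "intranet"},
    "finance": {"ledger", "email", "intranet"},
}

# Non-IT resources requested from other departments when someone joins (constructed).
ONBOARDING_REQUESTS = {
    "IT": ["PC", "network account"],
    "Facilities": ["desk", "office space", "parking"],
}


@dataclass
class DirectoryEntry:
    uid: str
    role: str
    rights: set[str]
    active: bool = True


@dataclass
class Action:
    kind: str        # "create", "grant", "revoke", "disable" or "notify"
    uid: str
    detail: str = ""


def _deprovision(uid: str, entry: DirectoryEntry, actions: list[Action]) -> None:
    """Leaver handling: revoke every right, then disable the account."""
    for right in sorted(entry.rights):
        actions.append(Action("revoke", uid, right))
    entry.rights.clear()
    entry.active = False
    actions.append(Action("disable", uid))


def reconcile(hr_feed: list[dict], directory: dict[str, DirectoryEntry]) -> list[Action]:
    """Turn one complete HR feed into an ordered list of provisioning actions.

    hr_feed: records like {"uid": "u1", "role": "sales", "status": "active"},
             with status "active" or "terminated".
    directory: current directory state keyed by uid; updated in place.
    The feed is assumed to be complete, so an active directory entry that HR no
    longer lists at all is treated as a leaver as well.
    """
    actions: list[Action] = []
    seen: set[str] = set()
    for rec in hr_feed:
        uid, role, status = rec["uid"], rec["role"], rec["status"]
        seen.add(uid)
        entry = directory.get(uid)
        if status == "terminated":
            if entry is not None and entry.active:
                _deprovision(uid, entry, actions)
            continue
        wanted = ROLE_RIGHTS[role]  # KeyError on an undefined role: fail closed
        if entry is None:
            # Joiner: create the entry and notify the departments that issue resources.
            entry = DirectoryEntry(uid, role, set())
            directory[uid] = entry
            actions.append(Action("create", uid, role))
            for dept, items in ONBOARDING_REQUESTS.items():
                actions.append(Action("notify", uid, f"{dept}: issue {', '.join(items)}"))
        elif entry.role != role:
            # Mover: record the change; rights are re-derived from the new role below.
            actions.append(Action("notify", uid, f"role change {entry.role} -> {role}"))
            entry.role = role
        for right in sorted(wanted - entry.rights):
            actions.append(Action("grant", uid, right))
            entry.rights.add(right)
        for right in sorted(entry.rights - wanted):
            actions.append(Action("revoke", uid, right))
            entry.rights.discard(right)
    for uid, entry in directory.items():
        if uid not in seen and entry.active:
            _deprovision(uid, entry, actions)
    return actions


# Constructed sample: u1 joins, u2 moves from sales to finance, u3 is terminated,
# u4 has dropped out of the HR feed entirely.
SAMPLE_HR_FEED = [
    {"uid": "u1", "role": "sales", "status": "active"},
    {"uid": "u2", "role": "finance", "status": "active"},
    {"uid": "u3", "role": "sales", "status": "terminated"},
]


def sample_directory() -> dict[str, DirectoryEntry]:
    return {
        "u2": DirectoryEntry("u2", "sales", {"crm", "email", "intranet"}),
        "u3": DirectoryEntry("u3", "sales", {"crm", "email", "intranet"}),
        "u4": DirectoryEntry("u4", "finance", {"ledger", "email"}),
    }


if __name__ == "__main__":
    for action in reconcile(SAMPLE_HR_FEED, sample_directory()):
        print(action.kind, action.uid, action.detail)
```

Two properties matter for a deployment of this kind: the pass is idempotent (running it again against an unchanged feed produces no actions), and revocation is derived from the same role table as granting, so a mover loses the old role's rights rather than accumulating them.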



Deploying an Identity Management strategy

The business context for IM

The triumph of IM doesn’t just rest in the hands of technologists. The success of this strategic e-business solution depends on the support of the entire enterprise.

Case Study – Identity Management Integration

Business Problem

A large financial services institution was dedicating too many resources for user identity management, and customer satisfaction over identity maintenance was declining.

Implement a centralized identity management system with common services/components and enterprise directory infrastructure for employees, agents and vendor partners:

• Migrated homegrown flat file to industry standard directory with universal ID for employees and business affiliates
• Solved centralized administration, consolidated single sign-on (SSO), tied together disparate platforms and automated a push strategy, enforcing data integrity
• Implemented critical path

• Achieved ROI of 40% in less than one year
• Reduced nightly processing from 2,200 changes (A/D/Ms)
• Reduced 12,000 applications, email directories to centralized directory with linkages
• Reduced the requirement to add administrators with each new system – previously added average of 10 administrators for each new system to manage identities (password creation/management)

Identity Management Executive Interview Findings Engagement: 220130370-3 October 2001 Entire contents © 2001 Gartner, Inc. All rights reserved.

Management commitment

With the growth of e-business, information security affects all areas of an enterprise and is becoming recognized as an enabler of the new business model. Information security decision-making, which traditionally has been primarily left up to the IT department, is moving to the business units and the enterprise at large. Senior enterprise management support, not just IT management support, is essential for an effective IM strategy deployment. The success of e-business initiatives rests with complex management of access to information assets. When done incorrectly, or not at all, it can cost an enterprise its business.

Decisions about who and what access to give to key corporate applications and information resources need to be made by those business units responsible for those business relationships. Enterprises must identify all costs associated with protecting their information assets and put in place a structured methodology to manage them. Organizations should consider initiating a cross-business-unit team that would include the appropriate representative from HR, IT, Security and all relevant line business units to guide the IM decision-making and deployment processes.

Case Study – Identity Management Integration

Business Problem

A large high-tech service provider was applying a great number of resources to user and access management and administration across a highly distributed, multi-platform environment.

Implement centralized security management and control system across multiple platforms:

• Established centralized access administration and directory structure
• Implemented enterprise authorization infrastructure with ERP system
• Integrated security administration system to automate provisioning of secure credentials and role-based permission

• Achieved productivity improvements in the area of $40M per year; reduced helpdesk inquiries by 80%
• Increased productivity and turnaround to grant all necessary access, authorization and privileges to new employees from 10 days to minutes with new system suite
• Strengthened robustness of control environment with single sign-on (SSO) and standard X.509 certificates

Identity Management Executive Interview Findings Engagement: 220130370-3 October 2001 Entire contents © 2001 Gartner, Inc. All rights reserved.


New laws and regulations are imposing information security requirements, and often all enterprises in a particular industry must comply with these regulations, regardless of the size of the enterprise. Examples of these include the Health Insurance Portability and Accountability Act (HIPAA) in the Healthcare industry and the Gramm-Leach-Bliley Act in the Financial Services industry. Increasingly, enterprises are requiring their trading partners to live up to a certain level of security in order to maintain their relationships. These types of requirements will be a major consideration in any IM strategy development process.



The technology context for IM

An IM strategy will require the careful selection and integration of directory services, Privilege Management Infrastructure (PMI) and user provisioning and workflow software products in order to meet the unique requirements of a particular enterprise. It will also rely heavily on the IT infrastructure and security foundation upon which it is deployed.

Many organizations will find they are overwhelmed by the technology choices and understaffed or even deficient in the appropriate knowledge and experience to develop and deploy an effective IM strategy. Organizations should seek consultative and professional service firms for assistance. These firms can assist in the formulation of an effective, long-term strategy, and subsequently assist in making the appropriate product evaluations and solution considerations.

Scoping and staging the deployment

For resource, cost or timing considerations, an IM solution may be deployed in stages or phases. In spite of this, an organization should never lose sight of its end game – the total enterprise perspective. Considerations for long-term enterprise requirements should be made at every step of the deployment.

Several factors will influence the decisions as to how this staging occurs:

• A high-priority e-business deployment may force an organization to deploy the initial stage of IM on an application basis.
• A new B2E (e-HR) application may cause a significant spike in the number of end users who need to have access to key corporate systems. In this case, a provisioning solution that creates a more efficient user administrative process may be deployed first.
• Industry compliance requirements may put pressure on an organization to tighten up security measures. A PMI solution that introduces the use of Public Key Infrastructure (PKI) may increase the strength of the authentication process to meet compliance requirements.
• An organization may be deploying a major portal for one of its user constituencies and require that this group of users gain access through the portal to any number of application and information resources. In this scenario, a single sign-on (SSO) deployment may take the lead.

In almost all deployments, organizations will be required to address the enterprise directory strategy as part of the initial phase, as directory services sit at the hub of any successful IM solution.

IM is usually deployed in conjunction with other technology or application deployments. In all cases, seamless integration is key.



Integration with key enterprise applications

An IM solution, in essence, becomes not only a gatekeeper, but also an enabler of key enterprise business applications, like ERP, supply chain, Customer Relationship Management (CRM), email, financial systems, HR systems, user network accounts and others. With an IM solution in place, integrated enterprise applications can efficiently, consistently and accurately identify users and provide personalized capabilities and services.

Each application must be integrated into the IM solution. Most leading IM products provide simple API-based integration capabilities. As an IM strategy is being deployed, all new applications should be integrated immediately with these interfaces.

Organizations must evaluate the relative priority of integrating existing applications into the strategy. Some legacy applications may contain their own custom-designed security mechanisms that will need to be replaced with the chosen IM approach. Some applications may be left out of the equation if the time and resources required exceed the benefit for inclusion in an enterprise’s e-business and IM strategy.

The trusted IT infrastructure

The evolving demands of e-business will require acute agility in every enterprise. Competitively, every organization will be required to create a seamless and trusted IT infrastructure that instills confidence and loyalty in all of its user constituencies: customers, partners and employees. IM is becoming an essential solution for progressive enterprises that are taking this strategic approach to their e-business plans.




Ensuring that users and applications are appropriately identified before gaining access to information assets.

Ensuring that properly authenticated users or applications can access only those IT resources to which the information owner has given approval.

Authentication mechanisms that involve the unique physical or behavioral traits of an individual, such as fingerprints, iris patterns or voice.

Enterprise Access Management (EAM)

See Privilege Management Infrastructure (PMI).

Logging, Reporting and Auditing

Ensuring that all security violations and sensitive activities (security administration, sensitive business activities performed through technology) are documented and can be easily retrieved for investigation and management purposes.

Privilege Management Infrastructure (PMI)

Another term and acronym for products that provide a single, unified mechanism and interface that embrace both user authentication (including single sign-on) and mechanisms for allowing an organization to manage and enforce user access rights within the extranet. A synonym for Enterprise Access Management (EAM).

Security Administration

Ensuring that a management process is in place to process user access requests in accordance with the stated directions of the information owner.

Security Architecture

Ensuring that information security policies, standards, baseline controls, technology solutions and management processes are defined to enable specific technology and business needs of the enterprise.

Single Sign-On (SSO)

Technology that allows users to be securely authenticated once and then granted access programmatically to all IT resources they need to perform their function.

X.509 Public Key Certificates (Public Key Infrastructure – PKI)

A digitally signed statement from a trusted third party that states a public key is valid. PKI is the authentication mechanism that utilizes both private and public key certificates to maintain security.

PricewaterhouseCoopers’ Security Integration Services

PricewaterhouseCoopers is a global leader in electronic security, with more highly trained professionals in the field than any other organization. Consultants who comprise our worldwide security integration team:

• Are dedicated exclusively to integrating and implementing security solutions
• Have mastered a rigorous, hands-on training curriculum, so clients get top performance from the first day of the engagement to project completion
• Work closely with the leading vendors in the industry, acquiring product knowledge that’s second to none
• Use tested, proprietary methodologies for consistently excellent results
• Have the training and experience to identify and address hidden security risks
• Have successful track records implementing solutions for leading corporations worldwide
• Combine IT knowledge and security expertise with business understanding
• Complement and enhance the security skills found among in-house staff
• Are always there for our clients, ensuring that their needs will continue to be met as the information security industry and its technologies evolve

PricewaterhouseCoopers Global Risk Management Solutions (GRMS)

Global Risk Management Solutions is devoted exclusively to the critical business issues of security, privacy and compliance, operational effectiveness and management assurance. Through proven methodologies, best-of-breed tools and best practice services, GRMS helps organizations assess, design, implement and maintain a secure and high-performance business infrastructure. With more than 6,000 professionals located around the globe, GRMS represents the world’s largest risk management practice.

Major PricewaterhouseCoopers Contributors

Joe Duffy

Jim Barrett

Gary Loveland

Jerry Lewis

The information provided is not intended to address the specific circumstances of any individual entity. In specific circumstances, the services of a professional should be sought.

Your worlds

Our people

© 2001 PricewaterhouseCoopers LLP. PricewaterhouseCoopers refers to the US firm of PricewaterhouseCoopers LLP and other member firms of the worldwide PricewaterhouseCoopers organization.
