<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Alwyn Van Niekerk &#187; IDM</title>
	<atom:link href="http://www.alwynvanniekerk.com/tag/idm/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.alwynvanniekerk.com</link>
	<description></description>
	<lastBuildDate>Tue, 26 Jan 2010 19:44:16 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>The Identity Management Solution</title>
		<link>http://www.alwynvanniekerk.com/2008/the-identity-management-solution/</link>
		<comments>http://www.alwynvanniekerk.com/2008/the-identity-management-solution/#comments</comments>
		<pubDate>Mon, 19 May 2008 10:00:26 +0000</pubDate>
		<dc:creator>Alwyn</dc:creator>
				<category><![CDATA[IDM]]></category>
		<category><![CDATA[Tech Leader]]></category>

		<guid isPermaLink="false">http://www.alwynvanniekerk.com/?p=40</guid>
		<description><![CDATA[In my first article I described the requirement for an Identity management (IdM) solution. In this article I will highlight some of the ways in which a properly implemented IdM solution can meet those requirements.
One of the very first deliverables in an IdM project is to establish the single view of an identity. Your IdM [...]]]></description>
			<content:encoded><![CDATA[<p>In my first <a href="http://www.alwynvanniekerk.com/?p=38" target="_blank">article</a> I described the requirement for an Identity management (IdM) solution. In this article I will highlight some of the ways in which a properly implemented IdM solution can meet those requirements.</p>
<p>One of the very first deliverables in an IdM project is to establish the single view of an identity. Your IdM solution will integrate with all the authoritative sources for each identity attribute and bring them together in a central location to provide a single view of all the identities within your organization.</p>
<p>With the single view established your IdM solution will ensure that it remains consistent across the organization by syncing all relevant changes to all the interested systems. Once the single view of an identity becomes consistent across the organization the entire identity life cycle becomes extremely efficient.</p>
<p>New users are only captured once in the system and all changes will be propagated automatically, or by using workflow processes where approval is required, to ensure that the new user has everything they need (PC, desk, telephone, access rights, accounts, etc.) to start working on the very first day they arrive for duty.</p>
<p>A good IdM solution will provide a user self-service facility, enabling the user to eliminate their interactions with support staff throughout the change phase of the life cycle. Statistics prove that roughly 40% of all help desk calls are password-related, and a self-service facility will enable the users to reset their passwords themselves in a secure, authenticated manner without involving the help desk staff &#8211; thereby greatly reducing the help desk load.</p>
<p>Once the user hands in their resignation (or gets fired) the IdM solution will ensure that all accounts are disabled and deleted where required, and can integrate with your asset management systems to ensure that all equipment used by the staff will be collected and taken back to the stores. Not only does this reduce the security risk of dormant accounts, but it also enables greater asset management by ensuring that everybody stays in the loop.</p>
<p>Legislative requirements around auditing are increasing and most good IdM solutions will provide end-to-end auditing straight out of the box, with a select few solutions providing the capability to audit the auditor, giving you complete visibility of the changes that affect the identities and their security profiles in the organization. This will enable you to have clear visibility of the triggers that caused a user to have the access rights and privileges they have, and how they came by them.</p>
<p>The above are some of the benefits almost every organization can realize from implementing an IdM solution. In my next article I will discuss some of the pitfalls and problems you should be aware of when going through an IdM project.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.alwynvanniekerk.com/2008/the-identity-management-solution/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Case for Identity Management</title>
		<link>http://www.alwynvanniekerk.com/2008/the-case-for-identity-management/</link>
		<comments>http://www.alwynvanniekerk.com/2008/the-case-for-identity-management/#comments</comments>
		<pubDate>Wed, 14 May 2008 15:12:11 +0000</pubDate>
		<dc:creator>Alwyn</dc:creator>
				<category><![CDATA[IDM]]></category>
		<category><![CDATA[Tech Leader]]></category>
		<category><![CDATA[People & Process]]></category>

		<guid isPermaLink="false">http://www.alwynvanniekerk.com/?p=38</guid>
		<description><![CDATA[Identity management (IdM) has become a buzz phrase in the industry surrounded by more confusion than facts and experience. So what exactly is an identity and why do we need to manage it?
An identity consists of attributes describing a person — typically name, surname, ID number, email address, etc. IdM concerns itself with the management [...]]]></description>
			<content:encoded><![CDATA[<p>Identity management (IdM) has become a buzz phrase in the industry surrounded by more confusion than facts and experience. So what exactly is an identity and why do we need to manage it?</p>
<p>An identity consists of attributes describing a person — typically name, surname, ID number, email address, etc. IdM concerns itself with the management of these attributes of a person as that person travels through a typical life cycle, in this example an employee in a company.</p>
<p>Consider the usual HR process when a person joins a new company. The person completes forms specifying his particulars, which will be captured into the HR system, which is typically not integrated with any other system. The form is then sent on to the PABX and Windows administrators to arrange the new employee’s phone, system account and email address — and so the process continues until the new employee can do their daily work activities.</p>
<p>This is the start of the identity life cycle, inevitably followed by change. People’s details change (e.g. surname changes), and typically employees are firstly oblivious of the multiple systems in which they exist, and secondly do not know exactly which one of the weird IT guys to speak with to have their details updated. Given that these systems aren’t integrated, they have to repeat this process until they have finally updated all the systems.</p>
<p>In a company, most systems attach digital and physical access privileges to a person’s position and place in the company’s organisational structure. As people move around within a company and change position, there is an even bigger requirement to manage their access privileges &#8211; firstly to avoid any security risks by removing the previous set of privileges that they no longer need, and secondly to assign their new access rights so that they experience no breaks in productivity.</p>
<p>Scaling up the above scenario to a company with thousands of employees and numerous stand–alone systems breeds a management and security nightmare with a complete lack of end–to–end traceability of the changes made to a person’s identity and security profile over time.</p>
<p>The end of this identity life cycle is when the employee resigns. All accounts, rights and privileges must be revoked immediately so as not to leave any dormant accounts in the systems which could potentially be used in a security breach. Data breaches are becoming more and more common and countries like the USA are moving to get legislation in place to hold the company accountable for these breaches.</p>
<p>The above example illustrates a very real scenario in most organisations today. IdM has never received the attention it requires to ensure the automated end–to–end management of these identities while providing the full auditing and traceability required for numerous regulatory requirements, which are becoming a reality for almost all companies maintaining customer data.</p>
<p>In this article I’ve detailed a typical scenario that requires proper IdM focus. In my next article I will illustrate how IdM tools and technologies can address and successfully manage these everyday problems.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.alwynvanniekerk.com/2008/the-case-for-identity-management/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>2nd Annual Identity &amp; Access Management Forum</title>
		<link>http://www.alwynvanniekerk.com/2008/2nd-annual-identity-access-management-forum/</link>
		<comments>http://www.alwynvanniekerk.com/2008/2nd-annual-identity-access-management-forum/#comments</comments>
		<pubDate>Mon, 21 Apr 2008 18:36:19 +0000</pubDate>
		<dc:creator>Alwyn</dc:creator>
				<category><![CDATA[IDM]]></category>
		<category><![CDATA[Conference]]></category>

		<guid isPermaLink="false">http://www.alwynvanniekerk.com/?p=26</guid>
		<description><![CDATA[The morning started off with a session by Allison Singh from Novell SA. I&#8217;ve had quite a few interactions with Allison since I started using Novell products and he was as always on top of his game despite being seriously jet lagged. Interesting things mentioned today (from all the sessions):

 US laws being introduced that [...]]]></description>
			<content:encoded><![CDATA[<p>The morning started off with a session by Allison Singh from Novell SA. I&#8217;ve had quite a few interactions with Allison since I started using Novell products and he was as always on top of his game despite being seriously jet lagged. Interesting things mentioned today (from all the sessions):</p>
<ul>
<li> US laws being introduced that assign responsibility to companies in the event of data theft. One of the trends stemming from this would be keeping a reduced identity footprint.</li>
<li> RBAC is becoming quite the trend. This is clearly an abstraction layer aimed at providing greater agility in an Identity and access management system. To me this loosely translates to entitlements in Novell speak &#8211; something I&#8217;ve built in from day 1.</li>
</ul>
<p>One topic I was &#8216;introduced&#8217; to today that has been lingering in my mind for the last while and which was perfectly brought to life today was the concept of end-to-end architecture. My primary interest is in using security events from your authentication systems (a user swiping their access card at the building entrance) as triggers to disable the specific user&#8217;s accounts until that user enters the building again.</p>
<p>This is very fine-grained access control utilizing the IDM infrastructure but delivering very concrete benefits. Combining physical access control with your digital access control systems provides the complete end-to-end solution which eliminates the majority of potential security breaches (e.g. hijacking an unlocked PC when the user leaves their desk).</p>
<p>Another very interesting discussion today was using the IDM synchronization engine to administer business-specific attributes which you won&#8217;t traditionally find in the classic IDM attribute set. Personally I&#8217;ve refused this practice as users are very quick to request something like this once they realize the efficiencies of a successful IDM implementation. I believe you&#8217;ll have to decide for yourself how far you want to go given your existing business application solution, but once your security events become input and triggers for business events then the line becomes very gray indeed.</p>
<p>There were quite a few delegates from Africa at the conference, and it was extremely interesting to hear the challenges faced by these private companies and government IT departments. Of particular interest was a discussion of the Botswana government, which also doubles as an ISP for all government institutions (schools included). You can only imagine how complicated the solution becomes with implementing identity and access management across such a distributed model.</p>
<p>It was obvious from today that a lot of people and companies are talking about doing IDM, but there are very few instances where a company has walked a 2-3 year path with IDM and is willing to share the lessons learned. I had a few discussions with people who are investigating IDM and it&#8217;s clearly a chaotic landscape of new jargon and massive infrastructure which very few newcomers have managed to get their heads around. I&#8217;d guess that there are probably only just over a handful of proper IDM solutions in South Africa at this point in time, but it&#8217;s growing and people are waking up to the need they all have but just didn&#8217;t quite know &#8211; yet&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.alwynvanniekerk.com/2008/2nd-annual-identity-access-management-forum/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
