RFP Toolkit: Stand out in the crowd
When Utah rolled out an identity management system five years ago, it did so for a simple reason: The governor wanted a new e-mail address.
"He was tired of spelling out Michael dot Leavitt at state dot UT dot US," said Phillip Windley, then CIO for the state, now a computer science professor at the University of Utah. "We owned the domain Utah.gov, so we decided to give him and every other state employee a Utah.gov address."
However, making the change was anything but simple. Utah had to upgrade network directories at nearly every agency and create a metadirectory to synchronize their data. It also had to get consensus on a naming schema (i.e., first name, last name, etc.).
"Getting everyone in a decentralized organization to agree on anything can be a challenge," Windley said.
Today, when government agencies implement identity management systems, security is more likely their primary concern. Homeland Security Presidential Directive-12 of August 2004 requires the federal government to adopt standard ways of securing physical access to buildings and logical access to information systems. Although not bound by HSPD-12, many state and local governments also are implementing an IDMS for added security and efficiencies.
"Our first reason for adopting identity management was to tighten up security," said Norman Jacknis, CIO for New York's Westchester County, which is rolling out IBM Tivoli's identity management suite to more than 6,000 county employees. "We also realized we're wasting enormous resources by having every software developer build their own ID structure."
An IDMS can reduce the number of passwords an employee must remember, and automate password recovery, slashing help-desk costs. It also can simplify provisioning for new hires or terminations, letting IT or human resources departments control access to network resources with a few keystrokes.
Before rolling out an IDMS, you must define roles and set policies for every contractor and employee in an agency. This lets people access some systems but not others, depending on their roles.
Some IDMS are more flexible than others, said Ellen Libenson, vice president of product management for Symark, an enterprise IDMS vendor in Agoura Hills, Calif. Ensure that an IDMS lets the agency define roles based on factors such as an employee's title, department and security clearance, and manage resources at a level granular enough to, for example, deny access to certain databases after normal working hours.
The ability to manage many roles is also important for large agencies. The United Kingdom's Ministry of Defence has 400,000 employees but more than 600,000 roles, said Torgeir Pedersen, senior architect for Trondheim, Norway-based MaXware.
A basic IDMS authenticates users, manages access to resources and helps users better manage password security. A better IDMS provides a "three-strikes" capability, locking users out after a specified number of failed login attempts, Symark's Libenson said. It also would capture users' keystrokes during login to help spot potential break-ins.
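As an added illustration (not code from the article or from any vendor it names), here are the policy rules described above in a small Python access-decision module: roles derived from title, department and clearance, an after-hours restriction on a database, and the "three-strikes" lockout. The role, resource and user values are constructed sample data, and the lockout threshold and working hours are assumed policy values.

```python
from dataclasses import dataclass
from datetime import datetime
MAX_FAILED_LOGINS = 3          # "three strikes" threshold (assumed policy value)
WORKING_HOURS = range(8, 18)   # 08:00-17:59 counts as normal working hours (assumed)

@dataclass
class User:
    name: str
    title: str
    department: str
    clearance: str
    failed_logins: int = 0
    locked: bool = False

# Roles are derived from employee attributes rather than assigned by hand (constructed sample roles).
ROLES = {
    "finance-analyst": {"department": "Finance", "clearance": "secret"},
    "hr-admin": {"department": "HR", "title": "Administrator"},
}

# Per-resource policy: which roles may use it, and whether access is limited to working hours.
RESOURCES = {
    "payroll-db": {"roles": {"finance-analyst", "hr-admin"}, "business_hours_only": True},
    "intranet": {"roles": {"finance-analyst", "hr-admin"}, "business_hours_only": False},
}

def roles_for(user: User) -> set:
    """Every role whose attribute requirements the user satisfies."""
    return {r for r, req in ROLES.items() if all(getattr(user, a) == v for a, v in req.items())}

def record_login(user: User, password_ok: bool) -> bool:
    """Apply the three-strikes rule; returns True only if the login is accepted."""
    if user.locked:                 # locked accounts stay locked even on a correct password
        return False
    if password_ok:
        user.failed_logins = 0
        return True
    user.failed_logins += 1
    if user.failed_logins >= MAX_FAILED_LOGINS:
        user.locked = True          # an administrator must unlock the account
    return False

def authorize(user: User, resource: str, when: datetime) -> bool:
    """Grant access if the user holds a permitted role and the time-of-day rule allows it."""
    policy = RESOURCES[resource]
    if user.locked or not (roles_for(user) & policy["roles"]):
        return False
    if policy["business_hours_only"] and when.hour not in WORKING_HOURS:
        return False
    return True
```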
Another key driver for this IDMS capability is the Sarbanes-Oxley Act, which requires some agencies to maintain audit trails of employee access to information systems. But most identity management solutions stop logging the moment you gain access, said Toby Weir-Jones, director of product management for Counterpane Internet Security in Chantilly, Va.
"The system will know when and where you logged in and that you logged out seven minutes later, but it won't know what you did in between," he said. Because most identity management systems aren't designed to track user activity inside applications, they should be able to integrate with third-party tools that do, Weir-Jones said.
For sensitive data and strong authentication, Libenson said, "you'll need a system that integrates easily with tokens, smart cards or biometrics."
For federal agencies, an IDMS must integrate with smart cards based on Federal Information Processing Standard 201 for personal identity verification. FIPS-201-compliant cards store digital fingerprint data and support public-key infrastructure credentials for user authentication.
Because an IDMS touches every major system in an organization, deploying one is a challenging integration project. It may take months, even years, to roll out an IDMS at large agencies with diverse platforms.
Nearly all core enterprise applications, from e-mail to human resources to accounting, have their own user directories. An enterprisewide IDMS must be able to communicate with directories in each application and synchronize the data, even if the account is listed as "George W. Bush" in the accounting application, "Bush, George W" in human resources, and "potus@whitehouse.gov" in e-mail.
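The synchronization problem just described, as an added Python example (not the article's or any vendor's code): a small metadirectory join that normalizes the different name formats into one key and treats HR as the authoritative source, so accounts with no HR owner fall out as orphans, which is what a termination that missed a system looks like. The record layouts and sample values are constructed.

```python
import re

# Constructed sample records from three application directories (not real data).
ACCOUNTING = [
    {"id": "A-100", "name": "George W. Bush"},
    {"id": "A-101", "name": "Jane Q. Public"},
    {"id": "A-102", "name": "Former Contractor"},   # no HR record: a stale account
]
HR = [  # HR is treated as the authoritative source and carries the e-mail address
    {"emp_no": "7001", "name": "Bush, George W", "email": "potus@whitehouse.gov"},
    {"emp_no": "7002", "name": "Public, Jane Q", "email": "jpublic@whitehouse.gov"},
]
EMAIL = [
    {"address": "potus@whitehouse.gov"},
    {"address": "JPublic@whitehouse.gov"},
    {"address": "ghost@whitehouse.gov"},         # mailbox nobody in HR owns
]

def name_key(name: str) -> tuple:
    """Normalize 'First M. Last' and 'Last, First M' to a lowercase (first, last) key."""
    name = re.sub(r"[.\s]+", " ", name).strip()
    if "," in name:
        last, first = (part.strip() for part in name.split(",", 1))
    else:
        parts = name.split()
        first, last = parts[0], parts[-1]
    return first.split()[0].lower(), last.lower()

def build_metadirectory(accounting, hr, email):
    """Link each employee's accounts across systems; returns (identities, orphan accounts).
    A real metadirectory joins on more attributes than the name to cope with duplicates."""
    by_key, by_email = {}, {}
    for rec in hr:
        ident = {"hr": rec["emp_no"], "accounting": None, "email": None}
        by_key[name_key(rec["name"])] = ident
        by_email[rec["email"].lower()] = ident
    orphans = []
    for rec in accounting:
        ident = by_key.get(name_key(rec["name"]))
        if ident is None:
            orphans.append(("accounting", rec["id"]))
        else:
            ident["accounting"] = rec["id"]
    for rec in email:
        ident = by_email.get(rec["address"].lower())
        if ident is None:
            orphans.append(("email", rec["address"]))
        else:
            ident["email"] = rec["address"]
    return list(by_key.values()), orphans
```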
"A key requirement of any identity management system is how effectively it can connect to and use data held by multiple systems," said Chris Zannetos, CEO of Framingham, Mass.-based Courion Corp.
It's necessary to inventory all systems that hold identity data to evaluate whether an IDMS gives an interface to each one, Counterpane's Weir-Jones said. "If they don't, you'll have to build them yourself, which can be expensive. And when the tool changes, you have to upgrade the interface," he said.
Some IDMS packages offer tools to build connectors between applications, but they may need tweaking to work with some apps.
"One of the biggest stumbling blocks is interoperability with other agencies," Weir-Jones said. A "federated" identity management scheme lets employees use the same login and password on any federal network. But as federation standards are still in flux, an IDMS must support multiple standards from the Liberty Alliance, IBM and Microsoft's Web Services architecture, and the open-source Security Assertion Markup Language 2.0.
Chart the processes
The biggest challenges to building an IDMS may not be technological.
"This isn't a solution you're going to buy from someone as much as it is a cultural change in your organization," said the University of Utah's Windley. "How do you assess risk for the various components of your information infrastructure? What authentication guarantees can you pass on to the underlying system? The risk assessment has to be driven by business leaders, not IT security professionals."
Look at the problem from a business or organizational point of view, said Jon Wall, principal technology specialist for Microsoft Federal.
"Figure out what triggers what," he said. "Walk through two scenarios from beginning to end: hiring an employee and terminating one. Chart every system that process will touch and in what order, and do it from an internal agency perspective, not a technology perspective. We can bend software to do a lot of stuff for you, but identity management is really driven by business practices."
Successfully implementing an IDMS requires a slow, steady rollout and lots of patience, Westchester County's Jacknis said.
"We've had so many surprises with identity management products," he said, "I can only say that I hope to be done [with our rollout] by the end of 2006."
Identity Management Systems

| Vendor (location) | Product | Notes |
|---|---|---|
| | eTrust Identity and Access | This suite of five products offers soup-to-nuts protection across several flavors of Unix, Linux and Windows. |
| | Enterprise Provisioning Suite | IDM specialists offer a full suite of password, provisioning and access modules; works with any directory, e-mail server or SQL relational database but may require a fair amount of programming expertise. |
| HP (Palo Alto, Calif.) | | HP offers sophisticated IDM tools as part of its OpenView management platform, adding to its suite of federation products with the acquisition of Trustgenix last November. |
| IBM Tivoli | | Full suite of identity, directory, access and federation products works with directories based on Microsoft Active Directory, Sun ONE and its own LDAP-based Tivoli Directory Server. |
| MaXware (Trondheim, Norway) | MaXware Identity Center | This vendor boasts 280 clients in 30 countries, with strong ties to military and governmental agencies. |
| Microsoft | Integration Server 2003, Enterprise | MIIS 2003 works with a number of non-Microsoft directories (including LDAP, Novell eDirectory, IBM and Sun/iPlanet) and e-mail servers, provided they run on a Windows platform. |
| Novell | | Built around its widely used eDirectory structure, Novell's suite supports a wide range of operating systems and offers some good (though optional) tools for designing identity management schemes and running what-if scenarios. |
| Oracle (Redwood Shores, Calif.) | | Recent acquisitions of top-tier IDM vendor Thor Technologies and OctetString strengthen Oracle's offerings, which include a full range of application-centric middleware products. |
| Sun Microsystems Inc. (Santa Clara, Calif.) | | One of the oldest players in IDM software offers a full suite of access, auditing and federation products across diverse operating systems (AIX, HP OpenVMS, Solaris, Windows) using a Web-based management console. |
| Symark Software Inc. (Agoura Hills, Calif.) | PowerPassword User Management Edition, | Longtime Unix/Linux enterprise software vendor added support for Windows last year with its PowerKeeper identity management appliance. |
Technology journalist Dan Tynan is author of "Computer Privacy Annoyances" (O'Reilly Media, 2005).