RFP Toolkit: Stand out in the crowd

Identity management systems can help agencies meet security mandates

When Utah rolled out an identity management system five years ago, it did so for a simple reason: The governor wanted a new e-mail address.

RFP CHECKLIST: ID management

The General Services Administration has listed identity management systems as a core component of a Homeland Security Presidential Directive 12-compliant Personal Identity Verification II architecture. Although IDMS solutions have yet to undergo compliance testing for use in PIV II systems, it is likely that agencies will have several approved solutions from which to choose. When agencies come looking for a compliant IDMS, be prepared to answer these questions:


  • What server operating systems does the IDMS support? What database and e-mail servers does it support?

  • What operating systems do its management consoles require? Can they be Web based?

  • Is it compatible with the Lightweight Directory Access Protocol (LDAP), Microsoft Active Directory, Novell eDirectory and other common directory services?

  • Does it let you set policies for password complexity and expiration? Can you specify a minimum length and required character classes for passwords?

  • Does it count failed logins and let you lock out users after a specified number of failures?

  • Does it protect passwords in transit and at rest? Are passwords encrypted during transmission and stored as salted hashes rather than reversibly encrypted? Which algorithms does the software support?

  • Does it have a self-service provisioning module? Does it support automated self-service reset of forgotten passwords (reset, not retrieval, which would require storing them reversibly)?

  • Does it provide different degrees of vetting for identity authentication based on security clearance? Does it readily support tokens, smart cards or other physical or biometric authenticators?

  • Will it support central caching of keys? Can it require different authentication criteria based on different trust levels?

  • Can it be expanded to include new forms of identity verification and assertion should they arise?

  • Will it require users to periodically recertify their identities? Will it automatically propagate authorized changes across all system resources?

  • Can it automatically locate and retire orphan accounts?

  • How granular is the provisioning module? How many roles does it let you create? How customizable are the rules for each role?

  • Does it provide pre-built interfaces into core enterprise applications? Does it offer tools for customizing pre-built interfaces or building new ones from scratch? Can the vendor furnish such services?

  • What kind of audit trail and reporting capabilities does it provide? Are audit trails stored in a separate, encrypted, tamper-evident store?

  • Can users create custom audit reports? Does the IDMS support third-party audit tools?

  • Does it allow for secure, offsite backup and restoration of identity data stores?

  • Does the vendor have a federated solution? Is it compatible with the Liberty Alliance, WS-Federation (Web Services) or Security Assertion Markup Language (SAML) standards?

  • What kind of service-level agreements does the vendor provide? Does it offer 24/7 support or guaranteed minimum response times if its products fail?

"He was tired of spelling out Michael dot Leavitt at state dot UT dot US," said Phillip Windley, then CIO for the state, now a computer science professor at the University of Utah. "We owned the domain Utah.gov, so we decided to give him and every other state employee a Utah.gov address."

However, making the change was anything but simple. Utah had to upgrade network directories at nearly every agency and create a metadirectory to synchronize their data. It also had to get consensus on a naming schema (for example, firstname.lastname).

"Getting everyone in a decentralized organization to agree on anything can be a challenge," Windley said.

Today, when government agencies implement identity management systems, security is more likely their primary concern. Homeland Security Presidential Directive-12 of August 2004 requires the federal government to adopt standard ways of securing physical access to buildings and logical access to information systems. Although not bound by HSPD-12, many state and local governments also are implementing an IDMS for added security and efficiencies.

"Our first reason for adopting identity management was to tighten up security," said Norman Jacknis, CIO for New York's Westchester County, which is rolling out IBM Tivoli's identity management suite to more than 6,000 county employees. "We also realized we're wasting enormous resources by having every software developer build their own ID structure."

An IDMS can reduce the number of passwords an employee must remember, and automate password recovery, slashing help-desk costs. It also can simplify provisioning for new hires or terminations, letting IT or human resources departments control access to network resources with a few keystrokes.


Rules First

Before rolling out an IDMS, you must define roles and set policies for every contractor and employee in an agency. This lets people access some systems but not others, depending on their roles.

Some IDMS are more flexible than others, said Ellen Libenson, vice president of product management for Symark, an enterprise IDMS vendor in Agoura Hills, Calif. Ensure that an IDMS lets the agency define roles based on factors such as an employee's title, department and security clearance, and manage resources at a level granular enough to, for example, deny access to certain databases after normal working hours.
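As an added illustration (not code from Symark or any other vendor named here) of the role and rule granularity described above, the following Python models roles derived from an employee's title, department and clearance, plus a rule that denies access to a database outside working hours. The role names, resources, clearance ladder and the 08:00-18:00 window are assumptions for the example.

```python
"""Role-based access check with clearance and time-of-day constraints.

Added illustration, not code from any vendor named in the article.  Roles are
derived from HR attributes; each resource carries a rule; every denial returns
a reason an audit log can record.  All names and values are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class Employee:
    user_id: str
    title: str
    department: str
    clearance: str  # "public", "confidential" or "secret" (assumed ladder)


@dataclass(frozen=True)
class Rule:
    resource: str
    allowed_roles: FrozenSet[str]
    min_clearance: str = "public"
    business_hours_only: bool = False


CLEARANCE_RANK = {"public": 0, "confidential": 1, "secret": 2}
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed local working hours, Mon-Fri

# Assumed policy table; a real IDMS would load this from its policy store.
RULES = {
    "payroll_db": Rule("payroll_db", frozenset({"finance-analyst", "dba"}),
                       min_clearance="confidential", business_hours_only=True),
    "intranet": Rule("intranet", frozenset({"employee"})),
    "case_files": Rule("case_files", frozenset({"dept:legal"}), min_clearance="secret"),
}


def derive_roles(emp: Employee) -> FrozenSet[str]:
    """Map HR attributes to roles.  The mapping itself is hypothetical."""
    roles = {"employee", f"dept:{emp.department}"}
    if emp.title.lower().startswith("dba"):
        roles.add("dba")
    if emp.department == "finance" and "analyst" in emp.title.lower():
        roles.add("finance-analyst")
    return frozenset(roles)


def within_business_hours(now: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return now.weekday() < 5 and start <= now.time() < end


def check_access(emp: Employee, rule: Rule, now: datetime) -> Tuple[bool, str]:
    """Evaluate one rule: role, then clearance, then time window."""
    if not derive_roles(emp) & rule.allowed_roles:
        return False, "no matching role"
    if CLEARANCE_RANK[emp.clearance] < CLEARANCE_RANK[rule.min_clearance]:
        return False, "insufficient clearance"
    if rule.business_hours_only and not within_business_hours(now):
        return False, "outside business hours"
    return True, "ok"


def authorize(emp: Employee, resource: str, now: datetime) -> Tuple[bool, str]:
    """Fail closed: a resource with no rule is denied rather than allowed."""
    rule = RULES.get(resource)
    if rule is None:
        return False, "unknown resource"
    return check_access(emp, rule, now)


if __name__ == "__main__":
    analyst = Employee("u1", "Financial Analyst", "finance", "confidential")
    for when in (datetime(2006, 3, 7, 10, 0), datetime(2006, 3, 7, 22, 0)):
        print(when, authorize(analyst, "payroll_db", when))
```

The point worth keeping from this sketch is the ordering and the default: the check fails closed on unknown resources, and each denial names the failing condition, which is what makes the later audit trail useful.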

The ability to manage many roles is also important for large agencies. The United Kingdom's Ministry of Defence has 400,000 employees but more than 600,000 roles, said Torgeir Pedersen, senior architect for Trondheim, Norway-based MaXware.

A basic IDMS authenticates users, manages access to resources and helps users better manage password security. A better IDMS provides a "three-strikes" capability, locking users out after a specified number of failed login attempts, Symark's Libenson said. It also would capture users' keystrokes during login to help spot potential break-ins.
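The "three strikes" lockout mentioned above, as an added example that is not any vendor's code: consecutive failures are counted per account, the account is locked for a cooling-off period once the threshold is reached, and the counter resets on a successful login. The threshold (3), the lockout period (15 minutes) and the PBKDF2 parameters are assumed values, and the account store is an in-memory object standing in for the IDMS database.

```python
"""Failed-login counting with account lockout.

Added illustration, not any vendor's code.  Passwords are stored as salted
PBKDF2 hashes; the failure counter and lock expiry live with the account so
the decision is made server-side, not by the client.  Policy values assumed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_FAILURES = 3                 # assumed policy value
LOCKOUT = timedelta(minutes=15)  # assumed policy value


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes                     # salted hash, never a reversible encryption
    failures: int = 0
    locked_until: Optional[datetime] = None


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def create_account(username: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt))


def login(acct: Account, password: str, now: datetime) -> str:
    """Return 'ok', 'bad-password' or 'locked'.

    While locked, even the correct password is refused; that is what stops an
    online guessing attack from simply continuing after a lucky guess.
    """
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"
        acct.locked_until = None       # lockout expired: start a fresh count
        acct.failures = 0
    if hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
        acct.failures = 0
        return "ok"
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked_until = now + LOCKOUT
        return "locked"
    return "bad-password"


if __name__ == "__main__":
    acct = create_account("alice", "correct horse battery")
    t = datetime(2006, 3, 7, 9, 0)
    for attempt in ("wrong", "wrong", "wrong", "correct horse battery"):
        print(attempt, "->", login(acct, attempt, t))
```

Two caveats a practitioner will want: a lockout keyed only on the account hands anyone who knows a username a cheap denial of service, so pair it with per-source rate limiting and alerting rather than relying on it alone; and the three outcomes should be logged with the account, source and time, since the IDMS audit trail is the first place an investigator will look for a guessing campaign.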

Another key driver for audit-trail capabilities is the Sarbanes-Oxley Act, which requires some agencies to maintain audit trails of employee access to information systems. But most identity management solutions stop logging the moment you gain access, said Toby Weir-Jones, director of product management for Counterpane Internet Security in Chantilly, Va.

"The system will know when and where you logged in and that you logged out seven minutes later, but it won't know what you did in between," he said. Because most identity management systems aren't designed to track user activity inside applications, they should be able to integrate with third-party tools that do, Weir-Jones said.

For sensitive data and strong authentication, Libenson said, "you'll need a system that integrates easily with tokens, smart cards or biometrics."

For federal agencies, an IDMS must integrate with smart cards based on Federal Information Processing Standard 201 for personal identity verification. FIPS-201-compliant cards store digital fingerprint data and support public-key infrastructure credentials for user authentication.


Integration Challenges

Because an IDMS touches every major system in an organization, it is a challenging integration project. It may take months, even years, to roll out an IDMS at large agencies with diverse platforms.

Nearly all core enterprise applications, from e-mail to human resources to accounting, have their own user directories. An enterprisewide IDMS must be able to communicate with directories in each application and synchronize the data, even if the account is listed as "George W. Bush" in the accounting application, "Bush, George W" in human resources, and "potus@whitehouse.gov" in e-mail.
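The synchronization problem just described, and the orphan-account question from the RFP checklist, as one added example (not code from Courion, Counterpane or any other vendor here): the HR roster is treated as the authoritative source, per-system connectors return accounts that name the same person three different ways, and a metadirectory-style join matches them up, then reports accounts nobody owns, accounts whose owner has left, and active employees missing an account. The records, field names and system names are constructed for the example.

```python
"""Metadirectory-style identity correlation and orphan-account detection.

Added illustration, not code from any vendor in the article.  Name-based
matches are only accepted when exactly one HR record fits; e-mail accounts
are joined on the address HR holds for the employee.  All data is constructed.
"""
import re
from collections import defaultdict

# Authoritative source (constructed).  Only HR knows the e-mail address and status.
HR = [
    {"emp_id": "E100", "name": "George W. Bush", "mail": "potus@whitehouse.gov", "status": "active"},
    {"emp_id": "E101", "name": "Ann Jones", "mail": "ajones@example.gov", "status": "terminated"},
    {"emp_id": "E102", "name": "Sally T. Lee", "mail": "slee@example.gov", "status": "active"},
]

# What each system's connector returns (constructed).  Note the three spellings of one person.
ACCOUNTS = {
    "accounting": [{"id": "acct-1", "name": "George W. Bush"},
                   {"id": "acct-2", "name": "Jones, Ann"},
                   {"id": "acct-3", "name": "Bob Nobody"}],        # nobody in HR owns this one
    "hr_app": [{"id": "hr-1", "name": "Bush, George W"},
               {"id": "hr-2", "name": "Lee, Sally T."}],
    "email": [{"id": "potus@whitehouse.gov", "mail": "potus@whitehouse.gov"},
              {"id": "ajones@example.gov", "mail": "ajones@example.gov"}],
}


def _clean(s: str) -> str:
    return re.sub(r"[^a-z]", "", s.lower())


def name_key(name: str) -> str:
    """Normalise 'First M. Last' and 'Last, First M' to 'last|first|m'."""
    if "," in name:
        last, rest = name.split(",", 1)
        given = rest.split()
    else:
        parts = name.split()
        last, given = parts[-1], parts[:-1]
    first = given[0] if given else ""
    middle = given[1][0] if len(given) > 1 else ""
    return f"{_clean(last)}|{_clean(first)}|{_clean(middle)}"


def correlate(hr, accounts):
    """Match every account to an HR record.  Ambiguous name matches are never auto-joined."""
    by_name, by_mail, status = defaultdict(list), {}, {}
    for rec in hr:
        by_name[name_key(rec["name"])].append(rec["emp_id"])
        by_mail[rec["mail"].lower()] = rec["emp_id"]
        status[rec["emp_id"]] = rec["status"]
    matches, orphans, ambiguous, deprovision = {}, [], [], []
    for system, recs in accounts.items():
        for rec in recs:
            owner = None
            if "mail" in rec:
                owner = by_mail.get(rec["mail"].lower())
            elif "name" in rec:
                cands = by_name.get(name_key(rec["name"]), [])
                if len(cands) > 1:                     # two employees with the same name
                    ambiguous.append((system, rec["id"]))
                    continue
                owner = cands[0] if cands else None
            if owner is None:
                orphans.append((system, rec["id"]))    # candidate for retirement, after review
                continue
            matches[(system, rec["id"])] = owner
            if status[owner] != "active":
                deprovision.append((system, rec["id"], owner))
    return matches, orphans, ambiguous, deprovision


def provisioning_gaps(hr, matches, systems):
    """Active employees with no account in some system (the new-hire side of provisioning)."""
    have = defaultdict(set)
    for (system, _), owner in matches.items():
        have[owner].add(system)
    gaps = {}
    for rec in hr:
        if rec["status"] != "active":
            continue
        missing = sorted(set(systems) - have[rec["emp_id"]])
        if missing:
            gaps[rec["emp_id"]] = missing
    return gaps


if __name__ == "__main__":
    m, o, a, d = correlate(HR, ACCOUNTS)
    print("orphans:", o)
    print("deprovision:", d)
    print("gaps:", provisioning_gaps(HR, m, ACCOUNTS))
```

Name normalization is the weak link: "George Bush" and "George W. Bush" produce different keys, and two employees who share a name are deliberately left unmatched for a person to resolve. Wherever a connector can supply a stable identifier (an employee number, or the credential identifier from a smart card) the join should use that, with name matching kept as a reviewed fallback rather than the primary rule.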

"A key requirement of any identity management system is how effectively it can connect to and use data held by multiple systems," said Chris Zannetos, CEO of Framingham, Mass.-based Courion Corp.

It is necessary to inventory all systems that hold identity data to evaluate whether an IDMS provides a connector for each one, Counterpane's Weir-Jones said. "If they don't, you'll have to build them yourself, which can be expensive. And when the tool changes, you have to upgrade the interface," he said.

Some IDMS packages offer tools to build connectors between applications, but these may need tweaking to work with some applications.

"One of the biggest stumbling blocks is interoperability with other agencies," Weir-Jones said. A "federated" identity management scheme lets an employee authenticate once with the home agency's credentials and have that identity accepted by other agencies' systems, instead of holding a separate login and password for each. But because federation standards are still in flux, an IDMS must support several of them: the Liberty Alliance specifications, the IBM and Microsoft Web Services (WS-Federation) architecture, and the OASIS Security Assertion Markup Language (SAML) 2.0 standard.


Chart the processes

The biggest challenges to building an IDMS may not be technological.

"This isn't a solution you're going to buy from someone as much as it is a cultural change in your organization," said the University of Utah's Windley. "How do you assess risk for the various components of your information infrastructure? What authentication guarantees can you pass on to the underlying system? The risk assessment has to be driven by business leaders, not IT security professionals."

Look at the problem from a business or organizational point of view, said Jon Wall, principal technology specialist for Microsoft Federal.

"Figure out what triggers what," he said. "Walk through two scenarios from beginning to end: hiring an employee and terminating one. Chart every system that process will touch and in what order, and do it from an internal agency perspective, not a technology perspective. We can bend software to do a lot of stuff for you, but identity management is really driven by business practices."

Successfully implementing an IDMS requires a slow, steady rollout and lots of patience, Westchester County's Jacknis said.

"We've had so many surprises with identity management products," he said, "I can only say that I hope to be done [with our rollout] by the end of 2006."



Identity Management Systems

Vendor: CA Inc., Islandia, N.Y.; (800) 225-5224; www.ca.com
Product(s): eTrust Identity and Access Management Suite
Notes: This suite of five products offers soup-to-nuts protection across several flavors of Unix, Linux and Windows.

Vendor: Courion Corp., Framingham, Mass.; (866) 268-7466; www.courion.com
Product(s): Enterprise Provisioning Suite
Notes: IDM specialists offer a full suite of password, provisioning and access modules; works with any directory, e-mail server or SQL relational database but may require a fair amount of programming expertise.

Vendor: Hewlett-Packard Co., Palo Alto, Calif.; (650) 857-1501; www.hp.com
Product(s): HP OpenView Identity Management
Notes: HP offers sophisticated IDM tools as part of its OpenView management platform, adding to its suite of federation products with the acquisition of Trustgenix last November.

Vendor: IBM Corp., Armonk, N.Y.; (800) 426-4968; www.ibm.com
Product(s): Tivoli Identity Manager, Tivoli Access Manager
Notes: Full suite of identity, directory, access and federation products; works with directories based on Microsoft Active Directory, Sun ONE and IBM's own LDAP-based Tivoli Directory Server.

Vendor: MaXware AS, Trondheim, Norway; (732) 409-5000; www.maxware.com
Product(s): MaXware Identity Center
Notes: This vendor boasts 280 clients in 30 countries, with strong ties to military and governmental agencies.

Vendor: Microsoft Corp., Redmond, Wash.; (425) 882-8080; www.microsoft.com
Product(s): Microsoft Identity Integration Server 2003, Enterprise Edition
Notes: MIIS 2003, which itself runs only on Windows, works with a number of non-Microsoft directories (including generic LDAP, Novell eDirectory, IBM and Sun/iPlanet) and e-mail servers.

Vendor: Novell Inc., Waltham, Mass.; (800) 529-3400; www.novell.com
Product(s): Novell Identity Manager 2
Notes: Built around its widely used eDirectory structure, Novell's suite supports a wide range of operating systems and offers some good (though optional) tools for designing identity management schemes and running what-if scenarios.

Vendor: Oracle Corp., Redwood Shores, Calif.; (650) 506-7000; www.oracle.com
Product(s): Oracle Identity Management
Notes: Recent acquisitions of top-tier IDM vendor Thor Technologies and OctetString strengthen Oracle's offerings, which include a full range of application-centric middleware products.

Vendor: Sun Microsystems Inc., Santa Clara, Calif.; (800) 232-4671; www.sun.com
Product(s): Java System Identity Manager
Notes: One of the oldest players in IDM software offers a full suite of access, auditing and federation products across diverse operating systems (AIX, HP OpenVMS, Solaris, Windows) using a Web-based management console.

Vendor: Symark Software Inc., Agoura Hills, Calif.; (800) 234-9072; www.symark.com
Product(s): PowerBroker, PowerPassword User Management Edition, PowerKeeper
Notes: Longtime Unix/Linux enterprise software vendor added support for Windows last year with its PowerKeeper identity management appliance.


Technology journalist Dan Tynan is author of "Computer Privacy Annoyances" (O'Reilly Media, 2005).