
Tim Dunn is the Director for the Identity Management Business Unit in EMEA at BMC Software. In this role he is responsible for maximising awareness of, and interest in, identity management among customers, partners and BMC employees. He is also responsible for managing the sales pipeline for BMC Software’s Identity Management product suite – a set of solutions that enable customers to centrally manage identities and access privileges to ensure that access to all distributed systems is in compliance with business policies and regulations.
Simon Perry is Vice President of Security Management for CA in Europe, Middle East, and Africa (EMEA). He is responsible for overseeing the strategic direction of CA’s security business in EMEA, which includes product direction, technology services and deployment architectures, and go-to market strategies. Simon has close to 20 years in the software industry.
CXO. ID management is nothing new, but has evolved significantly in recent years in line with the threat environment. What security advantages does a strong ID management solution offer? And in what ways has the changing nature of the threats driven the industry’s response?
TD. Organisations are realising that identity management is not just a security tool, but rather, a business enabler, contributing significantly to an organisation’s ability to do business more effectively and efficiently. That said, even in a security context, the complexity of doing business in a global marketplace has driven the evolution of identity management. It is more than just an IT term; it is a business consideration spanning all aspects of operations.
Consider the effect of mergers and acquisitions, regulatory requirements and new business services, all of which potentially involve new customers, suppliers, partners and business processes. In this changing environment, organisations must keep control over who has access to what information; who approved that access; what people are doing with that access once they have it; and whether the above can be proven, if necessary.
For many organisations, it’s not just a case of the changing nature of threats; it is the fact that they can’t even identify threats in the first place. Keeping bad guys out is not the most significant problem – getting the good guys in is the major advantage identity management brings.
A strong identity management capability can improve security and reduce business risk in a number of ways. The actions of ‘superusers’, the people who could do the most harm, can be monitored to ensure that their actions remain in compliance with policy. Automating the provisioning of access rights and linking those rights to roles means that ‘fine-grained’ access can be defined. A person’s access privileges are added and removed by virtue of their role(s), not just accumulated over time. Finally, in times of staff turnover, access rights can be terminated – completely – because all access rights are known.
SP. I’ve been in the IT field myself for almost 20 years, and across three geographies around the world, so I have seen a lot of change and different approaches taken. What is clear is that we have undergone a revolution (not evolution) over that time. Back when I started, I was solely involved in IBM mainframe systems operations, systems programming and security. At that time, the security focus was primarily on ID management, auditing and access controls, and I recall writing and deploying some simple self-service password management solutions for two different companies back in the mid 1990s. Major companies have been experiencing ID management problems like these for some time now.
What happened during the late 1990s and into the early years after Y2K was that much of that focus was taken away by the huge flurry of malcode the industry fell victim to; the network worms, viruses, vulnerability exploitation and so on. All these security problems are really important to solve, but solving them is not strategic to businesses. It is tactically important but it is not strategically significant.
The other really significant factor along this journey was the dotcom boom-and-bust cycle. I really think that if the original dotcom cycle had not imploded we would have seen a re-recognition of the importance of identity and access management (IAM) earlier than now. B2C, B2B and G2C business models really rely on the adequate authentication, authorisation, auditing and administration of service consumers. So what we’re seeing now is the re-emergence of these services and businesses re-engaging with IT and driving adoption of IAM as a service bus that enables deployment of business services, via IT, to new channels. Meanwhile, the anti-ware market has taken a back seat (where it belongs) and is now seen as an IT problem again, not a business problem. This cycle isn’t finished yet; in fact, I think we’ve a good five years of really interesting development taking place as SOA and federation evolve as concepts.
CXO. What challenges do organisations face in terms of implementing an ID management solution?
TD. Often, given the size of the challenge, it’s a case of ‘where do we start and how do we get to where we need to be – in fact, do we even know where we need to be?’
One major challenge is underestimation of the business process change impact on the project. As with other areas of IT, a successful identity management deployment has its roots in understanding the business processes at play. The focus on understanding the identity lifecycle of users within their business roles is key to a successful deployment of an identity management solution.
Another issue is that there seem to be many technical and business requirements that relate to identity management. So how do we consolidate our needs and develop an identity management strategy? A related challenge is the overall cost of a full solution once the various requirements are captured. The answer here is to work out your high-level goals for an identity management platform (how it will support the business goals and initiatives of the company), break the overall strategic identity management roadmap into ‘quick win’ milestones and show iterative ROI, and leverage your current investments to re-use what you have wherever possible.
With many departments and people affected by or involved in the identity management requirements, it can be very political and difficult to manage the project. As a result, you need to get executive management buy-in for the project. Agree on accountabilities and establish a representative programme team early.
SP. First and foremost, not recognising that IAM projects are potentially business process reformation projects as well. Treat it as only an IT project and you will almost guarantee that the wheels will fall off – you have to have a business side and senior sponsor internally. Secondly, build for future re-use of the technology and service deployment, but do it in a way that provides quick-wins from the project along the way. That is why we took the modular and integrated approach five years ago, and that is why we’re seeing the rest of the industry take the same approach now.
CXO. Is there an identity management ‘checklist’ that companies should use when rolling out such a solution? What should they look out for? Are different approaches (federated, centralised, user-centric) better than others for certain needs?
SP. I recall a Dire Straits song from the 1980s with the following line in it: “Two men say they’re Jesus, one of them must be wrong.” I quote this because across the industry there are today a number of ‘best practices’. At least one of them may be ‘best’ practice, but this would really imply that the rest of them are ‘almost-as-good-but-not-best’ practices. The real lesson is that there is no single ‘always works’ approach to IAM.
Certainly, we have taken elements of COBIT, ITIL, ISO27001 (née BS7799) and our own expertise garnered from extensive IAM deployments globally and have developed a structured approach to IAM that involves the idea of maturity models and staged deployments of technology, as well as process change. We map out technology dependencies, the actors and stakeholders in an organisation who are typically involved in various elements of an IAM project, and possible approaches to deployment. Certainly, this has allowed us to set expectations better aligned to reality so that if someone says “We’d like to federate the management of identities between ourselves and our business partners” we’re able to check off whether the organisation has the basic process and technology building blocks in place to do that, i.e. are they mature enough yet in their IAM approach to do Federated ID Management (FIM)?
There is not a single “works every time” approach – you have to be consultative with IT and the business to understand priorities. You have to adapt to individual needs. Then you cast that across a maturity model that has proven to be repeatable and successful. It works, it sets a background of common expectations, and it sets a roadmap for deployment of technology as the organisation improves its capability. Remember the most important aspect – we are talking about the deployment of enterprise class solutions that are meant to provide a reusable service framework.
TD. There are three high-level steps toward continuous compliance that must be addressed. The first is to align privileges and policies to people. A person’s access privileges are associated with the user’s identity information. An organisation must be able to answer the question “Who are all of the users that touch my organisation’s IT resources?” It is critical that all identity information be linked back to the associated person. It is also important to build a standard policy model within the organisation that supports the compliance mandates being imposed.
Secondly, automate the process of entitlements and approvals. The number of applications, systems, and data stores that require authentication for a person to achieve access is growing at an accelerating pace. Each of these IT resources requires the assignment of access rights in a fast and efficient manner. Any delay in assigning access rights to internal or external users, employees, contractors, partners, and customers creates opportunities for inappropriate access and behaviour. By using an automated approval process and empowering users with self-service, a foundation can be created for improving the ability to know ‘who approved a user’s access?’
Finally, achieve controls and governance with agility. The decision to respond to compliance demands is no longer in the hands of the IT organisation. The choice is not whether to respond, but rather in what way to respond – either with manual processes or through the alignment and automation activities described earlier. With the ever-increasing pressure on IT from internal and external auditors to provide adaptive reporting, it is critical to implement a process where measurements and reporting are automated, adaptable to the viewer’s role, and available in a business dashboard format. Depending on the role of the user – business owner, security administrator, auditor – different information must be available for confirmation by the end user.
CXO. The security benefits of ID management are a given. But what other advantages does it offer – for instance, in terms of greater opportunities for collaboration with customers and partners?
TD. By managing access privileges for the entire user population, organisations can bridge the gap between people, process, and infrastructure, thereby maximising customer value. What’s more, by integrating with other service management processes, identity management can help organisations deliver enterprise-wide business service management (BSM).
For those not yet familiar with BSM, BSM is considered the most effective approach for managing IT from the perspective of the business. The goal of BSM is to help IT organisations do more of what supports the business and less of what doesn't. With BSM, BMC has seen organisations reduce cost, lower risk of business disruption, and benefit from an IT infrastructure built to support business growth and flexibility. BMC provides all three dimensions of BSM: best practice IT processes, automated technology management, and a shared view of how IT services support business priorities.
Our identity management suite of products is a critical piece of successful BSM because it addresses all three of these dimensions. Customers are starting to require deeper and stronger integration of identity with business processes. That’s why BMC provides identity management solutions that integrate with other processes to deliver efficiency, productivity, and security gains within core BSM disciplines, such as change and configuration management, asset management, and incident and problem resolution, and that tie identity to the business through a centralised CMDB.
SP. Transactional B2anything would not work successfully without ID management – full stop. In fact, we believe that the SOA model won’t work without effective ID and privilege management. So not only are we talking about IT service backbones, we’re also talking about IT systems that provide services fundamental to business models. That is why this is strategic. It is why the business, not just IT, needs to be driving this.
It follows that the next area of concern that needs to be addressed is that of trust. Trust is not the same as security, but it is fundamental to operational models such as FIM. Why should I trust your ability to manage privileges? Why should I trust that your IT systems won’t be a backdoor to mine once we’re joined up? How will my business standing in the market be affected if we federate strongly at the backend and your IT systems are breached leading to a disclosure of confidential data? These are really serious questions that need to be addressed and are being addressed by companies looking to federate.
CXO. Compliance is another hot ticket right now. In what ways is ID management helping firms meet their compliance requirements? Is this a big driver within the industry?
SP. Compliance is a really interesting area. For a start, a third of the projects labelled as ‘compliance-related’ (in terms of their business justification) are really just using that as an excuse to unlock funding. So you really have to dig to get to the real picture. That said, compliance is very important to those companies affected by it (SOX, HIPAA, GLBA, SB1386, various country specific privacy laws, various other breach-notification laws, etc.). The implications of many of these laws are that a company must know who accessed what data, when, why and what they did. Those are questions fundamental to IAM and answered only by IAM. It’s as simple as that.
TD. Regulatory directives have dramatically increased management’s required visibility into day-to-day operations. This visibility comes with a price, which many organisations mistakenly think to be a one-time cost. What is often overlooked is the burden of day-to-day regulatory compliance activities and the maintenance that occurs with such new initiatives. To maintain compliance on a year-to-year basis, enterprises must automate the process of complying with current and new regulatory directives.
Demonstrating compliance requires that businesses maintain auditable records that regulators or auditors can use to verify compliance. From an identity management perspective, some relevant audit questions are: “Who has access to a given system? What level of access do they have? Who granted the access and when? Were changes made in accordance with company policy? Was it properly approved?”
Automated solutions, such as BMC Audit and Compliance Management, help organisations to achieve and demonstrate compliance by allowing them to automate, monitor, control, and report on IT controls, systems, and data. For example, by using the compliance dashboard provided by BMC Audit and Compliance Management, organisations can monitor the activity of people who have access to data and automate the system to notify the appropriate people when unusual activities occur. This eliminates the potential for human error by standardising and automating manual processes. The solution’s reporting, logging, monitoring, and alerting facilities — not to mention its open architecture and modular implementation capabilities — provide the information needed to validate regulatory compliance efforts.
In addition, BMC Audit and Compliance Management provides a meaningful corporate-level analysis of user access rights. This analysis provides historical, current, and predictive perspectives so that organisations can identify business-level weaknesses and implement corrective measures, as needed.
Based on the BMC Identity Services Architecture, BMC Audit and Compliance Management addresses the needs of people, organisations, and businesses to simplify policy management, mitigate security risk and centralise audit data.
CXO. And where do we currently stand in terms of standards and interoperability? In which direction do you think the industry is headed? What’s next on the horizon for identity management?
TD. Over the next two to three years, identity management will be required by the market to be encapsulated into the overall business service management market through the continual maturation of the customer base and the need for deeper and stronger integration of identity with business process. Vendors will approach this need in a number of ways – embedded into business applications, core services provided by platforms, and point solutions for emerging pain points.
BMC has been committed to the standards efforts of various organisations involved with identity management, including OASIS and Liberty. BMC is an acknowledged leader in the areas of federated access control and provisioning and supports all published standards in these areas (SAML, Liberty, WS-Federation, Shibboleth, SPML). What’s more, as the proven leader in BSM, BMC has the track record to help customers succeed.
With a singular focus on business service management, BMC believes that the market will be looking for efficiency, productivity, and security gains within their core BSM disciplines, such as change and configuration management, asset management, incident and problem resolution, and a centralised CMDB. By implementing identity management within the context of BSM, organisations will be able to optimise their IT processes, infrastructure, and compliance controls, so they can make better decisions and take actions to satisfy business requirements.
SP. We’ve come a long way as an industry around standards. SPML, SAML and so on are now pretty much settled and being deployed within COTS and custom-built products, and XACML is on the way. We need a standard auditing record and forensic data handling model, but I think those will come in the medium term as companies address incident handling in a more mature fashion. We’re very active on many of the standards committees and we’re really supportive of standards. We feel that openness and interoperability between vendor solutions is the only way that the industry will achieve the goal of unifying currently disparate operational areas and simplifying the way that systems are deployed and managed. I spend a lot of time with CIOs who tell me that they are looking closely at how to achieve this. For example, a few years ago many companies first began to look at management of the many aspects of their security infrastructure and hence we saw the development of the whole security management market (security event and information management). Now those same CIOs want to actually manage their security in conjunction with their existing network/systems/application/performance management methods.
In terms of ID management, we’re very bullish on three fronts: federation is real and will really take off through the end of 2007; IAM suites are the way forward; and re-usable IAM services that may be consumed by any number of services is the longer term goal.
Tim Dunn on common ID management mistakes…
“By looking at over 85 percent of our customers in production, BMC Software has identified a number of key issues that cause implementation failures. Some of the most common mistakes include the lack of pre-installation planning; a failure to understand business needs around identity management; a failure to document the functional requirements and solution design; and the lack of business and corporate level support.
“Based on previous implementations, we have discovered that differences between the test and production environments frequently cause the most issues with a production implementation. For example, if your test environment doesn’t fully replicate the production environment (i.e. firewalls, operating system levels), you may discover unexpected results in processing. Another factor when implementing a new user interface is communication. It is critical that users understand the change in processes represented by the new tool, along with the benefits and values received from the solution. Socialisation of the project at the highest levels of the organisation will ensure a more successful implementation.
“BMC works closely with each customer to determine the implementation approach and estimated schedule most applicable given the requirements, resources, timelines, and other characteristics of the engagement. Although no two engagements are alike, a typical project may include preliminary discovery, a readiness review, software installation and configuration, the population of the identity management repository with relevant user information, solution and product mentoring, extended implementation discovery, and post-implementation review.”