Recall the time, perhaps a decade ago, when identity and access management was a struggle. When identities were managed largely through layers of manual processes. When users were often individually provisioned to the applications and resources they needed by the appropriate application owners, or network and system management teams.
Look back to how, in those days, auditors would lug around stacks of three-ring binders crammed with lists of users and resources they could access.
Unfortunately, if you're in many large and mid-sized enterprises, these problems may not sound like those of a decade ago. They more than likely sound like problems of the here and now.
For many reasons, when it comes to effective identity management, many enterprises haven't made much progress.
While there's more automation available to provision users to the applications, systems and other resources they need, enterprises still struggle to keep digital identities aligned with the reality of their organizations. And, as the CISOs and identity managers interviewed told us, most organizations still struggle to get the basics right. They grapple with the increased number of and complexity in the applications they use. They strain to map the real-world roles employees provide with their jobs and access levels, and they fight with upper management's check-box and "project" mentality.
With all of that in mind, let's take a look at three pressing identity management challenges organizations face today.
Also see: " Identity is the new perimeter"
For many, this is the biggest challenge, but it doesn't always have much to do with technology or the software that vendors provide. It's that the complexity of IT has increased. There are more applications, but there are also more types of applications and resources that employees access. That includes those applications that are provided on-premise, or those, such as Software-as-a-Service, that are based on cloud architectures.
Consider the challenge to simply understand the roles and access requirements for most employees. "Organizations have a very difficult time with the very basic task of figuring out precise job roles and then being able to associate those roles with appropriate levels of access to resources," says Martin Fisher, director of information security at WellStar Health System, a not-for-profit healthcare provider based in Atlanta.
According to Fisher, WellStar is required by policy to have a job description for each of its workers. Those job descriptions must identify employees' authority, responsibilities and deliverables. "That's certainly a valuable thing to have. The problem is that the effort creates a lotand I mean a lotof different job descriptions," says Fisher. "For instance consider a registered nurse who works in cardiology. She is going to have a significantly different job description than a registered nurse who works in a primary care practice. They're both nurses, but they do very different jobs. So at least within healthcare, we're trying to increasingly embrace the idea of role-based identity and move away from thinking just about positions, but it takes a lot of work and a lot of time."
2. Treating identity management as a project
Despite the fact that the complexity of identity management trips up enterprises, many IT and business leaders still underestimate what it takes to build a viable identity management program. That's why it's often a challenge to convince executives that it's necessary to invest properly in identity, not so much in the technologies and the toolsetsbut in the effort it will take to gain a full understanding of how workers operate and then build the IT processes to reflect that reality.
That was certainly the lesson learned by the identity manager at a mid-sized food processing company based just outside Milwaukee. The company had invested in an identity management suite with the hope of speeding the provisioning of users to the resources they needed. It was a function that had became burdensomely slow as the company began growing more quickly. "We bought and installed the software, however the initiative eventually ground to a stop after we managed to get sign-on to a few of our major enterprise applications," says the identity manager, whose company didn't permit attribution. "We have a large number of old applications. Applications that reside on the production floor and in the warehouses don't often change. Initially, we wanted to control identity for most of our applications, but management wouldn't fund the upfront work required to study employee and contractor roles and to map that to the appropriate applications," he says.
That unfortunate outcome doesn't surprise Drew Koenig, user access manager at a health services firm based in Minnesota. "When organizations get a few months into these implementations, it turns out that 90 percent of the team's efforts focus on educating the business leaders, managers and data owners," he says. "And getting the organizational mentality rightthat it's the data owners, not the group managers, that approve access. You need to successfully get through all of that before your initiative can progress."
Fisher agrees. "You not only need to have executive sponsorship, because your effort is futile without it, but also eager buy-in across multiple business units. If you don't have all of that support in place, you are going to have a large number of potentially insurmountable challenges," he says. "You're really working on the very fabric of the organization. And if you screw that up, the cascade of problems that generate can sap so much productivity and add so much cost to the environment."
Those costs can include everything from workers not getting access to the applications they need, to end users deciding to share credentials so they can get work done, to increased difficulty responding to valid audit requests.
It's for these reasons that many identity management professionals say that the bulk of the effort is in the enterprise's approach to adoption, and the technology and tools are the least of the focus. "I think a lot of the faulty mentality toward identity management can be blamed on the vendors," argues Koenig. "They're trying to sell software and push the notion that a multimillion-dollar identity management suite is going to get you identity management. It doesn't. Identity management is not like a service desk or a project management suite or a utility type of product where it does this one thing. Identity management, as an implementation of business processes, goes much deeper than that."
3. User authentication gone bad
One of the cornerstones of successful identity management is good authentication. Currently, most organizations still rely on username and password combinations to vet access. As we've witnessed through recent attacks, such as the breaches experienced by social networking site LinkedIn or music site Last.fm that exposed millions of usernames and passwordspasswords are not always the most secure way to control account and resource access.
Yet don't expect passwords to disappear any time soon. Many of the stronger authentication methods -- because of their own complexities and costs -- have failed to gain much traction in the market.
Joe Van Overberghe, IT manager at the Otis R. Bowen Center, a behavioral healthcare services provider in Indiana with 700 employees spread across nine primary locations and additional satellite offices, knows the challenges of strong authentication all too well. Until recently, only a few of the Otis R. Bowen Center's healthcare workers would regularly access its systems remotely. However, as the center began moving in a significant way to electronic medical records, that began to change. "With electronic medical records, we suddenly had an explosion of the need for remote access," explains Overberghe.
Until recently, for remote access, the center had relied almost entirely on a hardware token that fit on a key ring. However, as a healthcare nonprofit that must watch every dollar closely, hardware tokens deployed widely throughout the organization would probably prove too expensive. "They're hardware, so they're costly. People aren't very friendly on hardware devices. They break them. The batteries run out and they're not replaceable. They are lost. So you end up constantly having to buy new tokens. We needed to figure a way to keep costs down and manage the expense," he says.
Overberghe began investigating other alternatives, such as software-based two-factor authentication provided by WikID Systems. With WiKID, a user enters a PIN, a username and the one-time passcode into a software-based token, for access. "End users can have as many software tokens as they want within a domain and they can use any device that they have," says Overberghe. Currently, the Bowen Center has about 30 users transitioned to WiKID, and, explains Overberghe, all new users are being set up this way. "We now have people calling and asking if they can just use their phone and get rid of their old hardware token," he says.
Putting a solid identity management system in place is worth the effort, despite the challenges. Identity is the foundation of good security and solid regulatory compliance. To succeed, it requires a bit of savvy planning and work up front, but as with most things in business, success begets even more success. And the early successes in efficiency and speed of provisioning will lead to more wins and business investment down the line. "With those early victories, you can then build even more sophisticated identity management that will, hopefully, further improve how the company operates and its security," says WellStar's Fisher.
George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter @georgevhulme.
Read more about identity management in CSOonline's Identity Management section.