The thing with identity management is every person has an opinion, and they are all right.
Hi-Tech Security Solutions recently asked a few industry experts to join our round-table discussing identity management, how it has evolved over the years and where this vital concept is in business today. Our goal was to come away with a clearer understanding of identity management in today’s enterprise, as well as starting points for those organisations about to embark on an identity management project.
Those who have dealt with this topic before will understand that we achieved none of the above. Identity management (IDM) is a contentious and complex topic and one’s view of it depends on your experience and your requirements, not to mention your employer’s view of the topic. Safe to say there is no single IDM solution, no matter what your favourite vendor may tell you. There have been efforts over the past years to create common ground, primarily with Internet-based services, but even there we are still a long way away from a globally accepted standard.
When it comes to business and governmental IDM, however, the chaos at South Africa’s Home Affairs department, which is supposedly responsible for taking care of citizen’s identity documents and passports, is an example of the state of the market as a whole. Fortunately, vendors who have to pay their own way are not as disorganised and incompetent and there are workable IDM solutions for companies out there, but they are generally more proprietary in nature than open, but again, this is also changing.
These solutions are, unfortunately, also complex and what we see happening is that instead of adopting IDM solutions as a complete standard, companies are using what they feel they get the most benefit out of. While this seems to be realistic and effective, it often leaves security vulnerabilities open to exploitation. As our attendees will show, IDM is a science while not being a science and is open to opinion, chance and clever sales people.
So what is IDM?
The first step in a debate about IDM is actually defining the concept. In one company identity management is a time and attendance system that determines who enters a building or work area when and for how long, and this can be extended to when the person logs onto their computer and which resources they use. In another company, the idea of IDM is to link every employee to a single source of identity for whatever transactions they need to perform, from paying invoices to buying a sandwich in the canteen.
James Redlinghuys, director at Supervision Biometric Systems suggests we need to take a step back. He says the definition on Wikipedia (see: Identity management defined below) is quite comprehensive and most vendors use much the same words, “just scrambling it up ... to make it complex so whether you read it forward or backwards, it does not make sense.
“Using the Wikipedia definition as a base, I think there are three elements here: it is about categorically identifying individuals; looking at what these people can do, the rights associated to them logically and physically; and the process and implementation of provisioning that identity.”
“We have to start off with identifying the population of identities we are going to want to manage,” says Karel Rode, principal consultant with RSA, the security division of EMC. “So we look at who is in our population, who is our constituency and in most cases the easiest way of doing that is to find the single point of truth. Probably the easiest way to do this is to go to an HR payroll system and decide that if you work for this company, then you are on the payroll and in the population. Additionally, if you do not work for the company permanently, but are paid by it, then you are probably a contractor and somebody in payroll should also have some awareness of your role and so on.”
Rode says there will be some form of database or databases in most organisations that identifies all of the people within that particular population to some extent. The value and depth of information about each individual varies, but it is a starting point for an effective IDM project.
Creating an IDM process is also based on trust. When two people are introduced, they initially create a small bond of trust as a result of the person that introduced them, and this (potentially) grows as they interact with each other. In the corporate world, a similar process occurs as an individual is introduced to a company via another trusted party, supplies information to HR, which (supposedly) verifies it, after which he/she is given trusted access to parts of the building and IT resources. As the individual progresses in the company, this trust grows and he/she has access to more resources.
As such, IDM is a never-ending process. Just ask the person responsible for deprovisioning people from corporate systems whether it ever ends.
Not so simple
Of course, it is more complicated than that since the status quo in most organisations sees different departments involved in independent processes. Rode says often we see physical access managed by one team and logical access managed by multiple teams. And, naturally, they do not talk to each other except in exceptional cases – such as when the board demands action after a major loss from fraud and insider crime.
IDM goes further than simply coming in the door and logging onto your PC. Different applications can require different logon credentials, normally passwords (see below: How much do passwords cost?). But associated third party applications also require a different identity and access infrastructures – such as accessing a medical aid provider’s website. This makes it an even more complicated muddle.
Redlinghuys jumps in here saying that while one part of the IDM conversation is about the benefits of centralised identity stores with one provisioning and deprovisioning facility, which is the goal everyone should work to, we are still missing the point. We still need to have a way of accurately identifying every individual, a way that cannot be contested with arguments such as 'I lost my card', or 'someone used my password', or 'someone stole my token'.
“It does not help you to have this very nice architecture of managing identities, but the identities themselves are flawed. Garter says these systems are simply a depository of identities, but we are not actually indentifying the individual.”
He goes on to promote the use of biometrics (not only fingerprint systems) as a way of clearly identifying people and their associated transactions through identity chains. This ensures the right people are definitively associated with the transactions they perform, whether logical or physical activities. Using biometrics you link individual identities to specific actions at specific times and the identity (or person) can’t complain that his/her biometric was stolen.
Maiendra Moodley, principal consultant at CA Southern Africa acknowledges the value of biometrics in certain instances, but denies this is the ultimate solution for everyone.
“There is a place for biometrics, and I am sure everybody will have a particular solution that they all pitch at a certain point, what is core to understand is how we view the whole issue of identity management. The failure of identity management occurs when we isolate it and simply manage a person and ignore the physical and logical access somebody has.
“In other words, if you do not manage both the identity and the data, and link both in some form of data classification system, all you really get is either a glorified version of single sign-on, which defeats the purpose; alternatively what happens is identities are treated as some sort of basket into which you throw everything.”
Moodley also refers to the growth in and need for role-based provisioning and deprovisioning, or role-based access control. Some personnel may have different functions depending on the day or the context and may execute different functions on different days. Someone who operates behind a till on busy days in a retail environment may be assigned a supervisor role on slow days, for example. The individual’s access needs to change as required as supervisor resources cannot be assigned to a till operator and vice versa.
More than biometrics
Moodley says these are fundamental challenges that are rarely dealt with successfully in most identity management approaches. For example, nobody talks about the overhead associated with the upkeep of permissions as an identity moves through an organisation. As one develops in your company, you gain access to new areas and resources, but what happens to older permissions you do not use or should not have access to?
“The challenge is not necessarily to find a perfect solution, it is to actually find a solution that is practical for your organisation and will leverage your virtual and your physical identity, linking it back to what you should be able to access and how you should access it,” Moodley explains.
Teryl Schroenn, CEO of Accsys adds: “I think a critical aspect we are not focusing on is what each individual company’s objective is. If you do not know what they are trying to achieve with the whole access control and identity management issue, what chance is there of delivering what they want?
“We recently installed a barcode system for a client. That was all they wanted and they are happy with it. Your solution depends on what the purpose behind it is. Is it because you sre trying to stop strangers coming onto your site? Is it because you want to know who is where and what they are doing? Is it a data collection situation where you want to know how much time each person spent on a particular function or are you limiting people’s access to a particular area?
“Is it important from a speed point of view that everybody’s sitting on a single data base? Do you have multiple systems because each system provides a different solution?
“When you are looking at identity management, the first thing to consider is what the purpose of the project is, what are they trying to keep out, what are they trying to keep in and what do they want to know? Do they need business intelligence from it or do they simply not want to allow certain people through the door? Otherwise it is just over complication.”
Redlinghuys argues that this concept reverts to identifying the person accurately for whatever the purpose of the organisation is. Once the identity is reliable, the provisioning task is simpler and the person leaves an accurate trail. No matter what the task at hand, even if it is only opening one door, the record of who did what will be accurate.
Provisioning accurately will become even more important when cloud computing becomes the norm, adds Moodley. “Many of our clients are saying to us they are going to get to cloud computing at some point in time. If they get to cloud computing and they have to pay for access and functionality, you do not want to be paying for someone to have access to applications and functionality they no longer need. Additionally, you cannot afford to have a nebulous identity management system in place that is not able to accurately match an identity and a transaction to a specific individual.”
Security according to sensitivity
Neil Cameron, general manager: Systems & Service Africa at Johnson Controls adds to the complexity of IDM by stating that solutions should also have different levels of security per person depending on the application. “If you have a low-level need for security in a particular area, you can more or less decide that a person can access the area or service. For example, when logging onto the Internet, you do not need a serious password to get on, you are not causing any damage and you do not have access to payment applications.
“If you are walking into a canteen area, you can walk in with an access card. If it is lost or stolen, the risk associated to that identity is not that important. If you have guests coming in, barcode is great, a very cheap identifier of a person allowing them certain access rights.”
Cameron says it is possible to have multiple identifies depending on the individual’s risk factor. In other words, depending on the risk and cost factors involved, one identity can have multiple identifiers. “So companies can have the flexibility of implementing biometric finger print readers in sensitive areas, while other areas might need iris readers, and others allow people to walk through with a PIN code or card.
“In the logical world, people may be able to log onto some areas of the IT infrastructure without even needing a password (although this is not recommended), while others, such as banking, will need more serious forms of identification, such as biometrics or tokens etc.
“Of course you need unbeatable IDM when dealing with finances or confidential information, but 'more or less' can work well in many cases,” adds Cameron. He tells of a research project Johnson Controls was involved with. We were putting some cameras in a shopping centre in Cape Town and using CA neural networks to identify people. Now there was no exact identification possible, but we had a 70% success rate of knowing who people were, identifying them by giving them a unique number and then defining where they go, which shops do they frequent and what shopping patterns can we pick up.
“In theory, this 'more or less' scenario could have evolved to the point where we could have collected cellular numbers and sent text messages to the identities about special offers, knowing what their habits were. It is not traditional identity management, but shows the power of effectively identifying people.”
The bottom line, according to Rode, is that an identity needs to be unique and owned by a responsible individual. On top of this, the organisation needs to define the principles that apply to its identities, such as data classification policy or a perimeter policy etc, where they define trusted, semi-trusted and untrusted environments and the processes applicable in each. “What I am trying to say is you need to define your principles, then write the policies that are going to govern your organisation from an identity management and access management point of view. In addition, I want to stress those two, it is not just identity management, it is identity and access management together. Once you have done that you can then define your policies, your procedures, your standards and your guidelines within which you are starting to now talk about the various technologies and methods that you are going to deploy.”
Complexity does not sell
While IDM may be a complex topic with as many different solutions as there are vendors, one certainty is that no matter how technically good a solution is, if it is hard to use, users will ignore or bypass it. “If you put the world’s greatest security in place and nobody wants to use it, no matter what you do, they will all spend half their lives trying to get around it,” notes Moodley. “For example, unless you put some sort of anti-pass back on a door, you will find that eventually somebody walks in, holds the door and five guys walk past.”
The same applies to the password phenomenon. Schroenn says she counted the passwords she needs to use and she has 47. That is a costly problem waiting for an accident, especially if your system insists on users changing their passwords regularly – we only have so many children and pets to use.
So effective IDM and/or access control depends on usability plus a solution being fit for purpose. A pile of passwords is not a good solution, but is biometrics the solution?
While Redlinghuys believes fingerprint biometrics is the solution to ensure accurate identification and avoid password overflow, as well as the hassles involved in forgotten passwords, not everyone agrees. Biometrics has a tainted history with people promising silver-bullet solutions before the technology was viable. Today things are somewhat different and technology has advanced (for fingerprint biometrics in any case), but there are still those who are sceptical, and then there is the cost.
Schroenn also supports fingerprint biometrics and says it has worked for Accsys clients in small and large companies. She again stresses that it depends on what the client wants and is prepared to spend.
Rode supports two-factor and token-based identification (not to mention RSA’s encryption technologies) as it extends security beyond what the individual knows. Even if someone does steal your password, without the token, access will not be granted.
Moodley, on the other hand, has another solution in keyboard-based biometrics. This is a solution in which each person can use the same passphrase (as opposed to a password) and the biometric technology interprets the way in which each individual types on their standard keyboard to confirm their identity – of course this only works for logical access.
It is clear that education and understanding is very necessary in the world of IDM. There are many solutions, some seemingly infinitely complex that business leaders need to work through to find an acceptable solution for their companies.
Schroenn believes education is critical when it comes to IDM as a whole. Many mistakes will be made while business leaders are confused by the variety of IDM solutions offered. What matters is the communications you engage in with your customers and the change management around new solutions. If the new solution makes sense, is easy to use and delivers value, there is a better chance people will accept it.
One thing is clear, a product-based approach is not the way to go about IDM. Once you know what you want and have developed the policies and processes to achieve it, the technical aspects will fall into place almost immediately. You may also want the advice of a seasoned, independent consultant in developing an IDM strategy.
Identity management defined
“Identity management is a broad administrative area that deals with identifying individuals in a system (such as a country, a network, or an organisation) and controlling access to the resources in that system by placing restrictions on the established identities of the individuals.
Identity management is multidisciplinary and covers many dimensions, such as:
* Technical – Employs identity management systems (identification, implementation, administration and termination of identities with access to information systems, buildings and data within an organisation).
* Legal – Deals with legislation for data protection.
* Police – Deals with identity theft.
* Social and humanity – Deals with issues such as privacy.
* Security – Manages elements such as access control.
* Organisations – Hierarchies and divisions of access.”
How much do passwords cost?
For a moment, forget about the security aspects of passwords and focus on their costs. Although they appear free, passwords cost your organisation a material portion of its IT support budget. A portion that could be more wisely utilised while increasing your security. This silent budget killer is simply the time your technical support staff devote to resetting users passwords. This does not include the abstract costs associated with lost productivity of the user or security breaches, etc, but the good old
fashioned labour cost of the help desk personnel physically resetting passwords on the system. It does not matter if you provide technical support with in-house personnel or outsource it, if you pay for technical support 'by the call' or it is fixed price, this cost is a major and often hidden component of your support budget.
According to the Gartner Group, between 20% to 50% of all help desk calls are for password resets. Forrester Research states that the average help desk labour cost for a single password reset is about $70.
Although statistics vary depending on the organisation, the following are universal findings; the stronger the enforcement of security policy for password management, the greater the number of calls for password resets. For the user, a forgotten password represents frustration; for the IT organisation, it is mundane and time consuming work that is the leading cause of high turnover in technical support positions.
|Tel:||+27 11 543 5800|
|Fax:||+27 11 787 8052|
|Articles:||More information and articles about Technews Publishing (SA Instrumentation & Control)|
© Technews Publishing (Pty) Ltd | All Rights Reserved