“When you have proprietary apps that maintain their own database of users and access restrictions, it becomes more difficult and expensive,” notes Toby Weir-Jones, director of product management at Counterpane Internet Security, in Chantilly, Va. “Traditional infrastructure companies are populated with huge numbers of these applications. You can’t just rip them all out and do something simple.”
For example, Regions Financial began implementing Sun Microsystems’ access management scheme for its 25,000 employees in January 2005, but only completed phase one of the project -- password management -- in August. Part of the challenge was making sure that Sun Java System Identity Manager could communicate with the many diverse applications Regions uses in its day-to-day operations, says Bruce Paterson, a senior project manager at the company’s technology department in Montgomery, Ala.
To do this, Regions uses software “adapters” that log in to each application and sync user names and passwords with those in Identity Manager. Sun’s IDM suite came bundled with adapters for such well-known systems as Lotus Notes and Microsoft Active Directory, but Regions had to build custom adapters for many of its other apps. The password management system had to be tested across Regions’ individual PC and network environments, then incrementally rolled out across the company.
“We did a lot of testing to make sure Identity Manager would work with all the different environments in the company,” Paterson says. “We tested it in our retail branches, back offices, and call centers over a two-month period before we started the rollout, then we took another six weeks to implement it across our different geographical regions. We did this so if a problem was detected, it wouldn’t impact the entire company.”
At press time, Regions was beginning to roll out Sun’s account provisioning functionality. Instead of tackling the organization as a whole, the bank is only defining job roles as employees are hired or change jobs. Provisioning will initially be limited to the network, Lotus Notes, and the mainframe. In the next phase, slated to be completed in February, Regions plans to automate provisioning for its bank tellers.
Paterson says the project has cost around $500,000 so far, including the cost of all internal labor, outside contractors, and consultants.
“We believe in developing some functionality, then deploying it; developing a little more functionality, deploying that, and so on,” says Paterson. “If you keep doing this type of spiral development, your customers can see your progress.”
The identity challenge
For many enterprises, however, the hardest part of rolling out an IDM suite isn’t merely testing and deploying the software. The bigger challenges involve documenting business practices and defining who gets access to what.
“Having clear processes documented from the start was a huge help,” says Cindy Sellers, chief information security officer at Principal Financial, which uses Thor Technologies’ Xellerate to automate and track access for its 15,000 employees. “If we had to start from scratch by documenting our processes, it would have slowed us down tremendously.”
No one understands that better than SunTrust’s Callahan. “The hardest part for us has been defining the roles,” he says. He estimates that the company has defined approximately 150 roles or levels of access based on business unit and job title.