Identity management in action

Implementing an identity infrastructure has real rewards, say customers, but it isn't easy

Think you’re ready to deploy IDM (identity management) in your organization? John Aisien, vice president of marketing at IDM vendor Thor Technologies, won’t kid you about the realities.

“Identity management is by definition hard, and anyone who says otherwise doesn’t have enough experience doing it,” Aisien says. “You have to centrally manage multiple applications and platforms that were not designed to be managed centrally. The technology lets us do that, but it’s not easy.”

It’s also usually anything but cheap. Costs vary widely, based on the size and complexity of the organization and the kinds of services it implements. Throwing federation into the mix complicates matters further (see Federation takes identity to the next level).

Most companies are loath to talk about how much they’ve actually spent or to quantify the return on their investment. For large or complex organizations, however, it’s safe to say that implementing IDM can take years and cost many thousands of dollars. Aisien says his firm’s customers typically have revenues of $1 billion or more and pay a minimum of $100,000 in annual license fees.

IDM is not for the faint of heart.

Nonetheless, The Radicati Group projects that the worldwide identity management market will grow from around $1.2 billion in 2005 to more than $8 billion by 2009. It’s not hard to see why when the potential benefits are so compelling.

Big money, big returns?

“Security is not the number one reason why we adopted [identity management], but it’s a really nice side effect,” says Paul Beaudry, director of technical services for James Richardson International (JRI). The agribusiness giant uses Novell Identity Manager and a home-grown portal app to provide SSO (single sign-on) for its financial, database, and ERP applications.

Before implementing its system, JRI’s 800-plus computer users had multiple user names and passwords “written on sticky notes pasted to their keyboards,” Beaudry says. Now each has a single portal ID and password, and users are prompted to change their log-ins every 90 days.

In addition to facilitating smarter security policies, SSO can also provide real cost savings. By reducing the volume of IT help desk calls from users who forget their passwords, SSO can save companies an estimated $15 to $30 per call.

According to Tim Callahan, group vice president in charge of access control and support services at SunTrust Banks, nearly a thousand bank employees used to spend part of each day retrieving or resetting users’ passwords -- the equivalent of 60 full-time positions. Since implementing an IDM suite from Courion, the company has slashed that number by 75 percent.

But the biggest return comes from provisioning -- automating the process of creating accounts for new hires, changing access levels as employees change jobs, and shutting off accounts when employees leave the company.

Prior to using Courion, it could take as many as 10 days to get new hires fully up and running at SunTrust, Callahan says. Now, the provisioning process takes less than a day. And when SunTrust needed to consolidate employees from 28 recently acquired companies into one unified entity, the Courion software was invaluable.

When SunTrust acquired National Commerce Financial (NCF) in October 2004, for example, Callahan says the bank was able to map most of NCF’s employees to roles it had already created. “Rather than coming over haphazardly and ugly, they came over in a clean fashion,” he says.
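The provisioning lifecycle described above (create on hire, adjust on job change, shut off on departure) and the mapping of an acquired company's staff onto existing roles are easier to reason about in code. The example below is added here and is not code from SunTrust, Courion or any other vendor in this article; the role catalogue, job titles and employee names are constructed sample data, and the `Provisioner` and `map_acquired_employees` names are the author's own. The mover step is the one worth studying: it removes entitlements the new role does not carry, which is what stops access from accumulating as people change jobs, and every step lands in an audit list of the kind an auditor asks to see.

```python
"""Role-based provisioning lifecycle: joiner / mover / leaver.

Added illustration only; not code from any vendor named in the article.
Roles, systems and employees below are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed role catalogue: role name -> entitlements ("system:access").
# Contractors who need no network resources get an empty set on purpose.
ROLE_CATALOGUE = {
    "teller": {"core-banking:read", "core-banking:post", "email:user"},
    "branch-manager": {"core-banking:read", "core-banking:post",
                       "core-banking:approve", "email:user", "hr:reports"},
    "helpdesk-contractor": {"email:user", "ticketing:agent"},
    "building-contractor": set(),
}


@dataclass
class Account:
    user_id: str
    role: str
    entitlements: set = field(default_factory=set)
    active: bool = True


class Provisioner:
    """Hypothetical provisioning engine driven entirely by the role catalogue."""

    def __init__(self, catalogue):
        self.catalogue = catalogue
        self.accounts = {}
        self.audit = []  # (action, user_id, detail) tuples; the log auditors ask for

    def _log(self, action, user_id, detail):
        self.audit.append((action, user_id, detail))

    def join(self, user_id, role):
        # Joiner: access is derived from the role, never hand-assigned.
        if role not in self.catalogue:
            raise KeyError(f"no role defined for {role!r}")
        ents = set(self.catalogue[role])
        self.accounts[user_id] = Account(user_id, role, ents)
        self._log("join", user_id, sorted(ents))
        return self.accounts[user_id]

    def move(self, user_id, new_role):
        # Mover: compute the diff so stale access is revoked, not accumulated.
        acct = self.accounts[user_id]
        target = set(self.catalogue[new_role])
        removed = acct.entitlements - target
        added = target - acct.entitlements
        acct.entitlements = target
        acct.role = new_role
        self._log("move", user_id,
                  {"removed": sorted(removed), "added": sorted(added)})
        return removed, added

    def leave(self, user_id):
        # Leaver: strip everything and disable, but keep the record for audit.
        acct = self.accounts[user_id]
        revoked = sorted(acct.entitlements)
        acct.entitlements = set()
        acct.active = False
        self._log("leave", user_id, revoked)
        return revoked


def map_acquired_employees(provisioner, roster, title_map):
    """Map an acquired company's job titles onto existing roles.

    roster: iterable of (user_id, job_title) from the acquired company.
    title_map: acquired job title -> role in our catalogue.
    Returns the employees with no mapping, left for manual review instead
    of being provisioned "haphazardly".
    """
    unmapped = []
    for user_id, title in roster:
        role = title_map.get(title)
        if role is None:
            unmapped.append((user_id, title))
            continue
        provisioner.join(user_id, role)
    return unmapped


if __name__ == "__main__":
    p = Provisioner(ROLE_CATALOGUE)
    p.join("alice", "teller")
    p.move("alice", "branch-manager")
    p.move("alice", "helpdesk-contractor")
    p.leave("alice")
    left_over = map_acquired_employees(
        p, [("bob", "Teller II"), ("carol", "Vault Custodian")],
        {"Teller II": "teller"})
    for entry in p.audit:
        print(entry)
    print("needs manual review:", left_over)
```

Run the file directly to see the audit trail for one employee's whole career plus an acquisition import; the `unmapped` list is the piece that turns a merger from a months-long manual job into a short review queue.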

“Instead of pulling aside your entire IT department for months to integrate a company you’ve just acquired, you can enable it to happen in a couple of days automatically,” says Courion president and CEO Chris Zannetos. Indeed, he says, making it easier to assimilate large numbers of new employees is one of the key drivers behind IDM systems.

Like many people interviewed for this InfoWorld story, SunTrust’s Callahan is reluctant to reveal the exact cost of his IDM project. Although he says it’s “less than seven figures,” he estimates that having an identity infrastructure saves the company $2 million a year on provisioning and password management alone.

Comply or die

The network management benefits of IDM are attractive to any organization, but the biggest single driver for the adoption may be Uncle Sam. IDC analyst Sally Hudson estimates that compliance is behind 70 percent of the revenue in the identity and access management market.

“There’s a big rush to be compliant, especially around Sarbanes-Oxley,” says Wynn White, senior director of technology marketing and security and identity products at Oracle. “Companies have put together these manual processes with chewing gum, baling wire, and crazy glue. It’s very expensive and not all that secure.” White says IDM systems can standardize how enterprises segment users and control access, driving down the overall cost of compliance.

Rich Casselberry, CIO for networking security firm Enterasys, says its identity management system makes dealing with compliance issues a more pleasant experience. The company uses MIIS (Microsoft Identity Integration Server) 2003 to manage accounts for more than 800 full-time employees and up to 150 contractors.

Because Enterasys is a longtime Windows shop, integrating MIIS 2003 into its network was relatively straightforward, Casselberry says. It took the company less than three months to implement the IDM system, at a cost of $125,000.

Using MIIS, Enterasys creates different types of accounts for contractors who need access to network resources -- help desk employees, for example -- and those who don’t, such as building contractors. Casselberry says that comes in handy when it’s time for the company’s annual Sarb-Ox audit.

The MIIS system “takes what used to be a two- or three-day conversation and reduces it to 30 to 45 minutes,” Casselberry explains. “The challenge is convincing the auditors that our system really works. They say, ‘It can’t be that easy; we need to see the logs.’ So we show them the logs.”

Results like these are often enough to convince even the most budget-conscious executives, says Oracle’s White. “One of the bigger pain points around identity management has been getting buy-in across the entire organization. In the early days you saw islands of deployment, but you ultimately hit a wall. Compliance concerns are helping push IDM out onto everyone.”

Confronting complexity

Although a simple SSO scheme can be rolled out in a matter of months, implementing a full IDM suite within a large enterprise can literally take years, due to the technical complexity of managing access across multiple platforms and applications.

“When you have proprietary apps that maintain their own database of users and access restrictions, it becomes more difficult and expensive,” notes Toby Weir-Jones, director of product management at Counterpane Internet Security, in Chantilly, Va. “Traditional infrastructure companies are populated with huge numbers of these applications. You can’t just rip them all out and do something simple.”

For example, Regions Financial began implementing Sun Microsystems’ access management scheme for its 25,000 employees in January 2005, but only completed phase one of the project -- password management -- in August. Part of the challenge was making sure that Sun Java System Identity Manager could communicate with the many diverse applications Regions uses in its day-to-day operations, says Bruce Paterson, a senior project manager at the company’s technology department in Montgomery, Ala.

To do this, Regions uses software “adapters” that log in to each application and sync user names and passwords with those in Identity Manager. Sun’s IDM suite came bundled with adapters for such well-known systems as Lotus Notes and Microsoft Active Directory, but Regions had to build custom adapters for many of its other apps. The password management system had to be tested across Regions’ individual PC and network environments, then incrementally rolled out across the company.

“We did a lot of testing to make sure Identity Manager would work with all the different environments in the company,” Paterson says. “We tested it in our retail branches, back offices, and call centers over a two-month period before we started the rollout, then we took another six weeks to implement it across our different geographical regions. We did this so if a problem was detected, it wouldn’t impact the entire company.”

At press time, Regions was beginning to roll out Sun’s account provisioning functionality. Instead of tackling the organization as a whole, the bank is only defining job roles as employees are hired or change jobs. Provisioning will initially be limited to the network, Lotus Notes, and the mainframe. In the next phase, slated to be completed in February, Regions plans to automate provisioning for its bank tellers.

Paterson says the project has cost around $500,000 so far, including the cost of all internal labor, outside contractors, and consultants.

“We believe in developing some functionality, then deploying it; developing a little more functionality, deploying that, and so on,” says Paterson. “If you keep doing this type of spiral development, your customers can see your progress.”

The identity challenge

For many enterprises, however, the hardest part of rolling out an IDM suite isn’t merely testing and deploying the software. The bigger challenges involve documenting business practices and defining who gets access to what.

“Having clear processes documented from the start was a huge help,” says Cindy Sellers, chief information security officer at Principal Financial, which uses Thor Technologies’ Xellerate to automate and track access for its 15,000 employees. “If we had to start from scratch by documenting our processes, it would have slowed us down tremendously.”

No one understands that better than SunTrust’s Callahan. “The hardest part for us has been defining the roles,” he says. He estimates that the company has defined approximately 150 roles or levels of access based on business unit and job title.

SunTrust began the process of defining access control roles in February 2003. By the end of the first year it had assigned roles for 60 percent of its 35,000 employees. Callahan says he hopes to reach 80 percent by the end of this year.

There is no doubt that implementing an identity management scheme can be expensive, complex, and time-consuming, but it can also lead to greater efficiencies and cost savings over the long haul. More importantly, the alternatives aren’t pretty.

Like insurance, the true value of an IDM infrastructure is often measured against the bad things that could happen if you don’t have one -- from running afoul of federal regulations to inadvertently exposing sensitive data to unauthorized parties.

“What would you pay to avoid being featured in a negative article on the front page of the Wall Street Journal? You’d pay a lot,” says Counterpane’s Weir-Jones. “In the end, it’s a lot cheaper to be well prepared than to recover from being ill prepared.”

Copyright © 2005 IDG Communications, Inc.