BellSouth Corp.'s call center employees often need to access several applications to answer a single customer service call. Each time they have to type in a new password -- or retype the same password -- it makes the call take a little longer. And in call centers, where manpower is the biggest expense, time wasted means money lost. BellSouth's answer to this problem is an identity management project that allows the call center reps to access the company's most commonly used applications with a single log-in.
BellSouth's project might not fit the information technology industry's definition of true identity management -- which would include not only single sign-on, but also strong authentication (proof-of-user identities) and rule- or role-based provisioning (automatically providing access to the right applications and data) -- but the industry definition misses the point.
This is identity management in the real world, where CSOs live and work.
CISO Mark Johnson says Halliburton Co. is taking a phased approach to defining end user roles.
Companies ask two critical questions of their employees and business partners: Who are you? And what resources do you need to do your job? Simple questions, yes. But when you've got hundreds or thousands of employees, customers, databases, systems and physical plants, the answers become exponentially more complex. Identity management aims to simplify and automate those answers. In fact, the early hype claimed that identity management would solve those problems completely. Early adopters, though, found that trying for the whole enchilada typically resulted in severe indigestion, as they wrestled to implement systems, cobbling together directory tools, biometric systems, single sign-on applications, workflow software and a host of other technologies.
Today's CSOs have scaled back their expectations and are happier for it. Ask a dozen companies to describe their identity management projects (for this article, we did), and you'll get as many different answers -- from reduced sign-on at BellSouth to provisioning-focused work at Halliburton to smart card-based network and facility access at The Boeing Co.
"A lot of people use the term identity management loosely," says John Lyons, Boeing's manager of identity systems and services. "I think it's academic. Identity management is a matter of what your particular business model is." Lyons certainly has hit on the heart of the matter. In some cases, narrow identity management solutions will scale up to greater ambitions. In others, the scope may remain small. CSOs at both extremes report with great pleasure that identity management pays off in very concrete ways when the scope and details are determined by the needs of the business.
Cutting password clutter
At most sizable companies, passwords are like potato chips: Bet you don't have just one.
"We're seeing that the average user has roughly 15 user IDs and passwords -- all expiring at different dates," says Roberta Witty, a vice president of research at Gartner Inc. As a result, corporate help desks are inundated with requests for password reminders and resets. Cutting sign-on complexity is, for most companies, the low-hanging fruit when starting identity management efforts and demonstrating immediate payback.
For example, Motorola Inc., using existing user directories, has reduced sign-on for "tens of thousands of employees" to two primary account passwords -- one for Web services and the other for Windows -- according to Vice President and CISO Bill Boni.
The trick is to avoid being seduced by the word single in single sign-on. Boni says reducing sign-on to a number of other applications proved too problematic from a technology standpoint. BellSouth's project demonstrates a second benefit of reduced sign-on: faster service time. "In a highly sensitive call center environment, it's critical to take as little time as possible per call. So not having to log in with a lot of credentials and passwords to different applications saves time and money," says Monique Shivanandan, vice president of information technology strategy, security and business continuity for BellSouth. Since January 2003, BellSouth has converted 20 percent of its busiest call center applications into one sign-on, with plans to convert remaining applications during their regular new-release schedules (so long as there are no functional conflicts).
BellSouth's work illustrates a common result among today's identity management projects. Those who start and succeed with a single manageable task often find their systems being stretched to take on additional functionality.
Shivanandan says that almost from the onset of the company's sign-on reduction project, IT and business managers started envisioning new uses for identity management -- provisioning, workflow management, inventory management, vulnerability management and multifactor authentication (including biometrics). "We realized all sorts of business cases around why we're doing this and started identifying other places we could make improvements," she says.
Eventually, for example, a provisioning system would also achieve regulatory compliance for access audit trails, stabilize the system by creating a common identity structure and dramatically reduce the cost of account administration, she continues. In particular, the process of getting a new worker up and running with all his resources could potentially be cut to an hour instead of taking several days to a week.
For BellSouth, those provisioning dreams face some technical hurdles. For now, it's difficult to provision across a wide swath of applications because of the middleware-agent model these tools use -- not to mention the time it takes to determine the resources each employee would need in the first place. But as with reduced sign-on, provisioning isn't so daunting when companies start by identifying a small handful of applications that are most used, and don't worry about how many roles their system can accept.Roles are a critical concept in identity management. A role is essentially a job description that is connected to certain access rights. For example, a role broadly defined as "human resources" might be provided appropriate access rights to a suite of HR and payroll applications. When a new HR employee starts, the system administrator creating the employee's network account can simply assign her the "HR" role instead of having to set up access to those applications one by one.
Nextel Communications Inc., using Xellerate provisioning software from Thor Technologies Inc., started by developing only four basic user roles: employees, contractors, trading partners and customers. These roles are provisioned simply with the right access to Nextel's three most commonly used services: e-mail, LAN and intranet. "In time, we want to move to a more granular approach, like identifying whether (employees) are in sales or customer care," says Tom Deffet, Nextel's director of IT strategy and architecture. That way, he adds, they can better tailor resources to employees' specific job functions.
In fact, trying to define too many roles could be the kiss of death, says Gartner's Witty.
"Companies that try and establish roles for an entire enterprise, as opposed to one application or department, will end up with as many roles as there are employees," she says. "And it's hard to maintain because the business is always changing. So you must start small and look at all of this identity management as evolutionary."
In fact, this kind of provisioning exercise brings to light another important principle. Identity management, while it can involve numerous technologies and products, is ultimately more about business processes. "Setting and automating access across all systems used by people to do their jobs is a very nontechnical thing to tackle," says Gerry Gebel, senior analyst with the Burton Group. "It's more a social exercise in organizational dynamics. You've got to figure out how the company operates and how you can use technology to improve those processes."
Halliburton is an example of a company that has progressed a bit farther down that road. The company has already defined close to 100 user attributes in its role-based provisioning system, including country code, cost center, product service line and employee type. Halliburton's system uses three products -- OpenNetwork Technologies Inc.'s Universal IdP, Microsoft Identity Integration Server and Ultimus BPM -- for provisioning, password change, workflow management and resource entitlements. "We take a holistic approach to identity management," says Mark Johnson, Halliburton's CISO. "Our approach is access to information anywhere, anytime, by anybody. To accomplish that, we need fine-grained access and authorization when employees need it, where they need it."
That's a daunting profiling task; Halliburton has 100,000 employees (although Johnson notes that only half that number use computers). The company is managing the risk inherent in that complexity by biting off projects in digestible pieces. The first phase is the creation of "stub" accounts, which allocate to users only basic resources -- including Windows, the employee portal, online learning, the performance review system, e-mail, storage and remote access. These stub accounts are automatically created when a new hire is keyed into the company's SAP system.
Future phases will involve rolling out entitlement servers in Asia and Europe to improve response times to new provisioning requests. Early next year, several other applications should be provisioned into the infrastructure, and applications will continue to be provisioned during scheduled upgrades and new application development.
"People access our SAP HR data round the clock to make changes like adding and removing employees. Our system pushes out those changes and distributes them automatically six times a day," Johnson says. "Prior to that, all those changes -- roughly 2,000 a day -- were done manually. Even at one minute per change, you're talking 2,000 minutes. That's equal to three people doing this full time."
Furthermore, each application provisioned is one less place the administrator has to manually look for accounts to deprovision, says Phebe Waterfield, security analyst with The Yankee Group. "Deprovisioning is a real bee in my bonnet," says Waterfield, formerly a systems engineer for a financial firm. "It would take one to four hours to deprovision a single user. And even then, you never knew if you got all of them."
Reducing sign-on is clearly a security benefit because with one or just a few passwords, users are less likely to put those passwords in jeopardy by writing them down or storing them in a file on their hard drives. But it also creates a single point of entry into all the systems allocated to that password, which could pose an added risk.
That's why BellSouth's Shivanandan is currently evaluating biometrics as an extra layer of authentication in her enterprise.
St. Luke's Episcopal Hospital in Houston coupled smart cards with reduced sign-on in 2001. With workstations sprinkled throughout the hallways, the hospital's 922 doctors were spending too much time reauthenticating on each computer as they did their rounds, says Curtis Burkhart, lead system analyst on the Physician Information System Management Team.
Working with BNX Systems Corp.'s Authenticated Single Sign-On, the hospital integrated the doctors' user profiles into a single database and granted them access to five of the busiest hospital applications with a single sign-on using the smart cards to authenticate. Doctors must still log on and off of every computer as they proceed along the hallways. But the process of swiping the card through a keyboard reader and entering a self-selected PIN has trimmed five seconds off the original user name and password process. And they need to do it only once for the five most used applications.
Eventually Burkhardt would like to advance to proximity cards, which would also function as building access controls to save the doctors even more time. But that would require hardware replacement costs he can't currently justify.
Boeing, however, has the business case to do just that. The company is already rolling out combined logical- and physical-access cards for nearly 156,000 employees worldwide, in an identity management project that stemmed from Boeing's physical security operations.
In late 2001, Boeing's physical security group had plans for a common proximity badge to replace about a dozen different badge types that had proliferated across the enterprise (the result of a series of mergers and acquisitions). Swapping out the hardware was cost-justified because it eliminated the expense of maintaining as many different brands of badge readers to read all the cards. At the same time, the technical security team was looking into a separate secure authentication project using high-level RSA x.509-based digital certificates for a higher level of secure access to data resources. "The executives decided it would be better to combine the projects," says project program manager Sharon Lindley, who reports to both the CSO and the CIO.
Boeing plans to issue 35,000 combined smart cards/proximity badges by year's end (13,000 of which were already in use by September). The company will issue the remaining 120,000 in 2005.
"We feel that even strong passwords are too weak an authentication form," says Boeing's Lyons. "So we prove identity with the x.509 certificate on the badge. That in turn lets our authorization systems look up additional information about individuals in the electronic directory and make roles."
Like others, Boeing is taking the project forward in degrees by rolling out the cards group by group. And current roles are rudimentary. The company's internally written authorization logic bases its decisions on information such as, Is this person a U.S. citizen? Is this person a Boeing employee or a contractor? So, for example, if a non-U.S. worker wants access to the International Traffic in Arms Regulation data, the system will recognize that that person is a non-U.S. citizen and therefore restrict access, Lyons says.
Justifying the ends
There's an argument to be made for not plunking down the money for any identity management system until enterprisewide requirements have been defined. In fact, a recent Cutter Consortium report urged CIOs and CSOs to do exactly that, since a piecemeal approach could quite conceivably lead to incompatible systems or expensive overhauls down the road if the fledgling system can't scale up. But again, the folks on the corporate front lines seem unwilling to dally too long over enterprisewide definitions.
Boeing, for example, is not making its decisions based on any unified vision of identity management. Quite the contrary, says Lyons. With the company's product and intellectual property critical to national security, it's making its decisions based on primary business drivers, which are compliance-related in nature and inherently risk-averse. It can't afford the risk (despite potential cost-savings) of, say, using the same type of Web-based application for its U.S. Department of Defense clients as it does for its airline customers. So Boeing uses a separate, proprietary access system and segmented network for agencies connecting in from the DOD. And so, too, will the employee-contractor identity system always stand alone.
Says Lyons, "You need to manage the identities, logically separate how you do authentication, then extend that to make specific resource decisions."
With more than 100 flavors of identity management systems on the market today, Lyons' attitude makes perfect sense. Tailoring the organization to security just won't work. It's the security that must fit into the existing organization if it's to be done right. And given the unique drivers of businesses, it's no wonder identity management infrastructures are as different as snowflakes.