Easing access control

Pity the poor security administrator. Charged with enforcing safe-computing policies, he or she often discovers that users "hide" multiple passwords to multiple network resources under mouse pads. Forgotten-password syndrome leads workers to flood the help desk with calls. Productivity grinds to a halt for workers locked out of key applications.

Such trying situations are enough to make anyone consider a career change. But there may be help for those who must ride herd over portals, intranets, extranets and other hard-to-corral resources. A suite of applications, grouped under the heading of identity management, promises to solve many problems administrators face.

Those applications include single sign-on, password management and user provisioning. The software varies in maturity. Single sign-on is perhaps the best-established area, but newer products offer to broaden the horizons of identity management. Vendors offer identity management point products or suites, with market participants ranging from start-ups to industry veterans.

Identity management may relieve some headaches, but deploying it is a challenge. Solutions may be difficult to install across multiple Internet domains or have trouble supporting more users. But technology isn't the only challenge. Identity management projects may span departments and external constituencies such as business partners and citizens. Buy-in from such diverse groups is crucial.

Because of identity management's complexities, most organizations have adopted an incremental approach.

"We're doing it in very small, incremental steps, but we've developed a long-range, overarching plan for identity management," said Brent Roberts, identity administrator for North Carolina. Its deployment will eventually cover employees, businesses and citizens. "We didn't want to tack all those [groups] upfront. We started with one agency, one application and created a repeatable model."

Single Sign-On

Those agencies pursuing identity management have a wealth of functionality to consider. Single sign-on, for example, lets users sign on once to dig into an organization's portfolio of Web applications. The password management function provides a self-service capability that enables users to reset their passwords. Account management and user provisioning, meanwhile, help administrators create or delete user accounts and provide access to network resources.

An organization's most pressing need usually determines which identity management feature is deployed first.

Single sign-on is the priority for some agencies. Benefits include an improved user experience and better enforcement of security policies. The method eliminates the need for multiple passwords, which frustrated users frequently write down rather than memorize.

The single sign-on function has been around longer than other identity management components, first coming to the forefront during the late 1990s' e-commerce frenzy. "A lot of companies can do single sign-on," said Rick Simmons, director of federal sales at Oblix Inc., an identity management vendor. "That's almost a commodity now."

Single sign-on may be familiar, but that doesn't make it any easier to implement. Ray Bjorklund, vice president of market intelligence and chief knowledge officer at Federal Sources Inc., calls the government's use of single sign-on sporadic. "The government would like to do something like this, but [agencies] are trying to figure out what...classes of users need to be working within this information-sharing environment," he said.

"Most people are struggling with single sign-on," added Michael Beckley, co-founder of Appian Corp., a software and professional services firm. "Some entities have done well and some continue to struggle mightily based on the complexity of internal agency structures. Some agencies have hundreds of separate [Microsoft Corp. software] domains they are trying to enable single sign-on across."

At the Army, however, single sign-on is available for hundreds of applications, Beckley noted. Appian, systems integrator for the Army Knowledge Online portal, brought in Netegrity Inc.'s SiteMinder for single sign-on capability. Appian also used its own personalization software.

Other organizations have begun single sign-on pilot projects. The Navy's Task Force Web initiative provides a particularly complex example. It aims to implement identity management across naval enclaves, including users at sea, also known as "float" users.

The Navy is testing Oblix's NetPoint as a single sign-on solution for the Navy Enterprise Portal, said Terry Howell, the portal's program manager. The pilot project involves one battle group.

"There's still some engineering we need to do to make single sign-on really work for our float users, who are occasionally disconnected," Howell said. For those users, "the ability to have single sign-on available for all the infrastructure that's on the beach is difficult to do if the shore establishment can't reach back to the ship to verify that the user is indeed who he says he is."

Password Management

For agencies seeking a reasonably fast return on investment, password management may top the identity management wish list.

Password management's benefits are readily quantifiable, said Tom Rose, vice president of marketing at Courion Corp., an identity management vendor. Users who can reset their forgotten or expired passwords don't need to call the help desk.

"It's well documented that those calls are expensive," Rose said, noting that a help-desk SOS can cost $30 a ring.

The Internal Revenue Service deployed password management to reduce help-desk calls and boost customer satisfaction. The bulk of IRS' information technology infrastructure is based on IP, so access to almost all its applications is through local-area networks. "So you've got to be able to get to your workstation in order to be productive," said Jim Kennedy, the agency's program manager of enterprise systems management.

Employees often complained of being locked out of their workstations, however. IRS' enterprise service desk found that Microsoft Windows NT unlocks and resets accounted for about a third of its call traffic — about 200,000 calls between November 2002 and the end of March.

IRS decided self-service password management could alleviate the situation. Last month, the organization began rolling out Courion's PasswordCourier to some 80,000-plus workstations. The deployment was ongoing at press time, but Kennedy believes a 70 percent to 80 percent reduction in unlock and reset calls would have a huge impact. "That's a lot of cost avoidance," he said.

Provisioning

Some executives contend user provisioning may become the next major identity management application.

Identity management systems generally include tools for creating user accounts and managing user groups. User provisioning further automates administration, granting or revoking access to such resources as e-mail, enterprise applications, databases and portals.

"We are waiting to get beyond password management deployment and will look at a broader account management," the IRS' Kennedy said. Agency officials would like to be able to automatically give new employees appropriate network access. The goal is to "have those accounts created systemically instead of involving an administrator," he said.

The Navy Task Force Web hasn't yet moved to user provisioning, but Howell said the approach is consistent with the group's goals. He calls user provisioning the next logical step once single sign-on has been established.

And with this step-wise progress, agencies hope to reach the promised land of improved security, greater productivity and a friendlier user experience.

Moore is a freelance writer based in Syracuse, N.Y.

***

Fitting in

Identity management systems can't stand alone.

Products on the market today have a variety of integration points into existing systems. To authenticate users, identity management systems must interact with corporate and departmental directories, where the user information is stored. Accordingly, vendors typically support such directory servers as Microsoft Corp.'s Active Directory, Novell Inc.'s eDirectory and Sun Microsystems Inc.'s SunOne Directory Server.

Identity management wares support a range of authentication methods, including traditional passwords, smart cards and biometric devices. And some products integrate with other security systems, such as IBM Corp.'s mainframe-oriented Resource Access Control Facility. Oblix Inc.'s NetPoint product family, for example, includes a connector that can tap mainframe repositories for user identity information. North Carolina officials are exploring integration between NetPoint and RACF.