HVL/Nulli Secundus 2001
Identity Management
Guy Huntington, President HVL
Derek Small, President Nulli Secundus
Why Bother?
• Identity management leads to significantly reduced costs, improved service, increased productivity and competitive advantages over competitors
• E-business requires a high degree of system integration
• Identity management is the place to start in rethinking system workflows
Identity Management
• Identity Management is the secure process of defining, creating, handling, updating and archiving core information about an individual
Core Information
• Core information includes such basics as name (first, last, full name, common name), identification number(s), contact information, and any other information about an individual that the enterprise deems important to securely gather, store and monitor, and to exchange portions of between systems
But We Already Do That!
• You’re right…you do it potentially hundreds of different ways and that’s where the problems and opportunities are
• The ERP, HRIS, financials, payroll, data warehouses, CRM, marketing, sales, manufacturing, security, network, portals, contact management, e-mail, facilities and all your other 100-200 systems create, store, handle, archive and secure identities their own way
Identity Universes
• Each application has its own system of managing identities, built at a time when identity standards were lacking
• From an identity management perspective, each system in effect views itself as if the other systems don’t exist
• You might be surprised how much this approach is costing you in productivity, maintenance costs and competitive advantage
Look-Ups & Org Charts
• Companies like Cisco and others have calculated the cost to their company in finding out who people are in the organization, their reporting structure and how to contact them
• The costs with their old legacy systems are in the tens of millions of dollars each year
Look-Ups & Org Charts
• Not being able to find people instantly causes an even bigger hit in overall productivity
• Too much time is spent on trying to find information and people rather than dealing with the core tasks pertinent to achieving corporate goals
New Hires
• Poor identity management for the new hire process is another big financial and productivity hit in corporations
• Often the new hire may take weeks and even months to get finished with all the 100-200 business system registrations
New Hires
• What is the cost to your corporation for every day, week and month of lost productivity for new hires?
• The costs can easily be millions or tens of millions of dollars annually
Competitive Advantage
• In the world of internet time, integrating systems internally, between you and your partners and with the internet for your customers is imperative
• The cost you pay for poor, slow and expensive identity information transfer between your systems is a competitive disadvantage against competitors who have figured out that a modern identity management strategy makes money
Competitive Advantage
• By instantly synchronizing all your identity systems, you can consider new forms of doing business with your customers
• Offer new identity based services from your back-office systems to improve service
• Integrated, nimble identity systems mean fast response to market changes
• Provides greater control over assuring customers that their information is secure
Security
• In e-business, the lack of coordinated identity systems often leads to security lapses
– Time lapse
– Information continuity
• Customer, employee or business partner identity information may be placed at risk or inadvertently given out
Security
• The response time to making an identity change creates security breaches
– A consultant leaving a company may still remain for some time with network, application and even authorization privileges
– A customer requesting their information be kept confidential may find themselves still on mailing, distribution and publicly available access lists for months after making the request
– Companies may have trouble ensuring employee home numbers/social security IDs are not given out and are properly secured
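The time lapse described on this slide can be measured by reconciling each system's accounts against the authoritative source. The following is an added example, not part of the original presentation; the HR feed layout, system names, logins and dates are constructed assumptions.

```python
from datetime import date

# Constructed sample data: an authoritative HR feed and account exports
# from three downstream systems. All names and ids are hypothetical.
HR = {
    "e1001": {"name": "A. Rivera", "end": None},
    "c2001": {"name": "B. Chen (consultant)", "end": date(2001, 3, 30)},
    "e1002": {"name": "C. Okafor", "end": date(2001, 5, 11)},
}
# Each row: (login, person id in the HR feed, account enabled?)
ACCOUNTS = {
    "network": [("arivera", "e1001", True), ("bchen", "c2001", True)],
    "erp":     [("BCHEN01", "c2001", True), ("cokafor", "e1002", False)],
    "email":   [("c.okafor", "e1002", True), ("tempuser", None, True)],
}

def find_stale_accounts(hr, accounts, as_of):
    """Return enabled accounts whose owner has left or is unknown to HR.

    Each finding is (system, login, person_id, reason, days_exposed);
    days_exposed is None when there is no HR record to date the lapse from.
    """
    findings = []
    for system, rows in sorted(accounts.items()):
        for login, person_id, enabled in rows:
            if not enabled:
                continue  # already deprovisioned in this system
            person = hr.get(person_id)
            if person is None:
                findings.append((system, login, person_id, "no-owner", None))
            elif person["end"] is not None and person["end"] < as_of:
                lag = (as_of - person["end"]).days
                findings.append((system, login, person_id, "departed", lag))
    return findings

def worst_exposure(findings):
    """Longest time lapse, in days, per departed person across all systems."""
    worst = {}
    for _system, _login, person_id, reason, lag in findings:
        if reason == "departed":
            worst[person_id] = max(worst.get(person_id, 0), lag)
    return worst

if __name__ == "__main__":
    for finding in find_stale_accounts(HR, ACCOUNTS, date(2001, 6, 1)):
        print(finding)
```

Accounts with no matching HR record are reported separately because there is no authoritative date from which to measure their exposure.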
Security
• The evolving information laws in Europe and Canada in particular place the onus on the company to ensure employee and customer information is secure
• The potential for litigation and adverse public perception in the marketplace increases by relying on older systems that weren’t designed with integrated identity security in mind
Security
• The desire for single sign on for customers, business partner’s employees and your own employees means identity system integration is a must
• How else are you going to standardize, coordinate and enforce authentication within a domain, between domains and with your customers?
Is There a Magic Bullet?
• No
• There are, however, many short-term steps you can take to put yourselves on the road to a modern identity management strategy and tactical deployment thereof
Grunt Work
• The first step is to prioritize the identity management systems for integration and change
• You’re looking for low-hanging financial fruit, strategic gain and internal productivity improvements
– Integrating identity information in HR, HRMS, ERPs and NOSs are good starting points
Grunt Work
• Then begins the task of diving into the minutiae of how these identity systems currently work
– What information is stored?
– What’s the syntax used?
– How long are the fields?
– What character sets do they use?
– What’s the authoritative source?
– Which other systems use the same information?
– These are just some of the many starting questions
Grunt Work
• The grunt work continues with examining who gets to see each identity attribute, who gets to modify it and who’s notified when any change to it is made
• This is the heart of creating new streamlined workflow and secure identity management processes
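A per-attribute view, modify and notify policy of the kind this slide describes can be written down as data and enforced in one place. The following is an added example, not part of the original presentation and not any product's API; the attribute names, role names and the "self" role are hypothetical.

```python
# Constructed policy: who may view, who may modify, and who is notified
# of a change, for each identity attribute. Unlisted attributes are denied.
POLICY = {
    "cn":        {"view": {"self", "employee", "hr"}, "modify": {"hr"},
                  "notify": {"it"}},
    "mail":      {"view": {"self", "employee", "hr"}, "modify": {"it"},
                  "notify": {"self"}},
    "homePhone": {"view": {"self", "hr"}, "modify": {"self", "hr"},
                  "notify": {"hr"}},
    "manager":   {"view": {"self", "employee", "hr"}, "modify": {"hr"},
                  "notify": {"self", "it"}},
}

def effective_roles(actor, subject_id):
    """An actor gains the 'self' role only on their own record."""
    roles = set(actor["roles"])
    if actor["id"] == subject_id:
        roles.add("self")
    return roles

def view(record, actor):
    """Return only the attributes the actor may see (default deny)."""
    roles = effective_roles(actor, record["id"])
    return {attr: value for attr, value in record["attrs"].items()
            if roles & POLICY.get(attr, {}).get("view", set())}

def modify(record, actor, attr, value):
    """Apply one change if permitted; return the roles to notify."""
    roles = effective_roles(actor, record["id"])
    rule = POLICY.get(attr)
    if rule is None or not roles & rule["modify"]:
        raise PermissionError(f"{actor['id']} may not modify {attr}")
    record["attrs"][attr] = value
    return sorted(rule["notify"])

# Constructed sample record and actors.
RECORD = {"id": "e1001", "attrs": {"cn": "A. Rivera", "mail": "ar@example.com",
                                   "homePhone": "555-0100", "salary": "n/a"}}
OWNER = {"id": "e1001", "roles": ["employee"]}
COWORKER = {"id": "e1002", "roles": ["employee"]}
```

Because the owner's extra rights come from the "self" role rather than a separate code path, self-serve administration is governed by the same table as delegated administration.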
Coordinating Systems
• Your existing identity information will likely be stored in a variety of databases
• A few may use directories
• You need to consider a directory strategy acting as a central coordination hub for the identity systems
Why Directories?
• Directories have a common standard “Lightweight Directory Access Protocol” (LDAP) for coordinating how information is stored and queried
– You need a tool with a standard to coordinate your disparate identity systems
• They’re optimized for fast reads
– It’s critical in e-business that the solution be fast for identity management including authentication
Do I Keep My Databases?
• Yes
• You’ll use the directory to coordinate them
• You may eliminate the identity portion of some systems and place it in a directory where it’s cost effective
• Others such as PeopleSoft v8 are now directory compatible and ease integration with external systems via the directory while still using their extensive internal databases and data warehouses
Directories
• A typical directory project often has an ROI of between 5 and 7 times investment
• You need a directory strategy addressing identity system integration
Directory Design
• The design of the directory may be one of the most critical decisions you make
• A poor design can cost money, time and effort in constantly changing it as rapid changes occur in your organization
Directory Design
• The performance of the directory is also impacted by how you design the directory
– That’s important when you’re using the directory several thousand times a second to query for e-mail addresses, name, contact and org chart lookups, authentication and authorization
Is a Directory All I Need?
• No, it’s just the beginning
• How are you going to manage and display the identity information?
• How are you going to ensure the identity security within and between your systems, your business partners’ systems and the interaction with your customers?
Displaying Identity Information
• Let’s assume you’ve now got your internal identity systems coordinated and it’s time to get the employees, portal users, extranets and customers via the internet seeing the identity information they’re entitled to
• What’s your game plan?
Displaying Identity Information
• Directories are not end-user friendly
• Unless you want to teach everyone how to use LDAP syntax, you’d better think about some middleware tools that make it so easy to use that the end-user community loves and uses your new identity systems
What’s Required?
• Integrate with your intranets, extranets, portals and internet sites
• Graphically easy to search for, retrieve and display identity information
• See org charts on line if desired
• What the user sees is based on their security privileges
Delegated Identity Administration
• How are you going to manage the incredible volumes of identity information securely and cost efficiently?
• The answer is to use delegated identity administration
• You need tools allowing delegation of the identity administration by different methods including dept, title, object class, rules, roles or name
Self Serve Identity Administration
• Some portion of your identities may be best administered by the end-user themselves be it the employee, business partner employee or customer
• You need tools that allow you to securely delegate the administration as far down towards the end user as you deem appropriate
Self Serve Identity Administration
• The end user modification must be easy to do
• Needs to integrate with your other systems to streamline the workflows
E-Business Infrastructure Tools!
• Managing the whole identity process, securing it, delegating, displaying and integrating it with your systems is not trivial
• In our practice, we use Oblix as a primary infrastructure tool to coordinate and manage the identity process
Oblix
• Oblix produces two products “Publisher” and “NetPoint” to handle identity administration and security
• Directory based
• Integrates identity, authentication, authorization and auditing systems
Oblix Publisher
• Provides delegatable identity management to the level(s) you desire
• Integrates identity display with intranets and extranets
• Displays on-line org charts
• Displays based on what the user is allowed to see
Oblix
• Issue workflow requests to manage identity changes
• Control view, modify and notify privileges for each identity attribute
• Easy to scale across an enterprise
• Works with different directory vendors
The Bottom Line
• Identity management is critical to your profitability, responsiveness and productivity
• Identity management can be a cornerstone of a modern corporate infrastructure strategy with proper management, planning and tools
I’d Like to Learn More
Guy Huntington, HVL:
• [email protected]
• www.hvl.net
• 604-921-6797
Derek Small, Nulli Secundus:
• [email protected]
• www.nulli.com
• 403-270-0657