One Person, One Identity, One Credential: Converging Logical-Physical Identity and Access Management - Part 4

Part 4 -- The Human Factor

Technical tools and tricks exist for integrating the many different components--human resources (HR), enterprise directory, identity management and physical access control systems (PACS)--that drive converged identity and access management (IAM). Yet humans have a great deal of control over how--and whether--identities are managed. This last article in our four-part feature examines the human issues in achieving converged IAM.

While the technological tools available to manage logical and physical identities continue to grow in sophistication, they are just that: tools designed to help humans create effective identity management strategies--and there's no getting around the extensive, people-focused methodology necessary to create such strategies.

"When you look at what identity management really means, there's a lot more to it than just defining identities: there's roles and business rules and processes around it," said Greg Thornbury, vice president for Dallas-based SecureNet Inc., a systems integrator that has been implementing converged IAM solutions for the last nine years.

"It doesn't do any good at all for me to push changes to an identity sitting in a database across the U.S. if I still have someone who can walk in tomorrow and manually create an identity and violate those business rules and processes," he said.

"Identity management is a process, not a technology," agreed Guy Huntington of Huntington Ventures, an identity management consultancy that has worked with Boeing, Capital One, Kaiser Permanente and Toronto Hydro.

That process begins with figuring out where identities currently exist, understanding how they are being created and by whom, what the de facto procedures are for managing them. Streamlining these practices means involving a myriad of enterprise functions, said Huntington. "I have to put everyone around the table and figure out who owns all these identities," he said.

"Understanding how many identities you have for single individuals really outlines the scope of the challenge," said Dan DeBlasio, director of business development for identity and access management, Americas, for HID Global.

Enterprise identity creators include HR, IT, physical security, plus business units. Other identities may be owned by third parties who often access the enterprise virtually or physically: trusted customers; contractors and temporary workers; repair, delivery and maintenance workers; custodial crews; visitors and guests.

Security itself may be credentialing some of these identities via the PACS and card management system. "A lot of people with passes [to your enterprise] aren't in your IT systems," said Huntington, echoing several vendors who said clients have realized the same fact after reviewing identities.

Just what should be the ultimate authoritative identity source may depend on human factors. Many physical and logical identity management solution vendors, from CA, Sun Microsystems and IBM to Quantum Secure and AlertEnterprise, prefer to tap an HR-owned data source.

However, some enterprises prefer identity management solutions to tap Active Directory, Microsoft's widely used enterprise directory tool, or a similar Lightweight Directory Access Protocol (LDAP) based tool, in lieu of HR systems.

Using Active Directory as the primary data source means IT owns the initial onboarding process for an identity, argued Dave Hansen, corporate senior vice president and general manager, CA Security Management. "That's not IT's role," he said. "It's absolutely critical that HR owns the onboarding process."

Yet HR departments in his client base--energy, health care, food processing, critical infrastructure and governments--often are reluctant to permit a direct link into a live database, said SecureNet's Thornbury. In those cases, SecureNet might be given access to a database copy or do batch updates, but eight of ten times finds itself tapping Active Directory as the authoritative data source for enterprise employee data.

"We've done it both ways. It's great to connect straight to HR--that's truly the originating point for a lot of that data," said Thornbury. "But in other cases, it seems like HR doesn't keep up everything the way that IT does from an employee location standpoint.

"A lot of what we do as an integrator is work with our clients and do a lot of listening to find out what is the best authoritative source," he said. "You're going to find in a lot of organizations that answer is not going to be consistent."

Whatever the authoritative identity data source turns out to be, it's rare to find a company that has only one such source. Different divisions may run different HR systems. Many vendors say contractor data is usually in a separate data source, and visitors may be run through a PACS or separate visitor management system.

Rather than trying to create a single data source, what's critical is creating processes that include enforceable rules for creating, maintaining and terminating master identities in the designated authoritative data sources.
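The reconciliation step that Huntington and DeBlasio describe (who owns which identities, how many identities one person holds, which badge holders exist in no IT system) is the kind of thing an integrator scripts before any rules can be enforced. The following is an added example, not code from the article or from any vendor it quotes: it correlates constructed HR, Active Directory and PACS records, treating HR as the authoritative source for employees, and reports the gaps. The field names, the matching order (employee ID first, then e-mail) and the sample records are assumptions.

```python
"""Cross-source identity reconciliation.

Added example, not code from the article or any vendor named in it. It
correlates constructed HR, Active Directory and PACS records, treating HR
as the authoritative source for employees, and reports the gaps the article
describes: badge holders who are in no IT system, accounts and badges that
outlive an HR termination, and people holding more than one identity in a
single system. Field names and sample records are assumptions.
"""

# Constructed sample feeds (assumed field names). In practice these come from
# an HR export, an LDAP query against the directory and a PACS cardholder report.
HR = [
    {"employee_id": "E100", "email": "Ana@Example.com", "status": "active"},
    {"employee_id": "E101", "email": "bo@example.com", "status": "terminated"},
    {"employee_id": "E102", "email": "cy@example.com", "status": "active"},
]
AD = [
    {"sam": "ana", "mail": "ana@example.com", "employee_id": "E100", "enabled": True},
    {"sam": "bo", "mail": "bo@example.com", "employee_id": "E101", "enabled": True},
    {"sam": "cy", "mail": "cy@example.com", "employee_id": "", "enabled": True},
    {"sam": "cy-admin", "mail": "cy@example.com", "employee_id": "", "enabled": True},
    {"sam": "svc-backup", "mail": "", "employee_id": "", "enabled": True},
]
PACS = [
    {"badge": "B1", "email": "ana@example.com", "employee_id": "E100", "active": True},
    {"badge": "B2", "email": "bo@example.com", "employee_id": "", "active": True},
    {"badge": "B3", "email": "dee@contractor.example", "employee_id": "", "active": True},
    {"badge": "B4", "email": "", "employee_id": "", "active": True},
]


def normalize_email(value):
    """Case-fold and trim so 'Ana@Example.com' and 'ana@example.com' correlate."""
    return (value or "").strip().lower()


def reconcile(hr, ad, pacs):
    """Link every AD account and PACS badge to an HR employee and return findings.

    Linking order: an explicit employee_id that exists in HR wins; otherwise
    the record's e-mail is matched against HR e-mail. Anything that links to
    nobody is reported rather than silently dropped.
    """
    by_id = {r["employee_id"]: r for r in hr}
    by_email = {normalize_email(r["email"]): r["employee_id"] for r in hr}

    def resolve(rec, email_field):
        eid = rec.get("employee_id", "")
        if eid in by_id:
            return eid
        return by_email.get(normalize_email(rec.get(email_field)))

    links = {eid: {"ad": [], "badges": []} for eid in by_id}
    findings = {
        "ad_not_in_hr": [],              # accounts with no HR owner (service accounts, orphans)
        "badges_not_in_hr": [],          # the "people with passes who aren't in IT" case
        "active_after_termination": {},  # HR says gone, but access is still live
        "multiple_identities": {},       # one person, several accounts or badges
    }

    for acct in ad:
        eid = resolve(acct, "mail")
        if eid is None:
            findings["ad_not_in_hr"].append(acct["sam"])
        else:
            links[eid]["ad"].append(acct)
    for card in pacs:
        eid = resolve(card, "email")
        if eid is None:
            findings["badges_not_in_hr"].append(card["badge"])
        else:
            links[eid]["badges"].append(card)

    for eid, owned in links.items():
        ad_names = [a["sam"] for a in owned["ad"]]
        badge_ids = [c["badge"] for c in owned["badges"]]
        live_ad = [a["sam"] for a in owned["ad"] if a["enabled"]]
        live_badges = [c["badge"] for c in owned["badges"] if c["active"]]
        if by_id[eid]["status"] != "active" and (live_ad or live_badges):
            findings["active_after_termination"][eid] = {"ad": live_ad, "badges": live_badges}
        if len(ad_names) > 1 or len(badge_ids) > 1:
            findings["multiple_identities"][eid] = {"ad": ad_names, "badges": badge_ids}
    return findings


if __name__ == "__main__":
    for key, value in reconcile(HR, AD, PACS).items():
        print(f"{key}: {value}")
```

Run against the sample feeds it reports one service account with no owner, two badges (a contractor and an unlabelled card) that no HR or IT record can explain, one terminated employee whose account and badge are both still live, and one person with two directory accounts. Each of those is a decision for the people around Huntington's table, not something the script should resolve on its own.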

Identity rules and roles

Rules for creating, provisioning and managing the logical/physical identities as they change over time are influenced or defined by regulatory bodies as well as by internal needs and practices.

Roles-based provisioning tools can help enterprises see how their identities are behaving. CA, IBM, Sun and others offer data mining tools in their identity management suites that examine user actions and then suggest which sets of users might be grouped under roles as well as help define those roles. Once roles are defined, new users can automatically be assigned a role that, by definition, carries all their logical access rights.

Further, these logical roles can be associated with predefined physical roles in a PACS. Then, when PACS are integrated with each other and to the enterprise directory, "physical access rights can be automatically given" by the PACS based on data in the enterprise directory, said Brandon Arcement, manager, global security technology for Johnson Controls, based in Milwaukee, Wis.

Roles-based provisioning greatly simplifies meeting compliance requirements because a manager can certify that a role is correct and that the right staff members have the right roles, instead of trying to match staff members to various applications and their functions, said Daniel Raskin, chief identity strategist at Sun.

However, some business unit managers want more control over roles than predefined roles always allow, said Eric Larsen, director, product management for Lenel Systems International. He said that's especially the case regarding project-specific privileges.

Other vendors noted clients rarely start out knowing all the rules they'll need to associate with roles, whether within applications and systems or facilities, such as only permitting someone onto a factory floor or airport tarmac after they've successfully completed safety training. "What's important is that you install an infrastructure and an architecture that allows you the flexibility to create and customize rules," said Arcement.

Some IBM Tivoli customers start without any rules, instead deploying data capture tools to see how users are interacting with an application. That data then helps them decide what rules should be, said Joe Anthony, program director of identity and applications security management, IBM Tivoli, Austin, Texas.
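Arcement's point that logical roles can drive physical rights, and the rule he and others cite (no factory floor or tarmac until safety training is complete), come together in the provisioning logic below. This is an added example, not code from the article or any vendor it quotes. It maps directory roles to PACS access levels, gates selected levels on a current training record, treats a non-active HR status as grounds to remove every level, and diffs the result against what the PACS holds today. The role names, access-level names, training codes, validity window and sample people are all assumptions.

```python
"""Rule-driven physical access provisioning from logical roles.

Added example, not code from the article or any vendor it quotes. It maps
directory roles to PACS access levels, gates selected levels on a current
safety-training record, and diffs the result against what the PACS holds
today so the integration grants, revokes or leaves each level alone. Role
names, access-level names, training codes and sample people are assumptions.
"""
from datetime import date

# Assumed mapping: logical role (directory group) -> physical access levels in the PACS.
ROLE_TO_ACCESS = {
    "Employees": {"LOBBY", "OFFICE"},
    "Plant-Operations": {"LOBBY", "OFFICE", "FACTORY-FLOOR"},
    "Datacenter-Admins": {"LOBBY", "OFFICE", "DC-HALL"},
}

# Assumed rules: access levels that also require a valid training record.
PREREQUISITES = {"FACTORY-FLOOR": "SAFETY-101", "DC-HALL": "DC-SAFETY"}
TRAINING_VALIDITY_DAYS = 365

# Fixed "today" so the example is deterministic (assumption).
TODAY = date(2024, 9, 1)

# Constructed sample people as the identity layer would present them:
# HR status, directory roles, and training completion dates.
PEOPLE = {
    "ana": {"status": "active", "roles": ["Employees", "Plant-Operations"],
            "training": {"SAFETY-101": date(2024, 3, 1)}},
    "bo": {"status": "active", "roles": ["Plant-Operations"],
           "training": {"SAFETY-101": date(2023, 1, 10)}},   # lapsed
    "cy": {"status": "terminated", "roles": ["Datacenter-Admins"],
           "training": {"DC-SAFETY": date(2024, 6, 1)}},
}

# Constructed current PACS state: access levels each cardholder holds today.
PACS_STATE = {
    "ana": {"LOBBY"},
    "bo": {"LOBBY", "OFFICE", "FACTORY-FLOOR"},
    "cy": {"LOBBY", "OFFICE", "DC-HALL"},
}


def training_valid(person, code, today):
    """True if the named training was completed within the validity window."""
    completed = person["training"].get(code)
    return completed is not None and (today - completed).days <= TRAINING_VALIDITY_DAYS


def desired_access(person, today):
    """Access levels the rules say this person should hold right now.

    A non-active HR status yields the empty set, so a leaver loses every
    level regardless of role; a lapsed prerequisite drops only the gated level.
    """
    if person["status"] != "active":
        return set()
    candidate = set()
    for role in person["roles"]:
        candidate |= ROLE_TO_ACCESS.get(role, set())
    return {
        level for level in candidate
        if level not in PREREQUISITES or training_valid(person, PREREQUISITES[level], today)
    }


def plan_changes(person, current_levels, today):
    """Diff desired against current: what the PACS connector must grant and revoke."""
    want = desired_access(person, today)
    have = set(current_levels)
    return {"grant": sorted(want - have), "revoke": sorted(have - want)}


def provision_all(people, pacs_state, today):
    """Plan changes for every person; a cardholder unknown to the PACS starts with no levels."""
    return {name: plan_changes(p, pacs_state.get(name, set()), today)
            for name, p in people.items()}


if __name__ == "__main__":
    for name, changes in provision_all(PEOPLE, PACS_STATE, TODAY).items():
        print(name, changes)
```

The diff-based shape matters: the connector never pushes "all of ana's levels" to the PACS, it pushes only the delta, so a re-run with nothing changed is a no-op, and a rule change (say, shortening the training window) shows up as a reviewable list of revocations before anyone's badge stops working.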

Championing converged IAM

Rules that help an enterprise fulfill its regulatory compliance obligations are a clear, powerful driver behind IAM convergence. Yet the IAM process also offers an array of benefits that have different appeal to various enterprise audiences.

"We used to go in selling the IT people the value of the security, and it turns out what they are more interested in is SSO [single sign-on], password management and auditing capabilities," said David Ting, CTO at Imprivata. He noted the physical security leaders like the ability to incorporate their access data with the IT rules and policy data.

Huntington and others point out converged IAM most benefits security when logical and physical security alerts are monitored and correlated from a centralized console. Otherwise, convergence is not compelling, said Jasvir Gill, founder and CEO of AlertEnterprise, which integrates physical, logical and control systems.

"The reason is integrating IT and physical access is not good enough," said Gill. "Unless you are doing risk analysis across all these environments, people really don't see the value," he said.

Industries with the toughest security and compliance reporting requirements, such as finance, transportation, power and critical infrastructure, and health care, are among the early experimenters with converged identities, vendors agreed.

In other markets, converged identities may take a while to make inroads. "When customers come into Sun to talk about the problems they need to solve, they're still sitting there saying how do I get my provisioning infrastructure set up, how do I just start to do roles," said Raskin. "Most organizations haven't completed single sign-on and are just starting federation, let alone getting into these more complex things."

Yet even less regulated industries running a patchwork of identity solutions could benefit from identity convergence. "A lot of people don't realize how much money they're spending, trying to manage a lot of disparity in their access control systems," said Arcement.

Fluid boundaries

Forward-thinking enterprises also want to take advantage of a more IP-centric physical security backbone that can be integrated with IT systems, said Anthony at IBM Tivoli. "We're starting to see more convergence of the organizational structure, and that's when we see people looking across the different boundaries and trying to make better sense of the data available to them," he said.

"Part of the discussion driving this is that people are trying to take both sides of their house to a new level," said CA's Hansen. He and others noted that desire usually involves competition between physical security and IT security experts, with some nascent jockeying for control of the whole.

Physical access control integrated with logical access control may turn out to be just one piece of that whole. Lenel has launched a green initiative involving ALC, a sister UTC company, and Cisco Systems, which is running and analyzing the proof of concept project. According to Larsen, it involves a PACS integrated with a facility's IP telephone network system as well as its building automation energy management system. A visiting employee comes to the facility and requests office space at a kiosk. The integrated systems then activate the assigned space: his phone number is transferred to the IP phone; printers activate; and the building automation system adjusts the room's light and temperature based on a predefined profile in the PACS.

The system can also use intelligent video monitoring and analytics to check conference rooms, determining when they're empty; the PACS then notifies the building automation system to turn off the lights and other room resources. "It's taking it all to the next level," said Larsen.

***
Converged physical-logical identity and access management is a young concept. Yet it is a logical outgrowth of the IT and physical security systems many enterprises of all sizes and industries already have invested in. Converged IAM is a way to get more out of those systems and improve business, compliance and security practices. It is undoubtedly a major project, yet it can be handled in stages. The open questions are how long it will take enterprises to embrace the concept and whether IT/physical security will drive the process or be forced along for the ride. Whichever the case, it's sure to be an interesting journey.



1 Comment

I like the idea of converging physical and electronic Identity management worlds. We have been doing so for a number of years (at least at the system level) and are finally taking that to the next level where issuing ID cards will also drive creation of Email accounts and inclusion (if appropriate) in the enterprise white pages directory.

Students and employees are driven directly by the Registrar and HR systems, but the "guest" population is finally being brought under control.

It is nice to see the "industry" starting to catch on to this.
