Companies can’t afford to be careless about what information systems employees can access. Learn how identity management tools can help your company be less vulnerable.

As security concerns gain urgency and intellectual property gets more sensitive, companies have to be more careful about what employees access and when. Immediately withdrawing employee access rights across the enterprise once that individual leaves the company is imperative. Neglecting to block access makes companies susceptible to hacker attacks as well as information leaks.

And vendors claim, former employees often do take advantage of such oversights, accessing systems and divulging information to their new bosses or other interested parties. “It’s a common problem. It’s a serious problem,” says Jeff Drake, director of Tivoli Security Strategy and former executive vice president and cofounder of Access360, which provides provisioning software. “Nobody would deny that it’s happening, but few companies would acknowledge with anecdotal evidence that it’s happening to them.”

Companies need to take care of the two processes that comprise identity management—provisioning and access management. Provisioning involves IT assigning employees and external partners with user names and passwords, changing passwords when users can’t remember them and shutting down user accounts when people leave or switch departments.

The second process—access management—involves verifying that users are who they say they are and then ascertaining access privileges based on company policies or an individual’s position in the company. One form of access management is a single sign-on application, which allows users to sign on once and access several systems.

IT vendors who offer provisioning tools automate and simplify the lengthy, expensive and cumbersome manual process of granting new employees identities and access rights, and modifying access rights for workers who assume new positions in the company. In fact, automated provisioning systems can halve how much time your company’s IT department spends on creating, changing and closing down accounts, says Jonathan Penn, a research director for Massachusetts-based Giga Information Group.

For an idea of how unwieldy manual provisioning can become, Burlington Northern Santa Fe Railway (BNSF) in Fort Worth, Texas, offers a good case in point. Whenever BNSF hired a new worker, the person’s direct manager would have to complete a paper form indicating which applications the employee should be allowed to access. The manager would then send the form to the user registration group, which often had to contend with incomplete forms that required them to contact the manager. When the form was finally complete, a person in the user registration group would update every application for access by the new user.

According to Rick Perry, director of enterprise operations and security at BNSF, the process was time-consuming, taking hours, or even days, based on the type of user. The user registration group asked for weeks of advance notice and if they weren’t given sufficient lead time, new employees could report to work on their first day, only to find out that they couldn’t access the systems they needed to perform their job.

Shutting down departing employees’ access rights was even more problematic for BNSF, as it is with most firms with many seasonal employees. Not only was the process time-consuming, its registration group had trouble making sure that it did not overlook an account among all the applications used by BNSF’s 38,000 employees. In fact, according to a Meta Group survey, most companies cut off access to only 10 out of an average of 16 systems employees gain access to.

To streamline provisioning, BNSF implemented provisioning software from Waveset in 2001. Now managers can click on the corporate intranet and quickly choose which applications new employees will be able to utilize. When selected applications require further authorization, access requests automatically go to the appropriate managers. The form then makes it way to the user registration group, where with a simple mouse click, Waveset’s product reconciles the affected systems with the form data.

Withdrawing employees’ access rights is a snap as well. “When someone leaves the company, we have a single place where we can make changes without having to go to each platform,” says Perry.

The next process—access management—takes over after companies finish with provisioning and workers log in to systems. Just like provisioning software, access management tools can help companies streamline the process. Access management products from such companies as Entegrity Solutions and OpenNetwork, verify that users are who they claim to be and stop individuals from going into systems that they are not authorized to use.

Many vendors tackle both processes. In fact, some analysts and vendors believe that there will soon be a complete, single-source identity management platform. However, since this total platform has yet to materialize, companies such as Dallas-based supply chain software vendor i2 Technologies are building an identity management infrastructure from applications from different vendors, otherwise known as the best-of-breed approach.

Indeed, whatever approach a company decides to take, the concept of managing users and their access to systems from a single place is here to stay. In fact, it has only now taken hold despite being around for a while because it offers three key benefits—security, efficiency and productivity—all of which are especially important to IT at the moment.

Identity management tools can trim costs, improve service to internal customers and bolster security. By automating provisioning and access management, companies can spare IT workers from having to take care of every password change request and let them focus on more important projects. According to John Frazier, director of infrastructure services at i2, “at the end of the day, that’s what our internal customers want more than anything—for us to give them tools that make their lives better and easier.”

Sources: Who Goes There?
Meridith Levinson
CIO Magazine, Dec. 1, 2002
http://www.cio.com/archive/120102/et_article_content.html