Successful identity management.


Increasingly, the pressure to cut costs, conflicting with the need to tighten control of system access, means sleepless nights for CIOs. Solutions for enterprise-wide identity management and provisioning offer a realistic answer. However, introducing them is a highly complex task and demands a sound methodology to ensure that the desired return on investment is achieved and that the projects do not get out of hand.

The topic of security is precarious as it is, and has been further exacerbated by the increasing use of Web applications and access permissions for external users such as customers or partners. But greater security is not the only incentive offered by central provisioning. There is also:

* A high potential for rationalisation

* A growing number of users can be managed without an increase in costs

* New employees can receive access rights far more quickly

* Rights can be revoked much more simply for employees who change posts or leave the company. In this way, some 90% of a security administrator's routine manual activities can be automated.

Currently these changes usually have to be made by the different administrators of the various technology platforms (RACF, Top Secret, Windows NT/2000, NetWare or UNIX, for example) for each application. This involves considerable work and is consequently often neglected in practice. However, the accumulation of rights from an employee's different posts at the company, or the failure to withdraw access permissions, harbours a high risk of data theft or sabotage that, given the difficulty in quantifying it, is frequently ignored in ROI calculations.

Provisioning solutions pay off here thanks to the effect of automation alone.

In addition, identity management reduces the workload on the administration and help desk teams thanks to features such as single sign-on and automatic password resetting. Users no longer have to remember a different password for each system or even application, but can obtain automatic access to all the relevant systems by entering a single password.

The result: the help desk no longer needs to be contacted because users have forgotten their passwords or IDs, which means up to fifty percent fewer queries addressed to the help desk, queries that cost 15 US dollars each according to estimates. Accordingly, the prospects for a high ROI with identity management are extremely enticing, provided that the implementation project runs on time and within the defined budget.

Obstacles to projects

The first obstacle on the path to successful identity management is the choice of suitable software. The market is swarming with vendors of comprehensive identity management solutions (including security provisioning) such as Beta Systems, BMC, IBM Tivoli, CA or Novell, alongside a host of providers from related markets. Yet a software product for single sign-on or an authentication tool is far from being the basis for an end-to-end security concept. Prospective purchasers should therefore look for a solution that offers all the components for ensuring central administration of users and rights across all systems and applications.

A key aspect in a project's success is cooperation between the parties involved. Identity management projects are mostly driven by various departments, including IT Auditing, IT Management, Security, Architecture and Organisation. The main target group for this software is large enterprises with around 3,500 users or more, such as those in the financial sector, industry, the health sector or public authorities, which tend not to have the simplest of structures. This results in bulky security specifications that often run to 60 to 70 pages. An enterprise-wide identity management concept requires that every person involved in the project address not just the processes throughout the company above and beyond his own department, but frequently also a whole host of changes to existing procedures and processes. It is a challenge to reconcile the many interest groups, typically between three and ten of them. Protecting vested rights otherwise ends in trench warfare, with the result that success depends in the final analysis on a competent project manager who is accepted by all parties, the willingness of the parties to compromise and their commitment to the common goal.

Well-planned introduction

A particularly decisive factor is how the introduction of the new system is organised. That is why, for example, the vendor Beta Systems has developed a four-stage methodology for implementing its software SAM Jupiter. Precisely because this issue is complex, and rapid and successful implementation of such projects demands a great deal of experience, a methodical approach is vital.

Following a preparatory examination of the current security systems, the software is installed and the most important target systems are integrated. This is followed by loading of the existing security data, such as users, user groups, resources and authorisations, from the individual systems, and the creation of a single central repository containing the security definitions. The focus is now on consolidation. One important task is to consolidate the user accounts on the connected systems and to merge them into one user identity that is unique throughout the enterprise. This work is part of the first project phase (project step 1: Consolidate). One strength of the methodology is role- and rule-based access management. Instead of internal and external employees, customers and partners being regarded as individual cases when it comes to assigning rights, the different security requirements can be pooled in roles. This slashes the cost and effort involved in administration, since new users can be automatically assigned their relevant roles on the basis of the data transferred from human resource (HR) applications or with the aid of workflows. Tools such as data mining are employed to enable rapid implementation of an adequate role concept. This technology can be used, for instance, to cluster existing authorisations into roles.
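The consolidation and role-clustering work of step 1, as an added example that is not code from the article or from Beta Systems' SAM Jupiter or Role Miner. It assumes that every platform account carries the HR employee number (for example in a description field) so that accounts can be correlated; the account dump, permission labels and role names are constructed, and the mining heuristic (a base role for near-universal permissions, then clustering of identical residual permission sets) is a simple illustration of the idea rather than the vendor's algorithm.

```python
"""Added example, not code from the article or from Beta Systems' SAM Jupiter / Role
Miner: consolidate per-platform accounts into one enterprise identity each, then mine
candidate roles from the merged authorisations with a simple clustering heuristic.
Account records, permission labels and role names are constructed for illustration."""
from collections import defaultdict

# Constructed account dump from three target systems. Each platform names accounts
# differently, so the HR employee number (assumed to be recorded on every platform
# account, e.g. in a description field) serves as the correlation key.
ACCOUNTS = [
    {"system": "RACF",    "account": "JSMITH1",  "employee_id": "E1001", "perms": {"RACF:PAYROLL.READ"}},
    {"system": "Windows", "account": "jsmith",   "employee_id": "E1001", "perms": {"AD:Finance-Users", "AD:VPN"}},
    {"system": "UNIX",    "account": "jsmith",   "employee_id": "E1001", "perms": {"UNIX:finance"}},
    {"system": "RACF",    "account": "AMUELL",   "employee_id": "E1002", "perms": {"RACF:PAYROLL.READ"}},
    {"system": "Windows", "account": "amueller", "employee_id": "E1002", "perms": {"AD:Finance-Users", "AD:VPN"}},
    {"system": "UNIX",    "account": "amueller", "employee_id": "E1002", "perms": {"UNIX:finance"}},
    # E1003 changed posts within Finance and kept an update right nobody else has
    {"system": "RACF",    "account": "BLEE",     "employee_id": "E1003", "perms": {"RACF:PAYROLL.READ", "RACF:GL.UPDATE"}},
    {"system": "Windows", "account": "blee",     "employee_id": "E1003", "perms": {"AD:Finance-Users", "AD:VPN"}},
    {"system": "UNIX",    "account": "blee",     "employee_id": "E1003", "perms": {"UNIX:finance"}},
    {"system": "Windows", "account": "cwang",    "employee_id": "E1004", "perms": {"AD:VPN"}},
    {"system": "UNIX",    "account": "cwang",    "employee_id": "E1004", "perms": {"UNIX:dev", "UNIX:sudo"}},
    {"system": "Windows", "account": "dkhan",    "employee_id": "E1005", "perms": {"AD:VPN"}},
    {"system": "UNIX",    "account": "dkhan",    "employee_id": "E1005", "perms": {"UNIX:dev", "UNIX:sudo"}},
    # a technical account with no owner: must be surfaced, not silently merged
    {"system": "UNIX",    "account": "backup",   "employee_id": None,    "perms": {"UNIX:sudo"}},
]


def consolidate(accounts):
    """Merge platform accounts into one identity per employee number.
    Accounts without a correlation key are returned as orphans for manual review
    instead of being merged into anybody's identity."""
    identities = defaultdict(lambda: {"accounts": [], "perms": set()})
    orphans = []
    for acc in accounts:
        if not acc.get("employee_id"):
            orphans.append(acc)
            continue
        ident = identities[acc["employee_id"]]
        ident["accounts"].append((acc["system"], acc["account"]))
        ident["perms"] |= acc["perms"]
    return dict(identities), orphans


def mine_roles(identities, base_share=0.8, min_members=2):
    """Cluster merged authorisations into candidate roles.

    1. Permissions held by at least base_share of all identities form a BASE role.
    2. Identical residual permission sets shared by >= min_members identities
       become candidate roles.
    3. Every identity is assigned each role it fully holds; whatever is left over
       is an individual exception that a reviewer should justify or revoke.
    """
    ids = sorted(identities)
    counts = defaultdict(int)
    for emp in ids:
        for perm in identities[emp]["perms"]:
            counts[perm] += 1
    base = {p for p, c in counts.items() if c >= base_share * len(ids)}

    groups = defaultdict(list)
    for emp in ids:
        residual = frozenset(identities[emp]["perms"] - base)
        if residual:
            groups[residual].append(emp)

    roles = {"BASE": base} if base else {}
    ordered = sorted(groups.items(), key=lambda kv: (-len(kv[1]), sorted(kv[0])))
    candidates = (g for g in ordered if len(g[1]) >= min_members)
    for n, (perms, members) in enumerate(candidates, 1):
        roles[f"ROLE-{n:02d}"] = set(perms)

    assignments, exceptions = {}, {}
    for emp in ids:
        held = identities[emp]["perms"]
        mine = sorted(r for r, perms in roles.items() if perms <= held)
        covered = set().union(*(roles[r] for r in mine))
        assignments[emp] = mine
        if held - covered:
            exceptions[emp] = held - covered
    return roles, assignments, exceptions


if __name__ == "__main__":
    identities, orphans = consolidate(ACCOUNTS)
    roles, assignments, exceptions = mine_roles(identities)
    for name, perms in roles.items():
        print(name, sorted(perms))
    for emp in sorted(identities):
        print(emp, assignments[emp], "exception:", sorted(exceptions.get(emp, ())))
    for acc in orphans:
        print("orphan account:", acc["system"], acc["account"])
```

On the constructed data the pass yields a BASE role (VPN access held by everyone), a Finance role and a developer role, and flags E1003's `RACF:GL.UPDATE` as an exception outside any role, which is exactly the kind of accumulated right from an earlier post that the text warns is otherwise never noticed. The ownerless `backup` account is reported rather than merged, since guessing an owner for it would defeat the purpose of consolidation.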

Automation, rationalisation and management

The next project step involves largely automating the processes through integration of various sources of information, for example the HR system (project step 2: Automate). Here, all information on changes to employee data is constantly transferred to SAM from the HR systems. One tool that is additionally configured is an integrated workflow that, for example, ensures the assignment of permissions to deputies in the event of illness or for the purpose of work in short-term project structures. Integration of HR and creation of workflows demand precise planning of the processes to be automated, for instance definition of the parameters to be used as the basis for role membership or the definition of multi-level approval procedures for the workflow.

As soon as an appropriate infrastructure is available with the creation of a central directory for user and rights administration and the integration of all relevant security systems under the roof of the identity management software, implementation of services such as single sign-on and automatic password reset can be tackled (project step 3: Streamline).

The aim in productive operation is then to adapt the system and assignment of rights to organisational and structural changes at the company, integrate new applications or platforms, and support administration with iterative role engineering and systematic authorisation auditing (project step 4: Manage). The central access rights database in future provides answers to management-related questions, such as whether employees actually have the rights they need or whether general statutory requirements are being complied with. The highest possible system flexibility is a key factor, above all in times of frequent company mergers and the resultant combining of different IT landscapes.

Quicker ROI counts

Experience shows that the large number of applications and systems to be integrated harbours a great potential for problems during introduction. The greater the difficulty in integrating them into the central provisioning system, the more CIOs tend to ask whether it is really worthwhile to incorporate every application. A cost/benefit analysis should be conducted here. Admittedly, less important systems are as a rule left out. However, the selected identity management tool should be designed to enable rapid integration of systems.

One aspect is overlooked in many provisioning projects: achieving an ROI depends to a major extent on which target systems are integrated first. If a large number of target systems are meticulously integrated within a year, but only for one department with five hundred users, the benefit will be far less than that from a strategy that envisages integrating the three most important target systems within three to five months, yet reaches at least 90% of users within this time. The decision as to which systems are integrated first can be based on the largest number of users, the largest administration overhead or the greatest relevance to security. Breakeven can usually be achieved within 12 to 15 months with the right strategy.

Beta Systems Software AG is exhibiting at Infosecurity Europe 2004 from 27th to 29th April 2004. www.infosec.co.uk

SAM system components

SAM Jupiter

The core component of the product line, SAM Jupiter optimises cross-platform, enterprise-wide user administration in complex IT networks. With its automated identity management, SAM offers functions for central administration of account information, passwords, configurations, access permissions and resources, and identity management for employees, business partners and customers. In addition, security provisioning, i.e. the immediate provision of work aids and resources for new employees, facilitates everyday security management at enterprises.

* SAM Password Synchronisation offers an efficient infrastructure for logging into different IT platforms and applications with one password.

* SAM Password Reset offers end users the means of resetting locked passwords automatically.

* SAM Role Miner analyses the repository in SAM Jupiter using state-of-the-art data mining technologies and optimises role definitions in enterprises.

* SAM Distributed Single Sign On enables simple and secure access to all business applications with uniform authentication.

COPYRIGHT 2004 A.P. Publications Ltd.

Article Details
Title Annotation: Intelligence
Author: Kuhlmann, Martin
Publication: Database and Network Journal
Date: Feb 1, 2004
Words: 1703


