Today’s complex, heterogeneous enterprises contain multifaceted and diverse information systems. The proliferation of the personal computer and the networking of those computers have caused the number and types of systems that are accessed, as well as the number of employees who must be granted access, to grow exponentially.
An enterprise may use any combination of Windows, Unix, Linux, Macintosh or legacy systems, each running a variety of applications and creating significant inefficiency because users must remember different passwords and take the time to access each one separately.
System security demands that authentication, authorization and administration be controlled for every identity of every user in the enterprise. This creates the majority of identity and access management challenges. In a complex, heterogeneous enterprise, the IT staff spends countless hours provisioning, de-provisioning and dealing with password management and other issues for each of these user identities.
These same factors impact the organization’s ability to maintain information security as required by government regulations, industry initiatives and established best practices frameworks. In fact, inconsistent password policies throughout the enterprise, non-secure authentication practices and delays in user de-provisioning (due to a mix of systems and IT teams with the authority to deactivate a user account) are the most common causes of compliance deficiencies.
Simplifying Identity and Access Management
Several approaches or strategies exist to address these challenges. The security framework approach implements a framework around the entire environment, imposing structure on the disparate identity infrastructure.
Often called meta-directories or virtual directories, these security frameworks implement a master directory to which all other directories are synchronized. Among the drawbacks to the security framework, however, is its inability to unify each identity in a heterogeneous environment.
The point solution approach addresses individual cases as they occur, devising solutions and implementing technologies designed to solve the specific problem. The drawback here is that the solution usually fits the specific system for which it is designed, while a similar problem in another system would require an additional solution.
Custom development is another option. With enough time and effort, custom-developed solutions will integrate any components. Standards exist and tools are available to enable an organization to integrate its Unix systems with Active Directory. On the downside, however, these projects usually prove too complex, time-consuming and expensive to be viable for a large, complex organization.
Relying on the status quo is the reality for which many organizations opt when faced with identity and access management challenges. They make do with what they have, perhaps in combination with point solutions and custom-developed solutions.
Get to One Strategy Is Best of All Worlds
One strategy stands out above the rest. A “get to one” strategy not only combines the best of all the previously mentioned solutions, it also avoids many of their shortcomings. A “get to one” strategy will have the extensive and robust capabilities of the security framework, the targeted functionality of the point solution, the forward-looking innovation of the custom approach, and the cost-effectiveness of maintaining the status quo.
Since most identity and access management challenges stem from the complexity and disparity of the modern heterogeneous enterprise, eliminating these myriad identities, authentication practices, roles, policies and processes is the quickest path to more efficient, controlled and compliant identity and access management.
A good “get to one” solution will literally consolidate directories, automate identity administration from a single point and extend it to all unified systems, and leverage an organization’s existing investments in identity infrastructure (in most cases, Microsoft Active Directory) to create truly unified identity and access management that crosses platform boundaries.
With one identity, one point of management, one set of policies and one secure and strong authentication mechanism, all the identity management projects (single sign-on, provisioning, password management, directory consolidation, strong authentication, role management and audit/compliance) will be simplified.
With fewer identities to manage and administer, the efficiency improvements and cost savings for both users and IT staff will be immediately apparent. The ability to implement single sign-on will improve user productivity by reducing the number of times users must log on, as well as the downtime that occurs when a forgotten password prevents them from logging on.
With fewer accounts to manage and fewer passwords to reset, IT staff can focus on more important tasks. In addition, IT’s manual management of user identity is greatly reduced when identity administration tasks are automated.
Enhance Security and Achieve Compliance
The “get to one” approach enhances security by providing a more consistent and controllable environment from which security principles can be established and enforced. It also strengthens authentication for systems and applications pulled into Active Directory, allowing traditional multi-factor authentication solutions to be implemented consistently across the entire newly unified enterprise.
Finally, a “get to one” solution will empower organizations to achieve compliance by unifying previously non-compliant platforms into the inherently compliant Active Directory infrastructure. It will enable the enterprise to implement strong authentication for both Windows and non-Windows systems.
It will also provide powerful auditing and reporting tools to collect and distribute information from a central identity repository, based on the unified identity in Active Directory.
The key is to unify identities completely. In reality, some systems or applications cannot have their identity subsystems fully unified within the existing infrastructure, so in those cases, a “get as close to one as possible for as many systems as possible” approach still can provide good opportunities to simplify identity and access management, and to obtain improved efficiency and enhanced security and compliance.
Jackson Shaw is Senior Director of Product Management for Identity and Access Management at Quest Software. Jackson joined Quest as part of its acquisition of Vintela. He oversees product direction, strategy and go-to-market activities for Quest.
Prior to Quest, Jackson was a key member of the identity and access management marketing team for the Windows server marketing group at Microsoft. He was responsible for product planning and marketing for Microsoft’s identity and access management products, including Active Directory and Microsoft Identity Integration Server (MIIS) 2003.
Jackson has been involved in directory, meta-directory and security initiatives for 20 years. He has spoken at various industry events and writes a popular identity management blog. Check it out at http://jacksonshaw.blogspot.com. He can also be reached at [email protected].