A great number of companies, no matter what their size or work field is, require some type of solution for identity Management. Despite that, most of them do not have procedures or systems to help them with this task. Identity Management systems were created many years ago and even though nowadays there is a wide range of them on the market, it is very common that companies do not have one of them.
Before analysing the possible inconveniences that explain why this kind of solutions is not widely extended, we will proceed to explain what Identity Management solutions are, the problems they resolve and the advantages they offer.
We can define an “Identity management System” (IdM) as an integrated system that includes processes, policies and technologies for organisations to control the access of users to their resources and applications. They empower to protect their confidential information, both personal and professional, from unauthorised users.
IdM solutions usually include a set of tools in suite mode to provide everything necessary to establish an “identity government corporative policy”. In the next graphic we will see a summary of the elements present in IdM suites.
What problems does an IdM resolve?
It can resolve a great number of problems related to identities within an organisation:
- Security loss: perhaps this is one of the biggest problems caused by the lack of control on identity management processes. Security loss affects directly the organisation’s activity, risking its survival. Studies have proved that 81% of security failures come from unhappy employees and that only 62% of users are deleted from the systems when they do no longer belong to an organisation. “Orphan” accounts increase security risks 23 times.
- Noncompliance: managers have the responsibility to fulfil intern control rules, as well as to ensure compliance with new regulations (LOPD, ISO 27000, Sarbanes-Oxley, Basel II, EU Privay, etc.) As surprising as it may sound, only 50% of companies comply auditory controls, as several studies from independent audits have proved.
- Cost increase: the cost of administration user management is not always controlled, which makes it necessary to dedicate more resources for this task. License cost is one example: it is associated to users that do not belong to an organisation anymore but are still present in some environments (orphan accounts). Costs associated to non-compliance are also part of this group of expenses.
- Productivity reduction: studies from independent audits have proved that approximately between 15% and 25% of user creation activities have to be repeated due to failures, 27% of the companies spend more than 5 days to provide or delete access rights to users and between 40% and 60% of calls to the service desk are related to access keys.
- Data quality loss: inconsistent user information is another problem that can be solved with IdM. The problem is the following: a user has privileges depending on its role and profile in a system; however, it also has some erroneous privileges in other systems that come from a role or profile that they may have had in the past and who were not updated when their circumstances changed (60% to 80% of access profiles are not correct according to IDC studies). Bad data quality has a negative impact on service.
What other advantages does an IdM have for an organisation?
As can be inferred from the problems exposed, IdM systems offer a great number of solutions to these problems, as well as multiple advantages, resumed below::
- Indirect cost saving in managing and help desk due to automatisms’ implementation and direct cost saving, related to license over-provisioning.
- Productivity improvement: user creation and deletion services are made faster, as most of these processes were until now manual.
- Supply of the best services for users (such as self-service tools so users can update their personal information, change or recover their password, know the systems they have access to, etc.)
- Corporative security increase: it avoids vulnerabilities from unauthorised access by users with orphan accounts or systems that do not have the right to access due to their role or position. It should be noted that cloud tools, mechanisms of provision automation and especially federated authentication provide high quality and trust rates that can help us decide to go for a tool of this type. The result is a bigger trust by users, clients and providers.
- Law compliance, endorsed by reports and scorecards, to access control (authentication and authorisation levels), audit on the processes of user creation, deletion and modification in system and establish security corporative policies (passwords, process approbations). It reduces direct costs from fines and indirect costs from the loss of the associated image.
Why are IdM systems not extended in organisations?
After many years working with this type of systems I came to the conclusion that there has been a great number of access barriers, both intern (inherent to organisations) and extern (associated to manufacturers and solutions). In my opinion, the main barrier when we are going to implant an IdM solution is the organisation, as most of the organisations have not normalized the identity policies concerning users, access, departments, fluxes related to creation and deletion, related approvals, etc.
This work requires some effort and, especially, methodology. There are many companies specialised in consultancy services that can help organisations with this task.
Then... why is it not done?
This is where barriers related to technology and to manufacturers appear. IdM solutions have been traditionally expensive in terms of Total Ownership Cost:
- License acquisition and maintenance fees,
- Solution deployment, caused by the number of included components, (not always connected as they were purchased from third companies) and also acquisition of third components that are not included in the solution (operating systems, BBDD, web servers...)
- Administration and upgrading, caused by the reasons explained before
- Solution evolution, due to the use of owner tools not based in standards that make difficult to have human resources in the market for its use and development.
In many occasions, even when a company decides to implant an IdM solution, the long deployment period and the reduction of economic resources destined to consultancy services (caused for the high acquisition costs) make that most of the projects fail or do not reach an acceptable deployment rate. Even those who see the light, in many occasions come up without being viable. In the daily management, clients find out that even if they have disbursed an enormous quantity of money, the support that has been provided by manufacturers is insufficient and inefficient.
Open Source, the alternative.
ello, las soluciones basadas en open source y en la entrega integral de componentes son una muy buena alternativa a las soluciones tradicionales. WBSVision es un buen ejemplo de ello.
WBSVision es una solución open source completa de gestión de identidad en una plataforma appliance.
WBSVision supone una nueva generación en los sistemas de gestión y federación de identidades, incluyendo servicios de directorio y metadirectorio, servicios de autenticación y seguridad, servicios de red y servicios de interoperabilidad. Permite a través de sus múltiples módulos, provisionar y controlar el acceso de usuarios, a recursos, repositorios y aplicaciones, en base a perfiles, roles y reglas de negocio.
An appliance is a server device that provides an application with a certain functionality. It is designed so the final user does not have to understand the details of the operating system, the commands associated or the different software components the application works with. These devices have its own hardware and/or software preconfigured by the manufacturer. The user can manage and administrate the supplied functionality through an easy user interface. These devices are usually designed for its management in remote (via web) after the initial configuration.
In the case of a physical appliance, both the hardware platform and all the necessary software, installed on the platform, are provided.
In the case of a virtual appliance all the software platform ready to be deployed in an virtualisation environment is provided (VMWare vSphere, Citrix Xen, Microsoft HiperV, Redhat KVM, Virtual Box...) and packaged in a deploy archive compatible with these environments.
To sum up, an appliance provides the following advantages:
• It features all the components needed to work
• It is not as complex as integrating all the components that it includes
• Easy to deploy
• Easy to upgrade
• Easy to manage
Open Source and standards use:
The use Open Source and Open standards empowers the incorporation of new functionalities in reasonable delays (Time-to-Market improvement). It makes it possible to understand and improve its components to correct the failures that may be produced. The standards also ensure the interoperability with the ecosystem of integration, and of course, the easier localization of human resources to be capable to administrate and develop our integrated solutions deployed in clients’ systems.
Finally, it empowers to transfer clients a pay-for-services model and not a pay-for-licenses one, which results on the reduction of acquisition fees and the dedication of economic resources to what we think that will really contribute to the success of the IdM platform deployment and survival.
The philosophy of our products, such as WBSVision, is clear: clients must pay for services that our partners and we provide, not for the use of licenses. The huge saving in costs thanks to the non-acquisition of use licenses and in the deployment of systems that the platform includes, empowers to use the economic resources to consultancy and deployment services that ensure the success of a deployment project in an IdM solution. In addition to that, once the project is deployed, the service level (the core of companies like ours) allows to supply a support service of integrator level directly from a manufacturer.
I will finish mentioning some operating examples or use cases of Open Source solutions such as WBSVision:
• Unification of user credentials Active Directory/ Human Resources / CRM / ERP...
• Unification of local credentials from an organisation with Google Apps 7 Sales Force / Cloud...
• Password synchronizing among different applications based in an unified security policy
• Self-service services for users (password change, data modification, access to resources requests...)
• Identity federations of Google Apps / SalesForce / Cloud... with inter credentials, without needing information to come out of the organisation
• Web Single Sign On
• Authentication via RESTful
• Authentication platform Radius/802.1x to secure networks based in cable or captive portals in Wi-Fi environments.
• Generation of digital certificates X.509 for its later use in authentication as a corporative security police.