When James Richardson International Ltd. set out to replace legacy applications with Web-based systems in 2002, security wasn’t the driving force. “The general goal was review and modernization,” recalls Paul Beaudry, technical services director for management information services at the Winnipeg grain distributor.
JRI implemented identity management tools so developers wouldn’t have to keep re-inventing the code to authenticate users, and so users could log on once and have access to the applications they needed. It was only afterward that JRI saw the additional benefit. “We realized as we were doing it, holy smokes, we just hit the holy grail of security,” Beaudry says.
That’s because identity management makes it so much easier to add and remove users.
Giving a new employee access to everything he or she needs could take two or three days in the past, Beaudry says. Taking away a departing employee’s access to company systems took only an hour or so, but that hour was too long if the person wasn’t leaving on friendly terms. It was long enough that a fired employee could have gone home, logged on from a home computer and done some damage before his or her access privileges disappeared. No more, Beaudry says. “We click in one place – disabled.”
It’s made Beaudry’s life easier at audit time. “When they hit me with the security question,” he says, “it’s a 15-minute discussion.”
That’s a common motivator, says Ross Chevalier, chief technology officer at Novell Canada Inc. in Toronto. “Organizations that have been through any type of audit are very highly motivated to get some sort of identity management in place.”
While less of a security benefit, giving new employees access faster is certainly an efficiency gain. “You often got the call on Monday morning: ‘Oh, we forgot to tell you, we hired a guy starting this morning,’” Beaudry grumbles.
When getting that new employee up and running involved multiple systems with their own access controls, “there was some order in which it has to be done – I can’t do this until you’ve done that.”
Depending on when everyone involved in the process was available, it could take two or three days. Now, Beaudry says, if the call comes at nine the employee should be set up before 10.
Identity management has become a more popular information technology concern in the past couple of years. Warren Shiau, lead analyst at research firm The Strategic Counsel in Toronto, expects identity management software installations in North America to grow 18 per cent from this year to 2008.
In Canada, Shiau is projecting even faster growth – around 28 per cent over the next 12 to 18 months. The reason for the faster growth in Canada is that the U.S. has more manufacturing-based businesses, which are less concerned with identity management than other types of enterprises, Shiau says.
There’s no doubt that increased concern about security and about compliance legislation like Canada’s Bill C-198 and the U.S.’s Sarbanes-Oxley has helped make that happen. The new compliance laws hold publicly traded companies and their top executives responsible for ensuring proper procedures are followed, making reliable control over access to key information more important than ever before.
But identity management involves “much more than just security and compliance issues,” says Joe Greene, Ottawa-based vice-president of IT security research at International Data Corp. (Canada) Ltd. of Toronto.
Compliance is a big concern in some sectors, Greene says, but “your average business, the majority of businesses really aren’t thinking about compliance as much as they should.” More businesses are starting to understand compliance issues, and their responsibilities under privacy legislation, Greene says, and so they should. But there are more reasons than compliance and security to be looking at identity management. It’s also about efficiency.
It’s common for businesses to take several days to activate new users and even to deactivate departing employees’ accounts, Greene says. In some cases it never happens – thousands of user accounts lie dormant. This is a concern from both a security and an efficiency standpoint. And there is another efficiency issue: getting rid of cumbersome duplication of user IDs and passwords.
At James Richardson International, one sign of that efficiency is a dramatic drop in calls to the help desk since the company implemented enterprise-wide identity management using Novell Inc. eDirectory and Identity Manager tools.
End users previously had to deal with multiple passwords, so they frequently forgot them. This is typical, according to Mike Daniels, practice lead for identity management and security consulting at IBM Canada Ltd. in Markham, Ont. – “often 20 to 40 per cent statistically of help desk calls are password-related.”
Meanwhile JRI’s software developers are saving time and trouble – “it’s all about leveraging,” Beaudry says. “We’re not recreating the wheel.”
With the advantage of starting from scratch, the year-old MaRS Discovery District in Toronto created a comprehensive identity management system using Sun Microsystems Inc. technology. It provides single sign-on for all applications, and even integrates the research cluster’s voice-over-IP phone system and the electronic cards that control physical access, says Robert Smith, technology consultant at MaRS. “In the grand scheme of things, it gives you one place to go.”
The major security benefit is being able to revoke privileges fast, Smith says. “You can kill things very quickly from a single location.” For end users, it means the convenience of single sign-on. MaRS’ system deals with some complex requirements, supporting a range of users from full-time employees and tenants to employees of organizations affiliated with the centre to people who attend an event there.
Centralized identity management makes it much easier to ensure nothing is missed, Smith says – though he adds that the flip side of that coin is the worrying fact that a single mistake could have wide-reaching consequences.
Identity management tools have come a long way in the last few years. “When we did this in ’03,” Beaudry at JRI recalls, “I could find very few articles on identity management.” Today, “I’m reading articles with people talking about what they hope to do, and I’m thinking ‘we did that three years ago.’
“I kind of chuckle to myself, thinking ‘were we actually ahead of the curve?’”
If JRI was ahead of the curve, the good news for those who follow is that implementing identity management is getting a bit easier. Beaudry describes the Novell product at the time as very complicated, and says his company brought Novell technicians in for a week to help with the installation because “we thought, you know, we’re never going to get good at this product.” Things have changed since then. “We’ve done the last two upgrades ourselves,” Beaudry says – “on the weekend.”
That’s not to say identity management is now child’s play. “I still think it’s in its infancy in terms of its capability and just intuitiveness,” Smith says. “I’d like to see it probably be simplified a little bit.”
Some say the next step is federated identity, in which multiple organizations unite their identity management efforts. A customer and a supplier, for instance, might tie their systems together so an employee of the customer could log on once and have secure access to some of the supplier’s systems. It’s a nice idea – but one that is mostly theoretical today.
There is very little real activity in federated identity to date, says Shiau – “not because of the technology per se – it’s actually not that hard to get federated identity working between organizations – but there are actually a lot of legal complexities involved in this.” Because of concerns about liability and responsibility, Shiau concludes, most real-world use of federated identity software is tying together closely related companies or helping newly merged companies with different systems get them working together quickly.
As with many emerging technologies, dealing with multiple vendors’ products still presents plenty of challenges. “I wouldn’t say it’s plug and play yet,” Smith concludes.
However identity management technology evolves, it can’t guarantee success. “It’s people, it’s process and it’s technology,” Greene notes. “A lot of the issues we’ve seen over the last two to three years have been people and process issues rather than technology issues.” These are the issues senior executives need to pay attention to, Greene says. The good news is that – even if there are other, more compelling reasons to be looking at identity management – a recent upsurge of interest in compliance laws has helped focus attention on it.