Business today is a world of mobile work forces, networks and scattered places where employee information is stored. Wouldn't it be great to have technology that makes it easier to manage the flow of corporate information, improve the quality of data gathered, and have a tighter rein on what users can do when it comes to computing?
Identity management could be just the ticket. Think of it as a set of tools and technologies that let companies control the use of programs and other networked resources, and determine what information can or cannot be viewed, all from a central system.
It acts like a gatekeeper, applying defined rules and policies regarding who should be doing what on the network, then letting through those who have permission and keeping out those who don't.
ID management is a concept typically associated solely with information technology security, and it's why the big adopters have tended to be companies that must comply with legislation requiring close control, monitoring and logging of processes and business activities.
But there's much more to ID management, and even companies that aren't so security-conscious ought to be thinking about it these days.
"It's seen as a security tool rather than as a productivity tool," according to David Senf, a research analyst with IDC Canada Ltd. in Toronto, who points out that ID management is really a collection of technologies that helps improve efficiency. "There are password resets and single sign-on as the typical technologies you'd consider as identity management. But one of the core components that often gets overlooked is user-account provisioning. That allows a business to take user-account activation and deactivation and integrate these into its business processes."
The technology is a lot simpler to buy, install and use these days, making it easier for smaller organizations to adopt, Mr. Senf says.
Inventure Solutions Inc., the IT arm of Vancouver City Savings Credit Union, embarked on ID management shortly after migrating from Windows NT to Windows 2003 about three years ago.
"We wanted to come up with something that was a single place to keep data about employees and keep it consistent -- then use it for other things like single sign-on," says Tony Fernandes, Inventure's vice-president of IT operations. "We saw it as a huge efficiency benefit. [Without it], you can end up duplicating coding in all types of systems to identify employees."
Among the first and toughest steps was to think centrally and start gathering all human resources information into a single data repository. From there, it's fed out into other applications and systems by an ID management engine -- in this case, Microsoft Corp.'s Identity Integration Server coupled with Active Directory software.
Rob Church, Inventure's manager of software architecture, says actual deployment of the ID management system was relatively straightforward compared with the mapping of places where data might end up. "We joked within this project that the technology was the simple part. The hard part was in understanding the business processes."
Inventure's ID management system builds user-rights profiles for access to IT and communication systems, and dynamically administers these rights throughout all relevant systems, applications and processes across the company's network. This saves a lot of time for HR and IT staff, who would otherwise have to configure all the systems for each employee manually.
"HR sets them up, but once [information on an employee] is set free in the organization, other things occur," Mr. Church says. "An employee gets space on a [business server] disk, for example. It happens as a result of a record that triggers some action."
The ID management system drives security-related functions you'd expect, such as single sign-on to networks and programs, but an employee is also automatically allocated things such as a number on the company's telephone system. If a teller is transferred to another credit union branch, for example, the staffing change gets noted in the ID management system by HR, which triggers the necessary changes in the phone system.
Any change noted by HR to an employee's status or location automatically triggers the appropriate changes in IT resource permissions, too. And when an employee leaves the company, HR's removal of that employee's identity likewise triggers the immediate deactivation of all IT services and rights.
That's one of the most significant security-related benefits of ID management, Mr. Senf says. "It's important to have a handle on what accounts are active, and to ensure which aren't active if they aren't supposed to be."
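The HR-driven activation, transfer and deactivation flow described above, with the orphan-account check Mr. Senf raises, as an added example (it is not Inventure's code and does not use Microsoft's Identity Integration Server): HR records are treated as the single source of truth, two downstream systems (a directory and a phone system) are compared against them, and every difference becomes a provisioning action. The employee IDs, branches and system state are constructed for the example.

```python
"""HR-driven account reconciliation (added example, not Inventure's code).

The HR record set is the single source of truth. Each downstream system is
compared against it and the differences become joiner/mover/leaver actions,
followed by a sweep for enabled accounts that no HR record explains.
"""
import copy
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed HR master data: the central repository the article describes.
HR_RECORDS = [
    {"employee_id": "E100", "status": "active", "branch": "Main St"},
    {"employee_id": "E101", "status": "active", "branch": "Broadway"},    # transferred
    {"employee_id": "E102", "status": "terminated", "branch": "Main St"},  # has left
]

# Constructed state of two downstream systems before reconciliation.
DIRECTORY_ACCOUNTS = {
    "E100": {"enabled": True, "branch_group": "Main St"},
    "E101": {"enabled": True, "branch_group": "Main St"},   # still in old branch
    "E102": {"enabled": True, "branch_group": "Main St"},   # never deactivated
    "E999": {"enabled": True, "branch_group": "Broadway"},  # no HR record: orphan
}
PHONE_EXTENSIONS = {"E100": "Main St", "E102": "Main St"}  # E101 has none yet


@dataclass(frozen=True)
class Action:
    system: str                   # "directory" or "phone"
    verb: str                     # create/enable/move/disable/assign/release
    employee_id: str
    target: Optional[str] = None  # branch for create/move/assign


def orphan_accounts(hr_records, directory) -> List[str]:
    """Enabled directory accounts with no HR record behind them."""
    known = {r["employee_id"] for r in hr_records}
    return sorted(e for e, a in directory.items() if a["enabled"] and e not in known)


def reconcile(hr_records, directory, phones) -> List[Action]:
    """Compute the actions that bring both systems in line with HR."""
    actions = []
    for rec in hr_records:
        emp, branch = rec["employee_id"], rec["branch"]
        acct = directory.get(emp)
        if rec["status"] == "active":
            # Joiner: no account yet. Mover: wrong branch or disabled.
            if acct is None:
                actions.append(Action("directory", "create", emp, branch))
            else:
                if not acct["enabled"]:
                    actions.append(Action("directory", "enable", emp))
                if acct["branch_group"] != branch:
                    actions.append(Action("directory", "move", emp, branch))
            ext = phones.get(emp)
            if ext is None:
                actions.append(Action("phone", "assign", emp, branch))
            elif ext != branch:
                actions.append(Action("phone", "move", emp, branch))
        else:
            # Leaver: HR removed the identity, so every resource goes away.
            if acct is not None and acct["enabled"]:
                actions.append(Action("directory", "disable", emp))
            if emp in phones:
                actions.append(Action("phone", "release", emp))
    # Sweep: accounts HR knows nothing about must not stay active.
    for emp in orphan_accounts(hr_records, directory):
        actions.append(Action("directory", "disable", emp))
    return sorted(actions, key=lambda a: (a.system, a.verb, a.employee_id))


def apply_actions(actions, directory, phones):
    """Apply actions to copies of the target systems and return the new state."""
    directory, phones = copy.deepcopy(directory), dict(phones)
    for a in actions:
        if a.system == "directory":
            if a.verb == "create":
                directory[a.employee_id] = {"enabled": True, "branch_group": a.target}
            elif a.verb == "enable":
                directory[a.employee_id]["enabled"] = True
            elif a.verb == "move":
                directory[a.employee_id]["branch_group"] = a.target
            elif a.verb == "disable":
                directory[a.employee_id]["enabled"] = False
        elif a.system == "phone":
            if a.verb in ("assign", "move"):
                phones[a.employee_id] = a.target
            elif a.verb == "release":
                phones.pop(a.employee_id, None)
    return directory, phones


if __name__ == "__main__":
    plan = reconcile(HR_RECORDS, DIRECTORY_ACCOUNTS, PHONE_EXTENSIONS)
    for action in plan:
        print(action)
    after_dir, after_phones = apply_actions(plan, DIRECTORY_ACCOUNTS, PHONE_EXTENSIONS)
    print("remaining actions:", reconcile(HR_RECORDS, after_dir, after_phones))
```

Running the plan a second time against the updated systems yields no actions, which is the property a provisioning engine needs so it can be run on every HR change without side effects; the orphan sweep is what catches accounts like E999 that were never created through HR in the first place.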
Credit Valley Hospital in Mississauga is another good example. It is working on a project using ID management to administer a set of security policies for a wide range of old and new applications and processes. Different applications required separate administration and tracking that was time-consuming and costly, so ID management is being used to tie everything together in a centralized way.
"There are audit requirements, so we need to ensure there is an audit trail from access to patient information," says Leigh Popov, the hospital's manager of technical infrastructure. "On top of that, there are simple operational issues. The less places you manage security, the more secure your environment will be."
The hospital is creating a centralized ID management engine to administer a common set of security rules for its applications and processes. It's an ongoing effort, and Mr. Popov says he eventually hopes to automate the activation and deactivation of IT resources for staff through ID management.
He says automating processes through ID management is a cost saver, even though it's difficult to build a specific return-on-investment model because of the number of groups and systems involved. "We're a publicly funded institution, so we try to do things as cost effectively as possible. Price is a big factor for us. My gut feel is that typical payback is less than 18 months, and in a lot of cases . . . less than a year. I think as you get into that sort of thing and use more [activation and deactivation] systems, the return gets even better."
Dan McLean is editor-in-chief of publisher ITWorldCanada.com.