Home » Identity & Access » Identity Management

How To

Tips for Tackling Identity Management

Tom King, CISO of Lehman Brothers, answers readers' questions about implementing identity management products and processes

August 01, 2005 — CSO —

Q: What were the most challenging issues in the implementation of your identity management solution?

A: Aligning business and administrative processes with our goals was the most challenging. A significant number of well-established business processes had to be reengineered to fit within the framework of the projectâ¬some processes changed, some standardized, others were invented from scratch. It was challenging to manage a large-scale deployment of new technology to many application owners.

We overcame the problems by ensuring that the people who owned the processes that were changing were partners in the success of the program. They understood that the benefits of the ID management project (security, compliance, efficiency) were significant, and that those benefits would be achieved only if everyone participated. They were then able to sell the benefits to their customers and overcome the natural resistance to change.

Q: In your opinion, which department should be managing an ID management solution in the enterprise?

A: Deploying an ID management project at a midsize to large enterprise is probably too significant of an undertaking to be managed solely by one group. It should be governed by a team that includes all stakeholders. A significant number of processes will likely be changed to accommodate an enterprise ID management solution; therefore it would be beneficial to have a representative from the stakeholding groups help manage the solution.

To ensure the ongoing success of identity management, it must become a core requirement that applications participate in ID management.

Q: Where have you seen the most significant cost savings?

A: The single largest benefit was in the time to provision and deprovision staff. We were able to reduce this time dramatically through standardizing and automating numerous account setup and disable processes. These efficiency gains were realized by both users and IT staff almost immediately, and we estimate that after just four months into the project, we had saved the equivalent of one year of a security administrator's time. These cost savings have expanded as we automated manual account setup processes. We expect these savings to continue accumulating as more applications are automated. It is important to note that the benefits of a robust ID management project extend beyond cost savings and result in increased security.

Q: Are there environments, as defined by size or industry, where identity management would not be a good fit?

A: Identity management is a hard requirement for any environment where information is a prized and high-value asset. This is especially true in regulated environments. With recent regulations like Sarbanes-Oxley, I think the threshold for environments where ID management would be a good fit has fallen significantly, encompassing almost all entities directly or indirectly subject to U.S. securities law. However, taking the time to define, optimize, enforce and create documentary evidence of your identity management processes does not mean that full automation of these processes through technology is necessary. The three main factors that determine the likely value from automation are the number of identities to be managed, the heterogeneity of the environment and the cost of current identity-related processes.