How To

Tips for Tackling Identity Management

Tom King, CISO of Lehman Brothers, answers readers' questions about implementing identity management products and processes

August 01, 2005CSO

Q: What were the most challenging issues in the implementation of your identity management solution?

A: Aligning business and administrative processes with our goals was the most challenging. A significant number of well-established business processes had to be reengineered to fit within the framework of the projectâ¬some processes changed, some standardized, others were invented from scratch. It was challenging to manage a large-scale deployment of new technology to many application owners.

We overcame the problems by ensuring that the people who owned the processes that were changing were partners in the success of the program. They understood that the benefits of the ID management project (security, compliance, efficiency) were significant, and that those benefits would be achieved only if everyone participated. They were then able to sell the benefits to their customers and overcome the natural resistance to change.

Q: In your opinion, which department should be managing an ID management solution in the enterprise?

A: Deploying an ID management project at a midsize to large enterprise is probably too significant of an undertaking to be managed solely by one group. It should be governed by a team that includes all stakeholders. A significant number of processes will likely be changed to accommodate an enterprise ID management solution; therefore it would be beneficial to have a representative from the stakeholding groups help manage the solution.

To ensure the ongoing success of identity management, it must become a core requirement that applications participate in ID management.

Q: Where have you seen the most significant cost savings?

A: The single largest benefit was in the time to provision and deprovision staff. We were able to reduce this time dramatically through standardizing and automating numerous account setup and disable processes. These efficiency gains were realized by both users and IT staff almost immediately, and we estimate that after just four months into the project, we had saved the equivalent of one year of a security administrator's time. These cost savings have expanded as we automated manual account setup processes. We expect these savings to continue accumulating as more applications are automated. It is important to note that the benefits of a robust ID management project extend beyond cost savings and result in increased security.

Q: Are there environments, as defined by size or industry, where identity management would not be a good fit?

A: Identity management is a hard requirement for any environment where information is a prized and high-value asset. This is especially true in regulated environments. With recent regulations like Sarbanes-Oxley, I think the threshold for environments where ID management would be a good fit has fallen significantly, encompassing almost all entities directly or indirectly subject to U.S. securities law. However, taking the time to define, optimize, enforce and create documentary evidence of your identity management processes does not mean that full automation of these processes through technology is necessary. The three main factors that determine the likely value from automation are the number of identities to be managed, the heterogeneity of the environment and the cost of current identity-related processes.

RESOURCE CENTER
Loading...
VIRTUAL CONFERENCE
Data Center Directions Virtual Conference

Data Center VCAttend this free, 100% online event exploring tools and techniques for making your data center deliver for today and tomorrow.

» Learn more and register here

WHITE PAPER
Maximizing Site Visitor Trust Using Extended Validation SSL

VeriSignNow with Extended Validation (EV) SSL available from VeriSign, you can show your customers that they can trust your site. Learn about EV SSL benefits in the free VeriSign white paper.

» Read the Paper

Featured Sponsors
Sponsored Links

Digital Identity Protection and Data Security Get Personal

IDC Defines an Identity and Access Management Submarket for Managing Privileged User Accounts and Meeting GRC Requirements

Manage your IT more effectively

IDC Defines an Identity and Access Management Submarket

Solving Online Credit Fraud Using Device Reputation

Secure your virtual and physical environments with the same software

Any company can promise identity protection. Only Debix can prove it

Envision Identity-Based Access Control for the Datacenter

When Customer Relationship is Everything, Businesses Bank on SSL Solutions

Managing SSL Security in Multi-Server Environments

The Latest Advancements in SSL Technology

How to Offer the Strongest SSL Encryption

Get in Compliance With Government Data Regulations

Taking the Botnet Threat Seriously

Welcome to the age of Service-Oriented Security (SOS)

Everything Today's CISO Needs to Know About Using SSO to Succeed in the Web 2.0 Era

Efficient - Flexible - Compliant

Simplify your data center with Juniper Networks. View the webcast

Forrester Total Economic Impact (TEI) report: Save Millions in Fraud Losses.

CA's IT Security centralizes your identity management to turn security into a proactive, business-building tool

How Are Open Source Development Communities Embracing Security Best Practices?

Using Likewise to Comply with PCI Data Security Standard

Enabling Compliance with Converged Mainframe Security and Storage

The Case for Business Software Assurance ~ Securing Your Applications

Maximizing Site Visitor Trust Using Extended Validation SSL

Understanding Data Location is Imperative for Data Loss Prevention

5 Steps to Secure Outsourced Application Development