Identity management addresses the difficulties encountered when one physical user has separate user IDs and passwords on multiple systems and applications. Access management addresses the challenges associated with the specific access rights and permissions of multiple user IDs.
Large, complex organizations have the greatest potential to benefit from software-based IAM. Smaller organizations may find that an IAM readiness review alone yields policy and process improvements that deliver much of the benefit without new software.
Internal control and corporate governance are the primary drivers of IAM solution implementations. Benefits include centralized monitoring, detection of policy exceptions and segregation of duties. Other considerations include controlling access to centralized IAM, defining and tuning rules, and integrating the IAM solution with the organization’s current internal control environment.
The ideal IAM solution must effectively manage the entire life cycle of a user's multiple user IDs and associated permissions, from creation through every change to their eventual deletion.
Integrators should be measured on cost, functionality, track record, their expertise with existing systems, and their ability to scale with you as your business changes.
Readiness criteria and maintenance should be determined prior to implementation.
Bryce H. Peterson, CISA, is a manager and Paul Smedegaard is a senior manager in KPMG’s IT Advisory Services practice in Phoenix. William G. Heninger, CPA, Ph.D., and Marshall B. Romney, CPA, Ph.D., CFE, are on the faculty of Brigham Young University in Provo, Utah.
Imagine that you’re on the golf course, one of your clones is at work, and the other clone is preparing dinner. It sounds like a perfect scenario until the clone at work gets fired and the other clone burns down your house. Just as managing multiple physical identities would present challenges and expose you to greater risk, managing or auditing multiple logical identities, like user IDs, passwords, and permissions on various systems, poses a formidable challenge and greatly increases risk exposure. This is where identity and access management (IAM) comes in.
Identity management addresses the difficulties encountered when one physical user has separate user IDs and passwords on multiple systems and applications. Access management addresses the challenges associated with the specific access rights and permissions of multiple user IDs. Identity and access management becomes more burdensome as the size and complexity of the company grows. This article focuses on the benefits, risks, leading practices and audit considerations of both identity and access management.
EVALUATING THE IAM BUSINESS CASE
Generally, the larger and more complex your organization, the greater the potential benefit of software-based IAM. Smaller and less complex organizations may find that simply performing an IAM readiness review generates policy and process improvements that support compliance and information security initiatives, allowing the organization to realize much of the benefit without implementing new software.
Policy and process improvements include user ID naming conventions; process work instructions that clearly detail the steps for user administration functions; defined segregation of duties policies; and user ID reviews that focus on higher risk systems. Standard cost/benefit models can be used to generate a realistic IAM business case as long as the model accounts for implementation risk and rests on a thorough analysis of the company’s unique business circumstances.
BENEFITS OF IAM TO INTERNAL CONTROL
Compliance with Sarbanes-Oxley section 404 requirements for internal control over financial reporting is one of the primary drivers of IAM software implementations. The following are key benefits and considerations from an internal and external audit perspective:
• Centralized monitoring. IAM software provides the ability to centrally manage and monitor user IDs and access permissions based on predefined rules. This allows auditors to inspect IAM configurations and rules to gain comfort with the user administration controls for multiple systems.
• Detect policy exceptions. Because IAM tools continually reconcile the linked systems against their own records, a user ID that is provisioned (created and assigned access) directly on a system, without first being provisioned in the IAM tool, triggers an alert to the IAM process owner. This gives the auditor comfort that a detective control is in place for such policy violations, often called control workarounds. The detection reaches only as far as the reconciliation does: a system that is not connected, or a connector that tracks only the accounts it created rather than enumerating every account on the target, leaves a blind spot.
• Segregation of duties (SoD). A common system access deficiency identified during compliance audits is a lack of, or inconsistent enforcement of, segregating conflicting functions (for example, the ability to modify vendor records, post invoices, and cut checks in the procure-to-pay business process). Because this control deficiency can be considered pervasive and creates a higher risk of fraud, many organizations have implemented SoD analysis tools, such as Approva’s BizRights or SAP’s GRC, and link these tools with their IAM software to identify potential SoD issues at the beginning of the user ID life cycle, before access is granted.
• Keys to the kingdom. Because IAM software has ultimate control of the parent user ID, users with administrative access to the IAM software essentially control the "keys to the kingdom." Therefore, organizations should restrict access to the IAM tool to a limited number of people and implement monitoring controls (for example, logging or automated event alerts) over such users to prevent or detect any inappropriate use of their extensive access.
• Rule definition and tuning. An IAM software tool is only as effective and precise as the underlying rules that drive the user ID life cycle and alert functionality. During implementation, both internal and external auditors should be engaged to review the designed rule set for appropriateness, so that the solution can be relied upon from initial go-live. Furthermore, as rules are refined, appropriate documentation should be retained to demonstrate that the rule changes were initiated, certified and implemented according to existing change management policies.
• Internal control integration. Because the IAM solution will be part of the internal control environment, consideration should be given during the initial implementation to integrating the various IAM controls into the standard portfolio of internal controls and the associated control management processes, such as control modification, consolidation and continual improvement.
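The segregation-of-duties item above describes checking for conflicting functions at the start of the user ID life cycle, before a request is provisioned. The following is an added example in Python, not code from the original article or from any SoD product it names. The role-to-function table and the conflict matrix are constructed assumptions built around the procure-to-pay functions the text mentions (maintain vendor, post invoice, run payment); in a real deployment they would be derived from the target system's authorization model and the organization's SoD policy.

```python
"""Preventive SoD check evaluated before a role is provisioned.

Added example, not from the original article. ROLE_FUNCTIONS and CONFLICTS
are constructed to mirror the procure-to-pay conflict described in the text.
"""

# Business functions granted by each role (constructed). A role can itself
# bundle conflicting functions, which the check below also catches.
ROLE_FUNCTIONS = {
    "ap_clerk":       {"post_invoice"},
    "vendor_master":  {"maintain_vendor"},
    "treasury":       {"run_payment"},
    "ap_supervisor":  {"post_invoice", "approve_invoice"},
    "procurement_ro": {"view_po"},
}

# Pairs of functions one person must not hold together. Any two of the three
# procure-to-pay steps would let one person create a vendor, invoice it and
# pay it; approving one's own invoice postings is a fourth conflict.
CONFLICTS = {
    frozenset({"maintain_vendor", "post_invoice"}),
    frozenset({"maintain_vendor", "run_payment"}),
    frozenset({"post_invoice", "run_payment"}),
    frozenset({"post_invoice", "approve_invoice"}),
}


def effective_functions(roles):
    """Union of business functions reachable through all of a user's roles."""
    fns = set()
    for r in roles:
        fns |= ROLE_FUNCTIONS[r]
    return fns


def sod_violations(roles):
    """Conflict pairs fully covered by the user's effective functions."""
    fns = effective_functions(roles)
    return {pair for pair in CONFLICTS if pair <= fns}


def check_request(current_roles, requested_role):
    """Evaluate a provisioning request before any access is granted.

    Returns (allowed, new_violations, preexisting_violations). Conflicts the
    user already holds are reported separately so they neither block an
    unrelated request nor hide what this request would add.
    """
    before = sod_violations(current_roles)
    after = sod_violations(set(current_roles) | {requested_role})
    new = after - before
    return (not new, new, before)


def explain(violations):
    """Human-readable lines for the alert sent to the IAM process owner."""
    return sorted(" <> ".join(sorted(pair)) for pair in violations)


if __name__ == "__main__":
    # An AP clerk who already maintains vendors asks for the treasury role.
    allowed, new, pre = check_request({"ap_clerk", "vendor_master"}, "treasury")
    print("allowed:", allowed)
    print("new conflicts:", explain(new))
    print("pre-existing conflicts:", explain(pre))
```

The request is evaluated against the user's effective functions, not just the role names, so a conflict that arises only through the combination of two roles is caught, as is a single role that bundles conflicting functions. Pre-existing violations are returned separately because they belong to a periodic SoD review rather than to this request's approval decision.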
CHOOSING AN IAM SOLUTION
While a variety of IAM tools and solutions exist, the ideal solution must effectively manage the entire life cycle of a user’s multiple user IDs and associated permissions, from creation through every change to their eventual deletion (see Exhibit 1).
When evaluating potential IAM solutions, require each vendor to demonstrate its product’s handling of the user ID life cycle; this allows a more objective comparison among candidates (see Exhibit 1). The three stages of the user ID life cycle are discussed below.
1. Create. When a user joins an organization and requires access to system resources, the typical process includes submitting an approved request to the information technology (IT) group to provision (create and assign permissions to) a user ID. However, when multiple platforms (such as Windows, UNIX, and IBM mainframe) and applications (such as SAP, Oracle, Web portals, and custom applications) exist, provisioning a user ID becomes complicated. For example, should the user ID on Windows be “bpeterson” while the user ID on SAP is “S145692” and the user ID on Oracle is “bhp”?
Ideally and logically, a company would attempt to strictly enforce consistency in the naming convention across all systems and applications, but the reality of acquisition and technological limitations (for example, if user IDs can only be three characters long on a custom application) often prevent achieving that ideal. When using an IAM tool, the IT group can create the user ID using the IAM solution, which will then create user IDs and permissions across the other required systems and applications according to the various formats on those systems. This can be done either automatically or by sending a notice to an administrator if technology or process restrictions prevent full automation.
These multiple user IDs will be controlled by the parent user ID on the IAM tool. This can be done even if the user ID on one system is “bheninger” and the user ID on another application is “heningerb.” And any change made to the parent ID will be cascaded to each of the other associated user IDs. Clearly, if business policies or technology limitations prevent full automation and integration among the IAM software and the linked platforms and applications, the expected overall efficiency gains for the IAM software would be reduced.
2. Change. Likely the most difficult aspect of managing multiple logical identities (user IDs) is enforcing the consistency of a change—simple or complex— across all affected platforms and applications. Effective IAM tools will automatically enforce and synchronize any change across the affected systems and applications once the change is made to the parent ID. Such a change would be necessary when a user’s last name is changed after marriage, for example.
Furthermore, the IAM tool can manage the transfer of a user’s identity when that user’s relationship to the organization changes. For example, many companies hire outside contractors to support various projects and then decide to make the contractor a permanent employee. Without an IAM solution in place, the conversion process might include removing the contractor’s multiple user accounts and associated permissions and then re-creating the same accounts with enhanced permissions as permanent employee accounts. An IAM solution could simplify the conversion to only modifying a few attributes in the parent user ID (for example, the employee status and employee ID) and adding the additional required access permissions that would be automatically replicated to the other associated IDs.
3. Delete. Common exceptions or deficiencies identified during user account reviews include generic, outdated, stale or orphaned user IDs. Generic user IDs are accounts that are shared by more than one user and have no specific accountability. Outdated user IDs are accounts with permissions that are no longer relevant based on organization or role changes. Stale user IDs are accounts that have not been used for a long time (and prompt questions about the need for a user ID), while orphaned user IDs are accounts that remain on systems or applications after a user has been terminated and the network (for example, Windows) user ID has been deleted or disabled. IAM solutions can be used to warn against or even prevent generic, outdated, stale and orphaned user IDs.
Because the parent user ID in the IAM solution controls the user IDs defined in the other linked systems and applications, a rule can be created to flag generic IDs; and modifying or deleting the parent ID would update, delete or disable (either automatically or via sending a notice to an administrator) the other associated user IDs. Again, if the linked systems are not correctly interfaced or if the cascading rules are not correctly defined, the management of these troublesome user IDs could be compounded rather than simplified.
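The three stages just described (create, change, delete) and the reconciliation behind the "detect policy exceptions" control in the earlier section are modelled below as an added example in Python; this is not code from the original article or from any IAM product it names. The system names, the per-system naming rules (including a three-character legacy limit standing in for the kind of technical restriction the text mentions), the role-to-entitlement table and the inventory records are all constructed assumptions. The audit flags the account types the text defines (generic, outdated, stale, orphaned) plus accounts a linked system reports that the IAM tool never provisioned.

```python
"""Toy parent-ID life cycle with an account reconciliation audit.

Added example, not code from the original article. The system names,
naming rules, role-to-entitlement table and inventory records are all
constructed to illustrate the create/change/delete stages and the
detective checks (rogue, orphaned, stale, generic, outdated accounts).
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# How each target system derives its ID from the parent identity. The
# "legacy" rule stands in for an application limited to 3 characters.
NAMING_RULES = {
    "windows": lambda p: (p.first[0] + p.last).lower(),      # bpeterson
    "sap":     lambda p: "S" + str(p.employee_no).zfill(6),  # S145692
    "legacy":  lambda p: (p.first[0] + p.last[:2]).lower(),  # bpe
}
# Entitlements each role is supposed to hold; anything extra is "outdated".
ROLE_ENTITLEMENTS = {"contractor": {"read"}, "employee": {"read", "post"}}


@dataclass
class Parent:
    """Authoritative identity held in the IAM tool."""
    uid: str
    first: str
    last: str
    employee_no: int
    role: str = "contractor"
    status: str = "active"                        # active | terminated
    accounts: dict = field(default_factory=dict)  # system -> derived ID


@dataclass
class Account:
    """An account as reported by a target system's inventory export."""
    system: str
    account_id: str
    owner_uid: Optional[str]     # None: shared/generic, nobody accountable
    last_login: Optional[date]   # None: never used
    entitlements: set = field(default_factory=set)
    enabled: bool = True


class IAM:
    def __init__(self):
        self.parents = {}

    def create(self, parent, systems):
        """Stage 1: provision once; every linked ID is derived from the parent."""
        for s in systems:
            parent.accounts[s] = NAMING_RULES[s](parent)
        self.parents[parent.uid] = parent
        return dict(parent.accounts)

    def change(self, uid, **attrs):
        """Stage 2: change the parent, then cascade to every linked ID."""
        p = self.parents[uid]
        for name, value in attrs.items():
            setattr(p, name, value)
        for s in p.accounts:
            p.accounts[s] = NAMING_RULES[s](p)
        return dict(p.accounts)

    def terminate(self, uid):
        """Stage 3: retire the parent; linked accounts must be disabled too."""
        self.parents[uid].status = "terminated"

    def audit(self, inventory, today, stale_days=90):
        """Detective control: reconcile target inventories against IAM records."""
        expected = {(s, a) for p in self.parents.values() for s, a in p.accounts.items()}
        findings = []
        for acct in inventory:
            key = (acct.system, acct.account_id)
            owner = self.parents.get(acct.owner_uid)
            if acct.owner_uid is None:
                findings.append(("generic", *key))
            elif owner is None or key not in expected:
                findings.append(("rogue", *key))     # provisioned outside IAM
            elif owner.status == "terminated" and acct.enabled:
                findings.append(("orphaned", *key))
            elif acct.entitlements - ROLE_ENTITLEMENTS[owner.role]:
                findings.append(("outdated", *key))
            if acct.enabled and (acct.last_login is None
                                 or (today - acct.last_login).days > stale_days):
                findings.append(("stale", *key))
        return findings


def demo():
    """Walk the three stages, then audit a constructed inventory."""
    iam = IAM()
    iam.create(Parent("bpeterson", "Bryce", "Peterson", 145692), ["windows", "sap", "legacy"])
    iam.change("bpeterson", role="employee")   # contractor converted to employee
    iam.create(Parent("wheninger", "William", "Heninger", 200001, role="employee"), ["windows", "sap"])
    iam.terminate("wheninger")                 # the Windows account below was never disabled
    inventory = [  # constructed exports from the three systems
        Account("windows", "bpeterson", "bpeterson", date(2008, 5, 30), {"read", "post"}),
        Account("sap", "S145692", "bpeterson", date(2008, 1, 15), {"read", "post"}),
        Account("legacy", "bpe", "bpeterson", date(2008, 5, 29), {"read", "post", "admin"}),
        Account("sap", "S999999", "bpeterson", date(2008, 5, 1), {"read"}),
        Account("windows", "wheninger", "wheninger", date(2008, 5, 20), {"read"}),
        Account("sap", "BATCH01", None, None, {"post"}),
    ]
    return iam.audit(inventory, date(2008, 6, 1))
```

The `expected` set is the key design point: the audit trusts only what the parent IDs say should exist, so an account created directly on SAP with a valid-looking ID (`S999999`) is still flagged as rogue because no parent derived it, and a terminated parent's still-enabled Windows account surfaces as an orphan. The cascade in `change` shows why naming rules must be re-applied rather than stored once: a surname change renames the Windows and legacy IDs while the employee-number-based SAP ID stays put.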
SELECTING AN IAM VENDOR AND INTEGRATOR
Because implementing an IAM system comes with significant costs, choosing the right IAM vendor and integrator is critical.
In 2006, the overall size of the global IAM market, including software license and related implementation service fees, was about $2.6 billion. Forrester Research predicts the IAM market will grow to $12.3 billion by 2014.
Major IAM software vendors include Avatier, BMC Software, Beta Systems, CA, Courion, Evidian, Fischer International, HP, IBM, Microsoft, Novell, Oracle, SAP, Siemens and Sun Microsystems. IAM integrators include many of these vendors as well as the Big Four accounting firms, the mainstream consulting firms, and a variety of boutique firms and independent consultants. Each vendor’s software package and each integrator have strengths and weaknesses, so if you do not have the expertise to manage the integration of an IAM tool, we recommend evaluating integrators using the following criteria:
1. Cost. Because software licensing fees and integration fees can be as high as a company is willing to pay, compare the base license fees from each vendor based on the existing (not promised) functionality options and continuing service commitment that might be included.
2. Functionality. As with many products and services, the promises of marketing professionals don’t always equate to reality. Require live demonstrations of each vendor’s products and integration methodologies to get a more realistic picture of true functionality and service offerings.
3. Track record. With a long list of vendors and integrators to evaluate when making an IAM selection, speaking with former and current clients of the prospective vendor or integrator will help to distinguish the vendors and integrators that are serious about taking care of their customers before, during and, more importantly, after the sale.
4. Leverage. If your company already has a professional relationship with a vendor or integrator, leveraging the existing products or services being provided can assist in reducing the overall costs associated with IAM implementation.
5. Scalability. As most companies are trying to grow business, your IAM vendor and integrator should be as scalable (based on track record rather than verbal promises) as your business plan.
With all of the benefits available with IAM software tools, why aren’t companies rushing to implement them? For the same reasons that companies should not rush into any technology decisions—they require careful consideration of several common challenges as well as planning to address such challenges. A few common challenges of IAM tools—implementation, business readiness, and long-term maintenance— can be more successfully navigated by partnering with the right IAM integrator. Evaluating the following implementation considerations can help determine if an IAM solution is right for your company. Furthermore, requiring potential IAM integrators to demonstrate competency addressing these considerations and to provide former and current client references to validate their competency can facilitate an objective service provider selection.
As with many system implementations, costs of implementing an IAM tool can quickly soar out of control; and the original business benefits associated with the implementation may not be fully realized if proper controls are not in place from the start. The sidebar “Common Pitfalls of IAM Implementations” lists some of the problems that can arise.
To address such risks, these leading practices may be helpful:
• Obtain stakeholder consensus. As all IAM implementations are different and include unique project requirements, the project team should identify all key stakeholders and gain their consensus on scope and approach.
• Obtain executive-level sponsorship. Because an IAM implementation affects multiple business units within an organization, obtaining executive sponsorship is critical to realizing the full benefits of the software. For example, a state government recently implemented an IAM system, which was sponsored by the Department of Administration. Because the senior state leadership promoted the project, the IAM tool is achieving the intended cross-agency adoption.
• Adopt and implement a structured project management approach. Implementing an IAM solution is not a simple “plug and play” operation. According to Gartner Research, “Large-scale user-provisioning projects are complex initiatives and require experienced management to increase the chances of success. Although the success rates of such initiatives are now higher than in previous years, user-provisioning projects still have a significant failure rate due primarily to scope definition and managing to that scope.”
Common Pitfalls of IAM Implementations
• Project risk management and governance models are not in place or are lacking.
• Analysis and definition of business and technical requirements are incomplete.
• Validation of proposed solutions, integration partners and rules is limited.
• Scope of services and functionality continues to expand beyond original strategies (scope creep).
• Executive sponsorship is insufficient or political agendas are in place.
• Testing and migration of the final solution are insufficient.
• Existing errors are either undetected or ignored (for example, the IAM system doesn’t interface with other systems correctly or the system is unusable).
• Eventual production system does not meet original expectations.
ARE YOU READY?
As part of the IAM implementation, business processes and procedures should be considered to make sure they are consistent with the pending IAM technology. Common business readiness challenges include:
• Existing user administration processes are poorly defined.
• Control and process owners are inconsistently identified.
• Knowledge of compliance requirements is deficient.
• Audit considerations are not fully contemplated.
To plan for such challenges, these leading practices should be considered:
• Understand your user account landscape and associated complexity. If your company is larger and more complex (10 or more IDs per user), the associated complexity will equate to greater project management requirements and costs. If your company is smaller and less complex (five or fewer IDs per user with no anticipation of growth), you might consider alternative business process modifications instead of implementing an IAM solution.
• Understand your user population. If your users are not computer savvy, implementing a sophisticated employee self-service function as part of your IAM implementation may not be feasible or recommended.
• Properly prepare and train business units. If employees and users receive thorough training, they will have the ability and sense of ownership to maximize the IAM solution’s intended value.
• Understand your regulatory requirements. If your organization is required to comply with regulatory standards such as Sarbanes-Oxley, the Payment Card Industry Data Security Standard and the Gramm-Leach-Bliley Act, integrating regulatory requirements into your implementation plan allows you to address compliance concerns before they become compliance gaps.
After successfully implementing an IAM solution, many organizations fail to adequately plan for short- and long-term maintenance. Lack of maintenance planning quickly erodes the value of the IAM solution and leaves the organization questioning the cost of integration. These questions may help in planning for maintaining the IAM software:
• Who will support the IAM tool after implementation? As the IAM solution vendor or integration partner may offer maintenance services for the solution, a decision should be made sooner rather than later regarding who will maintain the solution and how the maintenance costs will be covered in the licensing or integration contract.
• Which group will own the ongoing maintenance costs? Everything costs money and, because the IAM solution will impact platforms and applications across the enterprise, identifying the owner(s) of the ongoing maintenance costs can be politically difficult, but critically important.
• What level of availability will be required of the tool? If the IAM solution is considered mission critical, backup and recovery processes should be included and certified in the initial implementation project to prevent potential availability issues down the road.
• Who will monitor the business processes supporting and impacted by the IAM solution? Compliance managers know that changes to key business processes can substantially alter the control environment, so resources should be identified to monitor the business processes and procedures associated with the IAM solution to avoid invalidating the controls provided by the solution.
• How can we continue to optimize the IAM solution? Because continual improvement is often included in the initial implementation business case, a formal methodology should be developed as part of the integration plan to continue optimizing the effectiveness of the IAM tool after the initial implementation is complete.
Now that you have an understanding of the common challenges and the potential benefits associated with IAM solutions, you have the basis to consider engaging internal or external professionals to perform an IAM readiness review. The results of such a review will provide the additional knowledge needed to develop a business case to determine if an IAM solution is right for the organization and if it is the right time to consider an IAM implementation.
• “Identity Management Market Forecast: 2007 to 2014,” by Andras Cser and Jonathan Penn, Forrester Research, Feb. 6, 2008
• “Magic Quadrant for User Provisioning, 2H07,” by Earl Perkins and Roberta J. Witty, Gartner Research, Aug. 23, 2007
• “The Truth About Federated Identity Management,” by Sarah D. Scalet, CSO Online, Oct. 1, 2006
• “Automated Password Reset Can Cut IT Service Desk Costs,” by Kris Brittain and Roberta J. Witty, Gartner Research, Dec. 13, 2004