Computer access management was designed years ago with the idea that a user signed on at a single location, was verified, and proceeded to use the allowed data. That simply is not true anymore.
As companies have expanded operations, acquired new subsidiaries and ran into the massive world of regulatory compliance including SOX, HIPAA and the like, access management became a forest of complex log-ons and passwords across multiple sites. For large enterprises and government agencies, it is a nightmare.
While IT-based identity management has not been the go-to product or service for traditional security integrators, there is certainly an opportunity here for firms looking to break into the IT security market. Thanks to easy-to-deploy and relatively inexpensive software, the traditional security integrator can offer a solution to a major problem faced by large enterprises across several vertical markets.
FishNet Security, an information security solution provider, is an expert in providing IT identity management services. “We are more about solution selling than being a value added reseller,” says Robert Block, managing director of strategic services for the Kansas City-based company. “Most of our customers have way too many back-end user repositories, too many IDs and too many passwords.”
In most cases, a typical FishNet customer will bring them an identity management system problem and have little clue how to solve it. One solution the integrator regularly uses to bridge the gap is a virtual directory that comes from supplier Radiant Logic. Since it is a software product, Block says, it is not an overly expensive fix.
The Challenges of Granting Access
Identity management is a changing field. A typical provisioning project putting identity management in place will take 12 to 22 weeks. Historically, integrators approached this space as simple identity management; later, it became identity and access management. Today, it is identity and access governance, since tracking use is vital.
Any large company — especially those in finance or healthcare, and most state and federal agencies — is laboring under the problem of granting audited access from a variety of portals to a host of workers who want to sign on from anywhere on the planet. Those workers do not want to have a list of a half-dozen passwords to get access to all of their accounts. A virtual directory is a simple solution.
“The integrator who is looking for a long-term, ask-me-first relationship with a customer sees this as a way to future-proof their offering,” says Wade Ellery, director of sales, Western Region, at Radiant Logic.
Identity sprawl plagues every IT environment, Ellery adds. A user’s IT identity is spread over countless domains, forests, directories, databases and applications. It is unlikely any user knows how many places their ID is stored, according to Ellery. Each incidence of storage is set up to service a single application or need — the result is an inefficient, error prone and disjointed user profile. “Traditional IDM solutions only paper over the problem and never resolve the underlying cause leading to continued identity sprawl,” Ellery says.
Customers often are not aware that a solution exists that allows them to get the end-result they seek at less cost with less complexity and still meet compliance targets, Ellery continues.
Simplicity is one of the aspects that FishNet appreciates about the Radiant Logic system. “There is no code required for their product. You don’t need a programmer on staff,” Block says. “It is much easier to sell since the services spend is not as big.”
Target Customers
Typically, there are three classes of buyer who are interested in consolidating identity systems, Block says. The first group is made up of fast-growing companies that do not want to hassle with synchronizing active directories. Many hospitals, for example, are acquiring three or four new companies every year. Other businesses may be adding one or two new operations in each business cycle.
All of the many directories, mail systems, applications and users need to be synchronized. “Virtual directory makes it easy to do,” Block says.
A second classic case would be a company with an inside infrastructure that is growing out of hand. There are tools to integrate Novell and Active Directory, of course — but what does one do with all the apps? Radiant Logic’s product covers that with a single sign-on.
Large EDAP systems like Oracle, SAP and SASS point only to a single place. “For organizations that need more than one user repository in their environment, this provides a single view,” Block says. A typical case might be a system that is required to handle both internal employees and external customers with a single view.
Super accounts are another common bugaboo for access. Most systems do not let IT management link corporate data to the user’s personal accounts nor do they link silos of information to any of the other accounts.
The U.S. Government, for example, has implemented Federal Identity and Credential Access Management (FICAM), which issues each worker a card loaded with the access available to that worker. FICAM will talk to this system, a real saver of time and energy for security integrators faced with FICAM challenges.
It is not just government that has such requirements. Companies including Disney, Target, Discover, Liberty Mutual, Wachovia, Comcast, Sony, U.S. Air Force, BP, Daimler Chrysler, the Canadian National Defence and Ford, use the system to get a handle on managing identity of employees, partners, customers, and things.
Inside the Technology
The basic RadiantOne solution is a virtual directory that is targeted for deployment in complex enterprise Identity Management programs. RadiantOne 7.0 introduced HDAP, an LDAP directory based on search technology and large cluster computing, and features an advanced identity integration layer based on virtualization. HDAP enables enterprises to harness the power of large cluster and elastic computing in their identity infrastructures, while the RadiantOne virtualization layer creates a single view of identity from across disparate data stores.
“This eliminates 70 percent of the overhead by providing the identity access in the format the system needs,” Ellery says. While the apps may speak different languages, this will translate Active Directory to LDAP or vice versa – transparently to the user and to the system itself.
Such a view is essential for companies with diverse identity infrastructures, enabling them to effectively leverage web application management, cloud apps, and other platforms for collaboration.
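To make the virtualization idea concrete, here is a toy virtual-directory layer written for this article; it is not Radiant Logic’s code and makes no claim about how RadiantOne is built. It maps two differently shaped identity stores (a constructed Active Directory-style store using sAMAccountName and userAccountControl, and a constructed OpenLDAP-style store using uid and ou) onto one common view, correlated on e-mail address, and reports the duplicated identities and conflicting attributes that Ellery calls identity sprawl.

```python
from collections import defaultdict

# Constructed sample data (not from any real directory).
AD_STORE = [
    {"sAMAccountName": "jdoe", "mail": "jdoe@example.com", "department": "Finance", "userAccountControl": 512},
    {"sAMAccountName": "asmith", "mail": "asmith@example.com", "department": "HR", "userAccountControl": 514},
]
LDAP_STORE = [
    {"uid": "jdoe", "mail": "jdoe@example.com", "ou": "Accounting"},
    {"uid": "bwong", "mail": "bwong@example.com", "ou": "Engineering"},
]

# Schema mappings: backend attribute -> virtual attribute, optionally with a
# converter. AD keeps the disabled flag in bit 0x2 (ACCOUNTDISABLE) of
# userAccountControl, so "enabled" is derived rather than copied.
AD_MAP = {"sAMAccountName": "uid", "mail": "mail", "department": "ou",
          "userAccountControl": ("enabled", lambda v: not (v & 0x2))}
LDAP_MAP = {"uid": "uid", "mail": "mail", "ou": "ou"}

def translate(record, mapping):
    """Rename (and where needed convert) one backend record into the common schema."""
    out = {}
    for src, target in mapping.items():
        if src not in record:
            continue
        virt, conv = target if isinstance(target, tuple) else (target, lambda v: v)
        out[virt] = conv(record[src])
    return out

def build_virtual_view(stores, join_key="mail"):
    """Merge several (name, records, mapping) stores into one view keyed on join_key.
    The first store to supply an attribute wins; disagreements are recorded as conflicts."""
    view = {}
    for name, records, mapping in stores:
        for rec in records:
            entry = translate(rec, mapping)
            slot = view.setdefault(entry[join_key],
                                   {"attrs": {}, "sources": [], "conflicts": defaultdict(set)})
            slot["sources"].append(name)
            for attr, value in entry.items():
                current = slot["attrs"].get(attr)
                if current is None:
                    slot["attrs"][attr] = value
                elif current != value:
                    slot["conflicts"][attr].update({current, value})
    for slot in view.values():
        slot["conflicts"] = {k: sorted(v) for k, v in slot["conflicts"].items()}
    return view

def sprawl_report(view):
    """Identities that live in more than one backend: the duplication an audit must reconcile."""
    return {key: slot["sources"] for key, slot in view.items() if len(slot["sources"]) > 1}

if __name__ == "__main__":
    unified = build_virtual_view([("AD", AD_STORE, AD_MAP), ("LDAP", LDAP_STORE, LDAP_MAP)])
    print(sprawl_report(unified))
```

The conflict list is the part an integrator would show a compliance officer: the same person is "Finance" in one store and "Accounting" in the other, and neither backend knows the other exists.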
“This is not a convenience sell,” Ellery tells integrators. “Sell it on the basis of compliance,” he advises. “Administrators can work harder. But compliance has visibility in corporate offices.”
Curt Harler is a technology writer and regular contributor to SD&I magazine. Reach him at [email protected].