One of the critical requirement of governance mandates like SOX 404, PCI Compliance, HIPAA and SAS-70 is that companies manage their provisioning in a more controlled and audited manner.
Companies with disparate applications from different vendors are confronted with the challenges around it. As part of my discussions with companies I have been talking to (in the Oracle E-Business Suite customer base), companies are still trying to get a handle on streamlining the model of provisioning. The fact that the workforce is increasingly becoming diverse is exacerbating the issue.
In addition to addressing the need around the business applications companies are trying to integrate email, voicemail, instant messenger, calendars, file shares, security cards, VPN access and other accounts that would allow employees to access various resources in the company.
Here is how the landscape of identity management shaping up.
Centralized User Management
Most companies (atleast the mid-to-large ones) invariably have a LDAP based directory that stores all the users (Active Directory, SunOne, Lotus Notes, Novell…). Enterprise applications like Oracle E-Business Suite, SAP ship some form of directory services like Oracle Internet Directory (OID) with adapters to sync with MS-Active Directory. Additionally, companies extend this to include every application they have on user desktop like Email, Network File Shares using Kerberos based centralized authentication right when they log on to the network so user does not have to authenticate in each application. With the directory setup the primary needs around access for email, network, file shares, instant messengers etc are met.
Centralized Administration of roles and privileges
While managing users has been accomplished by most Identity Management solutions, managing business applications and modeling the security and access privileges to map to that of each business application has been a distant dream. Case in Point, Oracle E-Business Suite security model. EBS security model is made up of Responsibilities, Menus, Functions, Roles and Permissions, Data Security. Some of them are hierarchical in nature and modeling the same in a traditional identity management solution has been a challenge. So companies have been forced to implement provisioning in a quasi-automated fashion.
Managing passwords and policies that control the password format has been another challenge. Different applications have different models, controls to define password policies and expiration policies. Considering that there are no real standards around it, companies have been implementing password policies to meet PCI guidelines at the same making applications work smoothly has been stopping the implementation of enterprise wide Identity Management solutions.
In addition, some of the other challenges that are being faced include delegation of approval authorities across a global company, integration with auditing tools, reporting tools are still primitive.
Maintaining passwords and login credentials in a single directory provides way to provision and revoke access. But while someone has access to resources in the company, it is also important that logging is done to identify any patterns and potential of unauthorized access. Companies have started investing in a lot of log mining tools like Splunk to get a handle on all the logs that are generated from various systems.