When a new employee is hired at a large company, he or she usually fills out a long series of forms that prompts each department to provide the new user with necessary equipment or information, such as desks, telephone extensions, laptops, user IDs and PDAs. As a new hire at a major Wall Street financial firm, I once waited five weeks for my computer and user ID. Somewhere along the line, the manual process broke down and the person responsible for issuing it didn't do so. As a result, the firm was paying me but I couldn't produce the needed work. The executive vice president suggested that, as a makeshift solution, I put in a full eight hours at the office and then do my actual work at home at night on my own PC, logging on to the network with his ID and password, which he handwrote and delivered. Talk about a security breach!
My story isn't that unusual. I've heard similar tales from other sources, and they're always about large, well-known and well-respected firms. These stories illustrate that the manual account management process has glitches, and they also point out that even management can be terribly ill-informed about proper security procedures and policies. In many cases, companies find out about their glitches when they pay the heavy price of losing valuable data and equipment, or losing funds through embezzlement. Remember, too, that when an employee leaves a company, all the spaces and tools that were issued to that employee need to be re-appropriated and the employee's accounts need to be immediately deprovisioned. Who hasn't heard of instances where accounts are still active and being used long after an employee departs from the firm? Some of the most costly industrial espionage and largest funds transfers have taken place not because of hackers, but because a departed employee still had legitimate network access.
For these reasons and more, identity management has become a major concern in companies, especially since they have become dependent on digital data. Most companies have spent a great deal of time, effort, and money on controlling user identity. That, in part, accounts for the current popularity and growth of identity management software.
Realizing the benefits of automation, enterprises have been consistently automating a variety of processes since computers were adopted in business. In the 1990s, enterprises began automating human resources information, giving rise to SAP and PeopleSoft HR applications.
Identity management has been delegated to a category of software known as provisioning solutions. Provisioning is proving effective at replacing costly manual actions with an automated system that decreases human error and security breaches and prevents identity abuse. Privileges can be extended to both employees and other users, and the software also takes platform and application diversity into account, which in turn allows companies to tie different platforms and applications together without conforming to one type.
Provisioning software can automate many common IT tasks including creating, maintaining and deleting accounts, managing passwords, disabling e-mail accounts, changing the entitlement on smart cards and configuring PBXs. It appears to be ideal for network systems, and some vendors offer out-of-the-box provisioning connectors to specific routers, firewalls and other security hardware and software. Account provisioning software generally concentrates on access control that is determined not by who the individual is but by previously established access rules, yet it also has the ability to deal with group delegations and users whose roles are not fully defined. This means that security administrators are able to apply company security policies, which results in tighter access restriction than determining access solely by user groups (which is the method used by Active Directory or a Lightweight Directory Access Protocol, or LDAP, directory).
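
The rule-driven access and immediate deprovisioning described above can be shown as a small reconciliation pass. This is an added example, not code from any provisioning product; the HR records, rules, system names and account inventory are all constructed for illustration.

```python
# Constructed sample data: HR is the authoritative source of who works here.
HR = {
    "e100": {"status": "active", "dept": "trading", "title": "analyst"},
    "e101": {"status": "terminated", "dept": "trading", "title": "manager"},
    "e102": {"status": "active", "dept": "it", "title": "admin"},
}

# Constructed access rules: entitlements follow attributes, not a static group list.
RULES = [
    (lambda p: True, {"email"}),
    (lambda p: p["dept"] == "trading", {"order-entry"}),
    (lambda p: p["dept"] == "it" and p["title"] == "admin", {"firewall-console"}),
]

# Constructed account inventory from target systems: (owner, system, enabled).
ACCOUNTS = [
    ("e100", "email", True),
    ("e101", "email", True),        # departed employee, still enabled
    ("e101", "order-entry", True),  # departed employee, still enabled
    ("e102", "email", True),
    ("e102", "order-entry", True),  # not granted by any rule
    ("e999", "email", True),        # no HR record at all
]

def entitled(person):
    """Union of entitlements from every rule that matches an active person."""
    if person is None or person["status"] != "active":
        return set()
    return set().union(*(grants for match, grants in RULES if match(person)))

def reconcile(hr, accounts):
    """Return the sorted (action, owner, system) steps needed to match policy."""
    actions, held = [], {}
    for owner, system, enabled in accounts:
        if not enabled:
            continue
        held.setdefault(owner, set()).add(system)
        if system not in entitled(hr.get(owner)):
            actions.append(("disable", owner, system))
    for owner, person in hr.items():
        for system in entitled(person) - held.get(owner, set()):
            actions.append(("create", owner, system))
    return sorted(actions)

if __name__ == "__main__":
    for step in reconcile(HR, ACCOUNTS):
        print(*step)
```

Running the same pass on a schedule against live inventories surfaces accounts that outlived their owner's employment, as well as access that no rule justifies.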