Account Provisioning

When a new employee is hired at a large company, he or she usually fills out a long series of forms that prompts each department to provide the new user with necessary equipment or information, such as desks, telephone extensions, laptops, user IDs and PDAs. As a new hire at a major Wall Street financial firm, I once waited five weeks for my computer and user ID. Somewhere along the line, the manual process broke down and the person responsible for issuing it didn't do so. As a result, the firm was paying me but I couldn't produce the needed work. The executive vice president suggested that, as a makeshift solution, I put in a full eight hours at the office and then do my actual work at home at night on my own PC, logging on to the network with his ID and password, which he handwrote and delivered. Talk about a security breach!

My story isn't that unusual. I've heard similar tales from other sources, and they're always about large, well-known and well-respected firms. These stories illustrate that the manual account management process has glitches, and they also point out that even management can be terribly ill informed about proper security procedures and policies. In many cases, companies find out about their glitches when they pay the heavy price of losing valuable data and equipment, or losing funds through embezzlement. Remember, too, that when an employee leaves a company, all the spaces and tools that were issued need to be re-appropriated and their accounts need to be immediately deprovisioned. Who hasn't heard of instances where accounts are still active and being used long after an employee departs from the firm? Some of the most costly industrial espionage and largest funds transfers have taken place not because of hackers, but because a departed employee still had legitimate network access.

For these reasons and more, identity management has become a major concern in companies, especially since they have become dependent on digital data. Most companies have spent a great deal of time, effort, and money on controlling user identity. That, in part, accounts for the current popularity and growth of identity management software.

Realizing the benefits of automation, enterprises have been consistently automating a variety of processes since computers were adopted in business. In the 1990s, enterprises began automating human resources information, giving rise to SAP and PeopleSoft HR applications.

Provisioning Software
Identity management has been delegated to a category of software known as provisioning solutions. Provisioning is proving effective at replacing costly manual actions with an automated system that decreases human error and security breaches and prevents identity abuse. Privileges can be extended to both employees and other users, and the software also takes into account platform and application diversity that in turn allows companies to tie different platforms and applications together without conforming to one type.

Provisioning software can automate many common IT tasks including creating, maintaining and deleting accounts, managing passwords, disabling e-mail accounts, changing the entitlement on smart cards and configuring PBXs. It appears to be ideal for network systems, and some vendors offer out-of-the-box provisioning connectors to specific routers, firewalls and other security hardware and software. While account provisioning software generally concentrates on access control, determined not by who the individual is but rather by previously established access rules, the software also has the ability to deal with group delegations and users whose roles are not fully defined. This means that security administrators are able to apply company security policies, which results in tighter access restriction than determining access solely by user groups, which is the method used by Active Directory or a Lightweight Directory Access Protocol (LDAP) directory.

Most often users aren't fully cognizant of the terms and distinctions between roles and rules, but if you question them you'll find that all agree that the decision-makers in their firms talk continually about job function. The result is that the job functions generally represent individuals' roles that have to be converted into electronic rules. Those in turn must be capable of being defined by technology.

Account provisioning software provides a means of tying account management to the entire group of automated workflow processes. Most account management software companies attempt to create "hooks" or connectors into the company's password management software, human resource software, and other user management software. In this way entire user accounts can be created and maintained. Generally, the account provisioning software works in real time 24/7/365, so that provisioning and deprovisioning take place at the touch of a button when needed. Additionally, because of the ease and speed with which provisioning can be accomplished, companies find they are able to eliminate granting superuser privileges to employees, which secures the network still further.
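The two ideas above, job functions converted into electronic rules and a connector into the human resource system driving account changes, come together in a reconciliation pass. The Python sketch below is an added illustration, not code from the article or from any vendor's product; the rule table, user names, system names and entitlement names are all constructed for the example.

```python
# Constructed rule table: job function -> system -> entitlements.
ROLE_RULES = {
    "trader": {"email": {"mailbox"}, "trading": {"submit_order"}},
    "hr_analyst": {"email": {"mailbox"}, "hr_db": {"read_records"}},
}

def desired_state(hr_feed):
    """Entitlements derived from rules alone; inactive staff get none.
    hr_feed rows are (user, job_function, active) tuples."""
    want = {}
    for user, job_function, active in hr_feed:
        if active:
            for system, perms in ROLE_RULES.get(job_function, {}).items():
                want[(user, system)] = set(perms)
    return want

def reconcile(hr_feed, actual):
    """Return sorted (action, user, system, perms) fixes for `actual`,
    a {(user, system): set_of_perms} snapshot of the target systems."""
    want = desired_state(hr_feed)
    actions = []
    for key in want.keys() | actual.keys():
        need, have = want.get(key), actual.get(key)
        if need is None:      # account with no HR justification: orphan
            actions.append(("deprovision", *key, tuple(sorted(have))))
        elif have is None:    # entitled by rule but never created
            actions.append(("provision", *key, tuple(sorted(need))))
        else:
            if need - have:
                actions.append(("grant", *key, tuple(sorted(need - have))))
            if have - need:   # privilege left over from an earlier role
                actions.append(("revoke", *key, tuple(sorted(have - need))))
    return sorted(actions)

# Constructed sample data: bob has left, carol moved from trading to HR.
SAMPLE_HR = [("alice", "trader", True),
             ("bob", "hr_analyst", False),
             ("carol", "hr_analyst", True)]
SAMPLE_ACTUAL = {
    ("alice", "email"): {"mailbox"}, ("bob", "email"): {"mailbox"},
    ("bob", "hr_db"): {"read_records"}, ("carol", "email"): {"mailbox"},
    ("carol", "hr_db"): {"read_records", "edit_payroll"},
    ("carol", "trading"): {"submit_order"},
}

if __name__ == "__main__":
    for action in reconcile(SAMPLE_HR, SAMPLE_ACTUAL):
        print(action)
```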

The federal government is cracking down on many issues including privacy and complete and accurate audit trails. Current federal regulations, including the Gramm-Leach-Bliley Act, the Patriot Act, and HIPAA, force companies to look closely at their needs and what regulations are central to their organizations. Following an intensive review, companies must select and implement the tools that are best suited to provide compliance in regard to the privacy of customer, employee and partner information. Non-compliance brings not only heavy fines, but also possible shutdown by the government.

Linking Resources and Connectivity
Consolidating multiple existing sources of user data takes a lot of manpower, time, monitoring and money when done manually. That's exactly what companies are trying to avoid. Generally companies that use legacy software or specialized human resource software keep the data where it currently is stored in the software database. Companies don't consolidate their information sources. It's too much trouble and it's too expensive. Instead, companies put everything into another database where they can keep it synchronized more effectively. This saves a lot of effort and is more cost effective. It can still be a major headache if you have to manually create the pointers and connectors and do the timely updates.

Additionally, it's not unusual for different departments to use different software. This may be due to time-frame parameters based on when the departments were created, mergers and acquisitions or management structure. It would be time and cost prohibitive and a workplace nightmare to change all software to the same type. With account provisioning software, the software from different departments can be utilized cohesively and provide user access and functionality across departments and locations.

Only a few years ago there was talk of having a central data repository and getting rid of ones that existed in remote geographic areas. Then came the Y2K scare, the World Trade Center disaster and the resurgence of interest and action in business continuity planning, which resulted in data being kept in multiple locations and tied together through LDAP and other software, such as account provisioning. The positive side of this is that while all the data is available and linked, if some disaster does occur in one location, only data at that location is damaged or destroyed and other locations can be re-linked around the damage.

As the idea of maintaining multiple data stores and linking them together has grown popular with large system management vendors like IBM and Computer Associates, competition has grown with a slew of provisioning startups like Business Layers and Courion. The goal of all of these vendors and their products is to provide better control of access and movement of users both inside and outside the company.

Not every vendor starts from scratch. IBM acquired ID management software Access360, which integrates with 70 vendors, and tied it to its Tivoli portfolio, which manages both access and privacy. The strength of the product lies in IBM's ability to link multiple security and non-security tasks being run simultaneously within an enterprise.

But companies are finding that there's room and a growing popularity for the smaller vendors that help companies that have mixed products already in-house. With the help of these smaller vendors, companies can integrate with their provisioning software instead of making complete replacements with something new. Business Layers and Courion both have links to other software vendors that provide tremendous flexibility and growth opportunity.

The Reason for the Growing Market
It makes sense that companies would want to automate identity management, since human errors occur regardless of how careful individuals are when entering and deleting information into systems. Automation also eliminates the cost associated with paying an employee to enter and delete data.

As companies strive to stay lean, it's common for them to use employees on different projects, and as they are reassigned, their need for and access to resources change. Account provisioning software appears to be the solution to handle these actions.

Part of the user satisfaction problem with account management has always been that users with separate passwords for multiple applications tend to write the passwords down and leave them accessible because they simply forget which one is which. This is especially prevalent when the company institutes the mandatory "Change Password" rule every 30 days. It's hard to be original, creative and secure and remember numerous passwords and system log-ins, especially when they change every 30 days.

Provisioning provides a way to link systems while providing one password: the long sought-after single sign-on. This, in addition to simplifying user access and increasing security, also shrinks the administrative costs of monitoring the rules and rights access for different and divergent systems. Provisioning software also provides clear and recognizable auditing and a tangible ROI.

The Future of Account Provisioning
There appears to be a bright future for account provisioning. Already popular for tying diverse platforms and applications together in-house, it is now expanding to tying platforms and applications from different companies via the Internet.

The Internet Business Services Initiative (IBSI) is an industry association promoting the development and use of Web-native business solutions. In 2001 the IBSI launched a "proof-of-concept" implementation of its first standard to streamline interoperability among Internet business services. This standard was known as the IBSI ITML Provisioning Specification, and was released to general industry to allow secure account information to be shared among services.

The standard defines secure interoperability standards for sharing user data among Web-based business-to-business services so that customers will not have to enter the same information multiple times, that is, every time they subscribe to a new service or change their user permission levels. The IBSI felt that the ITML Provisioning Specification was important in enhancing integration among online software companies. The specification was the basis for permitting customers to have access to accounts at all of their subscribed software services. This type of access makes online applications convenient and flexible.

Naturally, the ITML Provisioning Specification is the first in a series of planned technical recommendations by the IBSI. Other subjects to be addressed are single sign-on and technical guidelines for issues not yet addressed by other standards groups. The purpose is to rapidly establish a commonly accepted integration path for services.

The original provisioning specification is based on an industry-standard XML protocol for provisioning users and companies across multiple Internet businesses and integration platforms.

Building on that specification, Netegrity Inc. and Business Layers recently demonstrated the industry's first XML-based solution for identity management known as Services Provisioning Markup Language (SPML). The language was specifically developed to address the challenges associated with complex resource provisioning for inter-organizational business transactions. According to the companies, SPML is designed to leverage Web services to achieve secure, federated user resource allocation to maximize existing IT resources, reduce administrative costs, and enhance security. Business Layers will be responsible for submitting the original provisioning specification to the Organization for the Advancement of Structured Information (OASIS).

It's a commonly accepted idea that companies want to streamline workflow processes, improve user ease-of-use, strengthen access restriction and identity management, and save money, simultaneously. Account provisioning software appears to be the solution for achieving all of these things while tying together different platforms and applications within a company without necessitating costly and time-consuming migration.

Overall, the automation of account creation, modification, maintenance and deletion through provisioning software dramatically decreases the amount of human effort and consequently human error in the processes, while providing constant availability and eliminating security loopholes.

D.E. Levine, CISSP, CFE, FBCI, CPS is a regular contributor to ST&D and co-author of several security books. She can be reached by e-mail at