Identity management is a pain in the backside Identity management in the corporate environment is complex - not to mention, at the coalface, a pain in the backside. In the real world in which you work, password resets are one of the most commonly cited causes of help desk stress – and that’s an identity management problem. People leaving the company and still having …
Here, what you're talking about is "access management", "privilege management", or whatever you call it. You don't really care about the employee's name, that's just a convenience, but you do care that his responsibilities map with the access he's granted. This is a "positive" mechanism because you pay him to do that stuff, and a "negative" because it should keep people out who should be kept out. In all but the most draconian secret services' systems the "make it work" bit is the most important, because the more repressive the system the more cumbersome it gets and the more it will get subverted, circumvented, ignored, breached, and so on and so forth.
Before talking technology ("biometrics", "tokens", "id cards", and so on), and even before considering privacy (which is usually and wrongly discarded in a corporate context), it would behoove us to consider just what we're trying to achieve.
Who do we trust, why, what are the consequences if that trust proves misplaced because someone overstepped, or got impersonated and they overstepped, what the damage is and how to contain and repair it. Sometimes it's easier to just repair or replace, sometimes that's quite impossible. I'm saying this because it's a hard problem and the assumptions that underlie it might well turn out to be poor ones, so revisiting how we got here isn't a bad idea.
When VPN made it possible to work from home, our large multinational's verification system for this was outsourced to IBM. We had to submit the company ID card and public ID (passport) to an external office the other side of the city. Foreign nationals had some similar set-up, though I think they could also send scans as faxes.
It worked much better than I expected, the hassle was major but once-only and lasted, till now, 10 years. Other applications, especially those with intranet GUIs, tagged on to the concept. These days I only need an hour per 60 days to upgrade my application passwords - the biggest time-waster being SAP, which wants one password per client.
Ten years ago, at a previous employer, the NT admins convinced management that they needed access to the HR database. Once they got past this hurdle, they were able to write SQL scripts that ran on a daily basis (IIRC) to populate the AD with usernames, email addresses, employment status (delete ex employees and add new ones) and priimary group assignment (by department). This removed one headache, specifically terminating access for former employees. This was done prior to PeopleSoft, and one of the requirements when we implemented PeopleSoft was a daily dump of the same information that the old NT scripts generated.
The one thing that customers (employees) noticed was that every new employee had a login and email address assigned when they started, they no longer had to wait for days to be able to start work. This lowered the stress on hiring managers, and also on the IT helpdesk.
Identity management is complex all right. So complex that when faced with major policy decisions about what products and capabilities to deploy those who are able to make intelligent decisions on whether to invest in CMOs and/or CDS's suddenly lose their resolve and are unable to commit. OK, so maybe their willingness to invest in CMO's and/or CDS's is evidence that they're not as intelligent as we thought. Point is, it's not the engineers and administrators who have stymied adoption of "anything but passwords" authentication technologies in the enterprise. It's the executives who not only control the purse strings, but also set, and presumably support, enterprise security policy. After over a decade of doing IDM, I can't say I really know what the problem is, but my guess is either an inability to focus or the fear of things not grasped.
This piece conflates identity with access management (and further confuses authentication and authorisation). I spend quite a lot of time having to explain the differences to business managers (in order to try and stay true to some shadow of our SOA principles). Unfortunately, I find business managers just point to some monolithic "identityandaccessmanagement" product from whichever vendor might have taken them to dinner, and expect it to plug, play and just work off the shelf (of course, none of them do, and so much time is wasted in educating goldfish).
You enterprises don't know how easy you have it. Universities run AAA systems a hundred time larger. We scoff at your mere 5,000 identities.
Seriously, best practice for AAA happens at unis. And the real work in establishing the identity and authorisation mechanisms you'll be using in business is happening there and at the big social networking websites.
Your assertion that automation is not of much value flies very much in the face of what we have learnt. You complain about password reset, but that is something very easily automated.
As for "under the radar" machines, that's a sign that you've made using your AAA system too hard for casual sysadmins to use.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
