April 4, 2007
In a recently released article on their website titled “Unmanaged corporate login accounts are a significant source of risk”, Andreas Faruki, Partner and Identity Management Lead for Deloitte Canada, states:
“Most companies report that scrubbing old accounts requires a massive, long-term, manual effort, while still leaving 10% to 20% of the problem”
I urge you to read the details here.
Deloitte has done some significant fundamental research and analysis of real world enterprise identity data to verify the scope and nature of this problem. They are way ahead of the game in understanding the real issues and how to deal with them.
The main conclusions are:
- The risks of unmanaged login accounts are real
- These identity management risks affect all industry sectors
- Removing old login accounts is essential to robust identity management
Most importantly, Deloitte has built a service offering to solve this problem for large enterprises. I urge you to get in touch with them to explore it further.
(disclosure: The Deloitte solution uses components that I have had a hand in developing)
Posted by Phil
April 3, 2007
Phil Becker, Editor of Digital ID World and a deep thinker on network identity, offers some keen insights in his series The Coming Third Wave of Identity (Parts: 1, 2, 3, 4). In the conclusion Phil points out the distinction between the management and the use of identity data:
One of the more difficult things for people to gain clarity about in their understanding of identity management, is the separation of the management of identity data itself, and the actual leveraging and use of that data to accomplish various network application and data focused missions such as access control, provisioning, data protection, policy enforcement, etc.
He highlights the importance of the identity data foundation and the difficulty of getting a set of well managed data (emphasis mine):
..today the emerging identity third wave is producing more and more products that seek to leverage identity for a wide variety of purposes. But to be successful, they must rely on a well-managed network of identity data, and obtaining that is a major task in itself.
It turns out that this first step is the hardest one, as it brings to light all of a company’s processes around on-boarding and off-boarding both employees and contract personnel, along with processes around promotion, internal job changes, transfers within the organization, management changes, acquisition integration, outsourcing, etc.
He then points out that we have deluded ourselves in the past about how the problem will be solved by this or that technology:
It is this part of identity management that has long been thought to be “solved by a good directory”, but which has been seen to be a far more networked problem than that. (Although the rise of Active Directory in many companies promises a reprise of this difficult learning curve for many companies.)
So far, so good, but I have a problem with the following statement:
… resulting product evolution has been finding ways to create a well managed identity data set without radically disrupting and altering existing company processes. It is here that technologies such as identity virtualization, synchronization, delegation of management via workflow, etc. come into play.
Initially, the well managed identity data was used to feed such things (as) web access control..
I have two major challenges to this statement. Let me explain.
February 26, 2007
When we talk about matching login accounts to people, groups and systems across multiple silos, we need a reliable mechanism to maintain the connection: a unique identifier. When you are dealing with Enterprise Identity Matching, it is important that you have a unique identifier with the appropriate scope to do the job. Using the employee number will not do the trick. Let’s look at the details.
January 11, 2007
(This is a first pass definition. I will refine this over time and update the definition on this page)
The Problem
Within enterprises, people have multiple access credentials (mostly user-name and password). This is particularly true of organizations that have a number of legacy systems, built over many years with no concern for the Internet or even for working with each other. Each such system will have a separate credential.
Over time employees accumulate many different credentials, some of which they no longer need, or should no longer have given their current role with the company. Worse yet, when people leave the organization, their access often remains. This is primarily because many people champion the provisioning of new access, but no-one champions de-provisioning.
The result is that a large share of active credentials (about 20%) in most organizations is NOT traceable to a person. Simply put, the organization cannot answer the question: “who does this credential belong to?”. This undermines identity management and compliance activities in most large organizations and is a significant source of risk for organizations and those they serve … which is about all of us.
The Solution: Enterprise Identity Matching
Enterprise Identity Matching is the combination of tools and processes an organization uses to investigate and unambiguously match all their active access credentials to a person, group, or system.
It is my tenet that this problem is pervasive and significant in large organizations. The solution is non-trivial. I also believe that by better understanding the true nature of the problem and using purpose built tools and techniques, this problem can be overcome with a modest investment of time and money. This blog is focused on the exploration of this problem and possible solutions.
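The matching pass defined above, together with the point from the February 26 post that an employee number does not have the scope to key every account, as an added example. This is not code from the original blog or from any product mentioned on this page; the HR roster, the three silo exports, the service-account registry, the field names and the order of the match rules are all constructed assumptions for the illustration.

```python
# Added example, not code from the original blog.  A minimal enterprise
# identity matching pass: account exports from three constructed silos are
# reconciled against a constructed HR roster and a constructed registry of
# service accounts.  Every name, field and match rule below is an assumption
# made for the illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Person:
    person_id: str               # assumed enterprise-scoped identifier, issued once per person
    employee_no: Optional[str]   # assumed None for contractors: HR numbers employees only
    email: str
    display_name: str
    active: bool


@dataclass(frozen=True)
class Account:
    silo: str
    username: str
    attrs: Dict[str, Optional[str]]   # whatever the silo happens to record


# Constructed HR roster (not real data)
ROSTER: List[Person] = [
    Person("P001", "10042", "alice.smith@example.com", "Alice Smith", True),
    Person("P002", "10077", "bob.jones@example.com", "Bob Jones", False),      # has left
    Person("P003", None, "carol.lee@contractor.example", "Carol Lee", True),   # contractor
    Person("P004", "10105", "c.lee@example.com", "Carol Lee", True),           # same display name as P003
]

# Constructed registry of known service accounts: (silo, username)
SERVICE_ACCOUNTS: Set[Tuple[str, str]] = {("erp", "svc_backup"), ("ad", "svc_monitoring")}

# Constructed account exports; each silo records a different identifying attribute
ACCOUNTS: List[Account] = [
    Account("ad", "asmith", {"mail": "Alice.Smith@example.com"}),
    Account("ad", "bjones", {"mail": "bob.jones@example.com"}),
    Account("ad", "svc_monitoring", {}),
    Account("erp", "u10042", {"employee_no": "10042"}),
    Account("erp", "u10077", {"employee_no": "10077"}),
    Account("erp", "svc_backup", {}),
    Account("erp", "clee", {"employee_no": None, "name": "Carol Lee"}),  # contractor: no employee number
    Account("mainframe", "XJ4421", {"person_id": "P003"}),               # silo carries the scoped id
    Account("mainframe", "TEMP01", {}),                                  # nothing recorded at all
]


def candidates(acct: Account, roster: List[Person]) -> Set[str]:
    """person_ids the account could belong to, using the strongest attribute
    the silo recorded (rule order is an assumption of this example)."""
    a = acct.attrs
    if a.get("person_id"):
        return {p.person_id for p in roster if p.person_id == a["person_id"]}
    if a.get("mail"):
        return {p.person_id for p in roster if p.email.lower() == a["mail"].lower()}
    if a.get("employee_no"):
        return {p.person_id for p in roster if p.employee_no == a["employee_no"]}
    if a.get("name"):
        return {p.person_id for p in roster if p.display_name == a["name"]}
    return set()


def classify(acct: Account, roster: List[Person],
             services: Set[Tuple[str, str]]) -> Tuple[str, Optional[str]]:
    """Match one credential to exactly one owner, or declare it a problem."""
    if (acct.silo, acct.username) in services:
        return ("system", None)
    found = candidates(acct, roster)
    if len(found) == 1:
        pid = next(iter(found))
        owner = next(p for p in roster if p.person_id == pid)
        return ("person", pid) if owner.active else ("terminated", pid)
    if len(found) > 1:
        return ("ambiguous", None)      # a match that is not unambiguous is no match
    return ("untraceable", None)


def reconcile(accounts, roster, services) -> Dict[Tuple[str, str], Tuple[str, Optional[str]]]:
    return {(a.silo, a.username): classify(a, roster, services) for a in accounts}


def untraceable_fraction(report) -> float:
    """Share of active credentials that cannot be tied to a person, group or system."""
    bad = sum(1 for kind, _ in report.values() if kind in ("ambiguous", "untraceable"))
    return bad / len(report)


def deprovision_candidates(report) -> Set[Tuple[str, str]]:
    """Credentials that are traceable, but to someone who has left."""
    return {key for key, (kind, _) in report.items() if kind == "terminated"}


if __name__ == "__main__":
    report = reconcile(ACCOUNTS, ROSTER, SERVICE_ACCOUNTS)
    for key, (kind, pid) in sorted(report.items()):
        print(f"{key[0]:>9}/{key[1]:<15} {kind:<12} {pid or ''}")
    print(f"untraceable: {untraceable_fraction(report):.0%}")
    print("deprovision:", sorted(deprovision_candidates(report)))
```

Two things the run makes visible that the prose only asserts. The contractor’s ERP account cannot be keyed by employee number because she has none, so the silo falls back to a display name that two people share, and the match is ambiguous rather than forced; an ambiguous match is treated as no match, because the goal is an unambiguous owner, not a plausible one. The mainframe account that carries the enterprise-scoped identifier matches cleanly, which is the argument for an identifier whose scope covers every person and every silo. The terminated owners are reported separately: those credentials are traceable, but they are exactly the ones nobody championed de-provisioning.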