Here's a scenario that's far too familiar. An employee is terminated, but continues to access vital information on corporate servers for days, stealing precious lead lists or worse, acting in the name of the company for personal profit. Meanwhile, a new user joins the company and waits weeks to get access to the right applications.
Even in an expanding economy, no company can afford such productivity losses, nor such risk. Yet very few large enterprises can prevent them. And for many companies, especially multinational ones, the problem is growing worse. As more corporate users turn to Web applications to access corporate data, managing user credentials and authorization has become "a management nightmare," Gartner Research said in a December 2002 report.
Most enterprises still address the provisioning and de-provisioning of users with a motley assortment of disparate tools in multiple locations, inconsistent and unenforceable policies, manual processes, and teams of system administrators. IT and security executives who look critically at provisioning processes and systems recognize their failings and can easily describe a solution: a secure and flexible global-enterprise provisioning system that aligns IT access with overall business goals.
Actually implementing such a system can be a daunting task, but we've done it at Lehman Brothers. We think our success is based on four critical but often overlooked steps:
* Building a solid business case.
* Combining a detailed list of requirements with an on-site proof-of-concept plan.
* Creating a complete user database and set of business rules before beginning development.
* Clearly demonstrating the significant benefits of the system to head off any resistance to adoption.
Lehman Brothers is a top-tier global investment-banking firm with more than 14,000 employees in 42 offices on three continents. Our IT team manages several hundred business applications and tens of thousands of user accounts on a daily basis.
In 2002, we embarked on a project to select and deploy a user-access rights provisioning system to improve security and reduce our IT costs. With previous experience implementing such systems under our belts, our team defined an extensive requirements list and a proof of concept to ensure the best product fit.
After reviewing a number of provisioning vendors, we chose a system from Thor Technologies and began rolling it out in December. To date, we've made it available in three regions (the Americas, Asia, and Europe), providing all 14,000 employees with access to core applications. More than 200 applications will be integrated with the system by the end of this year. When complete, the provisioning system will manage roughly 250,000 IDs.
We estimate that automated provisioning for the major platforms alone saved us 1.3 worker-years in the first four months: 96,050 hours in creating accounts and 40,590 in disabling them. The user efficiency and security gains have been of even greater value. We streamlined the request and approval processes, and new users now gain access to applications and become productive far more quickly. We enhanced overall security as well. Consistent business policies are applied to every request; users are automatically de-provisioned when they leave the company; and auditing and reporting capabilities give our management visibility into every aspect of who has access to what. Here's how we did it.
Step 1: Building the business case. We began with the thesis that for large, global organizations like ours, the risks of mismanaging user-access rights (in lost productivity and widespread opportunities for inappropriate access and mischief) were simply too great to ignore. Relying on E-mail requests and manual processes for account setup lowers productivity as new employees wait for appropriate access and then correct errors in their rights and privileges. Problems are compounded as users request new applications and changes in existing applications. New accounts with new user IDs result in confusion over who has access to what. And because no way exists to audit the process, sorting it out can be impossible, which is particularly painful for regulated companies.
When an employee is terminated, the risk is even greater. Terminated employees can continue to access accounts remotely and use them anonymously to steal data. Even companies with clearly documented termination processes are at risk because tracking user accounts manually is so time-consuming.
We decided, therefore, that the only real solution was a deep provisioning system that offers a full range of functionality. This includes automatically setting up, modifying, and terminating accounts for custom, third-party, and Web-based applications on all operating systems, based on a consistent set of business rules.
The system we chose ties account creation and access rights to a user database that tracks and captures the complete request and approval workflow. Requests to the system can be generated by human resources or the users themselves. When an employee is terminated, every associated account is automatically and immediately closed. Most important, account access and rights can be assigned based on a clear and consistent set of business rules aligned with the business goals. We can proceed with the confidence that our business and regulatory policies are always being followed.
If the business case for a global-enterprise provisioning system is so strong, and the risks of not having one are so great, then why isn't every company implementing such a system? The obvious answer is money. Deep provisioning systems can be expensive. But money should be an argument for a provisioning system, not against one, because the ROI from such a system can be significant. Gartner notes that identity and access management (IAM) solutions can offer three-year ROI in the triple-digit percent range, mainly through reductions in application development, security administration, and help-desk staffing. Efficiency gains also contribute to financial health in ways that never appear in ROI calculations.
Other companies hesitate because the task of creating a single, consistent set of business rules seems too overwhelming. Again, I'd argue that this is a reason for a system. The more inconsistent and confusing your existing policies and practices, the more you need to resolve the problem. It's important to make clear to all stakeholders that everyone will benefit from greater productivity, dollar savings, reduced effort and frustration, and the elimination of risk.
Step 2: Finding the right solution. Once the business case has been made, it's time to choose a solution. A provisioning platform should be simple, so you can focus on honing the business rules rather than programming an overly complex development platform. At Lehman Brothers, we combined a detailed list of specifications and requirements with an on-site proof of concept.
We took great care in developing the list of requirements, breaking them down into several categories, including integration, workflow, users and authorizers, management, and reporting. We invited four vendors whose provisioning systems appeared to meet our requirements to an on-site proof of concept to demonstrate that their systems would work as promised on a series of test cases. This phase is extremely important as a way of testing solutions in a unique, real-world environment. Lehman provided a set of tasks and gave vendors a week to set up their applications in the on-site lab and integrate them with our test environment, which is based on several of our core operating systems. The series of tests included:
* Detecting a change in employee status in a Lightweight Directory Access Protocol (LDAP) directory from potential-employee status to current-employee status, and then initiating a process that would provision that employee for basic system access.
* Detecting a change in employee status in the same corporate directory from current-employee status to terminated-employee status, initiating a deletion process for all user accounts.
* Demonstrating self-service ease of use and robustness by, for example, letting users execute a partial name search when they don't know the exact name of the application they want to access.
* Integrating user self-service requests with our help-desk software so user requests within the provisioning system are automatically assigned a service ticket number.
We also included a surprise task to see how easily the vendors could modify the applications and to better assess what would be involved in maintaining them. We asked each vendor to take an operating system or application it hadn't prepared for, integrate it, and provision and de-provision accounts on it. Then we rated each system's features and performance and chose the one with the highest overall score.
Step 3: Development. Don't underestimate the amount of enterprise process realignment that a provisioning system may require. We started our development phase with a comprehensive view of the steps involved, including establishing a complete and consistent database of business rules and approval processes designed to ensure that all HR user accounts are based on a complete and consistent data set. Some companies have much of this information already documented; if not, you may find this difficult, especially if you're multinational and have never documented regional differences in your processes.
Next we developed a complete and detailed road map that set realistic deliverables and schedules for the system. The strategy here was to roll out only a few applications at a time to keep the costs in check.
As work on individual applications began, the business analyst's role in developing specific rules became critical. Defining the rules, approval processes, and appropriate application settings for every position in every department in every region is a complex process, and business analysts must understand every nuance before development can begin.
Finally, it was time to begin the actual development, a far more straightforward task than developing the rules. We focused on designing and implementing the user interface, defining the workflow, and creating the connections between the provisioning system and the individual applications.
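The joiner and leaver test cases from the proof of concept (status changes in the directory triggering provisioning and de-provisioning) and the rule-driven entitlements described in Step 3 can be sketched as one small reconciliation engine. This is an added illustration, not Lehman Brothers' or Thor Technologies' code; the rule table, application names, and directory snapshots are hypothetical and constructed for the example.

```python
# Business rules (hypothetical): (department, region) -> applications.
# "*" matches any region. Every current employee also receives BASE_APPS.
BASE_APPS = {"email", "intranet"}
RULES = {
    ("trading", "americas"): {"trading-desk", "market-data-us"},
    ("trading", "europe"): {"trading-desk", "market-data-eu"},
    ("hr", "*"): {"hris"},
}

def entitlements(entry):
    """Applications an employee should hold according to RULES."""
    apps = set(BASE_APPS)
    for (dept, region), rule_apps in RULES.items():
        if dept == entry["department"] and region in ("*", entry["region"]):
            apps |= rule_apps
    return apps

def status_changes(before, after):
    """Yield (uid, old_status, new_status) for entries whose status changed.
    Snapshots map uid -> attributes, as an LDAP search would return them;
    a uid missing from a snapshot has status None."""
    for uid in sorted(set(before) | set(after)):
        old = before.get(uid, {}).get("status")
        new = after.get(uid, {}).get("status")
        if old != new:
            yield uid, old, new

def reconcile(before, after, accounts):
    """Turn directory status changes into account actions.
    accounts: uid -> applications the user actually holds today (inventory).
    Returns the ordered list of (action, uid, app) and the updated inventory."""
    inventory = {uid: set(apps) for uid, apps in accounts.items()}
    actions = []
    for uid, old, new in status_changes(before, after):
        if new == "current":  # joiner (or rehire): grant what rules say is missing
            for app in sorted(entitlements(after[uid]) - inventory.get(uid, set())):
                actions.append(("create", uid, app))
                inventory.setdefault(uid, set()).add(app)
        elif old == "current" and new in ("terminated", None):  # leaver
            # Disable every account on record, not just rule-derived ones,
            # so orphan accounts that predate the rules are closed as well.
            for app in sorted(inventory.get(uid, set())):
                actions.append(("disable", uid, app))
            inventory[uid] = set()
    return actions, inventory

# Constructed sample snapshots: one joiner, one leaver holding a legacy account.
BEFORE = {"jdoe": {"status": "potential", "department": "trading", "region": "americas"},
          "asmith": {"status": "current", "department": "hr", "region": "europe"}}
AFTER = {"jdoe": {"status": "current", "department": "trading", "region": "americas"},
         "asmith": {"status": "terminated", "department": "hr", "region": "europe"}}
ACCOUNTS = {"asmith": {"email", "intranet", "hris", "legacy-reporting"}}
```

The returned action list doubles as the audit trail: every create and disable is attributable to a specific directory status change and rule.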
Step 4: Deployment and beyond. Very few IT initiatives can claim to increase security while also improving business efficiency and enriching the user experience. By eliminating frustrating delays and confusion in providing access to the resources users need to do their jobs, ensuring that business policies are enforced fairly and consistently, and eliminating the risks associated with terminated employees, we think our provisioning system can truly align IT with the business goals of the company.
Tom King is chief information security officer at Lehman Brothers.
This article originally appeared in Optimize magazine, November 2003, Issue 25. For further reading, including the "90-day plan", visit: http://optimizemag.com/issue/025/issues.htm