WHITE PAPER: IDENTITY MANAGEMENT

User Provisioning: The Business Imperative


SEPTEMBER 2009

Table of Contents

Executive Summary
SECTION 1: Provisioning Challenges for Today's IT Departments
SECTION 2: The Need for a Comprehensive Provisioning Solution
SECTION 3: The Benefits of a Comprehensive Provisioning Solution
SECTION 4: Conclusions
ABOUT CA

Copyright 2009 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. To the extent permitted by applicable law, CA provides this document "As Is" without warranty of any kind, including, without limitation, any implied warranties of merchantability or fitness for a particular purpose, or noninfringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised of such damages.

Executive Summary
Challenge
The challenges facing those who manage and support IT users have never been greater than they are in the current business environment. Today's IT manager needs to consider that organizations have employees joining and leaving at a rapid rate, and that current employees rarely remain in one position within the organization for any extended period of time. They continually are changing roles and responsibilities and working cross-functionally within the organization, and as such, entitlements need to be provisioned, updated and documented in a dynamic manner that reflects the new realities. Similarly, a constantly changing cast of non-employee users (business partners, suppliers, vendors and customers) regularly need to access and utilize an organization's data and resources. Making the job even more difficult is the looming specter of regulatory and organization-mandated compliance and reporting protocols.

Opportunity
While improvised or manual user provisioning was once a way to ensure that each user received the proper rights and access, the sheer speed of the increase in users and updates, along with the diversity of users, requires sophisticated and comprehensive provisioning tools. This same volume of activity makes the documentation required by internal and external auditors virtually impossible without robust and repeatable processes and capabilities. The IT department has the opportunity to address growing administrative costs by streamlining, automating and documenting the user provisioning process while making sure that group and individual rights are kept current and accurate, enabling all users to better perform their jobs.

Benefits
Using provisioning tools with dynamic, scalable capabilities and flexible functionality creates several tangible benefits to the IT department and the organization in general. By utilizing user self-service options, fine-grained entitlement functions and supporting diverse platforms, IT managers can reduce costs, improve service, better manage risk, and meet the business needs of the enterprise through integration with other software and applications. A successful security management strategy helps ensure continuous business operations by minimizing risk at virtually every level of the organization. Because IT budgets are always tight, a successful security management system also can help IT stay within budgetary constraints and increase operational efficiencies.

SECTION 1

Provisioning Challenges for Today's IT Departments


As technology continues to fuel growth in organizations of all shapes and sizes, even the most dedicated and talented IT teams face challenges from the population explosion among their user communities. More users require more access to more applications than ever before. In the past, adding new employees and updating passwords were considered time-consuming tasks, but not particularly mission critical to the entire organization. However, the changing dynamics of the mobile, global economy, and increased scrutiny by internal and external auditors, have dramatically increased the challenges facing today's IT department in the area of user provisioning.

Today, IT managers face a myriad of challenges to creating and maintaining user identities, including:

- An employee base that can grow or shrink virtually overnight
- Employees who are constantly changing functions, or working cross-functionally within the organization
- Temporary contracted and outsourced employees
- Vendors and partners who need access to your applications
- Customers who need access to your products and services
- Compliance with internal corporate policy and external regulations

The Dynamic Workforce

The size, shape and makeup of an organization's workforce have never been more dynamic. From a macroeconomic perspective, factors such as globalization, the growth of outsourcing, the continued shift to knowledge-based employment, and even population fluctuations and the aging workforce affect the potential makeup of an organization's user population. On a more micro level, the reality of workforce migration is playing a significant role in reshaping the workforce in most industries. The addition or departure of users on a regular basis is clear evidence that organizations no longer remain one size for extended periods of time.

Mergers and acquisitions, layoffs and shutdowns, outsourced job functions and entire divisions moving overseas, all mean that there can be significant changes to many users in a very short period of time. Where once it theoretically was possible to plan for new employees to be added on the first Monday of the month (or terminated on the last), that predictability has been replaced by a need to have a large group of new employees in the Beijing office online by next Thursday. Without powerful provisioning tools this need would become a major obstacle to productivity.

The Challenge Within: Employee Movement and Promotions

Now that we have established that the employee base is constantly in flux, we need to address another challenge: the changing nature of the individual employee. Modern employees change job functions within an organization significantly more than they have in the past. As organizations strive to reduce turnover rates and keep employees from job-hopping, one of the benefits most are touting is mobility within the organization.

Marketing managers transfer into the role of business development; accountants transfer into financial planning and analysis. This is great for human resources, and the organization as a whole benefits from keeping talented people, but it presents a unique set of challenges for the IT department to assign and maintain proper privileges. To do so efficiently and effectively, user provisioning tools must provide a level of fine-grained entitlements that allow for specific functions or rights to be added or removed, as well as some self-administration functions for users and delegated authority to their manager to request and approve additional entitlements and resources. As with any steps in the provisioning process, it is also important to adhere to corporate policy and document changes for future auditing purposes.

Do They Work For Us? Outsourcing, Consultants and Contractors

As mentioned previously, the movement toward a global workforce and the growing use of contractors has created a scenario where the internal user doesn't necessarily reside in the same office, building, country or even continent as the rest of the organization. These nonemployee workers also require the use of fine-grained entitlement policy setting based on a variety of variables such as length of contract.

Partners, Vendors and Other External Users

In much the same way non-employee workers need access, the modern work force contains external vendors, partners and suppliers that may be integral to the success of an operation. As an example, consider a supply chain setting, in which there may be several vendors needing access, each with specific requirements and separate entitlements. One vendor may be able to get inventory status at certain times, but not at others. A second vendor may get pricing information, but a third doesn't. Having rights assigned based on roles only, without specific entitlements, may grant each user the same privileges.

In our supply chain example, universally providing inventory and pricing information to all vendors near the end of a contract may weaken a negotiating position. The provisioning software must be capable of changing entitlements on the fly, or have automated functions that can adjust these privileges at predetermined times.

Compliance

Looming over all of the challenges that face today's IT department is the need to continuously remain in compliance. A host of regulations and international standards have created an environment where every step in the provisioning process must be made in accordance with established corporate policy and documented for possible future audit. For a provisioning tool to be useful in this environment it needs to facilitate an approved workflow for all changes, provide appropriate checks and balances before granting entitlements and create an audit trail that will stand up to the most ardent scrutiny.

Segregation of Duties

Automating the control of policies to define segregation of duties helps enforce compliance policies that prevent multiple users from having certain overlapping privileges, which could lead to fraud or abuse. A provisioning tool's functionality needs to include an auditable process where requests for potentially conflicting duties can be detected to ensure that neither financial controls nor private data are put at risk.

For example, you can prohibit users who issue checks from approving checks, or make sure that employees responsible for depositing cash don't have the ability to alter bank statements. While this helps eliminate deliberate collusion and fraud, it also provides a safeguard to detect innocent errors, which while not malicious, could be equally costly.
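The conflict check described above, as an added example that is not part of the CA white paper or of any CA product. It uses the two examples from the text as the policy; the entitlement names, user names and function names are hypothetical, and the account data is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed SoD policy: pairs of entitlements one user must not hold together.
# The two pairs mirror the examples in the text; the names are hypothetical.
SOD_CONFLICTS = [
    frozenset({"checks.issue", "checks.approve"}),
    frozenset({"cash.deposit", "bank_statements.alter"}),
]


@dataclass
class AuditLog:
    """In-memory audit trail; every decision is recorded with a UTC timestamp."""
    records: list = field(default_factory=list)

    def write(self, **event):
        event["time"] = datetime.now(timezone.utc).isoformat()
        self.records.append(event)


def find_conflicts(entitlements):
    """Return every policy pair fully contained in the given entitlement set."""
    held = set(entitlements)
    return [pair for pair in SOD_CONFLICTS if pair <= held]


def request_entitlements(user, current, requested, approver, audit):
    """Grant `requested` only if the resulting set violates no SoD pair.

    The check runs on current + requested, so a single request that carries
    both halves of a conflicting pair is rejected too. Granted and denied
    requests are both audited, with the approver and the conflicting pairs.
    """
    conflicts = find_conflicts(set(current) | set(requested))
    audit.write(user=user, requested=sorted(requested), approver=approver,
                decision="denied" if conflicts else "granted",
                conflicts=[sorted(pair) for pair in conflicts])
    return set(current) if conflicts else set(current) | set(requested)


def scan_accounts(accounts, audit):
    """Periodic pass over existing accounts: report users already in violation."""
    violations = {}
    for user, entitlements in accounts.items():
        conflicts = find_conflicts(entitlements)
        if conflicts:
            violations[user] = [sorted(pair) for pair in conflicts]
            audit.write(user=user, decision="violation",
                        conflicts=violations[user])
    return violations


ACCOUNTS = {  # constructed sample data
    "alice": {"checks.issue"},
    "bob": {"cash.deposit", "bank_statements.alter"},  # pre-existing violation
    "carol": {"inventory.read"},
}


def demo():
    audit = AuditLog()
    alice = request_entitlements("alice", ACCOUNTS["alice"],
                                 {"checks.approve"}, "mgr1", audit)
    carol = request_entitlements("carol", ACCOUNTS["carol"],
                                 {"checks.issue"}, "mgr2", audit)
    violations = scan_accounts(ACCOUNTS, audit)
    return alice, carol, violations, audit.records


if __name__ == "__main__":
    for record in demo()[3]:
        print(record)
```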

SECTION 2

The Need for a Comprehensive Provisioning Solution


The IT manager now needs to efficiently add, remove and manage a variety of users (some internal, some external) in a manner that provides them with the entitlements they need to be successful in their work, while remaining compliant with all internal and external regulations. Clearly, manual or improvised provisioning is only an option for managing a small number of users, and many first generation provisioning tools lack the granular functionality, flexibility or dynamic ability to make changes on the fly, an absolute necessity to meet all the challenges to the enterprise mentioned in Section One. To effect the type of positive impact that executives throughout the organization expect, the IT manager needs a truly comprehensive provisioning solution.

What to Look For In a Comprehensive Provisioning Solution

There are several features that one must look for when choosing a provisioning solution. Clearly the ability to automate certain commonly repeated functions, a level of user self-service and interoperability with many third-party systems, aren't always an option. But a truly comprehensive solution must meet several additional requirements and be able to satisfy the needs of not just IT but also other stakeholders within the organization.

INTEGRATED WORKFLOW

As part of an organization's compliance and regulatory efforts, integrating workflows allows both the automation and enforcement of entitlement processes. It also allows organizations to establish and specify administration policies for a variety of user communities, both inside and outside the organization.

FINE-GRAINED WORKFLOW APPROVAL

A comprehensive provisioning solution should offer enhanced workflow capabilities that enable fine-grained entitlements based on particular attributes or values. The solution must be able to work with individual business units to establish specific approval processes and approvers, termination policy, modification prerequisites and dependencies.

TABLE-BASED IDENTITY POLICIES

A flexible policy model supported by table-based identity policies can help simplify namespace administration for hundreds and thousands of possible attribute values such as Active Directory (AD) groups, SAP roles and RACF groups. In an environment where thousands of access entitlement combinations are required, table-based policies simplify the user life cycle management process by combining role- and rule-based user provisioning. By facilitating automated scheduled tasks, table-based identity policies empower administrators to deploy or make a change to massive user communities with a single push of a button.

SCHEDULED TASKS

IT managers must be able to easily define and schedule provisioning activities based on time as well as need. Tasks such as temporary role delegation, termination or activation, should be scheduled and executed with as few manual requirements as possible.

USER ADMINISTRATION DELEGATION

By delegating user administration, IT can empower the most appropriate people within the organization (and even those previously discussed nonemployee users who may exist beyond the firewall) to authorize and assign entitlements that help their team best accomplish its tasks on an on-demand basis. With IT at the center of the command hub, users with proper administrative roles must be able to view and modify access entitlements for users' accounts at any given time. This centrally managed process for delegating user administration can improve overall efficiency and is the most cost-effective way to rapidly scale the provisioning process.

PASSWORD MANAGEMENT

Password management services are still the most utilized functions in any provisioning solution. In our compliance-driven environment, these services remain among the most important. A comprehensive solution should include self-service, forgotten password support, bidirectional password synchronization, centralized password composition rules, flexible application of password policies, Graphical Identification and Authentication (GINA) support and automated enforcement of periodic password changes.

INTEGRATED COMPLIANCE SUPPORT

A comprehensive solution will tie entitlement policies into business processes using workflow functionality to ensure that entitlement policies are enforced, while serving as a watchdog to track current entitlements against current and past activity for inconsistency or violation. In addition to segregation of duties, reporting is a key aspect of compliance, as auditors require documentation and auditing of all controls to make sure they are effective and in line with both external regulation and an organization's business policies.

SUPPORTING DIVERSE IT ENVIRONMENTS

A key factor in the ease of deployment of a user provisioning system is its ability to easily integrate into the organization's IT environment. Solutions that provide out-of-the-box, standards-based and custom integration capabilities, together with the flexibility of integrating into Web applications and portals of the customer's choosing, go a long way in meeting this purpose. The ability of a solution to integrate with many of the leading hosts/servers (Windows, Linux, Active Directory, SUN Solaris, etc.), groupware applications (Lotus Notes/Domino, Microsoft Exchange), databases (Oracle, MS SQL, IBM DB/2), authentication systems (RSA SecurID, ActivIdentity CMS, Entrust PKI), mainframe systems (IBM RACF DB2 for z/OS, etc.) and standards and general interfaces (LDAP, ODBC, SPML, SDK, Universal Feed, Web Service/WSDL, Connector Xpress for RDBMS, etc.) can dramatically decrease the time to value of system implementation.

SECTION 3

The Benefits of a Comprehensive Provisioning Solution


Compliance Again

As stated previously, compliance is the driving force behind the majority of the advances in the EUPA in Europe, AIPA in Italy, Personal Information Protection Act (PIPA) in Japan, Basel II and FSA in the United Kingdom, Sarbanes-Oxley (SOX) and the Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), the Federal Financial Institutions Examination Council (FFIEC) in the U.S., are facing regulatory compliance to become a universal C-level issue.

When the auditors ask, IT must be able to easily create and provide reports that track any or all entitlements provisioned, including the time, reason and persons who approved and provisioned them. Likewise, they must also demonstrate when users were deprovisioned following the end of a contract or termination. A comprehensive provisioning solution provides IT with the auditing capabilities and robust documentation to stand up to the scrutiny of even the most stringent of these requirements.

Cost Savings/ROI: Do More With Less

There are many tangible ways to measure the ROI of a provisioning solution, but perhaps none is more compelling than the password reset function. Industry reports show that between 30% and 40% of help desk calls are password related. Add in the cost of help desk support and the frequency of use, and the average network user can cost as much as $250 per year. In an organization with 1,200 employees that number can reach $300,000 annually.[1] Factor in the additional non-employee users and partners/vendors who may be on your network, and the potential lost productivity of both your IT staff and those locked-out end users, and the value of having a simple and self-administered password service suddenly becomes a lot more attractive. On a larger scale, enabling your employees, partners (and in some cases customers) to access the applications they require is the first step to improving business processes. In turn this helps increase bottom-line organizational efficiency while meeting your business imperatives.

Not All PR is Good PR

One of the less easily quantified benefits of a robust provisioning solution is the value of keeping your organization's name out of the scandal pages. Recent high profile security breaches have revealed faulty and even negligent provisioning (and deprovisioning) practices by some previously trusted brand names.

Potentially disastrous headlines may reside with a recently laid-off human resources employee with a current password for personal employee information, a former vendor with access to supply chain purchasing data or an unscrupulous former contract worker with access to research and development data. Any loss of public confidence in your policies and procedures can lead to loss of management confidence in your people, and loss of shareholder confidence in your performance. Proper provisioning policies and documentation can help keep blemishes from your organization's public image and keep your management, customers and shareholders satisfied.

Roles and Rules: Making Sure People Get Only What They Need

With the growing number and types of users requiring access to critical applications, the line between privileged and unprivileged user is not always clear. A comprehensive provisioning solution will allow you to keep better control of all your users, documenting who requested and authorized entitlements and privileges and why they did so. By implementing a workflow-based policy for approvals, you can ensure that users get what they need to do their jobs effectively and efficiently, within the boundaries of the corporate policies.

[1] Source: Password Management: Gateway to Managing Identities, CA Inc., May 2007

In an extreme example, a mid-level accounting manager is terminated at 9:15 a.m. on a Monday morning. Human Resources asks him to turn over his ID, and Security escorts him out of the building. But can you be sure that his access to sensitive corporate data has been restricted? That same day, the IT manager who was sent the termination request late Friday night has a dentist appointment and doesn't arrive until 11:15 a.m. Even a two-hour lag time could provide a disgruntled and recently dismissed employee ample time to breach the integrity of potentially sensitive information. Automating the process and instilling safeguards with workflow-based policies and delegated administration capability can prevent such a situation. A clear audit trail can prove it.

Happy Users = Improved Operational Efficiency

Beyond avoiding abuse at the hands of disgruntled former employees, keeping your good employees happy must be the end goal of any IT function. Granting users simple and timely access to the information and applications they need to do their jobs correctly (without giving them more access rights than they actually need) is perhaps the second most important function (behind compliance) that an IT manager can provide using a comprehensive provisioning solution.

SECTION 4

Conclusions
The challenges facing IT managers as they go about the task of provisioning new and existing users are numerous and have been well documented here and elsewhere. Using a comprehensive, centralized and automated provisioning system can help solve several of these issues by helping to reduce IT costs, increase IT staff and end user productivity, mitigate risk and help comply with regulatory and corporate governance standards. Return on investment can be realized on an accounting basis through cost savings achieved by eliminating or greatly reducing repeatable manual tasks such as password resets and multiple new user adds or deletes. Economic advantages are realized through increased productivity, as users receive access to what they need to accomplish their tasks more easily and more quickly. Of course, the entire organization benefits from remaining compliant with federal regulations and avoiding front page level breaches in security stemming from inadequate policies and protocol. Finally, as mentioned before, the true benefit that makes a comprehensive automated provisioning solution a must for any organization is the ability to easily produce an accurate and comprehensive audit trail. Manual provisioning is no longer viable when you take into account these requirements. In addition to meeting the organization's compliance requirements, the audit functions can be used for business resource planning and security management. When looking for a solution to address the user provisioning imperatives of your enterprise, make sure that it improves security, meets regulatory compliance and corporate governance, automates repeatable processes and allows easy management of control and security policies such as those related to segregation of duties or fine-grained entitlements.

Additionally, the solution should be capable of ensuring that users and entitlements are properly managed, IT systems are kept under control and personal data is kept private: three major tenets of IT in relation to government regulations such as SOX, HIPAA and GLBA. The speed and ease with which employees, customers and business partners can access critical applications and systems have a direct impact on helping them to do their jobs, improve their satisfaction and productivity and increase the speed of value creation.

CA, one of the world's largest information technology (IT) management software companies, unifies and simplifies complex IT management across the enterprise for greater business results. With our Enterprise IT Management vision, solutions and expertise, we help customers effectively govern, manage and secure IT.

WP05IAM01E MP321200907
