Active Directory Account Provisioning
A lower cost and faster alternative to Identity Management
June 1, 2004

Contents
Introduction
User Account Creation Today
Account Changes
Account Expirations
Multiple Data Stores
Identity Management
Dream Big, Start Small
Leveraging Your Active Directory Investment
The NetIQ Solution
Customer examples
Conclusion

With 29% of total annual IT time spent updating user account information, organizations are struggling to find an economical solution to reduce the expense and resources required to manage the user account lifecycle.[1] Active Directory account provisioning takes advantage of the fact that the majority of account management activities occur in Active Directory, and focuses on streamlining these activities to get the quickest time to value.

This white paper explains how organizations can use the NetIQ Active Directory account provisioning solution to extend Active Directory and address the majority of their user account lifecycle needs. It explains how an organization can combine the NetIQ off-the-shelf products to address key account management issues, while laying the groundwork for a complete user account lifecycle management solution. This flexible approach allows organizations to implement Active Directory account provisioning in steps, as they have budget, and provides immediate ROI on account management projects. Besides reviewing the information in this paper, NetIQ encourages you to visit our web site at www.netiq.com for more details.
Introduction

Remember thirty years ago, when Human Resources was called Personnel and the human resource data store was a dark file room filled with gray metal file cabinets? In those days, if an organization was computerized, it had a single information system running a small number of applications. When new people joined the organization, Personnel created a new file folder and added it to the appropriate file cabinet. If the new employee needed regular access to the information system, the information systems manager would create an account and logon for the specified application. If the new employee only needed occasional access, he might share a "guest" account with the rest of the organization. Back then, the process to create user accounts and logons was usually a manual one, with paper forms and approvals. Since the systems administrators were the ones creating accounts, as well as doing all the other administrative tasks, it might take a week or so for the new account to be created. It was also relatively simple to keep track of who had access to which applications, since the number of applications was limited and few people had access to them.

User Account Creation Today

These days, most employees have access to several systems and applications, each with its own account and logon information. To put the problem in perspective, according to Computerworld, in 1995 IT departments supported an average of 25 applications per user and by 2001 that number had grown to 100 to 200.[2] META research shows that organizations with revenues over $500 million typically have more than 75 applications, databases, and systems that require authentication.[3] The amount of work to create all the necessary accounts on these different systems has grown accordingly. Even with today's more advanced processes and systems, new employees still have to wait to get access to the systems they need.
In a recent study by Stanford and Hong Kong universities of 200 Global 2000 companies, 48% of companies reported taking more than two days to provide a new hire with access to all the systems they need, and 10% reported taking more than two weeks.[4] With many employees' jobs directly related to interfacing with computer systems, delays in setting up new user accounts cost organizations directly in lost productivity and employee downtime. Even though new account creation can involve critical areas like enterprise security and touches many different systems and applications, new user account requests are frequently handled in an informal manner. They are submitted manually on outdated forms, sent on paper through interoffice mail, phoned into the help desk, mentioned offhandedly in passing, or emailed to various locations for approvals and authorizations, all before even entering the IT work queue. This ad hoc approval and notification process frequently slows down new account creation and causes many of the delays reported in the research. This type of distributed process also creates security issues, since there is no central authority overseeing which systems new accounts are being granted access to. With multiple people setting up new accounts, policies and naming conventions are also difficult to enforce.
Account Changes

As if new account creations were not enough to worry about, employee data is always changing. Employees change cell phone numbers, addresses, last names, titles, extensions, and office numbers. They can also change departments, organizational levels, business units, and locations. All of these changes need to be reflected in the user account information, but some of these changes also impact access to systems and applications. For example, an employee moving from New York to Boston will need accounts on the Boston mail server, but may no longer need access to the New York file server. In the case of promotions, employees who may have only had read access to certain data may now need the ability to make modifications, or may now need access to additional data. Figuring out the system ramifications of each of the changes is time consuming and difficult. Frequently IT organizations identify and enable access to the key systems involved in a change, like email, but wait for the affected employee to make access requests for the other systems. Unfortunately, this reactive approach increases downtime and can negatively affect employee productivity. Keeping track of these changes so that all users have the access they need, and only the access they need, is an ongoing challenge for many IT organizations.

Figure 1. Efficiently managing the user account lifecycle can reduce help desk calls and account administration costs, while improving user productivity and security.
Account Expirations

As forward-thinking IT managers frequently point out, at some point every employee leaves the organization. When employees leave, all of their access points need to be identified and disabled to prevent possible security problems. Every second an account remains active after its owner has left is a window that outside attackers and disgruntled ex-employees can use to gain unauthorized access to your systems. Even though most IT managers recognize this threat, according to the Stanford Hong Kong study 43% of companies surveyed take more than two days to disable user access and 15% take more than two weeks.[5] Two weeks is an enormous amount of time to leave your systems vulnerable. Even more concerning is the fact that many organizations do not disable all the accounts associated with a user. In fact, according to IDC, expired user accounts make up approximately 60% of all accounts in corporate systems.[6] The difficulty of keeping track of what each employee has access to is the likely culprit behind these expired user accounts. But regardless of the reason, expired user accounts present a serious security concern. From an economic standpoint, expired user accounts are also expensive. Many software applications charge license fees based on the number of user accounts in an environment, but are unable to distinguish between active and inactive accounts. In addition, inactive accounts are expensive to manage, as they increase the time required to perform any account management activity. The clear drivers pushing organizations to address the user account management problem are identifying and disabling expired user accounts, and removing the associated security vulnerabilities and administrative expenses.

Multiple Data Stores

Adding yet another layer of complexity to user account management is the fact that organizations have multiple data stores.
META Group research shows that organizations with revenues greater than $500 million typically have around 68 internal and 12 external data stores. META also shows that 75% of internal users are contained in multiple data stores.[7] This means that when you need to make a change to an employee's information or access rights, you have to make that change in multiple places. Coordinating and managing changes across multiple data stores is expensive. Every time an employee changes departments or a new employee is added, an IT resource has to manually enter redundant data in approximately four different applications or systems,[8] assuming the IT resource has access to all the different data stores. Frequently these data repositories are independently owned, managed by different departments or business units, and updates have to be coordinated manually or over e-mail.
It is easy to see how the time and expense can accumulate even when making the simplest changes. In addition, making changes in different places also increases the likelihood of inaccuracies and inconsistencies across the data. With employees having account data in multiple locations, it becomes very likely that a change is made in one data repository and not in another, which leads to problems of data accuracy and consistency. According to META, 11% of employees will experience a user access rights issue and 7% an incorrect personal information issue each month.[9] Unfortunately it is frequently the overburdened IT organization that has to identify and correct all these issues. The daily flow of user account changes is overwhelming many IT organizations. Industry estimates put 29% of total IT time spent modifying user account information annually.[10] In an effort to cope with the increasing administrative demands of managing user account changes, many IT organizations have pushed account maintenance off to lower level administrators and help desk personnel. No matter who does the actual account creation, the process itself is time-consuming and repetitive. Data has to be gathered from multiple sources, entered multiple times in varying formats into different access directories, and a rote set of tasks has to be performed. Multiple data stores increase the difficulty of figuring out who has access to which resource. There is no obvious way to associate one person with all of their access accounts in a multiple data store environment. Organizations may not be aware of many potential security concerns, like a sales rep who used to be in accounting and still has access to the billing system. With the privacy regulations introduced with HIPAA, it has become essential for many organizations to know exactly who has access to which data, at all times.
Multiple data stores also increase the probability that when an employee leaves the organization, some of the access points associated with that employee will not be identified and disabled. As mentioned earlier, these orphan accounts present a real security threat.

Identity Management

Identity management solutions are frequently proposed as a solution to the escalating demands of account provisioning. The attraction of these solutions is that they offer integrated management of user identities, which facilitates seamless interaction between individuals and the machines essential to eBusiness.[11] These solutions, however, manage more than the lifecycle of user accounts. Identity management solutions verify the credentials and manage the access rights of employees, business partners, suppliers, contractors, and customers. They can extend across all electronic resources in an organization and can identify who is accessing what, where they are located, what group they belong to, what applications and operating systems they can use, and once in them, what they are allowed to see and do.
Identity management solutions, though extremely powerful, are also expensive and difficult to implement. These solutions involve multiple systems, on disparate platforms, with complex authentication and security protocols. Since they link identity attributes, policies, and preferences not only behind a corporate firewall but also over the Web, they require the input and consensus of many different groups, both inside and outside of the organization, to be successful. Organizations launching an identity management solution have to address issues like integrating disparate business processes, regulatory restrictions on personal data, and agreeing upon unsettled standards. Gartner notes that identity management is a multiyear project, and that not all projects will achieve ROI in less than a year. They contend that understanding the current workflows and the data architecture needed for identity management increases the complexity of these projects and can make them seem overwhelming to many organizations.[12]

Figure 2. Identity management solutions manage identities and access to systems and extend beyond the organizational firewall.

For organizations with extended e-business relationships with partners, suppliers, contractors, and customers, where it is essential to verify that a person is exactly who they say they are and to grant access to specific systems based on that verified identity, identity management solutions are critical and can offer considerable economic benefits. Gartner estimates that a company with 10,000 employees can save $3.5 million over three years, and see a 295% return on its investment.[13]

Smaller organizations, and organizations that do not extensively share electronic systems with partners, suppliers, or customers, though, often find it difficult to justify the time and upfront expense associated with identity management solutions. These organizations are still required to support an increasing number of applications and experience much of the same pain of user account management. They are looking for a less expensive, less complex, easier to implement, and quicker time to value solution that addresses their immediate needs and allows them, once they have those under control, to expand to the other systems in the enterprise.
Dream Big, Start Small

Rather than trying to do everything all at once, many organizations are working on smaller projects that they can eventually unite into a larger identity management solution. This approach reduces the upfront costs and allows organizations to add features and capabilities as they have budget, while reaping immediate benefits from the parts they implement.

Figure 3. The more systems involved in a solution, the more complex the project becomes and the longer the time to value.

The preponderance of Active Directory accounts provides a high value area where substantial returns can be realized in a fraction of the time and expense of a complete identity management solution. For organizations interested in pursuing this type of strategy there are a few tried and true approaches to ensure success.[14]

• Prioritize: Identify the functions and capabilities that will have the most immediate impact on your business and, if possible, start with those. By hitting high value items first, you are ensuring a faster return on your investment.
• Work in phases: Even with the priorities, divide them into smaller projects. Smaller, finite phases are easier to plan and implement, and less likely to suffer from project scope "creep". You can use the ROI from the completed phases to justify the subsequent phases.
• Develop a long-term vision: Once you have identified priorities, organize them into an overall vision. The long-term vision will provide a context for understanding how the smaller projects interrelate and provide a framework for making project decisions.
• Use standards-based infrastructures: If you conform to industry standards then it is easier to build on your solutions in the future, and you are less likely to run into incompatibility and obsolescence issues. Also, standards make it easier for business partners outside your environment to work with what you develop.
Leveraging Your Active Directory Investment

User account lifecycle management is easy to break into smaller projects that can be prioritized and deployed in phases. With the right long-term plan, an organization can divide its user account lifecycle management project into small quantifiable objectives, such as reducing the time required to create new accounts or reducing the time required to identify and disable inactive accounts. Though small, such objectives can deliver an immediate ROI.

The first step to solving user account management is consolidating user account information into a central data repository that you can manage with a consistent set of access methods and policies. The good news is that with the predominance of the Windows networking infrastructure, most organizations already have a central data store implemented in their environment: Active Directory. Active Directory is an LDAP-accessible directory service that stores user information and access rights. It supports widely understood standards, LDAP and Kerberos authentication among them, alongside the Windows security protocols, which makes it easy to build interoperable solutions on it. Active Directory is an ideal user account information repository, with over 300 attributes that combine uniquely to build a user account. Active Directory also supports schema extensions, which add an incredible amount of power and flexibility to the type of solutions you can define. Since Active Directory is already installed, and uniquely equipped to handle user account and access data, it is an ideal cornerstone for a quick time to value user account lifecycle management solution.
From an IT manager's perspective, it is also completely within the control of the IT department, which eliminates much of the complexity associated with cross-functional Identity Management projects.

Active Directory Account Provisioning Solutions

Active Directory account provisioning is basic identity management for Active Directory user accounts. It takes advantage of the fact that the majority of account management activities occur in Active Directory, and focuses on streamlining these activities to get the quickest time to value. Active Directory account provisioning uses the reach of Active Directory to introduce a structured environment for user account administration, and to coordinate account management and related security policies across the enterprise. As a result, Active Directory becomes the centralized data repository for managing user account information and access rights to IT resources and assets.
To create an Active Directory account provisioning solution, organizations are faced with the decision of whether to build or buy. If they build it, cobbling together the tools provided with Active Directory and linking them to different processes with scripts or code, they can get exactly what they need. This approach, though, is rather risky, since scripts and custom code are difficult to maintain and suffer from compatibility and interoperability issues. In addition, custom projects like this can be costly and difficult to manage.

Another option is to purchase off-the-shelf tools. The difficulty with this approach is finding exactly what is needed, especially since every organization manages account creation, modifications, and deletions differently. Given the scope of user account management, it is unlikely there is one solution that will do everything required. Trying to build a unified solution using unrelated tools is also a challenge. Even tools based on industry standards frequently run into incompatibility issues that can threaten the success of the entire project.

Active Directory account provisioning enables organizations to:
• Implement self-service solutions for password resets, Exchange distribution lists, and white pages information
• Implement HR-driven user account creation, modifications, and deletions
• Incorporate workflows and approvals into account updates
• Coordinate Exchange mailbox administration with user account administration
• Automate home shares and disk quotas with account creations

The NetIQ Active Directory Account Provisioning Solution

NetIQ, a leader in security management, offers an Active Directory account provisioning solution that allows organizations to meet their immediate Active Directory account management needs with point-of-pain solutions, while at the same time laying the groundwork for future user account lifecycle management solutions. NetIQ provides off-the-shelf products to address key account management issues that can also be easily combined to build more complete account lifecycle management solutions. The NetIQ approach allows organizations to implement Active Directory account provisioning in steps, as they have budget.
Out of the box, NetIQ's products automate and streamline many user account administration tasks, such as creating a home share at the same time a new user account is created. They further reduce IT administrative workload by providing a secure method to distribute user account administration tasks across the organization. These products also support a wide spectrum of open, extensible interfaces and platforms, including Active Directory Service Interfaces (ADSI) and Windows Terminal Server (WTS).

One of the features that sets NetIQ products apart from other user account management solutions is the seamless integration of policy enforcement with directory updates. NetIQ products make it easy to define and enforce policies and conventions that ensure the integrity, consistency, and completeness of Active Directory data. These products also provide comprehensive auditing and reporting. They log all administrative actions and create an easy-to-follow audit trail. From these logs, customers can track administrative actions over time to establish correlations, create performance metrics, and enable ROI analysis.

Figure 4. NetIQ Active Directory account provisioning allows organizations to automate multi-step business workflows while enforcing security policies.

NetIQ products include easy-to-use automation capabilities that simplify complex multi-step business workflows. Leveraging NetIQ automation, organizations can update Active Directory automatically using HR data to grant access rights to new employees and move home directories automatically when an employee's site location changes. Automating workflows reduces mistakes and ensures that all steps are completed. It also reduces the time and resources required to make user account changes. NetIQ products can also be used to extend beyond Active Directory to other applications and databases to further streamline account management tasks.

NetIQ's Active Directory account provisioning allows organizations to tailor a solution to meet specific business needs. The product installs quickly. Within hours, organizations can implement account management solutions that can have an immediate effect on their bottom line, such as self-service password reset. Organizations can integrate their HR data with Active Directory so that as they add a user account in the HR system, the Active Directory account, home share, disk quota, Exchange mailbox, and group memberships are all created automatically. In addition to the products being quick to install and featuring a quick time to value, organizations only pay for what they need when they are ready to use it.
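The policy enforcement and audit trail described above, as an added example in Python (not NetIQ's code): a gate that every delegated or self-service attribute change passes through before it reaches the directory. The directory is an in-memory dictionary standing in for Active Directory. The attribute names are real Active Directory schema names; the roles, the matrix of which role may write which attribute, the E.164 phone convention and the department list are assumptions chosen for illustration.

```python
# Added example (not NetIQ code): a policy gate in front of delegated and
# self-service directory updates, with an audit event for every attempt.
# The directory is an in-memory dict standing in for Active Directory. The
# attribute names are real AD schema names; the roles, the writable-attribute
# matrix, the phone convention and the department list are assumptions.
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Which attributes each delegated role may write. Deliberately absent from
# every role: memberOf, manager, userAccountControl. A self-service or help
# desk path that could write those would be a privilege-escalation path.
WRITABLE_BY_ROLE = {
    "self": {"telephoneNumber", "mobile", "streetAddress"},
    "helpdesk": {"telephoneNumber", "mobile", "streetAddress", "title",
                 "physicalDeliveryOfficeName"},
    "departmental-admin": {"telephoneNumber", "mobile", "streetAddress", "title",
                           "physicalDeliveryOfficeName", "department"},
}

# Value-level conventions: phone numbers in E.164 form, departments from a
# controlled list (assumed), nothing blank.
E164 = re.compile(r"^\+[1-9]\d{6,14}$")
DEPARTMENTS = {"Accounting", "Sales", "Engineering", "Human Resources"}


def validate(attribute, value):
    """Return None if value meets the convention for attribute, else the reason it fails."""
    if not isinstance(value, str) or not value.strip():
        return f"{attribute} must be a non-empty string"
    if attribute in ("telephoneNumber", "mobile") and not E164.match(value):
        return f"{attribute} must be in E.164 form, got {value!r}"
    if attribute == "department" and value not in DEPARTMENTS:
        return f"unknown department {value!r}"
    return None


@dataclass
class AuditEvent:
    when: str
    actor: str
    role: str
    target: str
    attribute: str
    old: object
    new: object
    outcome: str  # "applied" or "denied: <reason>"


@dataclass
class Directory:
    users: dict                       # sAMAccountName -> {attribute: value}
    audit: list = field(default_factory=list)

    def update(self, actor, role, target, attribute, value):
        """Apply one attribute change if policy allows it. Every attempt, allowed
        or not, is appended to the audit trail. Returns True if applied."""
        user = self.users.get(target)
        old = user.get(attribute) if user is not None else None
        if user is None:
            reason = "no such account"
        elif role == "self" and actor != target:
            reason = "self-service may only change the caller's own account"
        elif attribute not in WRITABLE_BY_ROLE.get(role, set()):
            reason = f"role {role!r} may not write {attribute}"
        else:
            reason = validate(attribute, value)   # authorisation first, then value
        if reason is None:
            user[attribute] = value
        self.audit.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), actor, role, target,
            attribute, old, value, "applied" if reason is None else f"denied: {reason}"))
        return reason is None


def run_example():
    """Constructed sample: one self-service change that should pass and three
    that policy must reject (bad format, another user's account, group membership)."""
    d = Directory({
        "jsmith": {"telephoneNumber": "+14155550100", "department": "Accounting",
                   "memberOf": {"GG-Billing-Read"}},
        "adoe": {"telephoneNumber": "+14155550101", "department": "Sales",
                 "memberOf": {"GG-CRM-Users"}},
    })
    results = [
        d.update("jsmith", "self", "jsmith", "telephoneNumber", "+14155550199"),
        d.update("jsmith", "self", "jsmith", "telephoneNumber", "555-0199"),
        d.update("jsmith", "self", "adoe", "telephoneNumber", "+14155550199"),
        d.update("jsmith", "helpdesk", "jsmith", "memberOf", {"Domain Admins"}),
    ]
    return results, d


if __name__ == "__main__":
    outcomes, directory = run_example()
    for event in directory.audit:
        print(f"{event.actor:>7} as {event.role:<9} {event.target}.{event.attribute}: {event.outcome}")
```

The order of the checks matters: who is asking and what that role may touch is decided before the value is inspected, and group membership (memberOf) is writable by no delegated role, so a help desk or self-service path cannot be turned into a route into a privileged group. Every attempt, applied or denied, produces an audit event, which is what makes the denied attempts visible to whoever reviews the trail.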
Customer examples of NetIQ Active Directory Account Provisioning Solutions

NetIQ customers have implemented a wide range of Active Directory account provisioning solutions. From simple self-service password resets to full HR integration, customers have used NetIQ products to solve their user account administration problems. Customers have implemented a combination of the following strategies:

• Delegate: empower help desk personnel and non-system administrators to do the manual account management tasks in a secure and controlled environment. Delegation moves the function closer to the end user, improving response time and customer satisfaction, while reducing IT's involvement in routine administrative tasks.
• End user self-service: allow end users to directly interact with selected elements of their account data. Implementing self-service makes end users responsible for keeping specific data current, such as phone numbers and addresses.
• Automation: have systems perform as many account management tasks as possible. Automation not only increases productivity but also ensures consistent application of policies.

Below are some user account lifecycle issues organizations identified and resolved using NetIQ solutions.

IT resources overwhelmed

IT resources at a financial institution were overwhelmed with simple account management tasks and were not able to focus on more strategic IT projects. The NetIQ solution implemented secure delegation, which allowed this organization to safely distribute account administration to departmental administrators and help desk personnel, freeing up 80% of IT resources for higher value IT projects.

Account updates taking too long

The turnaround time for account updates and account additions at a large insurance institution was over a week and was costing the organization in lost productivity. The NetIQ solution combined self-service and automation to create an automated web form for account updates and account additions that allowed employees, and their managers with appropriate access, to directly update Active Directory information. The updates were instantaneous, which eliminated downtime. They were also subject to organizational naming conventions and policies, which protected the consistency of the Active Directory information, and could be safely performed by non-IT resources, which freed up IT resources for other projects.
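The HR-driven process described in the NetIQ solution section (create the account and its group memberships when HR adds an employee, push attribute updates, disable terminated employees), together with the orphaned-account problem raised under Account Expirations and Multiple Data Stores, as one added Python example that is not NetIQ's code. It reconciles a constructed HR feed against an in-memory dictionary standing in for Active Directory. The HR feed layout, the use of employeeID as the join key between the two stores, the first-initial-plus-surname naming convention and the department-to-group mapping are all assumptions.

```python
# Added example, not NetIQ code: the nightly HR-to-directory reconciliation the
# paper describes (create joiners under a naming convention, push attribute
# changes for movers, disable leavers, report accounts no HR record explains).
# An in-memory dict stands in for AD; the HR layout, employeeID join key,
# naming convention and department-to-group mapping are assumptions.
import unicodedata
from dataclasses import dataclass, field


@dataclass
class HRRecord:
    employee_id: str
    given: str
    surname: str
    department: str
    telephone: str
    status: str              # "active" or "terminated"


@dataclass
class Account:
    sam: str                 # sAMAccountName
    employee_id: str         # "" when no HR record owns the account
    department: str
    telephone: str
    enabled: bool = True
    groups: set = field(default_factory=set)


# Baseline access granted by department (assumed). Swapped on a department
# change so a mover does not carry the old department's access along.
BASELINE_GROUPS = {"Accounting": {"GG-Billing-Read"}, "Sales": {"GG-CRM-Users"}}
SYNCED_ATTRIBUTES = ("department", "telephone")


def sam_account_name(given, surname, taken):
    """Naming convention: first initial + surname, ASCII, lower case, alphanumeric,
    at most 20 characters (the sAMAccountName limit), numeric suffix on collision."""
    folded = unicodedata.normalize("NFKD", given[0] + surname).encode("ascii", "ignore").decode()
    base = "".join(ch for ch in folded.lower() if ch.isalnum())[:20]
    candidate, n = base, 1
    while candidate in taken:
        n += 1
        candidate = base[:20 - len(str(n))] + str(n)
    return candidate


@dataclass
class Plan:
    created: list = field(default_factory=list)
    updated: list = field(default_factory=list)    # (sam, attribute, old, new)
    disabled: list = field(default_factory=list)
    orphans: list = field(default_factory=list)    # enabled, but no HR record


def reconcile(hr_feed, directory):
    """Apply one HR feed to the directory in place and return what changed.
    Unexplained accounts are only reported: an orphan may be a service account,
    so it goes to a human for review rather than being disabled blindly."""
    plan = Plan()
    by_employee = {a.employee_id: a for a in directory.values() if a.employee_id}
    for rec in hr_feed:
        acct = by_employee.get(rec.employee_id)
        if rec.status == "terminated":               # leaver
            if acct is not None and acct.enabled:
                acct.enabled = False
                acct.groups.clear()                  # no standing access remains
                plan.disabled.append(acct.sam)
            continue
        if acct is None:                             # joiner
            sam = sam_account_name(rec.given, rec.surname, directory)
            acct = Account(sam, rec.employee_id, rec.department, rec.telephone,
                           True, set(BASELINE_GROUPS.get(rec.department, set())))
            directory[sam] = acct
            by_employee[rec.employee_id] = acct
            plan.created.append(sam)
            continue
        for attr in SYNCED_ATTRIBUTES:               # mover
            old, new = getattr(acct, attr), getattr(rec, attr)
            if old == new:
                continue
            if attr == "department":
                acct.groups -= BASELINE_GROUPS.get(old, set())
                acct.groups |= BASELINE_GROUPS.get(new, set())
            setattr(acct, attr, new)
            plan.updated.append((acct.sam, attr, old, new))
    hr_ids = {r.employee_id for r in hr_feed}
    plan.orphans = sorted(a.sam for a in directory.values()
                          if a.enabled and a.employee_id not in hr_ids)
    return plan


def run_example():
    """Constructed sample: a directory one night behind its HR feed."""
    directory = {
        "jsmith": Account("jsmith", "1001", "Accounting", "+14155550100", True, {"GG-Billing-Read"}),
        "adoe": Account("adoe", "1002", "Sales", "+14155550101", True, {"GG-CRM-Users"}),
        "bold": Account("bold", "0999", "Sales", "+14155550102", True, {"GG-CRM-Users"}),  # left long ago
        "svc_backup": Account("svc_backup", "", "IT", "", True, set()),                    # no HR owner
    }
    hr_feed = [
        HRRecord("1001", "John", "Smith", "Sales", "+14155550100", "active"),        # Accounting -> Sales
        HRRecord("1002", "Alice", "Doe", "Sales", "+14155550101", "terminated"),     # leaver
        HRRecord("1003", "José", "Smith", "Accounting", "+14155550103", "active"),   # joiner, name collision
    ]
    return reconcile(hr_feed, directory), directory
```

Two choices are worth noting. A department change swaps the old department's baseline groups for the new one's, which is the case of the sales rep who used to be in accounting and still has access to the billing system from the Multiple Data Stores section. Accounts the HR feed cannot explain are reported rather than disabled: in a directory that also holds service accounts, disabling blindly would cause outages, so that list goes to a reviewer, while terminated employees, whom HR does vouch for, are disabled in the same run.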
Security concerns

An oil company with offices distributed around the world was concerned about security issues caused by orphaned user accounts and needed to meet stricter auditing requirements. The NetIQ solution automated network auditing and enabled the organization to quickly identify hundreds of orphaned accounts across their entire network and disable them. The detailed logging and reporting allowed the company to meet its audit requirements.

Account updates too expensive

A pharmaceutical company needed to reduce the cost of maintaining user account information and improve the turnaround time for changes. The NetIQ solution reduced the account maintenance turnaround time and expense by automating Active Directory account updates from the HR database. Every night, the process collected all the new employees in the HR database and created Active Directory accounts with home directories, Exchange mailboxes, and even basic group memberships, allowing new employees to be immediately productive. It also collected selected employee updates, such as department and telephone, and made those changes to the Active Directory accounts. For employees marked terminated in the HR database, the solution disabled all access accounts, preventing possible security threats.

Conclusion

User account lifecycle management is an expensive and time-consuming undertaking. It can absorb all available IT resources and prevent other more strategic IT projects from getting the time and attention they deserve. With the ever-increasing number of applications and data stores enterprises introduce into their environment, the problems around user account management are only going to grow and demand more time and IT resources.
Organizations seeking a solution to the escalating IT resource requirements for user account lifecycle management are frequently drawn to Identity Management solutions, which promise integrated management of user identities and seamless interaction between individuals and a variety of applications. These solutions, however, extend beyond the organization to include external partners, suppliers, and customers, and can be expensive and time consuming to implement. Many organizations cannot justify the upfront cost and long implementation cycles required to develop and deploy an identity management solution. Active Directory account provisioning is a viable solution for these organizations.
Active Directory account provisioning leverages an organization's investment in Active Directory. This approach takes advantage of the fact that the majority of account management activities occur in Active Directory, and focuses on streamlining these activities to get the quickest time to value. Active Directory becomes the centralized data repository for managing user account information and access rights to IT resources and assets. Active Directory account provisioning allows organizations to reap a large percentage of the cost savings and increased security promised by full-blown identity management solutions, but at a fraction of the time and expense. NetIQ offers powerful Active Directory account provisioning solutions that feature secure delegation, policy enforcement, auditing, and extensive automation capabilities. NetIQ provides off-the-shelf products that meet immediate user account management needs. These products can also be combined to create user account lifecycle management solutions. NetIQ-enabled Active Directory account provisioning is incredibly flexible, allowing organizations to quickly build a solution that meets both their requirements and their budget, while allowing them to easily add functionality in the future. NetIQ Active Directory account provisioning maximizes an organization's investment in Active Directory and reduces the cost of user account management.

References

[1] META Group white paper, August 2002, "The Value of Identity Management"
[2] Computerworld, July 9, 2001, "Want to Save Some Money? Automate Password Resets", Pimm Fox
[3] META Group white paper, August 2002, "The Value of Identity Management"
[4] Exploring Secure Identity Management in Global Enterprises, Stanford University and Hong Kong University of Science and Technology, March 2003
[5] Exploring Secure Identity Management in Global Enterprises, Stanford University and Hong Kong University of Science and Technology, March 2003
[6] IDC Viewpoint, March 2003, "Identity Management: Integrating People, Process and Machines", David Senf
[7] META Group white paper, August 2002, "The Value of Identity Management"
[8] Exploring Secure Identity Management in Global Enterprises, Stanford University and Hong Kong University of Science and Technology, March 2003
[9] META Group white paper, August 2002, "The Value of Identity Management"
[10] META Group white paper, August 2002, "The Value of Identity Management"
[11] IDC, March 7, 2003, "Identity Management: Securing Your e-Business Future", David Senf
[12] Gartner and PricewaterhouseCoopers, 2001, "Identity Management: The Business Context of Security"
[13] Asia Computer Weekly, March 2003, "Identity Management Market at a Crossroads", Queenie Ng
[14] Computerworld, July 14, 2003, "Know Thy Users: Identity Management Done Right", Deborah Radcliff