Managing user access rights is a huge challenge with few easy answers
One of the most challenging aspects of IT security today is access governance: establishing which employees are authorized to access which resources, and with which privileges, then monitoring and updating those access privileges on an ongoing basis as workers come and go or change job responsibilities. This is a particularly difficult puzzle for enterprise-class organizations, in which both the employee headcount and the range of resources are exceptionally large and unwieldy to administer.
Consider, for instance, the problems of any user-provisioning approach based on direct assignments. Setting access privileges for each of 10,000 employees for a single application would be hard enough. Multiply that by the number of applications in the infrastructure, and the fact that employee job duties are constantly in a state of flux, and you begin to see that a much more efficient solution is called for.
This situation has led to the rise of role-based access control (RBAC), in which access privileges are assigned not to each individual employee but to the role that employee performs, and to logical groups of such roles, with the roles themselves derived from models built on current access data. Managing the privileges of roles and role groups is a far more efficient process, and it helps keep user access rights in close alignment with organizational goals, established security policies, and regulatory compliance needs.
Often, though, even this acceleration isn't enough. Tremendous amounts of data about user activities and access rights must be collected, cleaned, and normalized before a model can be accurate, and in the time that takes, so much may have changed in the organization that the results are often of limited practical value.
That, in turn, makes it hard to integrate the role models with running applications and business processes. Instead of serving business goals, in other words, the new role structure can actually impede them.
IBM Tivoli Identity Manager 5.1: Integrated role modeling, mining, and lifecycle management
For this reason, IBM has developed an innovative new module for its identity management solution IBM Tivoli Identity Manager V5.1. This embedded component, IBM Security Role and Policy Modeler, fulfills the promise of role modeling and mining—easier, faster, and more accurate access definition and control—without introducing unwanted complexity or shortcomings common to other solutions.
Tivoli Identity Manager (the overarching identity management solution of which IBM Security Role and Policy Modeler is only a part) provides, through that component, a business-centric approach to planning, understanding, and modeling security roles and separation-of-duty constraints for access to critical resources. Because the modeler is business-oriented and scalable, and because it is already built into Tivoli Identity Manager, it can be applied to even the largest and most complex organizations with the highest headcounts. Its features were designed to bring business managers into the discussion of user access rights, which streamlines the approval of role structures.
Role management is best understood as only one element of an organization’s overall identity management strategy. Role modeling and planning are part of overall security process integration in an organization. Tivoli Identity Manager provides application services that help the organization plan for role-based access requirements and rollout and the day-to-day maintenance of roles and separation of duty constraints. Organizational security needs and requirements are prioritized, implemented, deployed, enforced, and monitored. As an organization or its requirements change, the security process integration cycle continues planning using the feedback from the process.
With Tivoli Identity Manager, new role structures can be created and sent to managers for approval. Based on the responses, these structures can then be adjusted or redesigned to reflect specific needs. The focus at all times is on acceleration: moving through quick, prioritized, and logical stages to arrive at a practical and accurate role structure that will help improve both security and compliance.
That's no simple task, but Tivoli Identity Manager makes it relatively straightforward. In part this is because, in developing Security Role and Policy Modeler, IBM built an Analytics Catalog: a library of the techniques most commonly used in role modeling and design, in effect a set of best practices. The catalog is backed by a role-mining tool and a simulation engine, which pull together data from the infrastructure and show how a candidate role structure is likely to perform.
Tivoli Identity Manager leverages visual tools and familiar business intelligence techniques to reduce the time and effort to design, manage, and approve roles and role structures for enterprise IT governance. It provides web-based modeling interfaces and reports for owners of business processes and applications so that they can use role-based access control for their employees.
Furthermore, Tivoli Identity Manager leverages key business process management capabilities drawn from the IBM Business Process Manager to address different use cases in role structuring approval and periodic recertification. In contrast, competing alternatives typically offer only specialized workflows that are difficult to adapt, requiring precious time and delivering reduced value as a result.
A clear, simple design that delivers both exceptional power and flexibility
If you're curious to see how Tivoli Identity Manager might actually be applied in a real-world case, consider its capabilities in the context of three common stages in the role-structure creation process: (1) empowering role analysts with simple-choice role-mining, (2) accelerating role-building via best practices, and finally, (3) developing a satisfactory role structure, including validation, to ensure accuracy.
Simple-choice role-mining essentially draws from cleaned and normalized data to create the structure. Here, Security Role and Policy Modeler strengths include a Web-based user interface with a business look and feel, including instant feedback and intuitive search behavior, as well as straightforward choices that also reflect a business perspective. Managers can, with relative ease, make decisions not with a technical focus, but a business focus—helping keep the role structure prioritized for business value, rather than tying it artificially to the IT infrastructure per se. As progress is made, the solution maintains a statistical summary to depict that progress in areas like project definition, scoping, modeling, and mining.
Role-building draws on both the analytics tools and the analytics catalog, each of which embodies proven best practices, to help managers quickly create roles and role groups that closely reflect the organization's needs. Data can be imported from a standard CSV file or from other sources through the included Tivoli Directory Integrator, which acts as the connector to those sources. Results can be exported just as easily to Tivoli Identity Manager for implementation. The emphasis, as always, is on simplicity and speed, both of which help keep the results in step with a changing organization and its diverse, growing IT infrastructure.
Finally, putting the role structure to use is as practical and fast as developing it was; in some cases it is automatic. To a significant degree this is because IBM offers many related solutions and has made Tivoli Identity Manager interoperable with them, creating value in several different forms.
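The steps described above (mining over cleaned and normalized access data, the role-mining tool and simulation engine behind the catalog, CSV import, and validation of the candidate structure), shown as an added example that is not IBM's code and not the Security Role and Policy Modeler's algorithm: a minimal Python role-mining pass over a constructed CSV of direct user-to-entitlement assignments, followed by a separation-of-duty check and a before/after count of assignments to maintain. The user and entitlement names, the SoD pair, and the mining rule (one candidate role per distinct entitlement set shared by at least two users) are all assumptions made for this example.

```python
"""Minimal role mining over direct user-to-entitlement assignments.

Added example, not code from IBM Security Role and Policy Modeler. It walks the
stages the article names: normalize imported data, derive candidate roles from
the access data, then validate the result (separation-of-duty check and an
assignment-count comparison). The CSV, entitlement names and SoD pair are all
constructed for this example.
"""
import csv
import io
from collections import defaultdict

# Constructed sample: direct assignments as exported from one application,
# one (user, entitlement) per row. Bob's second row is an unnormalized duplicate.
SAMPLE_CSV = """user,entitlement
alice,erp.ap.create_invoice
alice,erp.ap.view
alice,hr.timesheet
bob,erp.ap.create_invoice
 Bob,ERP.AP.View
bob,erp.ap.view
bob,hr.timesheet
carol,erp.ap.approve_payment
carol,erp.ap.view
carol,hr.timesheet
dave,erp.ap.create_invoice
dave,erp.ap.approve_payment
dave,erp.ap.view
dave,hr.timesheet
frank,erp.ap.create_invoice
frank,erp.ap.approve_payment
frank,erp.ap.view
frank,hr.timesheet
erin,hr.timesheet
"""

# Constructed separation-of-duty constraint: no single role may both create
# invoices and approve payments.
SOD_PAIRS = [("erp.ap.create_invoice", "erp.ap.approve_payment")]


def load_assignments(csv_text):
    """Parse the CSV into {user: frozenset(entitlements)}. Trimming and
    lower-casing merge ' Bob'/'ERP.AP.View' with their canonical forms and
    collapse duplicate rows: the cleaned, normalized input mining needs."""
    users = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        users[row["user"].strip().lower()].add(row["entitlement"].strip().lower())
    return {u: frozenset(e) for u, e in users.items()}


def mine_roles(users, min_members=2):
    """Deliberately simple mining rule (an assumption of this example): every
    distinct entitlement set held by at least `min_members` users becomes a
    candidate role; users with a unique set are returned as 'uncovered' and
    keep their direct assignments. Returns (roles, uncovered)."""
    by_set = defaultdict(list)
    for user, ents in users.items():
        by_set[ents].append(user)
    # Largest candidate roles first, ties broken by entitlement names, so the
    # role numbering is stable from run to run.
    ordered = sorted(by_set.items(), key=lambda kv: (-len(kv[1]), sorted(kv[0])))
    roles, uncovered = {}, {}
    for ents, members in ordered:
        if len(members) >= min_members:
            roles[f"role_{len(roles) + 1}"] = {"entitlements": ents, "members": sorted(members)}
        else:
            for user in members:
                uncovered[user] = ents
    return roles, uncovered


def sod_violations(roles, sod_pairs):
    """One (role_name, a, b) tuple per role that bundles a toxic pair. Mining
    copies whatever users already hold, so it can turn an existing SoD breach
    into a role; this check is what makes the candidate structure approvable."""
    return [
        (name, a, b)
        for name, role in roles.items()
        for a, b in sod_pairs
        if a in role["entitlements"] and b in role["entitlements"]
    ]


def assignment_counts(users, roles, uncovered):
    """(direct, role_based): assignments an administrator must maintain before
    mining versus role memberships plus leftover direct assignments after it."""
    direct = sum(len(ents) for ents in users.values())
    role_based = sum(len(r["members"]) for r in roles.values())
    role_based += sum(len(ents) for ents in uncovered.values())
    return direct, role_based


if __name__ == "__main__":
    users = load_assignments(SAMPLE_CSV)
    roles, uncovered = mine_roles(users)
    for name, role in roles.items():
        print(name, sorted(role["entitlements"]), role["members"])
    print("uncovered:", {u: sorted(e) for u, e in uncovered.items()})
    print("SoD violations:", sod_violations(roles, SOD_PAIRS))
    print("direct vs role-based assignments:", assignment_counts(users, roles, uncovered))
```

On the constructed input this yields two candidate roles (dave and frank; alice and bob), two uncovered users (carol, erin), one SoD violation (the role mined from dave and frank bundles invoice creation with payment approval), and 18 direct assignments reduced to 8 role memberships plus leftovers. The violation is the point worth noting: mining only reproduces the access users already hold, so the validation stage has to run before a structure goes out for approval, or an existing breach becomes policy.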
For instance, Tivoli Identity Manager's role structure benefits from the previously mentioned business process management technology, to automatically approve the role structure and recertify access rights where appropriate. This delivers improved security while also minimizing the ongoing time and energy access managers will need to spend on such tasks themselves. Similarly, statistical analysis and reporting are based on technology drawn from IBM's Cognos acquisition. And of course, Tivoli Identity Manager is also interoperable with other members of the IBM Tivoli security portfolio, such as IBM Tivoli Federated Identity Manager, IBM Tivoli Access Manager for eBusiness, and IBM Tivoli Security Information and Event Manager.
Tivoli Identity Manager is, in short, a straightforward, elegant, and powerful tool that customers can use to make rapid progress on what had been an exceptionally complicated and time-consuming job: developing, implementing, and managing a role hierarchy structure. And because Tivoli Identity Manager can be tailored to suit the specific contextual requirements of almost any organization, it's not just simpler and faster than the competition—it's also more flexible.
Given accelerated accurate role models, you'll enjoy many business benefits
If that list of capabilities sounds impressive, consider the following business benefits that emerge as a result:
- Easier, more natural participation of executive management. Tivoli Identity Manager's consistent focus on business needs and business value, and abstraction away from the technical details of the solutions involved, means that business-centric executive leaders can play a more direct role in helping develop an effective and accurate role structure for managing access rights.
- Higher business value from all services. Because services are more likely to be used only by the right people, in the right ways, and for the right period of time, they add more value to the organization—instead of subtracting it by giving unauthorized personnel access to business-critical resources.
- Increased business agility. The faster and more accurately a role structure is developed, and maintained over time, the faster the IT infrastructure can respond to new strategies, and the more empowered employees are to fulfill their job duties—especially if those duties frequently change.
- Lower costs and risks. Thanks to its extensive support for automation when possible, Tivoli Identity Manager can help drive down many forms of operational costs, such as the labor costs that might otherwise have been incurred as a result of ongoing manual management. Subtler costs may fall as well, including costs of the IT infrastructure. IBM solutions, by working in concert, can provide a fully integrated identity and access management solution instead of requiring the organization to purchase different solutions that do limited tasks in isolation. And many business risks—such as the possibility of exposing crucial data or services, and compromising regulation compliance—could be reduced as well.
- Proactive, forward-looking organizational visibility and control that improves over time. Tivoli Identity Manager's analytics and modeling capabilities already help to provide a predictive, proactive way to prevent user access problems from developing—not simply respond to them after the fact, and hope the response was fast enough. Already, its capabilities both draw upon and add to IBM's larger security solution portfolio to deliver on that value proposition not in one way, but in many, all of which help the organization focus on the ultimate metric of IT infrastructures: not asset performance, but business value.
That idea will be pursued to a much greater extent in the near future. As IBM continues to augment its portfolio, and integrate analytics capabilities in new ways, Tivoli Identity Manager will both inform and benefit from that integration. The result will be that IBM's identity and access management portfolio in general will become smarter, more forward-looking, and more efficient than ever, leveraging all identity and access management solutions and data optimally to help drive organizations to a superior business outcome.
Learn more
- IBM Security
- Tivoli Identity Manager
- Tivoli Identity and Access Manager
- Tivoli Identity and Access Assurance