Extending IT services requires nailing down account privileges
In a challenging business climate like the one we face today, IT services must generate as much business value as possible. For this reason, many organizations have begun extending those services in new directions—across silos within the organization, certainly, but also outside the organization, to business partners, customers and clients.
When current IT services can be leveraged to strengthen or develop business relationships, increase internal productivity or both, the return on investment they generate will certainly increase and accelerate. This is particularly true when those services can be driven entirely or in part by cost-effective approaches such as automation to minimize the resources of money and time required to create and support them.
Delivering services to more people, however, can also involve theoretically higher business risk. To mitigate that risk, effective and comprehensive security is absolutely essential. Services must be available to only the right people, with the right access privileges; even a minor breach in access protocols can lead to many negative consequences, ranging from service downtime to the unauthorized modification or loss of core business data to the illegal copying of trade secrets.
And a third aspect of this situation comes into play within the area of regulation compliance. In the new millennium, government regulations increasingly specify how organizations must monitor, manage and control access to sensitive data—and they are backed up by government audits. At such a time, it’s crucial not only to have achieved regulation compliance, but also to be able to demonstrate it quickly and easily on demand.
IBM Tivoli Identity Manager delivers simplified compliance and higher security
Directly on point in all these areas is IBM Tivoli Identity Manager—a secure identity management solution driven by customizable policies that helps administrators easily establish and control user/group access privileges across disparate technologies in even the most complex IT infrastructures. Tivoli Identity Manager empowers organizations to simplify and accelerate the challenging task of managing user rights through the full user identity lifecycle, including all of the logical modifications along the way from cradle (user onboarding) to grave (user retirement and elimination). And once deployed, Tivoli Identity Manager delivers not just higher security, but easier regulation compliance and reporting as well.
As an enterprise-class solution, Tivoli Identity Manager can thus be used as a comprehensive user provisioning tool—creating and defining user identities and access rights on demand, in accordance with security protocols as well as with business goals and strategies. However, the solution also has a substantial value proposition even for organizations with less comprehensive needs. Among these, one of the most obvious is account privilege verification and cleanup.
Consider the case of the typical organization which has many IT services; for each service, there will be associated users, groups and access rights. In an ideal case, that pool of users and groups, and its privileges, would be perfectly aligned with the business requirements at any given time. In the real world, however, misalignment is all too common. As time passes, employees are hired or leave the organization—or simply shift from group to group—and their access rights, which are changed with less than instant speed, become less and less synchronized with their actual business roles.
In a worst-case scenario, this misalignment can lead to potentially catastrophic outcomes, such as staff members who have left the organization still holding sufficient privileges to access, copy, change or destroy core business data.
Reconciliation: Be sure your user accounts correspond to appropriate people
Tivoli Identity Manager can be used to address this issue of privilege misalignment in three fundamental ways: reconciliation, recertification and reporting. Leveraged properly, these three approaches can swiftly help organizations to secure their services more effectively, increase user productivity, reduce operational costs and drive compliance initiatives—all of which will ultimately contribute to the business bottom line. And through Tivoli Identity Manager, all of these benefits are also relatively easy to achieve.
The first logical step in privilege cleanup, reconciliation, is essentially the process of verifying the validity of user accounts. The goal is to verify that accounts on all target systems match appropriate end users—and to retire accounts that no longer do, such as the obvious case in which a user has left the organization. Tivoli Identity Manager drives efficient (and cost-efficient) reconciliation through its closed-loop features, which automatically detect access policy violations and repair them where appropriate. Tivoli Identity Manager accomplishes this by loading and reconciling account data from all designated target systems and then identifying and eliminating (or suspending) orphaned accounts. Because this is an automated process, IT staff members can dedicate their time to more demanding tasks; furthermore, inadvertent human errors (of the type that often lead to account privilege problems in the first place) are also eliminated as a potential problem.
Recertification: Create ongoing oversight for account maintenance
Recertification, the second stage, helps to maintain the validity of accounts and their associated privileges in an ongoing way. At this stage, a recertification policy is created by which relevant organizational managers are required to approve of current account/privileges for staff members on a periodic basis.
In cases where a staff member’s access is no longer suitable, the manager can simply decline to approve the recertification; this will result in automated suspension of the account in question. This human oversight helps by diminishing the window of time in which accounts can be accessed inappropriately, and helps to prevent accounts from becoming orphaned in the first place. Over time, effective recertification policies can drastically reduce the odds of inappropriate access to core business data.
Fortunately, Tivoli Identity Manager allows administrators to easily create recertification policies of just this type. Through its included, straightforward wizards and templates, it is possible to create policies with a minimum of effort which are nevertheless appropriately customized to suit the business need. For instance, assume that for a given project, access to a given database should be allowed to all employees in a logical group. Tivoli Identity Manager can be configured to prompt that group’s manager every two weeks (or at any other suitable interval) to confirm that every member in the group should still have that level of access. And Tivoli Identity Manager also includes a Web-based graphic workflow designer that can be used to model more complex business processes, should that be necessary.
Reporting: Demonstrate compliance with government regulations
Finally, the reporting stage is used to generate an auditable trail of all changes pertinent to security policies, accounts and user access privileges in the context of government regulations. By documenting account histories, and demonstrating how changes to those accounts took place over time with respect to job duties and requirements, organizations can satisfy an auditor that regulation compliance has been achieved.
Here, too, Tivoli Identity Manager has been designed to simplify and accelerate a complex task with powerful, configurable features. Consider, for instance, the solution’s read-only mode for auditors, which allows them access to pertinent data without giving them the ability to change it. Tivoli Identity Manager also includes a suite of compliance reports to address many common scenarios, and when that suite proves insufficient, administrators can simply develop their own reports using the customizable report builder (either from scratch or by using one of the included reports as a starting point). And to demonstrate how even the most trusted insiders are acting in compliance with government regulations, Tivoli Identity Manager also integrates with IBM Tivoli Compliance Insight Manager—a tool for transparently monitoring user activity in the context of security policies—to develop special audit reports for that purpose.
Connecting with the complex IT infrastructure
All of these key functions—reconciliation, recertification and reporting—are available with Tivoli Identity Manager right out of the box. A casual observer might wonder how this is possible, since obviously, today’s complex IT infrastructures commonly include many different systems and applications which manage user/group access privilege data in custom ways.
Anticipating this, however, IBM Tivoli has bundled Tivoli Identity Manager with a large number of adapters—essentially, logical mechanisms that serve as a liaison between Tivoli Identity Manager and various applications or services on target systems, through which Tivoli Identity Manager can obtain the necessary information about users, groups and privileges it needs to perform its analyses.
What if one or more custom applications, developed within the organization, are deployed in the IT infrastructure? Normally, one might expect accessing their user/group access data to be a problem, since clearly Tivoli Identity Manager won’t be able to interface with custom applications by default due to the lack of an appropriate adapter. Fortunately, in this case, Tivoli Identity Manager does include a toolkit specifically designed to help organizations create a suitable adapter, quickly and easily, and thus allow Tivoli Identity Manager to interoperate with the broadest possible range of target systems.
Lastly, some organizations use a relatively ad hoc approach to user privilege/access management on certain systems—to wit, a spreadsheet, in which data is entered manually—and this, too, represents a scenario in which Tivoli Identity Manager might be expected to run into problems. Fortunately, manual services of this type can also be reconciled by the solution, due to the fact that it can read and interpret comma-separated values files (CSV files). Once the data has been obtained, Tivoli Identity Manager can apply the benefits of its reconciliation, recertification and reporting features even in this special case.
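The reconciliation step described above, applied to a manually maintained CSV account list, as an added illustration that is not IBM's code and not Tivoli Identity Manager's own reconciliation engine: the identity feed, the account CSV columns and the "suspend orphaned accounts" closed-loop rule are all assumptions constructed for this example.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample data (not from the article): an HR identity feed and a
# manually maintained CSV of accounts on one target system.
IDENTITIES_CSV = """uid,name,status,manager
jdoe,Jane Doe,active,mlee
bsmith,Bob Smith,terminated,mlee
mlee,Mia Lee,active,
"""

ACCOUNTS_CSV = """account,owner_uid,privilege
jdoe,jdoe,read
bsmith,bsmith,admin
svc_backup,,admin
tdrake,tdrake,read
mlee,mlee,read
"""

@dataclass
class Finding:
    account: str
    reason: str
    action: str  # "retain" or "suspend" (hypothetical closed-loop policy)

def load_identities(text):
    # Index the identity feed by uid so each account owner can be looked up.
    return {row["uid"]: row for row in csv.DictReader(io.StringIO(text))}

def reconcile(identities_csv, accounts_csv):
    """Match each target-system account to a known, active identity.
    An account with no owner, an unknown owner, or a non-active owner is
    orphaned; the assumed policy suspends it rather than deleting it."""
    identities = load_identities(identities_csv)
    findings = []
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        acct, owner = row["account"], row["owner_uid"].strip()
        if not owner:
            findings.append(Finding(acct, "no owner recorded", "suspend"))
        elif owner not in identities:
            findings.append(Finding(acct, "owner unknown to identity store", "suspend"))
        elif identities[owner]["status"] != "active":
            findings.append(Finding(acct, f"owner {owner} is {identities[owner]['status']}", "suspend"))
        else:
            findings.append(Finding(acct, "owner active", "retain"))
    return findings

def orphaned_accounts(findings):
    # Sorted list of accounts the policy would suspend.
    return sorted(f.account for f in findings if f.action == "suspend")

if __name__ == "__main__":
    for f in reconcile(IDENTITIES_CSV, ACCOUNTS_CSV):
        print(f"{f.account:12} {f.action:8} {f.reason}")
```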
Learn more
- Tivoli Identity Manager overview
- White paper on obtaining effective user management with IBM Tivoli solutions (1.1MB)
