Does Your Network See Dead People?

Stop me if you've heard this one: An executive in your company passes away. Weeks later, you discover the dead executive is still accessing your intranet. It turns out that the exec's wife is simply using her late husband's laptop to get online, never realizing that she is signed on to your network under her husband's credentials.

This scenario illustrates the difficulty of ensuring that user accounts are consistently and securely provisioned and deprovisioned. Similar scenarios are common: Of 334 respondents to this month's survey, nearly 65 percent answered yes to the question "If an employee leaves or is fired, could account information still exist in your directories when you remove that person from your systems?"

Provisioning is only one aspect of identity and access management, though, and most readers don't know what the other aspects are. Even the term identity and access management is unclear: Only 29 percent of survey respondents understand the term clearly. Fifty-six percent have some knowledge, and 14 percent don't know anything about it. Knowledge of products in this area is similarly weak—50 percent of respondents aren't knowledgeable about products. Only 22 percent say they use such products, and 17 percent aren't sure whether they use them.

Microsoft's identity and access management products are Identity Integration Feature Pack (IIFP), a free feature of Windows Server 2003, Enterprise Edition; and Microsoft Identity Integration Server (MIIS), an add-on you can purchase for heterogeneous environments. After reviewing information about these products on Microsoft's Web site, readers remained fuzzy about their purpose. One reader simply demanded: "Tell me the top five problems that IIFP and MIIS will solve." I took that demand, readers' questions, and the survey results to Microsoft's product development team and talked with Michael Stephenson (director, product management, Identity and Access) and Andreas Luther (MIIS group program manager).

AD, IIFP, and MIIS
Active Directory (AD) "is the foundation for identity and access management in the Windows Server platform," Michael began. "AD provides the distributed store for identity information and credentials. It also provides access management capabilities. So for instance, when users log on to their Windows desktop, they authenticate against AD using username and password, or smart cards if they want strong authentication."

IIFP and MIIS augment AD's functionality for managing user identity within a network and user access to corporate resources: "IIFP is for customers that have an all-Microsoft environment and may be running multiple AD forests," explained Michael. MIIS is targeted at large enterprises and is a separate product you can purchase. "The primary objective of MIIS," Michael continued, "is to simplify identity lifecycle management across the heterogeneous enterprise."

What does that mean? "In addition to having user information in AD, large organizations typically also have additional systems that maintain information about user accounts," Michael replied. "On average, enterprises store identity in about 63 places. It's difficult to get a single view of a user across these different systems. That's the problem MIIS solves. MIIS extends AD's capabilities: Users wouldn't log on to MIIS; they'd log on to AD. Information about a user wouldn't be changed in MIIS; it would be changed in a host system such as AD or another LDAP directory that it connects to."

Michael concluded, "The main difference between MIIS and IIFP is that MIIS provides management agents for connecting to non-Microsoft stores, such as other LDAP directories, mainframe systems, or ERP systems. Except for the management agents, all the capabilities of IIFP and MIIS are the same."

You're probably still as perplexed as the guy who just wanted to know what five problems IIFP and MIIS solve. Michael listed three main problems: provisioning, synchronizing across different forests or platforms, and process automation and self-service.

Bring Out Your Dead
Provisioning is where the dead-user issue arises. Michael said provisioning encompasses "automating the process of creating and deleting accounts. We call it the hire/fire scenario: You need to make sure users are immediately productive when they come into the organization and that their entitlements end when they leave."

Almost 74 percent of survey respondents said their process for removing former employees from directories is manual. Only 19 percent use scripts; the rest use third-party tools or "other methods". It's easy to see how expired employees might haunt your network.

Michael noted, "With IIFP and MIIS, you can automate things such as creating or deleting user accounts, adding users to groups, and adding accounts on other systems. You define a policy, which you can write in any Visual Studio language, and that policy determines what it takes to provision a user in a different system. Typically, provisioning starts with something like an HR application. When new employees are hired, a record is created for each employee in the HR system. MIIS can pick up on that event, and—based on the policy IT has defined—create the accounts in the different systems so that new employees have access to the things they need to be productive." Likewise, when employees leave, IT policies ensure that their accounts are disabled.

Synchronization
Michael described synchronization as "keeping the information about a user's identity consistent across different repositories—whether that be in a database, a non-Microsoft directory, or other repositories. You need a single view of the user across the enterprise."

Our survey showed that maintaining such consistency is a problem: More than 45 percent of readers store employee information in multiple directories, and nearly 61 percent of those respondents have trouble synchronizing the information across those directories.

Andreas commented that this survey data "was great feedback for us. When we talk to current MIIS customers, we talk to the same market segment—enterprise customers that have a lot of big identity stores. They know that they need to keep all these identity stores in synch. It's the synchronization scenario that's most prevalent with MIIS customers today."

"But from the survey data," Andreas continued, "we get confirmation that there are other aspects of identity and access lifecycle management that are not addressed by just talking to customers who do directory synchronization. Those aspects are around process automation."

Process Automation and Self-Service
I asked Andreas to explain process automation. "Let's say you have a change in an authoritative store," he replied. "Say my title changes in the HR system. Because of the new title, a lot of things need to change in connected directories, based on the business rules IT has defined. For example, my expense limit should be raised in some other databases. You can't automate a process like this with AD alone because AD is how we publish information; it's how clients can get to information; it's how users log on. But AD itself doesn't have any automated triggers that fire other actions if some data changes. When my description in AD changes, it doesn't change anywhere else—I'm not added to a new group, for example. This is the type of process automation that MIIS brings."

A related way that IIFP and MIIS can benefit IT is by enabling self-service, which Michael defines as "pushing some IT or Help desk tasks out to end users. Imagine you have a diverse set of directories and systems. When users log on to AD, they get single sign-on to Microsoft applications and other applications that integrate with AD. But when they need to log on to an application on another system, that becomes a burden for the user and for IT and the Help desk. The more credentials users need to remember, the more they rely on the Help desk and IT to reset passwords, or they write passwords down, creating a security vulnerability." By automating the synchronization process, "MIIS can ensure a user has one username and password across different systems. When users reset their password in one place, MIIS resets it in other locations. Users only have to remember one password. And, using AD, IT can manage the strength and frequency of password changes in a standardized way."

Andreas added, "Sometimes, little things like managing group memberships are a big burden on IT. With the latest release of the MIIS resource kit, we added a sample account-request application to demonstrate how self-service and process automation can relieve some of that burden. Suppose you want to request a user account in AD, for example. You fill out a form. Based on a business rule, our sample application determines who the approver is and sends mail to that person. The approver goes to a Web site and approves or denies the request. This application is a framework for extending or adapting your environment."

Andreas concluded, "The power of managing all your identity stores through automation and business rules is something we haven't addressed well. But your survey data shows that this is a big need for your readers. So we need more examples of useful self-service applications—like group management applications—to demonstrate the value of having business rules driving your deployments."

Not for Everyone
Microsoft has a hard time explaining IIFP and MIIS because the problems they solve are not universal. Small businesses, for example, have little or no need for provisioning and for synchronizing user information across multiple repositories. Let me know if you've found this information useful—even if your network doesn't see dead people.