
Security management

White paper

Develop effective user management to demonstrate compliance efforts and achieve business value.

September 2008

Contents

2 Overview
3 Understand the challenges of user management
4 Develop a strategic approach that delivers quick value
6 Expand user management and bridge IT with lines of business
10 Discover enterprise-wide security and compliance solutions from IBM
12 Alcatel-Lucent customer experience
13 Conclusion
14 For more information
15 About Tivoli software from IBM

Overview

Organizations are faced with the challenge of demonstrating compliance while providing accurate, timely information to more users across more environments than ever before — and to do all this while reducing overhead, increasing productivity and expanding the number and variety of information services across the enterprise.

Supporting a strategic approach, IBM solutions can help organizations successfully develop and expand user management solutions from the departmental level to enterprise-wide implementations. In support of their specific compliance, business and technical requirements, organizations can use IBM Tivoli® Identity Manager software and other IBM offerings to:

• Automate, manage and audit the life cycle of user access rights across the IT infrastructure.
• Define and manage centralized authentication, access and audit policies.
• Enable single sign-on (SSO) across security domains.
• Provide centralized log management and event correlation.

With IBM, organizations can develop comprehensive solutions to help gain visibility into business continuity risks, achieve control over utilization of sensitive business assets and automate a variety of processes for managing access to critical assets and data.

Understand the challenges of user management

Doing two things at once is hard enough. For today’s organizations, the challenge is to accomplish three, four or more things — any one of which might appear to be in conflict with the others.

On the one hand, organizations need to demonstrate compliance by controlling and monitoring access to sensitive information. On the other hand, they need to stay competitive by providing access to more information than ever before to more users and different types of users, including employees, customers, business partners and suppliers. At the same time, they need to find new and better ways to reduce administrative costs and improve productivity through automation, user self-service and other innovative capabilities.

Compliance remains a critical issue for many organizations. To help demonstrate compliance, organizations should develop a common user management solution implemented across the enterprise. This solution should include authentication, authorization and network traffic monitoring, backed by comprehensive audit and reporting capabilities. User management should also support the full life cycle of user identity, from the efficient onboarding of new users to their final retirement and the elimination of unidentified or “orphan” accounts.

Organizations should create user accounts efficiently to allow new hires — or employees with new roles — to be productive as soon as possible without waiting days for their accounts to be created. Conversely, when users are offboarded, their accounts and privileges should be retired immediately to help avoid potential security exposures from disgruntled employees who were terminated. And when an employee changes jobs or takes on new duties, account access should be reviewed and privileges removed that are no longer required. In order to provide timely updates to handle these user life-cycle events, a user management solution should be implemented.

Organizations also have to deal with the rising cost of user management
administration, including account provisioning and deprovisioning, recertifica-
tion of access rights, help-desk calls, password resets and other administrative
tasks, many of which are still manual-based. These costs can add up quickly
and will only increase as the number of users and services continues to grow
and IT infrastructures become larger and more complex.

Develop a strategic approach that delivers quick value

Proven strategies can help organizations address the challenges of deploying user management solutions that are compliant, efficient, scalable and cost-effective. The perception that user provisioning deployments are long and cumbersome holds merit when not planned accordingly. However, what is often missed is that quick, significant value can be derived without the need to provision users. With compliance as the critical business driver behind user management deployments, a quick first step to value can be achieved through reconciliation, recertification and reporting.

By centrally reconciling accounts on target systems, organizations can quickly identify orphan and/or dormant accounts. This enables organizations to get an immediate view of potential security exposures. After cleaning up the accounts to ensure that they match with valid users, the next step is to establish a recertification policy to validate the need for the accounts on an ongoing basis. This recertification policy will also mitigate the proliferation of orphan and dormant accounts in the future. For example, if a user has moved on to another position and no longer needs access to their account(s), then that user’s manager would reject the recertification request and the user’s account(s) would be automatically suspended or deleted. Finally, organizations should provide an auditable trail that can help demonstrate compliance efforts. Delivering reports on each service, orphan accounts, dormant accounts and a recertification history will enable organizations to show reports to auditors that help describe who has access to what and how they got that access.

Reconciliation, recertification and reporting can deliver a tremendous amount of value before introducing the need to provision user accounts. A critical factor in delivering value, however, is the ability to integrate with target systems so that reconciliation, recertification and reporting can occur. Tivoli Identity Manager is uniquely positioned to deliver this value for several reasons. First, Tivoli Identity Manager can provide reconciliation, recertification and reporting, as well as a substantial number of target system adapters available out of the box. Second, should an organization have a custom application, Tivoli Identity Manager provides a rapid adapter toolkit specifically designed to help organizations create custom adapters. Third, Tivoli Identity Manager has the ability to create and manage “manual services” for target systems that may be managing their user accounts via a spreadsheet. Manual services can be reconciled by a comma separated values (CSV) file so they can be subject to approval workflows, recertification policies and reporting. Together these Tivoli Identity Manager capabilities offer both small-to-midsize and large enterprises the opportunity to retrieve quick value while establishing a footprint for user provisioning and role management.
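The reconciliation, recertification and reporting steps described above, including reconciliation of a manual service from a CSV export, worked through as an added Python example that is not Tivoli Identity Manager's code; the HR feed, the target-system CSV, the reference date and the 90-day dormancy threshold are constructed assumptions.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample inputs (hypothetical values, not from any real system): an HR
# feed of identities, and one target system's account export in the CSV shape a
# "manual service" would hand to a reconciliation run.
HR_FEED = [
    {"uid": "u1001", "manager": "m200", "status": "active"},
    {"uid": "u1002", "manager": "m200", "status": "active"},
    {"uid": "u1003", "manager": "m201", "status": "terminated"},
]
TARGET_ACCOUNTS_CSV = """\
login,owner_uid,last_login
ada,u1001,2008-09-01
bob,u1002,2008-03-02
cy,u1003,2008-08-15
svc_backup,,2008-08-30
"""
TODAY = date(2008, 9, 15)   # fixed reference date so the run is reproducible

@dataclass
class Finding:
    login: str
    kind: str      # "orphan" or "dormant"
    reason: str

def parse_accounts(csv_text: str) -> list:
    return list(csv.DictReader(io.StringIO(csv_text)))

def reconcile(accounts, hr_feed, today=TODAY, dormant_days=90):
    """Match each target-system account to a valid identity. Accounts with no active
    owner are orphans; owned accounts unused for more than dormant_days are dormant."""
    active = {p["uid"] for p in hr_feed if p["status"] == "active"}
    findings = []
    for acct in accounts:
        owner = acct["owner_uid"]
        if owner not in active:
            why = "no owner recorded" if not owner else f"owner {owner} is not an active identity"
            findings.append(Finding(acct["login"], "orphan", why))
            continue
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > dormant_days:
            findings.append(Finding(acct["login"], "dormant", f"no login for {idle} days"))
    return findings

def recertify(accounts, hr_feed, decisions):
    """Apply each owner's manager's decision: a rejection suspends the account, no decision
    yet leaves it pending. Returns actions per login and an auditable trail."""
    manager_of = {p["uid"]: p["manager"] for p in hr_feed}
    outcome = {"approve": "keep", "reject": "suspend"}
    actions, trail = {}, []
    for acct in accounts:
        approver = manager_of.get(acct["owner_uid"], "<no manager>")
        decision = decisions.get(acct["login"], "pending")
        action = outcome.get(decision, "await decision")
        actions[acct["login"]] = action
        trail.append((acct["login"], approver, decision, action))
    return actions, trail

def summarize(findings) -> dict:
    """Counts per finding kind: the figures an auditor-facing report leads with."""
    counts = {"orphan": 0, "dormant": 0}
    for f in findings:
        counts[f.kind] += 1
    return counts

if __name__ == "__main__":
    accounts = parse_accounts(TARGET_ACCOUNTS_CSV)
    findings = reconcile(accounts, HR_FEED)
    print(summarize(findings), [(f.login, f.kind, f.reason) for f in findings])
    print(recertify(accounts, HR_FEED, {"ada": "approve", "bob": "reject"})[1])
```

The trail records who decided what for each account, which is the "how they got that access" part of the report an auditor asks for.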

[Figure: user life-cycle diagram. Stages: Define role and user rights, controls; Enroll users and provide user self-service; Issue and manage user rights; Enforce access control; Monitor, audit, report and proof users; Support identity governance, recertification and reporting; Issue credentials, automate access rights and retire accounts.]

Tivoli Identity Manager and Tivoli Access Manager solutions provide key capabilities ranging from initial user onboarding to final account retirement.

Expand user management and bridge IT with lines of business

As organizations expand their user management plans to include user provisioning, it is imperative that they understand the context of an identity in their own business environment. A cross-functional team made up of IT and business stakeholders should evaluate an organization’s existing business processes and the management of their users and access rights. Particular attention should be paid to the frequency and volume of changes to user roles and access rights. This can help organizations assess the relative benefits of role-based and request-based user provisioning for their organization.

Request-based provisioning becomes more commonplace for organizations that have a more knowledge-based workforce, such as a law firm or business consultancy. In these types of organizations, user access rights can change frequently. Therefore, it is better to have users request new access than to constantly change their role to reflect a new set of access permissions. Tivoli Identity Manager has a simple self-service user interface that facilitates request-based provisioning — for both the end user requesting access and the approver allowing access. Behind the scenes, Tivoli Identity Manager evaluates the provisioning policy, and it provisions user access to the business resource.

[Figure: screenshot.] The Tivoli Identity Manager self-service console lets users manage their passwords and access to corporate resources.

Tivoli Identity Manager also helps bridge IT with lines of business by allowing end users to request access to one business entitlement (for example, a sales portal) rather than individual technical permissions (such as “Active Directory group — UK3g8saleww_R”). These access entitlements streamline the administrative effort by grouping technical permissions into a reusable asset that is pluggable into workflows and policies. At the same time, auditing becomes much more intuitive as access entitlements represent meaningful assets rather than cryptic technical permissions.

Role-based provisioning, where users are assigned access permissions by their organizational role, is typically better for organizations where business roles, and their access rights, do not frequently change — as with bank tellers. The use of roles can also bridge IT with lines of business as organizational roles (such as an insurance claims administrator) become tied to application roles (for example, “ClaimsApplicationCaseWorker”). Together this linkage can provide visibility into business, effective control of user access permissions and automation of user management business processes throughout the organization.

Tivoli Identity Manager can provide organizations with role-based access control for provisioning and attestation, provisioning policy simulation to determine the impact of role changes, and a delegated administration system for the creation and management of roles. Specifically, Tivoli Identity Manager offers the ability to define roles statically (where roles are defined for a set of people) and dynamically (where roles are defined for a set of people based on attribute information about them, such as employees or contractors). These roles are often used for automated provisioning workflows. Reduced administration can also be achieved by having entitlements for multiple accesses or accounts embodied in a single role.

To give an example of role-based access control, a user joins a new project and needs an account on the test system, access to documentation on a file server and access to the project management database — each with different access rights based on the user’s role. When the project is completed, access to these systems can be quickly revoked by removing the person from the role. If users change jobs, their new roles can automatically remove them from systems they no longer require. Tivoli Identity Manager also enables organizations to recertify a user’s need to be a member of a role. This recertification process enhances security and compliance by revalidating a user’s membership in a particular role.

For organizations seeking extended role administration, role mining and segregation of duties, Tivoli Identity Manager offers integration with several strategic Ready for Tivoli partners. (Visit http://catalog.lotus.com/wps/portal/topal)
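A small model of the role-based provisioning described in the preceding paragraphs (access entitlements bundling technical permissions, static and dynamic roles, policy simulation of a role change) applied to the project example above, as an added Python example that is not IBM's or Tivoli Identity Manager's code; the entitlement, role and person records are constructed sample values.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Set

# Business-level access entitlements and the technical permissions each one
# bundles (constructed sample values; the page's own examples are a sales
# portal backed by an Active Directory group).
ENTITLEMENTS: Dict[str, FrozenSet[str]] = {
    "Corporate mailbox":       frozenset({"exchange:mailbox"}),
    "Claims case work":        frozenset({"claims-app:CaseWorker", "AD:grp-claims-docs-R"}),
    "Project Atlas workspace": frozenset({"testsys:account", "AD:grp-atlas-docs-R", "pmdb:atlas:RW"}),
}

@dataclass(frozen=True)
class Role:
    name: str
    grants: FrozenSet[str]                          # entitlement names this role confers
    members: FrozenSet[str] = frozenset()           # static role: an explicit set of people
    rule: Optional[Callable[[dict], bool]] = None   # dynamic role: predicate over attributes

# Constructed roles: two dynamic (attribute-driven) and one static (project membership).
ROLES = [
    Role("Employee", frozenset({"Corporate mailbox"}), rule=lambda p: p["type"] == "employee"),
    Role("ClaimsApplicationCaseWorker", frozenset({"Claims case work"}), rule=lambda p: p["dept"] == "claims"),
    Role("ProjectAtlasMember", frozenset({"Project Atlas workspace"}), members=frozenset({"u1001"})),
]

PEOPLE = {  # constructed identity records keyed by user id
    "u1001": {"type": "employee", "dept": "claims"},
    "u1002": {"type": "contractor", "dept": "claims"},
}

def roles_for(uid: str, person: dict, roles=ROLES) -> Set[str]:
    """A person holds a role by explicit membership or by matching its attribute rule."""
    return {r.name for r in roles if uid in r.members or (r.rule is not None and r.rule(person))}

def permissions_for(uid: str, person: dict, roles=ROLES) -> Set[str]:
    """Expand roles to entitlements and entitlements to technical permissions."""
    held = roles_for(uid, person, roles)
    perms: Set[str] = set()
    for r in roles:
        if r.name in held:
            for ent in r.grants:
                perms |= ENTITLEMENTS[ent]
    return perms

def plan(current: Set[str], desired: Set[str]) -> Dict[str, list]:
    """Provisioning actions that move a user's accounts to the policy's desired state."""
    return {"grant": sorted(desired - current), "revoke": sorted(current - desired)}

def simulate(uid: str, person: dict, before, after, new_person: Optional[dict] = None):
    """Policy simulation: the impact on one user of replacing the role set (and,
    optionally, of an attribute change such as a new department)."""
    return plan(permissions_for(uid, person, before),
                permissions_for(uid, new_person or person, after))

def without_member(role: Role, uid: str) -> Role:
    """Remove a person from a static role, e.g. when a project completes."""
    return Role(role.name, role.grants, role.members - {uid}, role.rule)

if __name__ == "__main__":
    done = [without_member(r, "u1001") if r.name == "ProjectAtlasMember" else r for r in ROLES]
    print("project completed:", simulate("u1001", PEOPLE["u1001"], ROLES, done))
    moved = {"type": "employee", "dept": "finance"}
    print("job change:", simulate("u1001", PEOPLE["u1001"], ROLES, ROLES, new_person=moved))
```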

Ready for Tivoli partners

Name       Product                                          Solution
SecurIT    RoleManager                                      Extended role-based access control capabilities for Tivoli Identity Manager
SailPoint  Compliance IQ                                    Identity risk management
Aveksa     Aveksa Compliance Manager and Role Manager       Enterprise access governance
Eurekify   Enterprise Role and Compliance Management Suite  Role and policy life-cycle management
Approva    BizRights                                        Intelligent business controls
SAP        SAP GRC                                          Intelligent business controls

In summary, most organizations fall somewhere between role-based and request-based provisioning, and they take a hybrid approach to leverage the benefits of both models. At one end, the ongoing operational labor associated with request-based provisioning can be too cumbersome for some organizations — yet it is quick to implement. At the other end, the time and effort required to set up a fully developed organizational role structure and associated policies for role-based provisioning can be too difficult to effectively execute. However, tremendous value is provided through automation once it is deployed. There is no right or wrong answer. Rather, an organization should evaluate what approach works best for them and then establish a phased approach to deliver value.

When it comes to actual deployment, the best strategy typically is to start with a small user management solution and then grow larger incrementally. For example, a single, departmental application can be used as the foundation for more complex cross-system and cross-application implementations. In the same way, request-driven user provisioning can be implemented first and then replaced with role-based provisioning.

Discover enterprise-wide security and compliance solutions from IBM

Every organization should have a complete, end-to-end security and compliance strategy in place. That’s where IBM can help, providing an unparalleled range of products, services and other offerings designed to:

• Identify gaps in existing capabilities across people, processes, applications and data.
• Prioritize security initiatives according to business goals and technology requirements.
• Select technology based on specific budgetary goals and ROI requirements.
• Simplify and speed the planning and execution of enterprise-wide security programs.
• Provide repeatable, measurable planning processes.
• Achieve a desired security posture that meets business and compliance requirements.

A complete description of IBM security and compliance offerings is well beyond the scope of this white paper, but the following examples indicate how organizations can easily increase the depth and breadth of their Tivoli Identity Manager solution.

IBM Tivoli Security Information and Event Manager can help demonstrate compliance and enhance security by providing log management, real-time event correlation and user activity monitoring. This helps to streamline management, control costs and increase IT productivity across a large, heterogeneous IT infrastructure.

For centralized authentication and authorization, IBM Tivoli Access Manager for e-business provides an integrated solution for defining and managing authentication, access and audit policy across a broad range of business initiatives. Tivoli Access Manager for e-business can help organizations control management costs and streamline the execution of security policies across multiple Web and application resources.

IBM Tivoli Access Manager for Operating Systems is designed to block illegal access to business-critical applications, files and platforms. Unmanaged access to super-user or “root” accounts presents organizations with a significant security risk. A policy-based access control solution like Tivoli Access Manager for Operating Systems helps address these security risks by providing centralized policy management, enforcement and comprehensive auditing.

IBM Tivoli Access Manager for Enterprise Single Sign-On provides simple
authentication capability across diverse applications, data stores and environ-
ments. The product helps automate SSO, enhance security with automatic
password management, and extend audit and reporting capabilities in a quick,
simple-to-deploy solution.

Alcatel-Lucent customer experience

Alcatel-Lucent selected Tivoli identity management software to help support its efforts to increase security measures, improve employee efficiency, reduce help-desk costs and support compliance initiatives.

“Expectations for real-time access, regulatory compliance, operational cost optimization and mobility of the workforce are key drivers for streamlining our user account provisioning processes,” said Elizabeth Hackenson, Alcatel-Lucent CIO. “IBM’s expertise and software have helped us develop a global user identity management program, providing us an automated tool to manage our user accounts while reducing costs.”

The initiative replaces various user provisioning processes with one integrated, standardized user management system. It provides Alcatel-Lucent with greater visibility into system-wide user identities, and it also uses automated software to streamline processes and tasks, thereby lowering IT support costs.

Tivoli Identity Manager includes a password self-reset feature that allows users
to reset and synchronize their passwords online. With this one feature alone,
Alcatel-Lucent expects to reduce password-related calls to the IT service desk
by 70 percent and provide increased productivity for both system users and
support staff. Additionally, the new system can automatically close accounts
of employees who have left the company, helping to eliminate related security
risks and improve the data quality of the company directories.

Conclusion
As a recognized leader in identity and access management, Tivoli security
solutions can also be used with a large number of non-IBM enterprise soft-
ware solutions. Providing a broad, scalable solution for centralized security
management, Tivoli Identity Manager software can help:

• Demonstrate compliance across the entire user life cycle with comprehensive auditing and reports
on user access rights and activities.
• Increase ROI by quickly integrating new users and applications.
• Efficiently manage user accounts, access rights and privacy preferences through automation.
• Simplify complexity with consistent security policies and centralized administration.
• Support fully integrated, strategic security across the enterprise.

[Figure: Visibility: see your business; Control: manage your business; Automation: improve your business.]

With IBM, organizations can develop comprehensive solutions to help gain visibility into business continuity risks, achieve control over utilization of sensitive business assets and automate a variety of processes for managing access to critical assets and data.

For more information

To learn more about Tivoli Identity Manager and other IBM solutions for optimizing security and compliance efforts, contact your IBM representative or IBM Business Partner, or visit ibm.com/tivoli

About Tivoli software from IBM

Tivoli software offers a service management platform for organizations to deliver quality service by providing visibility, control and automation — visibility to see and understand the workings of their business; control to effectively manage their business, and help minimize risk and protect their brand; and automation to help optimize their business, reduce the cost of operations and deliver new services more rapidly. Unlike IT-centric service management, Tivoli software delivers a common foundation for managing, integrating and aligning both business and technology requirements. Tivoli software is designed to quickly address an organization’s most pressing service management needs and help proactively respond to changing business demands. The Tivoli portfolio is backed by world-class IBM Services, IBM Support and an active ecosystem of IBM Business Partners. Tivoli clients and Business Partners can also leverage each other’s best practices by participating in independently run IBM Tivoli User Groups around the world — visit www.tivoli-ug.org
© Copyright IBM Corporation 2008

IBM Corporation
Software Group
Route 100
Somers, NY 10589
U.S.A.

Produced in the United States of America
September 2008
All Rights Reserved

IBM, the IBM logo, ibm.com and Tivoli are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml

Other company, product and service names may be trademarks or service marks of others.

Disclaimer: The customer is responsible for ensuring compliance with legal requirements. It is the customer’s sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the reader may have to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law or regulation.

TIW14013-USEN-00
