IMANAMI WHITE PAPER
Unleash the Power of Active Directory Groups
September 2008 - K. McGee / Netais LLC
5099 Preston Ave. Livermore, CA 94551. Tel: 925-371-3000 Fax: 925-371-3001. www.imanami.com Copyright © Imanami 2008
Introduction

The Basics
The past decade has brought an unprecedented increase in the degree to which technology drives business growth. While each new IT capability spawns additional profit opportunities, new risks are created as well. A decade ago, precious few Internet users worried about safeguarding their digital persona. Yet today these same information consumers might openly question an organization's security policies, demand to see its information life-cycle handbook, or bring to the negotiating table demands for greater assurances regarding corporate use of "personal data".
Digital Identities
The concept of a persona, a unique identity that describes a system consumer, has given rise to a new challenge for enterprises of all sizes: identity management. Broadly stated, identity management (IdM) is the process of identifying authorized consumers of a system and its information outputs by comparing the unique properties of the consumer with an established set of access permissions. IdM metadata generally includes the following:
- Who you are (for instance, a name, username, handle, etc.)
- Your role (for instance, title, level/class/grade, organization, etc.)
- Your privileges (the activities that you are allowed to perform)
- Your access rights (the resources and objects that accept your requests or orders)
While this information is fundamental and critical, it is often maddeningly difficult to collect and manage in anything but the smallest of organizations. Part of this results from the broad scope of the IdM domain. Typical components of an enterprise IdM solution include:
- Authentication - validating an assertion to a particular identity
- Single Sign-On (SSO) - an umbrella technology that grants access to all of an organization's systems based on one, global user identity token
- Password Management - a collection of services that automate and manage the process of issuing, renewing, and revoking "user secrets" such as passwords
- Provisioning - an administrative service that establishes and manages individual user accounts in each of an organization's systems and applications
Several large vendors and consulting companies have laid claim to the identity management area, but real success stories can be hard to find. "Every one of my peers is working on his IdM platform," stated one CIO of a financial services firm, "but I don't think anyone is satisfied with it."
Challenges to IdM Progress
IdM complexity results from a mismatch of perspectives, according to Robert Haaverson, CEO & CTO of Imanami Corporation (Livermore, CA). "End users, understandably, tend to think about IdM as a program effort - something that's ongoing and builds organizational expertise over time. Vendors tend to be thinking a bit more about products and services," says Haaverson. Additionally, the subject domain is not trivial. "It's very hard for a given organization to have all the skills to really implement an IdM program that flies," notes Haaverson. "Most firms that have been around for awhile have at least one 'IT skeleton' in the closet." Things like legacy platforms and applications, undocumented customizations, or poorly written service contracts can introduce months of delays or cripple functionality to the point of rendering the program effort pointless. IdM initiatives then become a double-edged sword for today's CIO. Every morning new headlines spotlight the latest digital identity theft or unauthorized access to critical systems, while real, practical progress toward effective IdM remains blocked by systemic challenges.
How to Go Forward
Fortunately, for many organizations there is a simple, straightforward way to proceed based on leveraging a technology that over 90% of all organizations already use: the group structure in the firm's security directory. "People give me a blank stare when I first mention groups," notes Haaverson. "Groups have been around for so long I think we tend to look past the potential they have for addressing today's problems." Indeed, few IT executives view groups and group management as a core service of effective IdM. Yet, properly implemented, managed groups offer the prospect of real service improvement, stronger security, and more robust communications - tangible benefits to any enterprise.
Group Management Redefined
Haaverson and his colleagues at Imanami - based on decades of experience in digital security and directory management - have evolved a working set of definitions:
- Group - a collection of digital identities that (i) models a physical group (such as the employees in a department or students in a class) or (ii) is meant to serve a particular purpose (such as a list of team members or the distribution list of a corporate communication).
- Group Management - the process of creating, or sponsoring the creation of, groups and the application of comprehensive management services to them over the full group life-cycle.
By themselves, groups are so generic as to be almost without value. However, when other systems or applications apply their own requirements to the collections, groups can provide great value. For example, most users of email systems understand the benefit of distribution lists as a means to send a single message to multiple parties. However, as Haaverson points out, "having a list of contacts in my email client is great - until someone asks 'Can I use your list?' I'm stuck; there's no easy way to share that information short of cut and paste. However, if that distribution list is actually an email-enabled group in, let's say, Active Directory, then anyone with permissions can benefit from the list."
But groups go far beyond email and distribution lists. Groups efficiently provide access control to both privileges and resources. "That's why Microsoft embeds all of those groups you see in AD," explains Haaverson. "They know - regardless of your industry or footprint - you're going to have domain administrators, so there is an Administrators group; if you buy SQL Server, there is a SQL Administrators group, and so on." Groups ease the burden of provisioning by requiring the access and privileges matrix to be defined once - for the group - while individual accounts requiring those rights inherit them as a function of group membership.
Types of Groups
Groups can be usefully categorized into different types. Haaverson and Imanami use the following distinctions:
- Dynamic - groups whose members can be determined by external attributes or criteria. That is, rules can be defined that, when applied, result in the collection. Examples include a list of prospects in a geographical area or the list of doctors with a particular practice specialty.
- Arbitrary - groups whose members cannot be determined by any external attributes or criteria. That is, membership is determined solely by the owner or the members. Examples include the members of a project team or a list of individuals invited to a private event.
Arbitrary groups can be further decomposed into static and member-managed groups. Static groups tend to be private collections - lists created by a particular owner for a particular purpose. Member-managed groups embody the "opt-in/opt-out" model typically encountered in customer service, marketing, advocacy, and professional development environments. In its purest form, the members themselves hold complete control over their participation in a group. Hybrid forms may add an administrative review of candidate members who have requested to join the group.
Group Life-Cycle
Haaverson also promotes the concept of the group life-cycle, which, he notes, is typically a new perspective for most IT practitioners and many vendors. The life-cycle includes the following states:
- Creation - the formation and initial population of a group
- Use - the day-to-day, operational references to the group by systems and applications
- Expired - a near end-state wherein the group is logically deleted. It reacts to requests and references to it as if it did not exist, but is in fact still recoverable
- Termination - includes the actual deletion of the group (and possibly its history), after which renewal is impossible
"The basis for the life-cycle is that the group - and the information it embodies, its membershipness if you will - is an asset to the organization," states Haaverson. "And like any asset, it must be managed in order for the organization to extract maximum value. Manually maintaining groups is an incredible waste of time and effort. When a group stops providing value to the organization it should be expired and, eventually terminated. But this can be complex. Blowing away an email group prematurely can cause communication problems in far-flung enterprises that linger for days. Not terminating a dead group is like a forgotten door left wide open for someone to access accounts, change permissions, and do all kinds of bad things." Recognizing this aspect then becomes a key consideration when evaluating group management practices and solutions.
[Figure: Lifecycle of a Group. Create -> Use -> Expire -> Delete, with a Renew path leading from Expire back to Use.]
Challenges Today

Group Management Posture
Organizations generally fall into one of the following three categories when evaluated on their group management practices:
- Negligent - these organizations do nothing with groups, using no groups or lists other than the default collections included with their systems and applications. They receive no value from group use and expend no cost. It is estimated that as many as three out of four firms fall into this category.
- IT-Centric - these organizations make effective use of a limited number of groups. Because the IT entity creates and manages the groups - typically without automation - the number of groups and the nesting structure is limited and the cost associated with group management is significant. It's thought that the majority of the firms not in the Negligent category fall into this classification.
- User-Centric - a few organizations use the "wisdom of crowds" model, wherein groups are created and maintained by the rank and file. Imanami has found these environments to be characterized by an excessive number of groups, extensive duplication, inconsistent accuracy, and "orphaned groups" (which result when an owner leaves the organization). Costs are distributed and are difficult to measure.
Existing Product Options
Organizations also tend to cluster when analyzed with regard to the technology used for groups.
- Active Directory - firms using Microsoft products often leverage the group features of Active Directory (AD). AD itself ships with dozens of "built-in" groups that are essential to Windows or other Microsoft products. Typical experience in medium to large sized implementations is characterized by directory management that is administratively intense; data entry is largely manual and done by highly compensated IT specialists.
- Outlook - less sophisticated organizations may rely solely on the group management capabilities in Microsoft's popular email client, Outlook. Typically, end users attempt to maintain groups that were first created by a system administrator; however, this practice rarely delivers much benefit. Most end users fail to recognize "list management" as strategic to the firm, and by concentrating only on email-enabled groups (which is what Outlook's distribution lists are) the organization is robbed of the benefits of using groups to define and control security activities such as access rights and resource permissions.
- Internally Developed Tools - a few organizations "roll their own," deploying internally developed applications in an effort to reduce or eliminate IT involvement in group management activities. "This is very attractive - at least at first," notes Haaverson. "A good developer will be able to knock out a decent app to create groups and manage members in a couple of days." However, the risk lies with the total cost of ownership; maintenance of such a "one off" application can easily be overlooked or neglected. But the biggest risk concerns the scope of the design. "I've yet to meet a corporate developer that really understands what we mean by Group Lifecycle Management," states Haaverson. "It's the life-cycle steps that follow Creation and Use that are the most important to the organization (meaning a problem with these results in the most expensive disruption) and the hardest to develop. If they knew this upfront, most IT groups wouldn't think of trying to tackle this challenge internally. It's just not their core competency."
Threats to Productivity
Haaverson and Imanami professionals have worked with hundreds of organizations, consulting and advising on group management, interfacing to legacy systems, and implementing solutions. What's remarkable, according to Haaverson, is the widespread view that because groups are simple and elemental, they don't require IT attention. "Most IT departments have so many things to focus on, the last thing they want to think about are groups," he observes. "But that's the first step down the path to problems."
Mismanaged or unmanaged groups, in and of themselves, aren't the problem; it's what happens to the larger organization as a result. The most obvious issue in sites where an IT-centric posture is taken involves the potential for significant cost of using valuable IT systems staff for group maintenance activities. In one recent case, Haaverson noted that a Fortune 100 telecom provider had dedicated six FTE to group maintenance. "And they were failing," he adds. "The information they needed to succeed was simply too costly to acquire on a timely basis."
More subtle problems involve group glut - Haaverson's term for an organization that simply has too many groups - and group hijacking - his reference to unauthorized group use. "In some environments group glut seems inevitable: without an authoritative source, up against typical business deadlines, it's easier to create a new group with the right membership than it is to ensure the right members are in an existing group. That's great in the short term, but doing this over and over creates a nightmare if you ever have to reconcile or collapse all these groups that are near-but-not-exact copies of each other." Group hijacking, on the other hand, involves sending an email to the wrong group or nesting a group inappropriately inside another.
"The problems with this go beyond the time wasted by people Replying All to the sender saying 'Take me off this list', and all the replies to the replies," says Haaverson. "You can easily be looking at a harassment claim or other legal issue. And people forget that even today email is still used as a primary delivery channel for enterprise critical information." Assuming that a remote operation has limited bandwidth and server resources, it's easy to see how a "mail storm" of messages resulting from a hijacking could delay essential messages from reaching their intended target for hours or even days.
But by far the greatest vulnerability from poor group management is unauthorized access to secure resources. "The group dynamic isn't symmetrical," asserts Haaverson. "When you join an organization, it's fairly easy for you or your manager to advocate as necessary to get you all the permissions you need to perform your job. But that doesn't happen when you leave or change positions. When that happens, there's no one advocating for your accounts to be closed and your group memberships to be expired, so the doors are sometimes left wide open." The results to an organization of illegal or inappropriate access to critical systems can be disastrous, taking a financial, reputational, and legal toll hugely disproportionate to the root cause: poor identity management. And yet, organizations press on, perhaps not recognizing that the elements of an effective solution already exist.
Solving the Problems
As noted above, a keen understanding of the realities of the Group Life Cycle and its management is fundamental to avoiding adverse organizational impacts. But to be useful, that understanding must inform an implementation of a solution that actually delivers results. Haaverson posits four attributes of such a solution as depicted in the figure below.
[Figure: the solution architecture. HR, the authoritative source, is synchronized with Active Directory; distribution lists and security groups are constructed automatically; end users, the help desk and administrators work through self-service.]
Note: the figure depicts the solution in a Microsoft AD environment, but the general nature of the solution does not necessarily differ with respect to the type of directory.
Synchronizing to an Authoritative Source The solution architecture begins with identifying the store (or stores) of information that the organization believes is authoritative. "This can be a real challenge," notes Haaverson. "Some organizations may have to expend a little energy to reconcile different databases in order to compile something they feel is truly accurate and authoritative."
Once a source is determined, the solution must support efficient, multi-directional information exchange between the authoritative source and the central technical directory. This immediately results in two key benefits. First, the organization's technical directory (on which most of its key systems depend) is brought into full alignment with the most current organizational data. This immediately improves communication accuracy. Second, organizational data - often "locked" in forms that defy integration - is now made available via the directory for organizational uses that heretofore were deemed infeasible.
Automated Construction of Dynamic Groups
Dynamic groups, it will be recalled, are those that can be derived by applying rules or queries, based on some external attributes or properties, to the directory. Yet in so many cases firms still attempt to administer these groups manually. An effective group management solution eliminates the manual intervention through automation. Group construction is defined in the form of rules, conditions, and queries that are applied to the directory at a predetermined frequency. The maintenance of the group's membership - the actual adding or removing of accounts - is handled by the system based on the query results.
This eliminates the chance of human error in maintenance, releases valuable IT resources for other activities, and places the emphasis where it is most critical: keeping the fundamental attributes of user accounts accurate in the directory instead of maintaining lists and lists of group memberships.
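What the automation step above actually computes is a reconciliation: evaluate the rule over the directory, compare the result with the group's current members, and apply the difference. The following Python is an added example, not Imanami's product code. DIRECTORY is a constructed in-memory stand-in for an LDAP search result (attribute names follow the AD schema: sAMAccountName, department, l, userAccountControl), and the add/remove calls that would go to Active Directory are represented by apply_plan. It also adds the guard a practitioner wants and the paragraph does not mention: if the rule matches nobody, or would strip most of the group, the run refuses to apply, because a broken attribute feed must not silently empty a group that gates access.

```python
"""Dynamic-group reconciliation: membership derived from a rule over
directory attributes, diffed against the group's current members.

Added example, not Imanami's product code. DIRECTORY is a constructed
stand-in for LDAP search results; in a real deployment the query and the
add/remove calls go to Active Directory.
"""
from dataclasses import dataclass, field
from typing import Callable, Iterable, Optional, Set

ACCOUNTDISABLE = 0x0002  # userAccountControl bit: account is disabled
NORMAL_ACCOUNT = 0x0200  # userAccountControl bit: ordinary user account

# Constructed sample directory.
DIRECTORY = [
    {"sAMAccountName": "alice", "department": "Sales", "l": "Livermore", "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "bob",   "department": "Sales", "l": "Denver",    "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "carol", "department": "Sales", "l": "Livermore", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},
    {"sAMAccountName": "dave",  "department": "Legal", "l": "Livermore", "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "erin",  "department": "Sales", "l": "Livermore", "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "frank", "department": "Sales", "l": "Livermore", "userAccountControl": NORMAL_ACCOUNT},
]


def sales_livermore(user: dict) -> bool:
    """Membership rule: enabled accounts in Sales, located in Livermore.
    Excluding disabled accounts keeps a leaver from lingering in the group."""
    enabled = not (user["userAccountControl"] & ACCOUNTDISABLE)
    return enabled and user["department"] == "Sales" and user["l"] == "Livermore"


@dataclass
class Plan:
    add: Set[str] = field(default_factory=set)
    remove: Set[str] = field(default_factory=set)
    blocked: Optional[str] = None  # reason the plan must not be applied


def reconcile(rule: Callable[[dict], bool], directory: Iterable[dict],
              current_members: Iterable[str], max_remove_fraction: float = 0.5) -> Plan:
    """Compute the adds and removes that make current_members match the rule.

    Guard: a rule that matches nobody, or that would strip more than
    max_remove_fraction of the existing members, is refused and left for a
    human to review rather than applied automatically.
    """
    desired = {u["sAMAccountName"] for u in directory if rule(u)}
    current = set(current_members)
    plan = Plan(add=desired - current, remove=current - desired)
    if not desired:
        plan.blocked = "rule matched no accounts; refusing to empty the group"
    elif current and len(plan.remove) / len(current) > max_remove_fraction:
        plan.blocked = (f"would remove {len(plan.remove)} of {len(current)} members; "
                        "manual review required")
    return plan


def apply_plan(plan: Plan, current_members: Iterable[str]) -> Set[str]:
    """Return the new membership; a blocked plan leaves the group unchanged."""
    current = set(current_members)
    if plan.blocked:
        return current
    return (current | plan.add) - plan.remove


if __name__ == "__main__":
    # carol was disabled and dave moved to Legal since the group was last built;
    # frank joined Sales in Livermore but was never added.
    members = {"alice", "carol", "dave", "erin"}
    plan = reconcile(sales_livermore, DIRECTORY, members)
    print("add:", sorted(plan.add), "remove:", sorted(plan.remove), "blocked:", plan.blocked)
    print("membership after apply:", sorted(apply_plan(plan, members)))
```

The threshold of half the group is an assumed value; what matters is that the reconciliation runs on a schedule, refuses wholesale changes, and logs the plan it would have applied so the blocked case is visible rather than silent.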
Delegation That Works: Self-Service Group Management
In all but the smallest organizations the individuals closest to the work know the most about it. This applies to group management, but here's the conundrum: as an organization scales up, it becomes almost impossible for a central authority to feasibly acquire the information necessary to maintain a set of groups with any effectiveness, yet a full-on "power to the people" approach has been shown time and time again to be effective only in creating duplication, error, and confusion. What to do?
An effective group management solution offers the best of both worlds. Through a process Haaverson calls self-service, the feet-on-the-street intelligence of group constituents such as end users, help desk engineers, and administrators can be directly applied to the group management process. Qualified end users can create arbitrary groups directly based on their local knowledge and requirements, selecting from (where appropriate) an array of dynamic groups whose membership is maintained by the group management solution. The solution in effect brokers access to ensure full life-cycle management occurs.
This is essential to managing the most complex states of the group life-cycle: expiration and termination. By monitoring group use, the group management solution automatically determines when a group is a candidate for expiration. The group's owner is automatically queried regarding the group's status and is invited to renew it. The group's owner makes the decision about whether to retain or expire the group - appropriate behavior, because there may be valid reasons for a group's inactivity or the need to retain it for future use. A key aspect of this situation is the experience of end users who access the group while it is in the expired state. "This is critical," asserts Haaverson. "An expired group cannot respond (that is, provide services) as if everything is OK. But on the other hand, instead of just ignoring requests or generating a mail delivery failure message, it ought to communicate that an attempt was made to use an expired group and perhaps this group has value and should be renewed." Further, he adds, the best solutions retain the context and information of the original request and redeliver it once the group has been renewed. Only after repeated queries made to the group's owner go unanswered will the solution actually proceed with termination of the group.
"Think about self-service this way," suggests Haaverson, "end users are allowed to do what they do best: create and use groups that serve their purposes today. However, there is an intelligent component that automatically ensures that the group life-cycle is adhered to. Nothing is deleted without due consideration, yet groups that are truly obsolete are automatically 'sunsetted' with full disclosure."
This approach provides several benefits. Haaverson explains, "First, and perhaps most important, is the ability for the group management process to scale with an organization. You're no longer forced to keep throwing expensive resources [system administrators] at the problem. Second, the directory actually becomes more accurate. Most departments and users respond very well to the responsibility of keeping their own records straight. Third, and this is a benefit that's often missed, because at the end of the day the group life-cycle is still managed by the system, there's the ability to track changes, perform audits, assess trends, and do the sorts of things that any managed system should allow you to do."
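The expiration policy described above is a small state machine, and it is worth seeing it written down, because the security-relevant detail is easy to get wrong: an expired group must grant nothing while it is expired, yet remain recoverable. The Python below is an added example, not Imanami's product code. It models the states from the Group Life-Cycle section (Use, Expired, Terminated, with Renew returning an expired group to use), holds requests made against an expired group for redelivery on renewal, and terminates only after repeated owner queries go unanswered. Time is a plain day counter and the three thresholds are assumed values, not figures from the paper.

```python
"""Group life-cycle: Create -> Use -> Expire -> (Renew | Delete).

Added example, not Imanami's product code. Expiring a group suspends its
membership so an expired security group grants nothing, while keeping the
membership recoverable for renewal. Time is a day counter; the thresholds
are assumed values.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

INACTIVITY_DAYS = 90      # assumed: unused this long -> expire
QUERY_INTERVAL_DAYS = 14  # assumed: re-query the owner every two weeks
MAX_UNANSWERED = 3        # assumed: terminate after this many ignored queries


@dataclass
class Group:
    name: str
    owner: str
    members: Set[str] = field(default_factory=set)
    state: str = "USE"                      # USE, EXPIRED or TERMINATED
    last_used: int = 0
    last_query: Optional[int] = None
    unanswered: int = 0
    suspended_members: Set[str] = field(default_factory=set)
    held_requests: List[str] = field(default_factory=list)
    log: List[str] = field(default_factory=list)


def has_member(group: Group, account: str) -> bool:
    """What an access check sees: an expired group contains nobody."""
    return group.state == "USE" and account in group.members


def use(group: Group, today: int, request: str) -> str:
    """A system references the group, e.g. delivers a message to it."""
    if group.state == "USE":
        group.last_used = today
        return "delivered"
    if group.state == "EXPIRED":
        # Neither silently ignored nor bounced: held for redelivery on renewal.
        group.held_requests.append(request)
        group.log.append(f"day {today}: request held, group expired; owner {group.owner} notified")
        return "held"
    return "rejected"


def evaluate(group: Group, today: int) -> str:
    """Run once per day by the management service. Returns the action taken."""
    if group.state == "USE" and today - group.last_used >= INACTIVITY_DAYS:
        group.state = "EXPIRED"
        group.suspended_members, group.members = group.members, set()
        group.last_query, group.unanswered = today, 1
        group.log.append(f"day {today}: expired; owner {group.owner} queried")
        return "expire"
    if group.state == "EXPIRED" and today - group.last_query >= QUERY_INTERVAL_DAYS:
        if group.unanswered >= MAX_UNANSWERED:
            group.state = "TERMINATED"
            group.suspended_members.clear()
            group.held_requests.clear()
            group.log.append(f"day {today}: terminated after {group.unanswered} unanswered queries")
            return "terminate"
        group.last_query, group.unanswered = today, group.unanswered + 1
        group.log.append(f"day {today}: owner {group.owner} queried again ({group.unanswered})")
        return "requery"
    return "none"


def renew(group: Group, today: int) -> List[str]:
    """Owner answers the query: restore membership, redeliver held requests."""
    if group.state != "EXPIRED":
        return []
    group.state, group.last_used, group.unanswered = "USE", today, 0
    group.members, group.suspended_members = group.suspended_members, set()
    redeliver, group.held_requests = group.held_requests, []
    group.log.append(f"day {today}: renewed by {group.owner}; {len(redeliver)} request(s) redelivered")
    return redeliver


if __name__ == "__main__":
    g = Group("proj-zeus", owner="alice", members={"alice", "bob"})
    for day in range(140):          # nobody uses or renews it: expire, requery, terminate
        evaluate(g, day)
    print(g.state)
    print("\n".join(g.log))
```

The log list is the audit trail the Reporting section asks for: every transition records the day, the actor and the reason, so "How did our group data get so messed up?" has an answer.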
How We Got Here: Reporting
In most organizations groups are invisible but vital objects. Used heavily every day, they may be among the most dynamically changing elements of the technology infrastructure. But few IT groups have even the most minimal insight into group maintenance activity. And it's usually not until an embarrassing public error that anyone thinks to ask "How did our group data get so messed up?" A group management solution that is truly comprehensive provides information and insight to monitor and analyze the Group Lifecycle. Because an appropriate measure of central directory administration is retained, and the fundamental group construction process is automated, it's possible to record all of the significant life-cycle events for every group.
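Before any of this tooling is in place, the first report most organizations need is a one-off audit of what is already in the directory. The Python below is an added example, not Imanami's product code, and it looks for exactly the conditions the earlier sections warn about: members whose accounts are disabled or long unused (the "nobody advocates for your memberships to be expired" asymmetry), groups whose owner has left (the orphaned groups of the User-Centric posture), members that no longer exist, and a group nested into a privileged group, which widens that group's effective membership beyond what its direct member list shows (the nesting form of group hijacking). USERS and GROUPS are a constructed snapshot standing in for an export from Active Directory; lastLogon is a day counter here rather than a Windows timestamp, and the 90-day staleness threshold is an assumed value.

```python
"""Membership audit over a directory snapshot.

Added example, not Imanami's product code. USERS and GROUPS are a
constructed snapshot; in practice they would be exported from Active
Directory. lastLogon is a day counter; stale_days is an assumed value.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

ACCOUNTDISABLE = 0x0002  # userAccountControl bit: account is disabled
NORMAL_ACCOUNT = 0x0200

USERS: Dict[str, dict] = {
    "alice": {"userAccountControl": NORMAL_ACCOUNT, "lastLogon": 198},
    "bob":   {"userAccountControl": NORMAL_ACCOUNT, "lastLogon": 40},   # no logon for 160 days
    "carol": {"userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE, "lastLogon": 150},
    "dave":  {"userAccountControl": NORMAL_ACCOUNT, "lastLogon": 199},
}
GROUPS: Dict[str, dict] = {
    "Domain Admins": {"managedBy": "alice", "member": ["alice", "Ops-Team"]},
    "Ops-Team":      {"managedBy": "carol", "member": ["dave", "bob", "carol", "Ops-Team"]},
    "Proj-Zeus":     {"managedBy": "ghost", "member": ["alice", "nobody"]},
}


@dataclass(frozen=True)
class Finding:
    group: str
    kind: str
    subject: str


def effective_members(name: str, groups: Dict[str, dict],
                      _seen: Optional[Set[str]] = None) -> Set[str]:
    """Flatten nested groups into user accounts; a cycle is visited once."""
    seen = set() if _seen is None else _seen
    if name in seen:
        return set()
    seen.add(name)
    users: Set[str] = set()
    for m in groups[name]["member"]:
        if m in groups:
            users |= effective_members(m, groups, seen)
        else:
            users.add(m)
    return users


def _account_problem(user: Optional[dict], today: int, stale_days: int) -> Optional[str]:
    """Classify one account: unknown, disabled, stale, or None if healthy."""
    if user is None:
        return "unknown"
    if user["userAccountControl"] & ACCOUNTDISABLE:
        return "disabled"
    if today - user["lastLogon"] > stale_days:
        return "stale"
    return None


def audit(users: Dict[str, dict], groups: Dict[str, dict], privileged: Set[str],
          today: int, stale_days: int = 90) -> List[Finding]:
    findings: List[Finding] = []
    for gname, g in groups.items():
        owner = users.get(g["managedBy"])
        if owner is None or owner["userAccountControl"] & ACCOUNTDISABLE:
            findings.append(Finding(gname, "orphaned-group", g["managedBy"]))
        direct_users: Set[str] = set()
        for m in g["member"]:
            if m in groups:
                if gname in privileged:
                    findings.append(Finding(gname, "group-nested-in-privileged", m))
                continue
            direct_users.add(m)
            problem = _account_problem(users.get(m), today, stale_days)
            if problem:
                findings.append(Finding(gname, f"{problem}-member", m))
        if gname in privileged:
            # Accounts that reach the privileged group only through nesting.
            for m in sorted(effective_members(gname, groups) - direct_users):
                problem = _account_problem(users.get(m), today, stale_days)
                if problem:
                    findings.append(Finding(gname, f"{problem}-member-via-nesting", m))
    return findings


if __name__ == "__main__":
    for f in audit(USERS, GROUPS, {"Domain Admins"}, today=200):
        print(f"{f.group:14} {f.kind:30} {f.subject}")
```

The nesting check is the one that catches what a glance at the Domain Admins member list misses: carol's disabled account and bob's dormant one are both domain administrators through Ops-Team, and nothing in the direct membership says so.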
Bottom Line Benefits
Understanding the Group Lifecycle and implementing the four essential attributes in a group management solution brings tangible benefits to the organization. Haaverson and Imanami summarize them as follows:
- Information accuracy is improved, which sharpens targeting of communications and builds/maintains a perception of excellence
- Information availability is increased, which allows new or current program sponsors to provide new value to their initiatives
- Information security is bolstered, which reduces the organization's vulnerability footprint
- Information overhead is reduced, which allows scarce organizational resources such as system administrators to be retasked to higher value projects
Yet at the same time, experience has shown that group management implementations - being a subset of the entire identity management domain - remain practical and doable for most enterprises.
Building Effective Group Management Practices
How can an organization, already juggling many critical priorities, move toward improvement in managing its group and directory resources? Haaverson suggests laying the proper foundation.
Positioning "Remember that groups are common infrastructure, and that nobody gets excited about infrastructure unless it's broken. Therefore, your vision statement really needs to speak to customer service improvements, communication control and accuracy, new employee productivity, and things like that."
Education and Awareness
Next he suggests spending time educating key technical staff to think beyond security roles and embrace the Group Lifecycle concept. A practical technique for this is to perform targeted post-mortems of recent or infamous IT service issues with an eye to how group management could have helped to avoid the breakdown. Use the four attributes of effective group management solutions to isolate and assess areas of weakness in how the organization currently handles group participation and provisioning. Identify what technology or technologies the organization is using in its current group management processes. "I've seen it over and over again," notes Haaverson, "people initially tell me 'Oh, we don't worry about group management' but once they really look at it, they find that they should."
Investigate the market to review group management product options suitable for your organization's technology base. Haaverson advises against in-house initiatives. "I would really urge IT managers to take the long view. Think about solutions that can scale with your growth and that will continue to add value long after the original developer has moved on. A group management solution is an investment in IT best practices, not a quick fix."
Incremental Implementation
Too many identity management projects are stillborn due to massive scope and complexity. A valuable attribute of group management programs is the ability to begin with a manageable number of groups in order to show quick benefits and provide a way for the organization to learn. Because the basic processes are the same without regard to the number of groups under management, scaling an implementation once it has been proven is far less daunting. Real bottom line benefits that can be quickly achieved, a built-in means to control the scope and complexity of an implementation, and technology solutions applied to objects already in critical use in the organization (groups and the directory), combine to yield a risk/return ratio that should be of interest to any IT executive committed to service improvement. The only question is: when are you going to get with the group?