IT leaders responsible for identity & access management (IAM) can make the difference between stagnation and progress by leveraging the IAM technologies they already have to achieve shortterm wins, according to Gartner, Inc. Analysts said that there are six ways that existing IAM tools can be leveraged to maximise investment in them.
"Even in a spending crunch, there are still IAM projects and goals that need to be achieved without additional investment," said Perry Carpenter, research director at Gartner. "Some of these can be accomplished via methods and products that organisations already own but maybe haven't considered yet."
The six ways to leverage IAM investments in unexpected ways are:
1. Deploy enterprise single signon (ESSO) as a provisioning map and role 'suggestion' tool.
ESSO data can be analysed to help determine what an organisation's mostused systems and primary user groupings or roles are. It can also deliver insight about external sites employees visit and suggest to IT managers whether they should update proxy rules, revisit policies or conduct awareness activities.
2. Identify graveyard and resurrection pools through user provisioning.
Many mainstream IAM vendors base part of their licensing agreements on the number of users in the corporate directory, but most companies want to keep identity data for as long as possible for ID reuse or auditing even after employees have left the company. To combat paying for unused licence seats, IT directors can use opensource and/or thirdparty directory tools to create an alternative directory for "deprovisioned" identities.
3. Use a virtual directory or lightweight directory access protocol (LDAP) proxy for lowimpact directory migration.
When IT directors need to migrate data between directories, LDAP proxy functionality allows them to place application scripting at the LDAP interface level, enabling justintime directory migration without requiring users to change their current passwords. After the migration is complete, the old directory can be decommissioned, licences discontinued, and the hardware freed up for use in other projects.
4. Rethink any ID consolidation/migration initiatives.
A primary objective of identity consolidation is often auditability of identity data and streamlined administration. However, this can also be achieved through a combination of security information and event management (SIEM) technologies and virtual directories, some of which are free. In addition, in most legacy systems, companies usually have to delete and recreate an account thereby losing any personal preferences/data associated with that previously existing account. IT leaders considering a fullscale identity migration or consolidation project might do better in terms of return on investment (ROI) to migrate only a subset of the environment, abstract authentication where possible, and manage the rest through attrition.
5. Use a virtual directory and/or LDAP proxy to decrease cycle time for application development.
When using a virtual directory and/or LDAP proxy, the user can create common virtual (abstracted) views of multiple data sources. These can include multiple inputs such as other LDAP repositories, relational databases, flat files, web services, and more. So, rather than the developer needing to connect to each of these sources and create an aggregated view, the virtual directory view can serve it up in a preaggregated form and deliver the data in realtime.
6. Use your web proxy as a security awareness tool.
When employees try to access websites that are counter to the company's policy, they typically see a message simply saying that access is forbidden. Instead, web proxies could redirect them to an internal security awareness site for an explanation of why certain sites are blocked to explain and reinforce security policy.
"IAM project funding is increasingly hard to come by and organisations are looking for quick wins to demonstrate IAM's value," said Mr Carpenter. "Many companies already possess the products necessary to build beneficial functionality so thinking creatively about what they already have can save time and money, position the IAM team as a responsible corporate citizen, and foster greater innovation in the organisation."
Gartner analysts will provide more detailed analysis on the future of the IAM industry at the Gartner Identity & Access Management Summit 2010, being held 3-4 March, at the Lancaster London hotel. The Summit will help delegates make the business case for IAM and explain precisely where and how IAM can deliver advantage and why it is worth every penny. In particular, Gartner analysts will provide practical advice on how to minimise expenditure and maximise value. Members of the media can register by contacting Ben Tudor on + 44 (0) 1784 267 738 or at ben.tudor@gartner.com. Additional information is available at www.europe.gartner.com/iam.
You can also follow the event on Twitter at http://twitter.com/... and using #GartnerIAM
"Even in a spending crunch, there are still IAM projects and goals that need to be achieved without additional investment," said Perry Carpenter, research director at Gartner. "Some of these can be accomplished via methods and products that organisations already own but maybe haven't considered yet."
The six ways to leverage IAM investments in unexpected ways are:
1. Deploy enterprise single signon (ESSO) as a provisioning map and role 'suggestion' tool.
ESSO data can be analysed to help determine what an organisation's mostused systems and primary user groupings or roles are. It can also deliver insight about external sites employees visit and suggest to IT managers whether they should update proxy rules, revisit policies or conduct awareness activities.
2. Identify graveyard and resurrection pools through user provisioning.
Many mainstream IAM vendors base part of their licensing agreements on the number of users in the corporate directory, but most companies want to keep identity data for as long as possible for ID reuse or auditing even after employees have left the company. To combat paying for unused licence seats, IT directors can use opensource and/or thirdparty directory tools to create an alternative directory for "deprovisioned" identities.
3. Use a virtual directory or lightweight directory access protocol (LDAP) proxy for lowimpact directory migration.
When IT directors need to migrate data between directories, LDAP proxy functionality allows them to place application scripting at the LDAP interface level, enabling justintime directory migration without requiring users to change their current passwords. After the migration is complete, the old directory can be decommissioned, licences discontinued, and the hardware freed up for use in other projects.
4. Rethink any ID consolidation/migration initiatives.
A primary objective of identity consolidation is often auditability of identity data and streamlined administration. However, this can also be achieved through a combination of security information and event management (SIEM) technologies and virtual directories, some of which are free. In addition, in most legacy systems, companies usually have to delete and recreate an account thereby losing any personal preferences/data associated with that previously existing account. IT leaders considering a fullscale identity migration or consolidation project might do better in terms of return on investment (ROI) to migrate only a subset of the environment, abstract authentication where possible, and manage the rest through attrition.
5. Use a virtual directory and/or LDAP proxy to decrease cycle time for application development.
When using a virtual directory and/or LDAP proxy, the user can create common virtual (abstracted) views of multiple data sources. These can include multiple inputs such as other LDAP repositories, relational databases, flat files, web services, and more. So, rather than the developer needing to connect to each of these sources and create an aggregated view, the virtual directory view can serve it up in a preaggregated form and deliver the data in realtime.
6. Use your web proxy as a security awareness tool.
When employees try to access websites that are counter to the company's policy, they typically see a message simply saying that access is forbidden. Instead, web proxies could redirect them to an internal security awareness site for an explanation of why certain sites are blocked to explain and reinforce security policy.
"IAM project funding is increasingly hard to come by and organisations are looking for quick wins to demonstrate IAM's value," said Mr Carpenter. "Many companies already possess the products necessary to build beneficial functionality so thinking creatively about what they already have can save time and money, position the IAM team as a responsible corporate citizen, and foster greater innovation in the organisation."
Gartner analysts will provide more detailed analysis on the future of the IAM industry at the Gartner Identity & Access Management Summit 2010, being held 3-4 March, at the Lancaster London hotel. The Summit will help delegates make the business case for IAM and explain precisely where and how IAM can deliver advantage and why it is worth every penny. In particular, Gartner analysts will provide practical advice on how to minimise expenditure and maximise value. Members of the media can register by contacting Ben Tudor on + 44 (0) 1784 267 738 or at ben.tudor@gartner.com. Additional information is available at www.europe.gartner.com/iam.
You can also follow the event on Twitter at http://twitter.com/... and using #GartnerIAM
