
IDENTITY MANAGEMENT ROADMAP

 
 

AN IDENTITY ROADMAP WILL PROVIDE:

  • A business case for deploying an enterprise identity management architecture
  • An updated security strategy to address emerging and existing enterprise attacks such as trojans, rootkit attacks and malware contained within email (read "Battling botnets and rootkits: a layered identity strategy")
  • A plan for using stronger authentication in targeted high risk systems, applications or information repositories (read "Network Access Control Security Strategy 2006")
  • Guidance for deploying a SOA (Service-Oriented Architecture) and documentation of the business benefits
  • A strategy for deploying identity federation with customers, business partners, research partners or vendors addressing the legal and implementation requirements and costs
  • A means by which you can reduce regulatory compliance costs
  • A review that identifies what infrastructure components your business will require
  • Guidelines for keeping your identity consulting costs down
  • A strategy and plan for deploying or expanding single sign on
  • An identity infrastructure disaster recovery and high availability plan

YOU NEED AN IDENTITY MANAGEMENT ROADMAP!

 My name is Guy Huntington. I’m an independent identity management consultant who has led several large Fortune 500 identity projects including Boeing, Capital One and Kaiser Permanente. I specialize in creating tailored enterprise identity management roadmaps.

There is no silver bullet for identity management!  IDENTITY MANAGEMENT IS A PROCESS NOT A PRODUCT.  Therefore, before getting involved with product vendors, you need to do your homework.  

THE BENEFITS OF AN IDENTITY MANAGEMENT ROADMAP:

  • SAVE hundreds of thousands or millions of dollars in unanticipated costs
  • SYNCHRONIZE with your lines of business goals
  • ANTICIPATE implementation challenges and therefore prevent your project from going over its time lines
  • PROVIDE an enterprise identity and security architecture 
  • MITIGATE enterprise risks of a successful malware attack
  • PREPARE and defend a business case for identity management
  • CREATE a high level web services/SOA plan
  • OUTLINE ball-park implementation costs
  • DETERMINE enterprise resource requirements
  • RECOMMEND identity data governance practices
  • DEFINE identity infrastructure service level agreements, disaster recovery and high level availability requirements

 EXAMPLES OF AN IDENTITY MANAGEMENT ROADMAP:

 User Registration

Identity management starts with your user identity registration process to validate identities before you enter them into your systems.  What are your registration processes for each type of user in your enterprise?  For example, are you background checking your janitors (they are now an attack threat using hardware keyboard loggers - Read "Why your use of id and password is likely a joke")? 

Authoritative Identity Sources

Identity management requires authoritative sources for each identity type (employees, contractors, temps, consultants, customers, business partners, vendors, etc).  The enterprise needs to determine enterprise level identity attributes and then confirm which application and business owner is responsible for them.

Business Processes for Authoritative Identity Sources

It also depends on the business processes supporting the authoritative sources.  If the processes are poor, then the identity data is likely poor.  As a result, the security systems relying upon the information are weak.  Oftentimes, business process re-engineering and identity data cleanup are required.

 Provisioning Processes

Identity management also requires good user provisioning processes.  The provisioning products can handle most normal business processes within an enterprise.  However, before you begin a project, you need to examine the existing processes, look for areas where potential problems exist and design around them for the implementation phase.  A key area to look at is how you provision and de-provision business partners, vendors and customers.  These are often problematic to solve.

 Network Access Control Points

A good identity management process has excellent network access control points.  What are your business and technical processes for determining whether the device the user is trying to enter the network with has all the necessary patch updates?  What are the user's network privileges when coming into the enterprise from a handheld device or cell phone versus the same user logging on inside the enterprise?

Enterprise Risk Assessment

What’s your enterprise risk assessment?  The process of identity management requires a graded set of enterprise risk assessments for each network, system, application, information data store, site, building and room. With this in hand, you can then plot out the enterprise security layers using identity authentication strength.

Transaction Authentication

Most of the identity management products currently don’t have transaction authentication.  What’s this?  It’s a tool that monitors high-risk applications for things like the IP addresses the user is coming in from, their computer hardware, the time of day they are trying to access the application, what they want to do versus their traditional usage, etc.  Even if the user successfully authenticates, the transaction authentication software may stop the user, flag management or begin to ask the user a lot more questions.  Are you even thinking about this?

Web Services and SOA

What are your XML and web service security policies?  How do they relate to identities?  Do you have graded security policies based on risk?  Are you protecting yourself against XML attacks?  How do your web services tie into the line of business processes?

 Identity Data Governance

What are your identity data governance policies?  What are your identity infrastructure high availability requirements?  What are your actual response times versus the ones in a document somewhere?

 Security Processes

Before you begin to deploy systems like single sign on, you must understand that overall security is only as good as the weakest link.  You need to consider a layered defense strategy (read "Network Access Control Security Strategy 2006").  Then you can identify the weak links and prepare a security architecture that will mitigate the risks.  From this will come the budget and implementation requirements.

ARE YOU EVEN CONSIDERING ANY OF THIS? YOU NEED TO LAY OUT A PLAN BEFORE BEGINNING YOUR JOURNEY!

HOW CAN I HELP?


In four to eight weeks' time I can produce a tailored identity roadmap for your enterprise that answers all the above questions.  At the end, I provide you with a thick binder and lots of electronic documents outlining:

    1. Authoritative identity sources for each identity type

    2. Enterprise identity attributes for each identity type

    3. Enterprise directory strategy

    4. Document the business processes for each identity type (creation, modification, termination and archiving)

    5. High level enterprise risk assessment.

    6. Document existing authentication systems

    7. Review existing network security

    8. Outline potential security weak spots

    9. Recommend an identity architecture

    10. Recommend the security architecture as it relates to identity

    11. Recommend a web services architecture

    12. Prepare high level business cases for infrastructure changes

    13. Recommend infrastructure changes for directories, identities, provisioning, regulatory compliance, security, web services, identity registration, authentication, authorization and audit

    14. Recommend budgets tailored to your enterprise needs, resources, political will, existing consulting partners, etc.

    15. Recommend outsourcing options if required.

    16. Recommend identity data governance model

    17. Recommend high availability requirements

With this in hand, you are ready to approach vendors, consultants and business partners from a knowledgeable perspective. You will have firm requirements, budgetary estimates and project time lines tailored to your enterprise. 

I will also educate you in advance of potential pitfalls to help you avoid:

    • Project over budgets
    • Publicly embarrassing security holes
    • Time delays in delivering the project
    • Under delivering on management expectations

WHY DO I SAY FOUR TO EIGHT WEEKS?

The time varies for each enterprise.  If the enterprise has all the people I need to see, it has all the information I need to see, and there are no business units which are separate, doing their own thing re identities and security, it is likely I can deliver the roadmap in four to five weeks.  More complicated enterprises take longer, or, if people are not available to meet with me, the project drags out.

 WHAT'S THE COST?

My rate is $195/hour plus expenses.  Therefore, for a four week engagement, the consulting time costs are approximately $31,000 plus expenses.  An eight week project is $64k plus expenses.

I'M YOUR INSURANCE!

The cost of an average identity management project is software in the hundreds of thousands of dollars plus implementation costs, usually 2-5 times software costs. Therefore, before spending several hundred thousand to several million dollars, why not buy some insurance by having me come in and alert you to potential hidden costs, time delays, unexpected legal costs and political resistance?

THAT SOUNDS INTERESTING. HOW DO I CONTACT YOU?

Guy Huntington

Huntington Ventures Ltd.

www.authenticationworld.com

guy.huntington@authenticationworld.com

1-604-921-6797

Where can I learn more about you?

 www.authenticationworld.com .  On AuthenticationWorld  I have placed numerous recent papers including:

…and much more. The site contains more information about me as well as an authentication blog I write and an RSS threat news feed.

 At www.hvl.net/papers.htm there are numerous papers I’ve written on business process re-engineering using identity management, BPEL, and DRM. 

 I look forward to hearing from you!

Regards,

 Guy Huntington
