Modernizing Authentication — What It Takes to Transform Secure Access
Pressure to demonstrate information security value will increase users' focus on metrics and highlight the need for unified security administration over the next year, according to the META Group. This, in turn, will spur further integration among activities surrounding threat management, intrusion detection, policy audits, vulnerability assessments, and forensic tests.
Vendors in enterprise single-point administration, Web single sign-on, delegated administration, and administration process workflow are all expanding into this broader security administration space, which META Group calls automated user administration. Each of these separate disciplines addresses part of the security administration process, but does not address true "ease-of-use" administration because users must manually integrate the solutions.
META Group sees automated security administration solving both technological and process issues. It predicts that by 2005, users will be able to address the security administration process and execution through automated workflow products. BMC currently has the upper hand in providing a complete solution, according to META Group, but will struggle working with its legacy products. This gives privately held newcomers including Access360, Courion, and Oblix, an opportunity to benefit from this trend by offering new solutions.
According to META Group, many security audits continue to uncover a classic security hole - hundreds of accounts belonging to long-departed employees. Some Global 2000 IT organizations have attempted to implement various user administration tools to help ameliorate some of the problems caused, but META Group says most tools currently solve only pieces of the puzzle (for example, cover few platforms or simply delegate administration). Due to the scope of the problem, META Group thinks the internal user administration process is generally worse than the external process, but rapid growth in externalized applications could eventually confound external user management in a similar manner.
In META Group's opinion, several previously disparate administration functions are now coming together and helping users cope with the process, specifically administration infrastructure (user store/metadirectory and rules, for example) and administration workflow (including self-service, delegated interfaces and application interfaces). META Group notes that vendors from different markets, including enterprise single-point administration (SPA), Web single sign-on (WSSO), administration workflow, and delegated administration, are starting to vie for the user administration budget. Although this area of administration is becoming integrated from a technology perspective, highly automated user administration is not yet available.
META Group expects competitive price pressure to contribute to market consolidation and functional integration by 2005. This automated function will largely be the domain of the operations group and the help desk, with the security group involved only in policy, process design, and auditing. In the meantime (2001 to 2003), META Group expects Global 2000 organizations seeking to improve user administration capabilities to look to tactical improvements such as administration process streamlining (via the help desk or another in-house workflow tool), password synchronization, and automated password reset.
There are two major areas of focus in automated administration, as follows.
Administration infrastructure: Includes components that store user and account information and also reach out to target systems or applications (such as NT, Unix, OS/390 and Oracle) and make account/access changes. This usually includes a centralized console as well.
Administration workflow and interfaces: Describes various methods to automate front-end request handling and approvals, to leverage administration infrastructure and integrate with other processes (such as hiring and customer enrollment), or to extend to other people (the help desk, external business partners and end users). Examples of interfaces include PeopleSoft integration, self-service password reset and account request, junior administrator or help desk limited-function consoles, and native help desk plug-ins.
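The audit finding described earlier (hundreds of accounts belonging to long-departed employees) and the infrastructure/workflow split described in the two points above come down to one recurring job: pull the account inventory from each target system, compare every account's owner against the HR roster, and turn the differences into deprovisioning actions. The Python below is an added example written for this page, not code from the META Group article or from any vendor it names; the HR roster, the three target systems, the account names and dates, and the `classify`, `reconcile` and `accounts_for_employee` functions are all constructed for illustration.

```python
"""Orphaned-account reconciliation against an HR roster.

Added example, not from the META Group article. It models the audit
finding (accounts of departed employees) and the administration-
infrastructure idea of a central store that knows every target system's
accounts. All rosters, account names and dates are constructed data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed HR roster keyed by hypothetical employee ID.
HR_ROSTER: Dict[str, dict] = {
    "E1001": {"name": "Ana Silva", "status": "active"},
    "E1002": {"name": "Ben Okafor", "status": "terminated",
              "end_date": date(2001, 3, 15)},
    "E1003": {"name": "Chen Wei", "status": "active"},
}

# Constructed account inventories as pulled from each target system:
# (account name, owner employee ID or None, last login or None).
Account = Tuple[str, Optional[str], Optional[date]]
TARGET_ACCOUNTS: Dict[str, List[Account]] = {
    "nt": [
        ("asilva", "E1001", date(2001, 6, 1)),
        ("bokafor", "E1002", date(2001, 3, 14)),
        ("svc_backup", None, date(2001, 6, 2)),    # no recorded owner
    ],
    "unix": [
        ("asilva", "E1001", date(2001, 6, 20)),
        ("bokafor", "E1002", date(2001, 3, 10)),
        ("cwei", "E1003", date(2001, 1, 10)),      # active owner, long idle
        ("jdoe", "E1999", date(2000, 12, 1)),      # owner ID unknown to HR
    ],
    "oracle": [
        ("BOKAFOR", "E1002", None),                # never logged in
    ],
}

# Date the reconciliation is run "as of" (constructed).
AS_OF = date(2001, 7, 1)

# Default action per finding. Disable rather than delete, so audit
# trails and file ownership survive until a human has reviewed.
ACTIONS = {
    "terminated_owner": "disable",
    "unknown_owner": "disable",
    "unowned": "assign_owner",
    "stale": "review",
}


@dataclass(frozen=True)
class Finding:
    system: str
    account: str
    reason: str
    action: str


def classify(owner: Optional[str], last_login: Optional[date],
             roster: Dict[str, dict], today: date, stale_days: int) -> str:
    """Return 'ok' or the reason an account needs attention.

    Ownership problems take precedence over inactivity: a terminated
    owner's account is a finding even if it was used yesterday.
    """
    if owner is None:
        return "unowned"
    person = roster.get(owner)
    if person is None:
        return "unknown_owner"
    if person["status"] != "active":
        return "terminated_owner"
    if last_login is None or (today - last_login) > timedelta(days=stale_days):
        return "stale"
    return "ok"


def reconcile(roster: Dict[str, dict], targets: Dict[str, List[Account]],
              today: date, stale_days: int = 90) -> List[Finding]:
    """Cross-check every target system's accounts against HR."""
    findings: List[Finding] = []
    for system, accounts in targets.items():
        for name, owner, last_login in accounts:
            reason = classify(owner, last_login, roster, today, stale_days)
            if reason != "ok":
                findings.append(Finding(system, name, reason, ACTIONS[reason]))
    return findings


def accounts_for_employee(targets: Dict[str, List[Account]],
                          employee_id: str) -> List[Tuple[str, str]]:
    """Offboarding view: every account an HR leaver event must touch."""
    return [(system, name) for system, accounts in targets.items()
            for name, owner, _ in accounts if owner == employee_id]


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, TARGET_ACCOUNTS, AS_OF):
        print(f"{f.system:7} {f.account:12} {f.reason:17} -> {f.action}")
    print("E1002 leaver touches:", accounts_for_employee(TARGET_ACCOUNTS, "E1002"))
```

Run as a script it lists six findings across the three systems and the three accounts an offboarding of E1002 has to disable. The owner-first precedence in `classify` is the point a practitioner should keep: an orphaned account that is still being logged into is the worst case, not a benign one, so inactivity must never mask a terminated or unknown owner.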
META Group points to a variety of vendors in the administration workflow space. They include the functionally broad, but enterprise-focused, single-point administration players (including BMC, Systor/Schumann, Access360 and Tivoli); the Windows 2000/NT and NetWare-centric delegated administration vendors (such as NetIQ, BindView and Quest); the administration workflow/self-service players (Courion, Oblix, Blockade); and the externally focused/Web-centric WSSO vendors (Netegrity, Securant, Tivoli).
SPA vendors, specifically BMC, have most of the requisite functions for automated user administration, but META Group says integration, ease of use, and cost-effectiveness remain roadblocks. Successful deployments often take 12 to 18 months, cost upwards of $1 million and require substantial modifications to interfaces. New licensing models will be needed to extend delegation beyond the enterprise, according to META Group.
META Group expects leading delegated administration vendors (such as NetIQ and BindView), driven by improved administration granularity in Windows 2000, to branch out from their NT roots to support a few additional platforms, but not to offer full enterprise coverage. These tools will be valued for their ease of use and low cost.
Also, META Group thinks administration workflow/self-service vendors (particularly Courion) will begin to position directly against the SPA vendors, backfilling on administration infrastructure while selling the value of integrated workflow. Finally, META Group notes WSSO vendors will become increasingly externally focused - partnering with and staving off direct competition with SPA tools as long as possible, while continuing to refine interfaces (for example, improve off-the-shelf graphical user interfaces, develop secure self-service, incorporate more complex trust models) and push function and delegation granularity into their administration offerings.
The mechanics of user administration have the potential to be invisible by 2005, according to META Group. But to get there, organizations should define the user administration process consistently, automate key workflows, delegate as efficiency dictates, and cautiously proceed with large-scale administration tools, such as single-point administration. Although automated user administration currently is expensive, in META Group's opinion, it positively impacts security and customer service, for both internal and external customers.
This story was excerpted from META FACts, a newsletter published by META Group and FAC/Equities, a division of First Albany. Matt Barzowskas is a vice president and Michael Prospero is an associate with FAC/Equities. Barzowskas can be reached at (617) 228-3512. Prospero can be reached at (617) 288-3112.