
Reasons to Deploy Password Management before User Provisioning

Abstract
Identity management spans technologies including password management, user profile management, user provisioning directories, meta directories, virtual directories and single sign-on (SSO).

Two technologies that are frequently purchased and deployed together are password management and user provisioning. In such projects, one technology must normally be deployed first and act as the technical foundation for the other.

This paper discusses technical and practical considerations that impact the sequence of these two deployments, and concludes that in most cases it is best to begin with password management, and follow up with account management.

Introduction

Identity management spans technologies including password management, user profile management, user provisioning directories, meta directories, virtual directories and single sign-on (SSO).

Two technologies that are frequently purchased and deployed together are password management and user provisioning. In such projects, one technology must normally be deployed first and act as the technical foundation for the other.

This paper discusses technical and practical considerations that impact the sequence of these two deployments, and concludes that in most cases it is best to begin with password management, and follow up with account management.

The remainder of this paper is organized as follows:

Identity management technologies

The following sections describe the basic capabilities that password management and user provisioning solutions may incorporate, respectively.

Password management

Password management systems generally include some subset of the following capabilities:

User provisioning

User provisioning systems generally include some subset of the following capabilities:

Combined solutions

Vendors typically have a rich heritage in either user provisioning or password management, but rarely both.

Some user provisioning vendors have "tacked on" a very simple password management capability, for example a basic web-based self-service password reset where users are authenticated by answering one or two personal questions.

Similarly, some password management vendors have "tacked on" a very simple user provisioning capability, for example the ability to create user IDs on just one or two kinds of target systems, with only a very simple user interface.

Technical and business requirements

Password management

Password management systems must meet, at a minimum, both functional and scalability requirements:

Functionality

  1. Manage passwords on all or nearly all systems that users log into.
  2. Synchronize passwords between some or all systems.
  3. Enforce a sufficiently strong password policy.
  4. Allow users to reset their own forgotten passwords (self-service password reset).
  5. Allow help desk analysts to reset forgotten passwords on behalf of callers (assisted password reset).
  6. Integrate with relevant IT infrastructure (e-mail, call tracking systems, web services, corporate directories, etc.).

Scalability

Most users only change their passwords when they are prompted to. In practice, users are prompted to change their passwords when they log in -- normally in the first hour of each day.

This means that password changes, and in particular password synchronization, produce very pronounced peaks in transaction rate.

A simple calculation illustrates the high peak transaction rate that a password synchronization system must handle:

Clearly, password management in general, and password synchronization in particular, requires a solution that is very scalable. It should support multiple servers, high availability, load balancing, server fail-out or fail-over, etc.

User provisioning

User provisioning systems must meet extensive functional requirements, but in practice do not demand extreme scalability.

Functionality

  1. Be able to manage login IDs on all or nearly all systems that users log into.
  2. Be able to streamline account creation with some combination or subset of the following features:
    1. Automated work-flow to submit systems access requests, route them to the appropriate authorizers, accept approvals, and finally create accounts.
    2. Consolidated user administration, so that a single administrator can manage multiple systems in a single step.
    3. Batch load facility, so that multiple accounts can be created at once.
  3. Be able to streamline account termination with some combination or subset of the following features:
    1. Automated work-flow.
    2. Consolidated administration.
    3. Integration with human resources or payroll systems.
  4. Be able to streamline account changes with some combination or subset of the following features:
    1. Automated work-flow.
    2. Consolidated administration.
    3. Integration with human resources or payroll systems.
  5. Integrate with relevant IT infrastructure, such as a corporate directory, HR systems, e-mail systems, call tracking systems, etc.

Scalability

User provisioning is a continuous process, not normally impacted by the kinds of peak activity seen in password management systems.

A simple calculation illustrates the normal transaction rate for a user provisioning system:

It is important to note that while the peak rate of transactions in a user provisioning system is low, the value of each transaction to the organization is typically very high, so this calculation should be taken to clarify scalability requirements, rather than economic value.

Manage passwords before provisioning accounts

Given the above analysis, it is clear that password management systems require a degree of scalability that user provisioning systems do not. In practice, password management systems must be able to field about 100 to 1000 times as many transactions per hour, at peak.
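To make the peak-load comparison concrete, here is a constructed capacity model (an added example, not part of the paper): password changes are concentrated in the first hour of the day, provisioning events are spread over working hours, and the population, expiry, turnover and per-server throughput figures are illustrative assumptions rather than data from the paper.

```python
"""Constructed model contrasting the peak hourly load of password synchronization
with the steady load of user provisioning. All figures are illustrative assumptions."""
from dataclasses import dataclass
import math


@dataclass
class Population:
    users: int
    target_systems: int  # accounts per user that every change must be pushed to


@dataclass
class PasswordPolicy:
    expiry_days: int        # password lifetime; expiries are spread evenly over it
    peak_hour_share: float  # fraction of a day's changes landing in the busiest hour


@dataclass
class Churn:
    annual_turnover: float  # fraction of the workforce replaced per year
    working_days: int
    hours_per_day: int


def password_sync_peak_per_hour(pop: Population, policy: PasswordPolicy) -> float:
    # Users whose password expires today, most of them changing it at first login,
    # each change fanned out to every target system.
    changes_per_day = pop.users / policy.expiry_days
    return changes_per_day * policy.peak_hour_share * pop.target_systems


def provisioning_peak_per_hour(pop: Population, churn: Churn) -> float:
    # Each leaver and each replacement joiner touches every target system;
    # requests are assumed uniform over working hours, so there is no daily peak.
    events_per_year = pop.users * churn.annual_turnover * 2  # leavers + joiners
    per_hour = events_per_year / (churn.working_days * churn.hours_per_day)
    return per_hour * pop.target_systems


def servers_needed(peak_per_hour: float, per_server_per_hour: float, spare: int = 1) -> int:
    # Size the farm for the peak, plus spare nodes so fail-over does not shed load.
    return math.ceil(peak_per_hour / per_server_per_hour) + spare


# Constructed scenario: 12,000 users, 4 target systems each.
POP = Population(users=12_000, target_systems=4)
POLICY = PasswordPolicy(expiry_days=60, peak_hour_share=0.75)
CHURN = Churn(annual_turnover=0.125, working_days=250, hours_per_day=8)

if __name__ == "__main__":
    pw, prov = password_sync_peak_per_hour(POP, POLICY), provisioning_peak_per_hour(POP, CHURN)
    print(f"password sync peak: {pw:.0f}/h on {servers_needed(pw, 250)} servers; "
          f"provisioning: {prov:.0f}/h on {servers_needed(prov, 250)} servers; ratio {pw / prov:.0f}x")
```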

Scalability is not a trivial aspect of system design. It must be designed into the system from the ground up. Architectural features that yield scalability, such as support for load balancing, server fail-out, retrying transactions, and data replication between servers are difficult to implement, and impossible to retrofit.

For this reason, it is important to start an identity management project with password management. If the chosen technology fails to scale adequately, it will fail early in the project, and the remaining time can be effectively spent in finding a new solution.

Projects that begin with user provisioning risk a scalability failure late in the project, when it may be prohibitively difficult or costly to change technologies.

Deployment complexity

Password management projects are significantly shorter than user provisioning projects. As both projects rely on a nearly identical team to implement, it makes sense to validate the team's ability to execute with the smaller project (password management) before attempting the more complex one (user provisioning).

Password management

Password management systems are relatively simple:

In practice, password management systems can be activated in a large organization in 1-4 months of calendar time, and just 5-15 days of billable time.

Once deployed, a password management system starts to yield cost savings to users and the help desk immediately. Password problem rates decline, and password-related help desk call volume and call duration are reduced.

User provisioning

User provisioning systems are more complex to deploy, primarily due to a more far-reaching business process:

This complexity means that the design process can span several months, before a product can be activated.

Once a system is installed and activated, many users in the organization must be trained to use it to request new systems access. Authorizers must be trained to use the system to approve open requests.

The business complexity of a user provisioning system means that normally at least 4-6 months, and in some cases 2-3 years of business process discovery and design precede system activation. During this time, the system yields little or no value to the organization.

Passwords before accounts

Clearly, a simple deployment and short time-to-ROI means that password management should be activated early in an identity management project. Early deployment gives the organization early ROI, and gives the project visibility and credibility that it can leverage to carry out the business process discovery and design required to activate a user provisioning system.

Conclusions

Password management systems must field from 100 to 1000 times as many transactions per hour as user provisioning systems, at peak. It is therefore prudent to commence a deployment of a combined password- and account-management system with the password management component, because scalability problems will be found earlier this way.

User provisioning systems can take from 4 months to 3 years to activate, primarily due to the complex business processes that they replace. In contrast, password management systems can be activated within just 1-4 months. As a result, it makes sense to start a project with password management, in order to start realizing return on investment (ROI) early, and establish project credibility.

References

Hitachi ID Systems is a security products and services company. This document is based on our experience with product deployments.

For further information, refer to our web sites:

Hitachi ID Systems corporate web site: http://Hitachi-ID.com/

Hitachi ID Password Manager, a total password management system: http://Hitachi-ID.com/password-manager/

Hitachi ID Identity Manager, an enterprise user administration system: http://Hitachi-ID.com/identity-manager/