This section describes the business problem that provisioning systems attempt to address. It describes classes of tools available to manage systems access, and the strategy taken by policy-based provisioning tools.
The business problem
Modern organizations, and in particular large enterprises with tens of thousands of users, are deploying an increasingly wide array of IT infrastructure. This infrastructure is accessed not only by employees, but also by contractors, partners, and in some cases even competitors.
As the amount of IT infrastructure, and the number and diversity of people who must access it, grow, it has become apparent that traditional tools and processes for managing security are breaking down. When security administration breaks down, companies fail to:
- provision users with systems access in a timely manner, or
- correctly define access, or
- terminate access when it is no longer required.
These failures lead to serious business costs: reduced efficiency, delayed business results and vulnerability to internal and external security attacks.
Most information systems manage access to data and processes by identifying users, and controlling what these users can do.
The access control in information systems is normally broken down into three distinct parts:
- User identification, with login IDs, employee numbers, etc.
- User authentication, with passwords, security tokens, biometric identification, challenge/response data or a combination of these.
- User authorization, with access-control lists, group membership, roles, etc.
Systems with security controls normally come with their own tools to manage these three kinds of data. For example, Windows NT networks use the "User Manager" GUI, Unix system administrators edit passwd files, Oracle DBAs manage access by issuing SQL commands, and SAP administrators control access with SAPgui.
These tools are point solutions. Enterprises run into problems because of the proliferation of such tools, the number of administrators required to operate them, and the number of business system owners who must approve access requests and trigger the deletion of accounts. There are simply too many people involved in what should be a simple task: grant access today, and delete it tomorrow.
Software vendors have stepped forward with tools to streamline cross-systems management. These technologies include:
- Meta directories, which monitor changes to user definitions on one or more systems, and propagate those changes to other systems.
- Centralized administration consoles, which allow a single security administrator to manage access to multiple systems.
- Workflow systems, used to track requests for systems access, forward them to authorizers, collect results and in some cases automatically provision access when ready.
- Policy-based, or automatic, provisioning systems, as described below.
One approach that has been promoted to resolve this administration bottleneck is called Policy-Based Provisioning. With Policy-Based Provisioning, organizations maintain the following data:
- A complete and up-to-date representation of the organization in an on-line directory (for example, an LDAP directory).
- A set of business roles, each of which represents some defined collection of access to systems resources.
- Policies that connect positions in the corporate organization, through their location in the directory and/or other attributes, to business roles and their associated systems access.
If this data can be maintained efficiently, then as employees, contractors and external business entities move through an organization, they can be automatically granted appropriate access to new resources, and their existing access to unneeded resources can be automatically terminated.
The objective of policy-based provisioning is to make this administration process fast, accurate and reliable.
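To make the mechanism concrete, the following is an added example (not code from the original paper or from any product it describes) of how the three kinds of data above combine: constructed directory entries, roles and policies are assumed, and a reconciliation step computes which access to grant and which to terminate, including for an account whose owner is no longer in the directory.

```python
# Constructed sample: the organization's directory, keyed by login ID, with attributes policies use.
DIRECTORY = {
    "alice": {"dept": "finance", "site": "toronto", "type": "employee"},
    "bob":   {"dept": "finance", "site": "london",  "type": "contractor"},
    "carol": {"dept": "finance", "site": "toronto", "type": "employee"},  # just moved from sales
}

# Business roles: each is a named bundle of (system, entitlement) pairs.
ROLES = {
    "base_employee":  {("ad", "Domain Users"), ("email", "mailbox")},
    "finance_user":   {("erp", "GL_VIEW"), ("fileshare", "finance_ro")},
    "finance_ledger": {("erp", "GL_POST")},
    "sales_user":     {("crm", "rep")},
}

# Policies: a predicate over directory attributes and the roles it confers.
POLICIES = [
    (lambda a: a["type"] == "employee", ["base_employee"]),
    (lambda a: a["dept"] == "finance", ["finance_user"]),
    (lambda a: a["dept"] == "finance" and a["type"] == "employee", ["finance_ledger"]),
    (lambda a: a["dept"] == "sales", ["sales_user"]),
]

def desired_access(attrs):
    """Union the entitlements of every role whose policy matches these attributes."""
    access = set()
    for predicate, roles in POLICIES:
        if predicate(attrs):
            for role in roles:
                access |= ROLES[role]
    return access

def reconcile(directory, current_access):
    """Compute per-user grants and revokes so target systems match policy.
    Accounts that exist on systems but not in the directory are fully revoked."""
    plan = {}
    for user, attrs in directory.items():
        want, have = desired_access(attrs), current_access.get(user, set())
        plan[user] = {"grant": want - have, "revoke": have - want}
    for user in current_access.keys() - directory.keys():
        plan[user] = {"grant": set(), "revoke": set(current_access[user])}
    return plan

# Constructed snapshot of what the target systems currently hold; "dave" has left the company.
CURRENT_ACCESS = {
    "alice": ROLES["base_employee"] | ROLES["finance_user"] | ROLES["finance_ledger"],
    "carol": ROLES["base_employee"] | ROLES["sales_user"],
    "dave":  {("erp", "GL_POST")},
}
```

Running reconcile(DIRECTORY, CURRENT_ACCESS) yields no change for alice, new finance access for bob, a transfer for carol (finance entitlements granted, the CRM entitlement revoked) and full revocation for dave.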
Theory and reality
This section describes some of the practical difficulties in implementing a policy-based provisioning system in a large organization.
Standards and diversity
In practice, large organizations do not have well-defined roles that cover most staff. Employees and contractors typically have evolving responsibilities, and over time these evolving roles approach a "one role per person" model.
This raises a serious problem for a policy-based provisioning system:
- It is not practical to define as many roles as there are people -- that would simply degenerate into manual administration.
- It is difficult or impossible to define a "reasonably small" set of roles with sufficient coverage that it is feasible to assign every person in the organization to just one or two roles.
If this problem cannot be addressed, a policy-based provisioning project will fail during deployment. The implementing team will simply get bogged down trying to define all the relevant types of roles.
A moving target
If a policy-based provisioning project can overcome the initial problem of identifying a sufficient set of roles and assigning all users to these roles, it must still contend with the fact that both role definitions and rules used to assign people to roles are highly dynamic.
Companies change their business strategy with increasing frequency. They make rapid changes in direction, such as corporate acquisitions, divestitures, mergers and reorganizations. Each of these events triggers a massive change to the configuration of a policy-based provisioning system.
Moreover, even small business changes, such as extending the responsibility of a department, or even adding new tasks to a single individual, require that suitable roles be defined -- so that they can be assigned to the appropriate staff. These changes to role definitions and policy rules mean that a significant number of people have to be engaged, full-time, to manage the policy-based provisioning system.
Configuration cost, administration and return on investment
The complexity of role definition and the allocation of users to roles means that initial deployment of a policy-based provisioning system in an enterprise with 10,000 or more users can literally take years to complete.
The difficulty of maintaining a correct set of role definitions and policy rules means that ongoing administration requires several full-time, dedicated administrators just to keep the system correctly configured.
Both of these costs are significant, and reduce or eliminate any cost savings that might have been realized through the automated provisioning process itself.