Chapter 1. Business context for Identity and Credential Management 31
In practice, given the likely scale of most RBAC designs, it is necessary to
include costing associated with the collection, cleanup, and analysis of the
existing user and repository data. We strongly recommend that any centralized
identity management solution chosen be capable of being deployed as a tool to
help design the full RBAC model. While the RBAC design is being prepared, ROI
can already be gained from the automation of user provisioning and workflow
processes.
1.5.7 Observations
Most enterprises use a blend of access control models based on the sensitivity of
the information or the level of effort that is required to change the applications.
Ideally, the enterprise has one predominant access control model, such as
RBAC, and uses another access control model only to handle exceptions. As a
general rule, use an 80/20 ratio; however, this ratio will vary based on the
enterprise’s business policies and security policies.
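The blend described above, as an added example (not code from this Redbook or from IBM Tivoli Identity Manager): RBAC decides the bulk of access, a small per-user exception list (explicit grants and explicit denials) handles the rest, and a coverage metric reports how far a deployment is from the intended 80/20 split. All roles, users and permissions below are constructed for illustration.

```python
"""RBAC as the predominant model with per-user exceptions for the remainder.
Added example; the data and helper names are constructed, not from the book."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed role model: role name -> set of (resource, action) permissions.
ROLE_PERMISSIONS: dict[str, set[tuple[str, str]]] = {
    "payroll-clerk": {("payroll-db", "read"), ("payroll-db", "write")},
    "auditor": {("payroll-db", "read"), ("audit-log", "read")},
    "employee": {("intranet", "read")},
}


@dataclass
class User:
    name: str
    roles: set[str] = field(default_factory=set)
    # Exceptions handled outside RBAC (the "20%"): explicit per-user grants and
    # explicit per-user denials. A denial always wins over any grant.
    extra_grants: set[tuple[str, str]] = field(default_factory=set)
    denials: set[tuple[str, str]] = field(default_factory=set)


def role_permissions(user: User) -> set[tuple[str, str]]:
    """Permissions the user holds purely through role membership."""
    perms: set[tuple[str, str]] = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def effective_permissions(user: User) -> set[tuple[str, str]]:
    """Roles plus exception grants, minus exception denials."""
    return (role_permissions(user) | user.extra_grants) - user.denials


def is_allowed(user: User, resource: str, action: str) -> bool:
    """Access decision: denial first, then role grant, then exception grant."""
    perm = (resource, action)
    if perm in user.denials:
        return False
    return perm in role_permissions(user) or perm in user.extra_grants


def role_coverage(users: list[User]) -> float:
    """Fraction of all effective permissions that come from roles rather than
    from exceptions. A value well below the intended 0.8 means either the role
    model is incomplete or the exception list has grown into a shadow ACL."""
    total = 0
    from_roles = 0
    for u in users:
        eff = effective_permissions(u)
        total += len(eff)
        from_roles += len(eff & role_permissions(u))
    return from_roles / total if total else 1.0


# Constructed sample population.
ALICE = User("alice", roles={"payroll-clerk", "employee"},
             extra_grants={("audit-log", "read")})          # one exception grant
BOB = User("bob", roles={"auditor", "employee"},
           denials={("payroll-db", "read")})                 # one exception denial
USERS = [ALICE, BOB]

if __name__ == "__main__":
    for u in USERS:
        print(u.name, sorted(effective_permissions(u)))
    print("role coverage:", round(role_coverage(USERS), 3))  # 5 of 6 grants via roles
```

Running the coverage check against real directory exports, rather than the constructed users above, is the kind of cleanup analysis the costing in the previous section has to budget for.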
1.6 Identity management compared to Meta Directory
Identity management and user provisioning are often lumped together with
directory strategy and also meta directories. This problem arises because most
people have slightly differing definitions of each of these areas, and, in addition,
each OEM vendor selects slightly different feature/function sets to be
implemented within their product or solution, which results in a lot of overlap and
confusion.
Figure 1-4 on page 37 shows how several of the features of both identity
management and directory strategy requirements map onto an idealized set of
products.
Typically, most organizations start with many directories and either a
requirement to reduce operating costs with user provisioning tools or a strategic
vision for a single universal directory/repository, such as X.500 or Microsoft®
Active Directory. These two approaches are typified by teams such as the
“Strategic Directory Team” or the “User Provisioning Project.” Their titles indicate
the direction they are likely to take.
Directory strategy teams are predisposed to recommend single directories
(X.500, RACF, MS Active Directory, and so on) as the solution to an
organization’s needs, while user provisioning teams have a tendency to
recommend tools that are best suited to addressing help desk costs or user
password reset problems.
32 Deployment Guide Series: IBM Tivoli Identity Manager 5.0
Certain organizations even appoint teams of both types. They might or might not
adequately communicate their plans with each other, which can lead, in the worst
cases, to political control battles for the ownership of the space, or, at best, to an
agreement not to tackle the areas common to both teams, thus leaving an
unaddressed set of problems.
It is much better if organizations appoint a strategy/project team whose purview
spans both user repositories (directories and Meta Directory strategy) and the
tools needed to manage them effectively and efficiently (user provisioning and
identity management). A representative from the organization’s security team
needs to be appointed to this type of project team.
Table 1-6 and Figure 1-4 on page 37 describe several of the tool sets that you
must consider. Original equipment manufacturer (OEM) products or solutions
might not map exactly to this broad definition set, and organizations might not
need to cover all these areas in one deployment. What is key, however, is that
consideration is given to all of these areas as one integrated project and design
exercise.
Table 1-6 Tools used in identity management and directory areas

Product/solution type: Single directory
  Notes: A single repository is mandated, for example, X.500, RACF®, and
  Microsoft Active Directory.
  Advantages: All users are defined in one place, and audit, user management,
  and reporting are less costly. Security policies can be applied in one place.
  Disadvantages: A single directory can require the purchase of administration
  and management toolkits. Many applications might have to be rewritten or
  customized to allow authentication and authorization against the directory.

Product/solution type: Many directories
  Notes: Normally, the state of an organization itself generates the need to
  look strategically at the problem. The situation often has evolved rather than
  been designed and controlled.
  Advantages: High degree of flexibility. Little or no design effort required.
  Disadvantages: Costly to manage. Subject to management by mood. Difficult to
  audit and apply a security policy. More subject to human error. Longer
  provisioning time scales, resulting in decreased user productivity. Less
  secure because of orphaned accounts.
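The “orphaned accounts” disadvantage of the many-directories situation in Table 1-6 is something a deployment can measure before choosing tooling. The following is an added example (not code from this Redbook or from IBM Tivoli Identity Manager) that reconciles account dumps from several directories against an authoritative person feed and classifies every account that has no live owner. The HR feed, directory names and account records are constructed for illustration.

```python
"""Reconcile accounts from several directories against an authoritative feed
to find orphaned accounts. Added example; all data below is constructed."""
from __future__ import annotations

# Constructed authoritative source (for example an HR feed): person id -> record.
HR_FEED: dict[str, dict[str, str]] = {
    "p1001": {"name": "A. Example", "status": "active"},
    "p1002": {"name": "B. Example", "status": "terminated"},
    "p1003": {"name": "C. Example", "status": "active"},
}

# Constructed account dumps from three directories. Each account carries the
# owner attribute that links it to a person, or None if the directory has none.
DIRECTORIES: dict[str, list[dict[str, str | None]]] = {
    "ad": [
        {"account": "aexample", "owner": "p1001"},
        {"account": "bexample", "owner": "p1002"},
        {"account": "svc-backup", "owner": None},
    ],
    "racf": [
        {"account": "AEXAMP", "owner": "p1001"},
        {"account": "ZOLD01", "owner": "p9999"},
    ],
    "ldap": [
        {"account": "cexample", "owner": "p1003"},
        {"account": "bexample", "owner": "p1002"},
    ],
}


def find_orphans(hr_feed: dict, directories: dict) -> dict[str, list[tuple[str, str]]]:
    """Return {directory: [(account, reason), ...]} for accounts with no live owner.

    Reasons:
      'no-owner'          the account is not linked to any person
      'unknown-owner'     the owner id does not exist in the authoritative feed
      'owner-terminated'  the owner exists but is no longer active
    """
    orphans: dict[str, list[tuple[str, str]]] = {}
    for dir_name, accounts in directories.items():
        found: list[tuple[str, str]] = []
        for acct in accounts:
            owner = acct["owner"]
            if owner is None:
                found.append((acct["account"], "no-owner"))
            elif owner not in hr_feed:
                found.append((acct["account"], "unknown-owner"))
            elif hr_feed[owner]["status"] != "active":
                found.append((acct["account"], "owner-terminated"))
        if found:
            orphans[dir_name] = found
    return orphans


def orphan_rate(hr_feed: dict, directories: dict) -> float:
    """Share of all accounts across every directory that are orphaned."""
    total = sum(len(accts) for accts in directories.values())
    orphaned = sum(len(v) for v in find_orphans(hr_feed, directories).values())
    return orphaned / total if total else 0.0


if __name__ == "__main__":
    for directory, items in find_orphans(HR_FEED, DIRECTORIES).items():
        for account, reason in items:
            print(f"{directory}: {account} ({reason})")
    print("orphan rate:", round(orphan_rate(HR_FEED, DIRECTORIES), 3))
```

The same owner-linkage attribute this check depends on is what a provisioning tool needs in order to deprovision automatically, so a high orphan rate is both an audit finding and a sign that the directories were never designed with a common identity key.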