Steve Devoti might be a technologist at heart, but it was the cunning salesman lurking inside him that proved so beneficial to planning and managing a successful identity management rollout.
Devoti, the architecture manager for IT services at CUNA Mutual Group in Madison, Wis., says the project to provide single sign-on, user self-service and provisioning succeeded because it achieved company-wide appeal. "The stakeholders connected to us because we can protect applications that they own," he says.
Identity services, which grow from user data stored in a directory, are seen as keys for securing networks and controlling user privileges. They include access management, metadirectory, password management and other software.
Devoti and his colleagues convinced everyone in the company - as well as the CIOs at the 10,000 member credit unions that subscribe to CUNA's financial services - to sign off on the security and administrative benefits of identity management. Then they delivered the goods, starting in January of this year and completing the basic infrastructure in six months and the more complex features in nine months.
Sounds simple enough, but it required a major change in IT attitude.
"With infrastructure, IT is not in the habit of talking to its end customers, but with identity management the issues are in how you communicate it, how you sell it, how you market the benefits to the end customers," Devoti says. "This really has to be a common services layer within your organization. You don't want to build one of these for each discrete group."
That's because a corporation of 20,000 employees will spend two to three years and between US$2 million and $4 million to build an identity management service to lock down access control and help meet regulatory compliance demands, according to Pervez Goiporia, practice leader for electronic security at Mphasis, which provides IT consulting and business-process outsourcing services.
While Devoti would not reveal what CUNA spent, he says every penny was a wise investment.
CUNA has 5,000 employees and 70,000 credit union staff who access secured applications through CUNA's identity management system, which includes a directory as well as Web access management and provisioning software.
The system allows CUNA to authorize its 10,000 member credit unions to manage the identity and access rights of their own employees.
With little knowledge of how to build the identity system, CUNA brought in consultants who helped scope the project and mentor the IT staff. Once IT staff members understood the possibilities and benefits, they educated the rest of the company.
CUNA started with IT liaisons it has in each of its internal business groups. Those advisers began to sell each group on the benefits of identity management. CUNA then put together a committee with representation from each group, and the project began to take shape.
Integrators say that is a crucial step for future success.
"Unless you form this core team, you have a recipe for disaster," Mphasis' Goiporia says. "You will run into a lot of data consistency and integration issues. And they are going to come fairly soon in the process."
Goiporia says identity management is not really a project but more of a program that will run two to three years before it is fully integrated into core business processes.
Finding the place to start is key.
"If you have compliance pressure, then you might want to focus on what helps you do audits faster and more accurately," he says. "In a customer-facing scenario, something like single sign-on or strong authentication would be a better value."
He says one of the biggest problems companies face is intimidation from the scope of an identity management infrastructure.
"There is this danger of paralysis from wanting to know the full picture but shirking back from it when you discover the size of commitments it needs," Goiporia says.
Because of that, he says he sees more identity decisions being made by compliance officers, chief security officers and even CFOs.
"You have to create balance across the whole organization," CUNA's Devoti says. "We did not create a return on investment, we created a list of benefits."
One benefit was that self-service and delegated administration meant CUNA could add tens of thousands of users without adding a single full-time employee on the nine-person help desk. Another was a commitment to standards, which will ensure future expansion of the infrastructure and deeper integration with partners.
Once CUNA hammered out its model, which took a team of 20 nearly three months, it went to work getting the CIOs from the member credit unions on board with promises of tighter security and quicker access. "We made it an option for them, but we knew that we needed high adoption rates to be successful," Devoti says.
The identity infrastructure then began to come together in phases, a methodical stair-step approach that is key to demonstrating tangible results and assurance of future funding, Devoti says.
Within six months, CUNA built a single enterprise directory using Microsoft Corp.'s Active Directory and then augmented that with access management software from Oblix. Next, CUNA added other Oblix Inc.-based services such as provisioning, which automatically creates and deletes accounts based on a set of policies.
Mphasis' Goiporia says the phased approach is a good one but that users should be wary of details that can derail the best-laid plans.
"Performance testing and data scrubbing are often unexpected costs and are never visualized as a single point of failure," Goiporia says. "More than the costs, these can be last-minute roadblocks to going into deployment."