It used to be that when someone on Cameron Cosgrove's team got a ticket request to provision a new employee with network and application access, the new full-timer would sit on the sidelines for a couple of days while a manual process of email exchanges and phone tag went on in the background.
"There was a lot of back and forth on what they need access to, and checking with access owners on whether they can have the access they were looking for," said Cosgrove, vice president of infrastructure at New York-based First American Title Insurance Co. "It was taking too long to provision -- two days or longer."
That kind of inefficiency was not only impacting productivity, but burdening compliance efforts and overall information security. It's not an uncommon scenario, especially in smaller companies with little in the way of automated user provisioning tools and processes.
Cosgrove found relief in Microsoft Forefront Identity Manager 2010, released this month at RSA Conference 2010. Forefront Identity Manager is the successor of Microsoft Identity Lifecycle Manager 2007; it provides a policy-based management framework for identity information for Windows and non-Windows environments. For First American Title Insurance, Forefront Identity Manager quickly cut identity management user provisioning time.
The rollup to the rollout wasn't as quick. Scott Wier, IT manager, desktop architecture, said the team spent about three months defining roles and mapping those roles to the appropriate network and application resources.
Once roles were established and mapped, that information was dumped into Forefront Identity Manager's rules engine, and centrally, they were able to define roles within groups, email distribution lists and the resources associated with roles. Forefront Identity Manager's capability to synchronize with Active Directory and, in this case, First American Title Insurance's human resources systems, enabled them to take a few seconds to provision new access, rather than a few days.
"We were managing all these moves in real time," Cosgrove said. "It was a huge boost in productivity and improvement to user experience."
Cosgrove said it was a win for security as well as the company could just as quickly deprovision former employees, reducing the exposure that accounts would be left open after an employee left the company -- a compliance violation. Exceptions are also handled through Forefront Identity Manager; a portal enables requests for access exceptions from resource owners.
"The compliance benefits are: One, that you have a consistent set of provisioned users and access rights, and two, you have authorization recorded for all exceptions, which helps with internal compliance and audits," Wier said. "We have the ability to look through the workflow, see who approved the exception request, when and how it was authorized from the resource owner, [which] gives that additional layer of security."
Cosgrove said they plan to use Forefront Identity Manager as an identity hub and eventually hook up other systems to it, such as Oracle. They're already federating authentication and routing off-premise through Cisco's IronPort cloud service for email security.
"Directory synchronization is very easy to implement. We're using it to feed the hub and over time, we're going to add more directories we'll sync with," Cosgrove said. "[Forefront Identity Manager] will be the policy-based rules engine for taking the aggregation of that and having a single source of data in a metadirectory that becomes its own product internally. Other groups will come to us and notice we've aggregated all of this identity information and ask if they can be a consumer of that. We're also seeing user experience benefits in the automated provisioning and self-service portal for password and employee information management."