Are You Up to Speed on Provisioning Tools?

by Jacqueline Emigh

If user administration is consuming all your time, it's probably time to catch up on the state of the art in provisioning tools.

Provisioning is stirring up both buzz and confusion these days. Just what is provisioning, anyway? Generally speaking, tools in this emerging category automate the creation, maintenance, and deletion of user accounts, passwords, and access rights. Otherwise, tasks like these can take up tons of time for network managers and other IT staff.

Until recently, the biggest reasons to bother with provisioning revolved around streamlining operations and cutting costs, particularly in the area of password administration. At UtiliCorp United, for example, 20 percent of all service desk calls were once related to forgotten or expired passwords. By implementing Courion Corp.'s tools, the utility firm has done away with an estimated 1,000 phone calls per month from frustrated end users.

Increasingly, though, security is emerging as an even more potent driver for provisioning products. "There's been a change in justification," asserts Chris King, an analyst at the Meta Group. When they talk to business decision-makers, more IT folks are citing security, rather than improved service levels, as a rationale for buying the tools, adds King.

For one thing, the massive layoffs of the past year, coupled with security fears about employee disgruntlement, are raising pressures on network managers to shut down accounts of terminated staffers as soon as they get the boot.

"Rapid user turnover leaves orphaned (or "ghost") user accounts and their privileges active, exposing the organization to insider and outsider attacks. (To close the accounts), the same data must be entered manually in many places, and errors are easily made," according to a recent report by Gartner Group.

Moreover, some organizations, such as schools, must create and delete large volumes of user accounts on an ongoing basis. "We have a couple of thousand people come in every fall, and a couple of thousand people leave every spring. It takes a lot of time and effort to get all those accounts generated and maintain them during the year," says Gary Haberman, director of technical resources at Widener University.

Widener is now deploying eProvision Day One, a provisioning system from Business Layers. Before that, though, the university employed two full-time people strictly for creating and maintaining accounts for its Unix and Novell systems.

"There were other problems with this approach beyond just consuming resources. For example, the university couldn't issue individual log-ins to laboratory computers because was no way to generate accounts fast enough. So, generic log-ins, similar to a 'guest' account, were used, making it impossible to determine who was logged in when an incident occurred. These incidents could range from a system crash to a more serious security breach involving access to sensitive files," according to Haberman.

Sensing bright opportunities, vendors are converging on the provisioning arena from all over the map. This adds up to more options for customers. "The value proposition for user provisioning is easy: automated, secure, self-service routines to replace manually intensive, insecure processes fraught with problems," summed up analysts from the Hurwitz Group, in another recent report.

With so many provisioning products hitting the market, though, network managers can find it tough to tell them all apart.

Ancestors of the new generation tended to be point solutions for password management or access rights, for instance. Courion first released a password administration product called Password Courier way back in 1996. After that, though, the vendor added Profile Courier, Certificate Courier, and Account Courier. Courier's tools are now meant to extend identity management all across the "user life cycle," up to and including the user's departure from the organization.

Other smaller software vendors are specializing in provisioning, too. Aside from Courion and Business Layers, these include Access360 and Waveset, for example. Meanwhile, giants like Novell, Computer Associates, and IBM Tivoli are stepping into the fray, as well. Like Courion, some of these other players use the term "identity management" instead of "provisioning," confusing matters for customers even more.

Administrators, though, can differentiate among these tools along several dimensions, industry observers say. To begin with, some products use role-based authentication (RBA), whereas others do not, according to the Meta Group's King.

With role-based products, administrators can assign access rights according to designated roles. Novell and Business Layers are a couple of vendors that enable this approach, for instance.

"The eProvision Day One program provides a way to automatically set up, maintain, and delete (computer accounts) so that everyone gets access to what they need according to their profile - a group of attributes for network rights and e-mail that the university creates for students, faculty, staff, and graduate students," says Widener University's Haberman.

"RBA isn't for everyone, though," King contends. Assignment of roles by administrators can "get sticky," for instance, when the end users are knowledge workers, according to the analyst.

In another point of distinction, some tools take a centralized approach, whereas others support distributed provisioning, as well. Under the distributed approach, an administrator might perform some provisioning responsibilities from the data center, while delegating out other tasks, such as password management. Alternatively, the administrator might decide to delegate all provisioning functions to one or more co-workers.

"Novell is supporting both centralized and distributed provisioning. The user can choose," maintains Joe Skehan, Novell's senior product manager for provisioning.

Provisioning products also differ in terms of degree of integration with outside software products. User account information can be stored in many different places on the network, ranging from LDAP directories to SQL or proprietary databases, for example. At this point, vendors typically use point-to-point connectors and proprietary APIs to link their provisioning tools to third-party software.

According to Skehan, simplified integration is one key reason why Novell is planning multiple provisioning toolkits. Novell's first toolkit, for employee provisioning, comes with connectors to PeopleSoft and SAP HR systems. Already available, the LDAP-based toolkit also supports Exchange, Notes, and GroupWise mail systems, and the NetWare, Windows 2000, and NT network operating systems.

An upcoming toolkit for educational applications, however, will include a driver for the Students Interoperability Framework (SIF), as well as a connector to SCT's Banner software. Codenamed "Gemini" and slated for release later this year, the educational kit is targeted at both the K-12 and university marketplaces.

Skehan adds, though, Novell's toolkits will also differ along two other lines: default policies and end user presentation. "We're going to use a different user interface to show the school environment, as opposed to bosses and employees," he says.

Still, integration can be an extremely complex issue, depending on the nature of the implementation. Novell Consulting, for example, operates a very active provisioning practice for large enterprises, inherited through Novell's acquisition of Cambridge Technology Partners (CTP). Some other consulting firms, such as ePresence, focus exclusively on provisioning.

Down the road, however, integration might get considerably easier, thanks to an emerging standard from OASIS. Last year, the standards group launched a Provisioning Services Technical Committee, which is now developing an XML-based framework called Service Provisioning Markup Language (SPML).

SPML is supposed to define standard ways for exchanging information between multiple provisioning systems, as well as between the provisioning system and the users and resources being managed.

» See All Articles by Columnist Jacqueline Emigh

This article was originally published on Tuesday May 14th 2002