Strengthen Access Control with Enterprise Identity-Management Architecture


Hui Zhu
Microsoft Corporation

April 2007

Summary: Without robust identity management, we can never be confident of our security. (4 printed pages)


Access and Identity Management: A Case Study
Identity Management
Implementing an Automated Identity-Management Solution
Architecting an Integrated Identity-Management Infrastructure
Returning to Our Case Study
Lessons Learned and Takeaways
Critical-Thinking Questions

Access and Identity Management: A Case Study

"It couldn't be," Josh thought as he looked at the screen. Only a person within the company would have the rights or the access to delete that file. And yet, there it was; the file was deleted. Even though the file did not contain critical user data and the backup was available to recover the file, the problem could have been catastrophic if other critical data files had been deleted.

Upon closer investigation, Josh found a couple of so-called "ghost accounts," which are accounts within an IT system that remain active when the user has already left the company. He realized that the culprit could have been any one of a dozen ex-employees who still had access to the application server through these ghost accounts.

As Josh tried to explain the dilemma to his supervisor, he found himself explaining something that should not have happened in the first place. Josh was then asked to find out how this could happen and come up with a solution to prevent such an incident from happening again.


This is a common problem. It is well understood that identity management (IdM) is a major security challenge for most organizations. An identity-management system has many dimensions and uncertainties. Nevertheless, organizations are now faced with a complex set of security challenges, as they are asked to comply with government regulations, protect customer information, protect intellectual property, and so on. Designing and implementing a good identity-management system is not a simple undertaking; there are plenty of pitfalls.

Josh talked to Edwin, the administrator of the application who was supposed to have deleted those accounts. Josh was surprised to hear that Edwin had not received any requests to disable or remove the accounts. Even though Edwin had known that the users had left the company, he still could not delete their accounts without proper authorization. He had talked to HR personnel and to the users' managers, but no one was willing to assume the responsibility for making such a request. Josh was totally confused. He thought that there was no way he could solve this problem with the knowledge and experience that he currently had at his disposal. So, he decided to spend some time researching an answer to this problem. He began with the basic question: "What is identity management?"

Identity Management

Identity management (IdM) is a comprehensive set of processes that enable the secure access of end users to a broad range of internal and external IT systems, control the digital identity of those users, and manage information about those identities. In general, digital identities comprise electronic records that represent network principals, including people, machines, devices, applications, and services [Burton Group Research Overview 2003]. Another definition is: Identity management comprises the set of business processes (and supporting infrastructure) that enable the creation, maintenance, and use of digital identities within a legal and policy context [EDUCAUSE Quarterly 2003].

IdM plays an important role in an information system. Companies often have a broad variety of systems and platforms. Their users' digital identities are spread over their IT infrastructure, yet are not necessarily synchronized across all systems and applications. Many companies often invest a good amount of effort to implement and support IdM processes, but fail to receive the desired results. Every so often, "ghost accounts" continue to appear, when employees leave and their accounts remain intact for quite some time. Those are the challenges that are faced by the implementers of IdM. An effective IdM system should be able to tackle problems such as this, thus relieving the workload of system administrators. The resulting increase in efficiency should yield considerable cost savings and risk reduction.

What Is the Problem?

The cause of the "ghost-account" problem is a gap between the user-resignation management process and the user IdM process. Both processes might be great as stand-alone processes, but they lack integration. This is a common problem with many IdM systems. An IT architect can spend a lot of time on the technical front, but overlook the supporting business processes. An IdM infrastructure should include a technical solution, as well as supporting business processes to enable seamless identity life-cycle management.

For this to happen, an IT architect must fully understand the identity life-cycle processes in the company's context, before looking into a potential automated IdM solution that can bring value to the architecture. The key point is not to purchase a solution that can solve all IdM issues, but to put technology and processes together to enable seamless identity life-cycle management.

Designing Seamless Identity Life-Cycle Management

The identity life cycle consists of account provisioning, maintenance, and de-provisioning. Account provisioning is the act of providing users with the appropriate level of access to resources that are necessary to do their jobs. Account maintenance refers both to keeping user-identity information up-to-date and to the maintenance of the appropriate levels of access to resources that are needed to conduct business effectively. Account de-provisioning refers to the deactivation of user accounts when users are no longer affiliated with the company. As companies rely more heavily on computerized systems to run their businesses, they are experiencing an increased difficulty in efficiently managing user identities at each of these three stages of the identity life cycle.

Supporting Processes Are Key

As IT architects, we always think about the technology that can help automate tasks. We really must take this one step further: How do we make the technology work the way in which we need it to work? An IdM solution itself will not solve all identity issues; it must be combined with supporting processes to handle the identity life cycle better. Without supporting processes, an identity-management solution will only be able to handle a digital identity, but fail to capture the changes in the identity.

Supporting processes must be able to capture changes to the user's identity in real life, as well as changes in their digital identity. Changes are the triggering events that kick off the processes. The triggering activity serves as the important link between digital IdM and real-life IdM. Any change to the identity in real life must be reflected as a digital-identity change. The triggering event could be a new hire joining the company, a staff resignation, a position change, a promotion, a layoff, and so on. Any change to the identity in real life must be captured by the supporting process to trigger an identity-change request, such as an account change, privilege change, access-profile change, and so on. Proper supporting processes should be designed and implemented to facilitate seamless IdM.

To create the supporting process, any changes that will affect the real-life identity, as well as the digital identity, must be identified. These changes will initiate requests to change the identity in the IT systems. HR staff or management should be responsible for making the identity-change request. A paper or electronic form can be used to capture the request. Proper approvals should be obtained from the supervisors, application owners, or HR management to authorize these changes. The IT support team will then make the changes in the IT systems, in accordance with the request. In this way, any identity changes will be captured and reflected in the digital identities that are stored in the IT systems.

To solve the problem mentioned at the beginning of this article, the company should have a resignation-management process that can trigger the user account de-provisioning process in the event of the user leaving, so that those accounts can be removed properly.
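The following is an added illustration of the supporting process just described; it is not code from the article or from any product. Real-life events (hire, resignation, layoff, promotion, transfer) are mapped by a constructed policy table to a digital-identity change and to the roles that must authorize it, and the IT step refuses to touch the directory until every required approval is present. Event names, role names, and the in-memory directory are all assumptions made for the example.

```python
"""Identity life-cycle workflow: real-life event -> change request -> approval -> apply.

Added example (not from the article). Events, roles, the POLICY table and the
in-memory "directory" are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Event(Enum):
    HIRE = "hire"
    RESIGNATION = "resignation"
    LAYOFF = "layoff"
    PROMOTION = "promotion"
    TRANSFER = "transfer"


class Action(Enum):
    PROVISION = "provision"
    DEPROVISION = "deprovision"
    CHANGE_ACCESS = "change_access"


# Constructed policy: which real-life event triggers which digital-identity
# change, and which roles must approve before IT may act. This is the piece
# that was missing in the case study (nobody owned the de-provisioning request).
POLICY = {
    Event.HIRE: (Action.PROVISION, {"hr", "manager"}),
    Event.RESIGNATION: (Action.DEPROVISION, {"hr"}),
    Event.LAYOFF: (Action.DEPROVISION, {"hr"}),
    Event.PROMOTION: (Action.CHANGE_ACCESS, {"manager"}),
    Event.TRANSFER: (Action.CHANGE_ACCESS, {"manager", "app_owner"}),
}


@dataclass
class ChangeRequest:
    user: str
    event: Event
    action: Action
    required: Set[str]                       # roles that must approve
    access: List[str] = field(default_factory=list)   # target access profile
    approvals: Set[str] = field(default_factory=set)
    applied: bool = False

    def approve(self, role: str) -> None:
        # Approvals from roles the policy does not name are ignored, not stored.
        if role in self.required:
            self.approvals.add(role)

    def is_authorized(self) -> bool:
        return self.required <= self.approvals


@dataclass
class Account:
    user: str
    enabled: bool = True
    access: List[str] = field(default_factory=list)


def raise_request(user: str, event: Event, access: Optional[List[str]] = None) -> ChangeRequest:
    """HR or management raises the request; the policy decides action and approvers."""
    action, required = POLICY[event]
    return ChangeRequest(user=user, event=event, action=action,
                         required=set(required), access=list(access or []))


def apply_request(req: ChangeRequest, directory: Dict[str, Account]) -> bool:
    """IT applies the change only when fully authorized. Returns True if applied."""
    if not req.is_authorized():
        return False
    acct = directory.get(req.user)
    if req.action is Action.PROVISION:
        directory[req.user] = Account(req.user, True, list(req.access))
    elif req.action is Action.DEPROVISION and acct is not None:
        acct.enabled = False       # disable and strip access; keep the record for audit
        acct.access = []
    elif req.action is Action.CHANGE_ACCESS and acct is not None:
        acct.access = list(req.access)
    req.applied = True
    return True


def demo() -> Dict[str, Account]:
    """Hire, then resignation: the account is disabled only once HR approves."""
    directory: Dict[str, Account] = {}
    hire = raise_request("jdoe", Event.HIRE, ["email", "fileserver"])
    hire.approve("hr")
    hire.approve("manager")
    apply_request(hire, directory)
    leave = raise_request("jdoe", Event.RESIGNATION)
    apply_request(leave, directory)   # not yet authorized: account stays enabled
    leave.approve("hr")
    apply_request(leave, directory)   # authorized: account disabled
    return directory
```

The design point is that the approval set lives in the policy, not in the administrator's judgement: the administrator in the case study knew the users had left but had no authorized request to act on, and this structure names the role that owes that request.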

Implementing an Automated Identity-Management Solution

Now that we have seamless identity life-cycle management, the internal controls have been improved, and "ghost accounts" will not appear again. However, the supporting processes will increase the burden of an already overloaded IT staff and other supporting functions. To take this one step further: How can we provide a better user experience with IT systems, improve the productivity, and reduce the cost of management, yet have adequate internal controls? Automation is an obvious answer to that question.

An automated IdM solution could help to consolidate and centralize the IdM tasks, and automate them within the IT system. An IdM solution could also help to manage the identity of most, if not all, of a company's systems—for example, Microsoft Active Directory, Linux and UNIX servers, ERP systems, intranet, VPN access, and so on.

Many IdM solutions on the market can help to manage user identities and support management processes, such as user provisioning, de-provisioning, authorization, authentication, password management, auditing, user self-service, central administration, and delegated administration. An IT architect should review their IdM processes, analyze the requirements, and try to identify the most suitable solution that can work seamlessly with the processes. To implement a solution successfully, the architect must inventory all the IT systems and applications that provide authenticated access to the users, review the authentication mechanisms provided by each application, and review the IdM processes for each system. With that information in hand, the architect can start to research an IdM solution that can support their current IT environment.
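As an added example of the inventory-and-review step above (not code from the article or any IdM product), the script below reconciles the accounts exported from several systems against the HR roster and flags ghost accounts: enabled accounts whose owner has left, ranked higher when there is a logon after the owner's last day, plus accounts with no HR owner at all. System names, employee ids, logins and dates are constructed sample data.

```python
"""Ghost-account reconciliation: system account inventory vs. HR roster.

Added example (not from the article). HR, ACCOUNTS and all dates are
constructed sample data standing in for exports from real systems.
"""
from datetime import date
from typing import Dict, List, NamedTuple, Optional


class HrRecord(NamedTuple):
    employee_id: str
    status: str                 # "active" or "terminated"
    end_date: Optional[date]    # last day of employment, None if still active


class SystemAccount(NamedTuple):
    system: str
    login: str
    owner_id: Optional[str]     # employee id the account is linked to, None if unknown
    enabled: bool
    last_logon: Optional[date]


class Finding(NamedTuple):
    system: str
    login: str
    reason: str
    severity: str               # "medium", "high" or "critical"


# Constructed HR roster.
HR: Dict[str, HrRecord] = {
    "E100": HrRecord("E100", "active", None),
    "E101": HrRecord("E101", "terminated", date(2007, 1, 15)),
    "E102": HrRecord("E102", "terminated", date(2006, 11, 30)),
}

# Constructed account inventory gathered from several systems.
ACCOUNTS: List[SystemAccount] = [
    SystemAccount("ActiveDirectory", "alice", "E100", True, date(2007, 3, 30)),
    SystemAccount("ActiveDirectory", "bob", "E101", True, date(2007, 2, 3)),    # used after leaving
    SystemAccount("AppServer", "bob", "E101", True, None),
    SystemAccount("VPN", "carol", "E102", False, date(2006, 11, 20)),           # already disabled
    SystemAccount("AppServer", "svc_backup", None, True, date(2007, 3, 31)),    # no HR owner
    SystemAccount("Linux", "carol", "E102", True, date(2006, 10, 1)),
]


def reconcile(hr: Dict[str, HrRecord], accounts: List[SystemAccount]) -> List[Finding]:
    """Return one finding per enabled account that the HR roster does not justify."""
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue                          # already de-provisioned; nothing to do
        rec = hr.get(acct.owner_id) if acct.owner_id else None
        if rec is None:
            findings.append(Finding(acct.system, acct.login,
                                    "no HR owner linked (orphan account)", "medium"))
        elif rec.status == "terminated":
            used_after = (acct.last_logon is not None and rec.end_date is not None
                          and acct.last_logon > rec.end_date)
            reason = f"owner terminated on {rec.end_date}"
            if used_after:
                reason += f", logon seen on {acct.last_logon} after that date"
            findings.append(Finding(acct.system, acct.login, reason,
                                    "critical" if used_after else "high"))
    return findings


def deprovision_tickets(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group ghost accounts (terminated owner) by system for the de-provisioning request."""
    tickets: Dict[str, List[str]] = {}
    for f in findings:
        if f.severity in ("high", "critical"):
            tickets.setdefault(f.system, []).append(f.login)
    return tickets


if __name__ == "__main__":
    for f in reconcile(HR, ACCOUNTS):
        print(f"[{f.severity}] {f.system}/{f.login}: {f.reason}")
    print(deprovision_tickets(reconcile(HR, ACCOUNTS)))
```

Orphan accounts are reported but not ticketed automatically, because a service account with no HR owner needs an owner assigned rather than a disable; the run should be scheduled and its output fed into the de-provisioning process so that a missed resignation surfaces within one cycle instead of months later.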

Architecting an Integrated Identity-Management Infrastructure

With an automated IdM solution and support processes in place, a fully integrated IdM infrastructure can be implemented that will best serve the identity-management needs. By leveraging the capability of IdM, supporting processes can be kept to a bare minimum, to reduce operation costs and improve productivity.

The integrated IdM infrastructure will improve internal controls, increase productivity, ensure compliance, and reduce the cost of support.

Returning to Our Case Study

If Josh's company wanted to retain some level of security, this problem with "ghost accounts" would have to be fixed immediately.

Josh sighed.

The problem could have been worse; if the deleted file had been a critical current-data file without backup, it could have been catastrophic. It was a lesson learned and, fortunately, at not too high a price. The system had to be cleaned up. Josh had to remove all ghost accounts, as well as improve the IdM processes. He spent a couple of months reviewing the process to gain good control over the user IdM. For his next step, he would have to design a complete and integrated IdM solution that would solve the problem totally.

Lessons Learned and Takeaways

Broken processes are major problems in IdM. IdM is critical to ensure the security of a company. While architecting and designing an IdM infrastructure, one should always think of how to manage identities seamlessly, not only from a technical perspective, but also from a business perspective. Technology alone cannot solve the entire problem. However, an automated IdM solution integrated with management processes will be able to provide effective and efficient IdM. The best IdM infrastructure would be a fully integrated and automated solution that combines the supporting processes.

Critical-Thinking Questions

  • What is identity management?
  • How can I implement effective access control of IT resources?
  • What should be considered during the design of the IdM architecture?
  • What manual processes have to be integrated to achieve full control over the IdM life cycle?
  • What can be automated in IdM architecture?
  • What are effective IdM systems?


References

  • "Enterprise Identity Management: It's About the Business." Burton Group Research Overview 2003. V1. July 2, 2003.
  • "Identity and Access Management and Security in Higher Education." EDUCAUSE Quarterly 2003. Number 4. 2003.
  • Parenty, Thomas J. Digital Defense: What You Should Know About Protecting Your Company's Assets. Boston, MA: Harvard Business School Press, 2003.
  • Windley, Phil. Digital Identity. Cambridge, MA: O'Reilly Media, Inc., 2005.


About the author

Hui Zhu is a consultant with over 10 years of extensive experience in security-architecture design and implementation, security-management systems, and security audit and review in myriad IT environments. Leveraging expertise in both security management and security consulting, Hui has established a proven approach for various security-architecture practices, and has successfully helped clients to manage risk and achieve their security objectives. You can contact Hui at

This article was published in Skyscrapr, an online resource provided by Microsoft. To learn more about architecture and the architectural perspective, please visit