FIM customers speak out at the RSA Conference

Security blog Security Squared just posted an in-depth piece about how First American Title is using FIM for identity management of 13,000+ employees. 

The author met with First American's Cameron Cosgrove and Scott Weir yesterday, here at the RSA Conference in San Francisco.  Here's the full text.

Microsoft Forefront Identity Manager User Cuts Costs, Improves Compliance, Lays Convergence Foundation

First American Title Insurance Company creates audit trails, improves productivity with role- and criteria-based identity management and user provisioning

Microsoft yesterday announced at the 2010 RSA Conference the official release of its Forefront Identity Manager, an identity and access management tool designed to work across heterogeneous systems, including card management systems.

Brendan Foley, director of product management in the identity and security business group at Microsoft, briefed Security Squared about that announcement. We'll have more in coming days about Forefront Identity Manager (FIM), especially its use of claims-based assertions, its ability to synchronize identities across disparate sources and how it integrates with strong authentication methods and their support systems.

For now, we'll let users tell the FIM story: At the briefing, we also spoke with First American Title Insurance Company, in the persons of Cameron Cosgrove, vice president, infrastructure; and Scott Weir, IT manager, desktop architecture group. They talked about their experiences with using FIM for role- and criteria-based identity and access management.

The convergence angle: Cosgrove and Weir discuss associating First American Title employees with identities rather than IP addresses--and the identities are built on roles and criteria that conceivably could include physical access rights. Further, those physical permissions could be correlated with data access rights, and both might vary with an employee's location on any given day, with FIM provisioning and deprovisioning in the background on the fly. As Weir says below, employees always have access to the resources they need, while First American has a clear audit trail for compliance.

Also of convergence interest: Cosgrove and Weir are evaluating multifactor authentication solutions at RSA to complement their logical access solution. Multifactor or strong authentication schemes are a natural intersection between the logical and physical identity worlds.

What follows is a transcript of our conversation at the RSA Conference Tuesday, edited for clarity.
*****
Cameron Cosgrove, First American Title: Our industry is real estate, and our fundamental business is property title insurance, helping people transact their real estate business. We are a global company, and we have a footprint of about 13,500 employees in the United States [and] we have deployed FIM to all 13,500.

One of the first challenges we wanted to address is the provisioning of users and deprovisioning. With 13,000 people all across the U.S., we are serving markets that are large and small, so we have large offices and small offices in the U.S. Employees need access to the system quickly--or when they leave, we need to de-provision quickly. Prior to FIM, we were doing that manually through HR requests, tickets going into our help desk. It would probably require a day or two days of elapsed time to complete by the time we would gather all the pertinent information about the new employee.

When they got de-provisioned, it was the same process--again, time consuming and sometimes subject to errors.

With FIM, we have fundamentally redesigned the way we provisioned people. Before FIM, when we provisioned someone like yourself, we'd say, okay, Sharon Watson has access to that resource, that chair, that drive, that's what you have. What FIM has enabled us to do is put a lot of process and structure around that which we can automate.
 
For example, we can now create roles and groups and criteria, and we can automate the provisioning based on that. We can create a marketing group; within that group, we can create marketing associate vs. marketing manager vs. marketing executive [roles]. We can then provision by role exactly what they need as part of the group they are a member of. In addition to that, we can establish unique things that they need for their role, and then the criteria allows us to know that they are in this state, this county, this office, this is their manager, so we can automate provisioning of anything that is relevant to those criteria.

We are synchronizing our HR system using FIM to Active Directory, so any time someone moves in the company, whether they move locations, cost centers, managers or change jobs, FIM will automatically associate that with the new provisioning that they need to have and de-provision what they don't need to have. So what used to take two days--[now takes] two seconds.

We think we are probably going to be able to redeploy at least one FTE from what we do now to other things because we are automating this.

Defining Roles

Sharon J. Watson, Security Squared: How laborious was it to figure out what the policies should be? I'm thinking in terms of [definitions], such as managers need access to what kind of application...

Cosgrove: That was a lot of work. I think Scott spent a couple of months, not doing any technology, just going through the company culture, trying to build consensus on these rules definitions. That was probably the biggest challenge we faced in the adoption of the technology. Implementing the tool is relatively easy compared to shifting the entire culture around these fundamental definitions, to first of all, do we all agree that these are the right roles? Then, do we agree that these are the accesses they should have?

Scott Weir, First American Title: That's absolutely right. The biggest challenge we had was getting consensus from the separate groups out there as to what actually should make up the employee profile. That's where we came up with the fact we needed multiple levels to answer the questions of what job do you do, where do you work and who do you do that work for.

Each one of those at a branch level provides certain access but maybe everyone in that entire state needs similar access. As Cameron pointed out, you might have a specific job code like a marketing associate who would have real finite access but then maybe something broader in the marketing role definition [says] this resource needs to be shared by all of marketing. Really quantifying that was the pillar of our work.

Cosgrove: Another area we used FIM to improve is characterized by moving people away from an IP association...associating someone with an IP address to associating them with an identity...being able to surface a profile to the end user that is an aggregation of all the various silos of where we have information about the employee, surface it in a FIM portal so they can see an allover view of all the different ways they have access and the ways we recognize and define them in the company, to their name, the spelling of their name, the home address, their phone number, their work location, their job title, on and on and on. So they can also have input: that's correct, that's not correct. They can self-service update that. Then we have bidirectional updates that can go back to the source system and make that update. Versus today, you have to know that's information that's in [a particular] system, and as a result, most people don't update that. Just keeping phone numbers, cell phone numbers, correct has been a challenge.

One of the things we've deployed is Microsoft Office Communicator, and we use Active Directory as our single source of truthful information. It's reading that, so if I bring up Active Directory and hover over someone's name, now I get up-to-date phone numbers, their office location, things like that. It does improve our ability to stay in touch with people and keep up our employee information.

Streamlining Audit Trail Creation

The other thing it's helped us do: we have compliance requirements, like every company does, and one of the things we've been able to automate is consistent rules for access based on the role and the criteria. Because we have a tool that implements people's access rights against that criteria and that role, we know it's consistent, we know it matches our standard. We didn't have that before. In addition to that, when an auditor wants to review who has access to something....let's say an exception is made. The FIM tool will automate the capture of that approval by pushing a message out to the manager requesting they approve providing access to this resource by this employee. If they say yes, that becomes highly auditable. So it's improved our ability to be audited and streamlined the whole authorization process.

SJW: What kind of credentials do you issue to employees? That's one of my areas of interest--the intersection of these logical and physical security issues and particularly in identity management, knowing the person logging into an application is physically who you think it is. Are you pushing this all the way down to using a smartcard to gain access to facilities, so you know they're in the building and so now they're allowed to get into the network?

Weir: In our industry, given that we're so disparate in how our businesses line up...we've got very small offices that have two or three employees that don't have an office security system. Then we've got campuses in Dallas and Santa Ana that house multiple thousands of employees, [so] what we're really keying around is the classification of the identity itself and using those criteria to make sure they have access to what they need.
 
If there is an exception request, if they do need access to something--we call it the multiple hat syndrome, where we've got a person who works in San Francisco but two days a week they fill the same role and work in San Bernardino. Well, what we can do now is say, HR's provisioned us with the data that says you're in San Francisco, you've matched all the criteria, you have that access, now we'll be able to have an exception level and grant you access in this other office you work in with an approval mechanism. Eventually--and that's one of the things we want to find while we're here--is some of the different ways of multifactor authentication and how it integrates--

Cosgrove: And tie it in. That's on our roadmap to look at. What we've done prior to the physical access is more virtual-based access, so we are able to federate our identities to the cloud. So we've implemented that already with our email backbone, which is hosted in the cloud, then we federate our identities to it through FIM, keep it synchronized so mail gets routed to the right exchange.

Greater Productivity
 
The last thing we've done that I would characterize as a pretty big win is group and distribution management. Again, everything ties back to people's roles and their criteria--cost center, office location, that type of thing--so now when we link all of those to distribution lists in Exchange, you get on all the right DLs. The key is keeping those current. Prior to FIM, that was a completely manual effort. People would send in tickets: please update this DL, please add this person, please take this person off. Now it's automated. So when somebody moves to a different location or group or role, they're automatically deprovisioned out of the old DL and provisioned into the new DL.
 
FIM is a very easy-to-use tool. That's why our V.1 implementations let us do things like federate to the cloud but also, with respect to distribution list management, to deploy a portal to our corporate communications group...they can use this portal to create ad hoc DLs on the fly to meet whatever unique communication distribution need and with our Exchange environment, we can actually hide that DL so only they have access to it. But because FIM created it, behind the scenes it's automatically updated so they know the correct people are on it, and they can use that DL to send out whatever they need. That's something they can do on a self-service basis. So from that perspective, it's improving our corporate communications, lowering our cost to do that, because prior to that, we'd have to use different tools and use different request cycles to get it all done.

###