As technologies have improved and the value of the Internet to business has exploded because of technologies like Java and XML, the abilities of vendors to graphically and accurately represent the status of hardware, network and application components became much more robust.
Detailed maps and schematics replaced basic geometric shapes containing the names of hardware components impacted by outages. These visually rich representations of Information Technology (IT) infrastructures could be found in every sales brochure and were the promise of every software salesman.
In 2004, there are vendors with families of integrated products that can finally deliver on the promise of linking IT infrastructure to business services. This IT-business alignment, or "Business Service Management" (BSM), results in proper levels of escalation and focused resolution, which vastly improves the services delivered. To define BSM in simple terms, a failed router is no longer simply a red icon on a screen full of icons. Thanks to powerful correlation engines and the ability to monitor virtually every application and the underlying hardware and network components, the failed router now results in notifications to management, administrators, etc. With BSM, these alerts also contain information about the business applications, services and even customers affected by the failed router.
Foundational to any organization based on a complex IT infrastructure is identity management and, as such, identity management capabilities should be core in enabling business service management. Identity management is a phrase that is used and misused quite frequently. In an obvious sense, timely, accurate and secure creation and revocation of user access across the environment is absolutely the first step toward service-related management of an organization's IT infrastructure. If a customer can't log in to your external portal and order services from you because they've forgotten their password, that's a business impact of the highest priority.
Identity management solutions have tentacles that reach throughout every part of the organization. Users, both internal and external, have entitlements in databases, mainframes, network operating systems, directories, email systems, custom applications, etc. Identity management solutions ensure that users have the access that they need to every part of the IT infrastructure that they need access to in order to do business.
As organizations deploy BSM solutions, there are key identity management capabilities, or services, that must be in place and monitored in order for an effective business service management strategy to be deployed:
- Password Management Service (PmS) – Enables internal and external users to reset their own passwords/tokens to systems and applications. PmS can positively affect system and application availability through timely internal user access restoration as well as revenue through timely external business partner or customer access restoration. Adverse impacts to any component of this service must be quickly identified, associated to the PmS and escalated to management, administrators and support staff.
- Provisioning Enablement Service (PeS) – Enables automated and self-service entitlement creation, revocation and life cycle management for internal and external users for systems and applications (legacy and Web). Again, positive changes to revenue and internal operations result from reliable and automated entitlement provisioning. Unplanned or extended outages of any component of this service are critical and need to be presented as detriments to a service that is integral to the continued delivery of high-value business services.
Both of these critical subsets of identity management can be nested under a higher-level identity management service category.
In this example, each icon can change color as any component (hardware, application, network, performance, etc.) comprising the service fails or performs below agreed-upon service levels. An effective BSM solution would then allow the relevant technical staff to drill down from the management console into the failed or underperforming IT component. Again, the premise is that the underlying infrastructure management solutions report the errors, and the service management correlation engine translates the errors into business service impacts and either corrects them or informs the correct people based on the effect on the business.
The concept of business service management encompasses management solutions outside the scope of identity management. The goal of BSM is to seamlessly integrate these management solutions and leverage their capabilities effectively. The integration of identity management services within the overall BSM theme is vital to the successful deployment of a business-focused IT infrastructure management solution.
The following use case scenarios demonstrate how identity management services can facilitate a BSM implementation.
Use Case #1
• Enterprise Monitoring infrastructure forwards CRM response time metrics to Correlation Engine
• Correlation Engine detects trend leading toward eventual service level violation
• Correlation Engine requests CRM service escalation contacts from Identity Management Service (e.g. sales management, Siebel administration management, etc.)
• Identity Management Service queries corporate directories for CRM service owners based on directory attributes and returns information to Correlation Engine
• Correlation Engine notifies CRM service owners of escalating response times and service level violation possibility
• Correlation Engine opens case in Help Desk and routes to Siebel application support
• Correlation Engine triggers automated CRM response time diagnosis utilizing the Enterprise Monitoring service
End result: relevant parties notified of pending SLA impact, help desk case opened and assigned, automated CRM response time diagnosis initiated
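The flow of Use Case #1, sketched as an added example that is not from the article or any vendor product: a least-squares trend over response-time samples projects when the SLA would be breached, and owners are resolved by directory attribute. The directory entries, the `serviceOwner` attribute, the action names and the 60-minute horizon are all assumptions made for illustration.

```python
# Constructed directory entries; "serviceOwner" is a hypothetical attribute.
DIRECTORY = [
    {"mail": "bchen@example.com", "role": "Siebel administration management", "serviceOwner": ["CRM"]},
    {"mail": "arivera@example.com", "role": "sales management", "serviceOwner": ["CRM"]},
    {"mail": "dkim@example.com", "role": "finance IT", "serviceOwner": ["Billing"]},
]

# Constructed CRM metrics: (minute, response time in ms), rising 20 ms/minute.
SAMPLES = [(0, 800), (5, 900), (10, 1000), (15, 1100), (20, 1200)]

def project_breach(samples, sla_ms):
    """Fit a least-squares line and return minutes from the last sample until
    it crosses sla_ms; None when the trend is flat or improving."""
    n = len(samples)
    if n < 2:
        return None
    mean_t = sum(t for t, _ in samples) / n
    mean_v = sum(v for _, v in samples) / n
    sxx = sum((t - mean_t) ** 2 for t, _ in samples)
    if sxx == 0:
        return None
    slope = sum((t - mean_t) * (v - mean_v) for t, v in samples) / sxx
    if slope <= 0:
        return None
    intercept = mean_v - slope * mean_t
    return max(0.0, (sla_ms - intercept) / slope - samples[-1][0])

def escalation_contacts(service):
    """Identity Management Service step: owners selected by directory attribute."""
    return sorted(e["mail"] for e in DIRECTORY if service in e["serviceOwner"])

def correlate(service, samples, sla_ms, horizon_min=60):
    """Correlation Engine step: act only if a breach is projected within the horizon."""
    eta = project_breach(samples, sla_ms)
    if eta is None or eta > horizon_min:
        return []
    actions = [("notify", mail, round(eta)) for mail in escalation_contacts(service)]
    actions.append(("helpdesk.open_case", service, "Siebel application support"))
    actions.append(("monitoring.run_diagnosis", service))
    return actions

if __name__ == "__main__":
    for action in correlate("CRM", SAMPLES, sla_ms=2000):
        print(action)
```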
Use Case #2
• Enterprise Audit Service detects flood of failed password change attempts on business critical UNIX file server
• Enterprise Audit Service policy determines possible brute force attack attempt and forwards information to SIM
• SIM determines criticality of brute force attempt based on the services associated with the UNIX file server
• SIM sends instructions to Identity Management Service to revoke the account being used in the brute force attack and to force the account off the domain or local server
• SIM opens case in Help Desk and routes to server administration owner and the owners of the potentially affected services
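The detection and response chain of Use Case #2, as an added example that is not from the article or any vendor product: a sliding-window audit policy flags the flood, and the SIM step rates it by the services mapped to the host before emitting identity-management and help desk actions. The inventory, event format, action names, thresholds and the criticality gate on revocation are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed inventory: host -> admin owner and services (name, criticality 1-5, owner).
INVENTORY = {
    "unixfs01": {"admin": "unix-admins",
                 "services": [("CRM", 5, "sales-mgmt"), ("Billing", 4, "finance-it")]},
    "devbox07": {"admin": "dev-admins", "services": [("Sandbox", 1, "dev-leads")]},
}

def detect_floods(events, threshold=5, window=timedelta(seconds=60)):
    """Audit policy: flag (host, account) pairs with at least `threshold`
    failed password changes inside any sliding window."""
    recent, flagged = defaultdict(deque), []
    for ts, host, account, outcome in sorted(events):
        if outcome != "PWCHANGE_FAIL":
            continue
        q = recent[(host, account)]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and (host, account) not in flagged:
            flagged.append((host, account))
    return flagged

def sim_respond(host, account, revoke_at=4):
    """SIM step: rate the finding by the most critical service on the host,
    then emit identity-management and help desk actions."""
    entry = INVENTORY.get(host, {"admin": "unassigned", "services": []})
    criticality = max((c for _, c, _ in entry["services"]), default=0)
    actions = []
    if criticality >= revoke_at:  # assumed gate; the article does not specify one
        actions.append(("idm.revoke_account", account))
        actions.append(("idm.force_logoff", account, host))
    routed = [entry["admin"]] + [owner for _, _, owner in entry["services"]]
    actions.append(("helpdesk.open_case", host, criticality, tuple(routed)))
    return actions

def sample_events():
    """Constructed audit events: a burst against unixfs01, slow noise elsewhere."""
    t0 = datetime(2004, 6, 1, 3, 0, 0)
    burst = [(t0 + timedelta(seconds=4 * i), "unixfs01", "jdoe", "PWCHANGE_FAIL") for i in range(8)]
    noise = [(t0 + timedelta(minutes=10 * i), "devbox07", "asmith", "PWCHANGE_FAIL") for i in range(3)]
    return burst + noise + [(t0 + timedelta(seconds=5), "unixfs01", "mlee", "PWCHANGE_OK")]

if __name__ == "__main__":
    for host, account in detect_floods(sample_events()):
        for action in sim_respond(host, account):
            print(action)
```

Routing the case to every service owner on the host, not only the server administrator, is what ties the security event back to the affected business services.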
The advances realized by systems and application management solution providers have resulted in attainable management solutions that associate an organization's information technology infrastructure components with the company's business strategy and manage the infrastructure and business seamlessly. Identity and access management solutions have matured and gained in significance outside traditional BSM circles, but now is the time to consider the implications of identity for an organization's ability to deliver world-class services.
Gary Holland, CISSP is a security expert with BMC Software.