4-page Case Study - Posted 5/27/2009
Trade Association Enhances Security, Cuts Credential Management Work by 75 Percent
The National Rural Electric Cooperative Association (NRECA) represents the interests of more than 900 rural electric cooperative utilities in the United States. NRECA has 800 employees who provide trade association member services in addition to insurance and financial services for approximately 300,000 plan participants and beneficiaries. To keep data about those members, employees, and participants confidential, the NRECA Information Security staff has to closely monitor and control NRECA employee identity credentials, which used to be a largely manual process. With the help of Logic Trends, a Microsoft® Gold Certified Partner, NRECA deployed Microsoft Identity Lifecycle Manager 2007 to automate credential management. With new identity management tools, NRECA has been able to strengthen the protection of business systems, cut credential management time by 75 percent, and boost employee productivity.
Situation
The National Rural Electric Cooperative Association (NRECA) is the national trade association for more than 900 rural electric cooperative utilities in the United States. The association provides national leadership and member assistance through legislative representation before the U.S. Congress and the Executive Branch; representation in legal and regulatory proceedings affecting electric service and the environment; communication; education and consulting for cooperative directors, managers and employees; energy, environmental, and information research and technology; training and conferences; and insurance, employee benefits and financial services. NRECA is based in Arlington, Virginia, and has 800 employees.
Excessive Credential Management Work Sidetracked Staff
Richard Condello, Director of Business Services and Information Security for NRECA, heads up the team that manages identity credentials for the association’s employees. Most of the association’s core business systems run under the Windows Server® 2003 operating system, and NRECA uses the Active Directory® directory service for authenticating and authorizing users. However, NRECA formerly ran multiple instances of Active Directory across different offices and environments, and each instance was managed independently by a different administrator, which resulted in duplication of user data, data errors, and redundant work.
“Our user lifecycle management processes were driven by a series of human interfaces and processes, electronic messages and forms, and custom scripting,” Condello explains. “These processes were well understood but injected a significant number of ‘touch points’ for Human Resources administrators and security personnel. We wanted to automate many of our credential management chores and standardize the scripting elements into a common server/services interface. This would free up staff time to strengthen our enterprise security infrastructure.”
Similarly, when the NRECA Human Resources (HR) department hired a new employee, an HR administrator entered the individual’s name into the organization’s Oracle HR system. Condello’s Information Security team then had to check three different data sources to avoid user-name duplication in other business systems. The Information Security team also had to manually create user accounts, mailboxes, and other identity-related elements in the various business applications that the employee would need to access. Although the work was always completed before the employee actually started, it could take up to 12 hours to set up a new user with access to needed applications.
Manual Credential Changes Created Security Risks
When an employee left NRECA or changed departments, the Information Security staff had to ensure that the employee no longer had access to confidential member data regarding retirement savings or health plans. De-provisioning users was also a manual process and had to be performed separately in each business system. The team invested substantial effort to ensure that accounts were deleted and not “orphaned” in multiple systems, which could leave business systems vulnerable to unauthorized access.
Routine credential reporting was also a mostly manual process that ate up time and created security risks. The Information Security team used a combination of manual processes and automated data gathering to funnel user-credential data into a database created with Microsoft® Office Access® database software. From this database, the staff created quarterly reports on user authorization and access. Although functional, these processes were time intensive and error prone, leaving the opportunity for orphaned accounts. Plus, this manual audit process consumed a great deal of staff time. “We spent more than 40 hours a quarter creating identity credential reports,” says Jon Naglieri, Senior Application Security Architect for NRECA.
In addition, because the audits were performed only quarterly, any administrative errors may not have been identified until the next quarterly cycle. NRECA wanted to improve its ability to ascertain current authorization and access.
Solution
By mid-2007, NRECA knew that it needed to automate these manual, redundant identity management tasks. Because NRECA is largely a Microsoft software-based operation and familiar with the Microsoft environment, it made sense to look at Microsoft Identity Lifecycle Manager 2007 Feature Pack 1 (FP1). Identity Lifecycle Manager 2007 FP1 provides an integrated and comprehensive solution for managing the entire lifecycle of user identities and their associated credentials. It provides identity synchronization, certificate and password management, and user provisioning in a single solution that works across systems running the Windows® operating system and non-Microsoft systems.
“We’ve been able to reduce the 40 hours a quarter spent auditing identity credentials to as few as 10 hours…. This … enables us to spend more time strengthening our security infrastructure.”
Richard Condello, Director of Business Services and Information Security, National Rural Electric Cooperative Association
NRECA turned to Logic Trends, a Microsoft Gold Certified Partner that specializes in identity and access management (IAM) solutions, for assistance in implementing Identity Lifecycle Manager 2007. Logic Trends has created a methodology and training workshops for developing IAM strategy and deploying solutions while maintaining existing data services. “Our methodology encompasses requirements definition, needs discovery, business alignment, risk assessment, vendor-neutral technology assessment, recommendations, and planning, including estimates for cost resources and timelines,” says Andrew Ames, Vice President of Sales and Marketing for Logic Trends. “The resulting strategy and roadmap includes details on cost, resource requirements definition for various user-account scenarios, tasks, project plan, and an architectural specification.”
“The Logic Trends workshop gave us a major head start in mapping out our key identity and access management processes,” Naglieri says. “It gave us a lot of confidence that we had experienced professionals guiding us and sharing best practices.”
NRECA deployed Identity Lifecycle Manager 2007 FP1 in late 2008 and is implementing its functionality in phases. Using master user data from the Oracle HR system, NRECA uses Identity Lifecycle Manager 2007 to synchronize identity attributes with five target business systems, including multiple instances of Active Directory and the NRECA online HR management system. NRECA now has to enter new user accounts, or user-account changes, just once. More importantly, NRECA created an automated application that checks user names for duplication.
So that users can set their passwords in multiple systems at once, NRECA deployed the software’s password synchronization features to connect the organization’s five target business systems and simplify password management. Also, because password synchronization across multiple systems was perceived by users to be a great benefit, NRECA was able to take the opportunity to introduce password complexity at the same time.
Later in 2009, NRECA will implement the Identity Lifecycle Manager 2007 provisioning feature, which will automatically create new-user accounts in all target systems in real time. Automated user provisioning will enable new employees to be productive immediately. Automated user de-provisioning will enable NRECA to ensure that users who leave the organization no longer have access to corporate systems, and eliminate the need for Condello’s staff to manually delete users in multiple systems.
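The three controls described in this section (the HR system as the master source, the duplicate user-name check, and de-provisioning that leaves no orphaned accounts) come down to reconciling one authoritative list against each target system. The script below is an added illustration of that reconciliation, not NRECA's application or Identity Lifecycle Manager code; the HR records and account lists are constructed sample data, and in practice they would be exported from the HR system and from each target directory.

```python
"""Reconcile an HR master list against target-system account lists.

Added example (not NRECA's or Identity Lifecycle Manager's code): the HR
records and account lists below are constructed sample data.
"""
from collections import defaultdict

# Constructed HR master feed: employee id -> (user name, employment status)
HR = {
    "E100": ("jsmith", "active"),
    "E101": ("mlee", "active"),
    "E102": ("rgarcia", "terminated"),   # left the organization
    "E103": ("akhan", "active"),         # new hire, no accounts yet
    "E104": ("mlee", "active"),          # HR assigned a name already in use
}

# Constructed per-system account lists (user names present in each system)
TARGETS = {
    "AD-HQ":   {"jsmith", "mlee", "rgarcia"},
    "AD-West": {"mlee", "tpatel"},       # tpatel has no HR record at all
    "HR-Web":  {"jsmith", "rgarcia"},
}


def reconcile(hr, targets):
    """Return orphaned accounts, missing accounts and duplicate user names."""
    active = {user for user, status in hr.values() if status == "active"}
    # Orphaned: an account exists in a target system but its owner is not
    # an active employee (terminated, or never in HR). These are the
    # accounts a quarterly audit would otherwise have to find by hand.
    orphaned = {sys: sorted(accts - active) for sys, accts in targets.items()}
    orphaned = {sys: names for sys, names in orphaned.items() if names}
    # Missing: an active employee has no account in a target system yet.
    missing = {sys: sorted(active - accts) for sys, accts in targets.items()}
    missing = {sys: names for sys, names in missing.items() if names}
    # Duplicates: one user name assigned to more than one HR record.
    by_name = defaultdict(list)
    for emp_id, (user, _status) in hr.items():
        by_name[user].append(emp_id)
    duplicates = {u: ids for u, ids in by_name.items() if len(ids) > 1}
    return {"orphaned": orphaned, "missing": missing, "duplicates": duplicates}


def user_name_available(hr, targets, candidate):
    """Pre-creation check across HR and every target, so a name that exists
    only in one outlying system (e.g. a second AD instance) is still rejected."""
    taken = {user for user, _status in hr.values()}
    for accts in targets.values():
        taken |= accts
    return candidate not in taken


if __name__ == "__main__":
    import json
    print(json.dumps(reconcile(HR, TARGETS), indent=2))
```

Run on a real export, the "orphaned" list is the de-provisioning work queue and the "missing" list is the provisioning queue; the duplicate check is what the manual three-source lookup replaced.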
Benefits
By using Microsoft Identity Lifecycle Manager 2007 FP1 to integrate and automate the management of user identities and their associated credentials, NRECA has been able to streamline credential management, strengthen the protection of its business systems, and improve user productivity.
Credential Management Work Streamlined by 75 Percent, Enabling More Time to Strengthen Enterprise Security
Using Identity Lifecycle Manager 2007 to help manage its user credentials, NRECA has been able to reduce the work involved in managing its identity and security infrastructure. For example, the identity synchronization performed by Identity Lifecycle Manager 2007 replaced the redundant process of manually entering data into each system, improving the accuracy and timeliness of updates. NRECA has also cut the time needed to create user credentials by approximately 30 minutes for each new or rehired employee, a savings of approximately six hours a month.
“We’ve been able to reduce the 40 hours a quarter spent auditing identity credentials to as few as 10 hours, and we only have these 10 hours because we still have applications that have not been integrated with Identity Lifecycle Manager,” Condello says. “This 75 percent time savings enables us to spend more time strengthening our security infrastructure rather than performing routine record-keeping chores. Plus, we avoid hiring new staff members and contractors to handle the excessive credential management work.”
When NRECA implements user provisioning in Identity Lifecycle Manager 2007, it will realize another 30 percent time savings by eliminating the need to manually create and remove user credentials in multiple business systems. The system will pick up changes and additions made in the central Oracle HR system and automatically propagate them to other key business systems.
Enhanced Protection of Business Systems
Using Identity Lifecycle Manager 2007 to help manage its user credentials, NRECA has been able to increase the accuracy of credential data gathered from key enterprise applications. Identity Lifecycle Manager 2007 receives updates from the corporate HR system every two hours, which gives the Information Security team an up-to-date assessment of currently active user credentials. “For the systems integrated with Identity Lifecycle Manager 2007, we estimate that we’ve reduced our errors associated with employee transfers to almost zero, and by at least 70 percent across all systems,” Naglieri says. “As we introduce provisioning, this will enable employees to be productive on needed applications and will minimize the chance that employees will retain access to applications they shouldn’t have access to.”
Even better, the Information Security staff has been able to reduce the time needed to de-provision employees after they leave NRECA. “Using Identity Lifecycle Manager 2007, we’ve been able to reduce the time for employee deletions by 50 percent and decrease the number of orphaned accounts by 95 percent,” Condello says. “Rapid removal of employee credentials helps ensure that ex-employees do not have access to confidential NRECA business systems after they’ve left the organization.”
The ability to enhance user password complexity across key applications has also helped NRECA safeguard business systems. More-complex passwords are not as easily compromised or defeated.
Improved Employee Productivity
“We have been able to decrease the time for new-employee additions by an estimated 30 percent,” Naglieri says. “This will continue to assist new employees in becoming productive sooner by enabling them to access needed applications with shorter turnaround.”
In addition, because the solution will continue to reduce administrative overhead, the NRECA Information Security staff will be able to translate time savings into an emphasis on other key operational security tasks. NRECA estimates that efficiencies realized through automation could equate to a full-time position.
Microsoft Server Product Portfolio
For more information about the Microsoft server product portfolio, go to:
www.microsoft.com/servers/default.mspx
For more information on Microsoft Identity Lifecycle Manager 2007, go to:
www.microsoft.com/ilm2007
For More Information
For more information about Microsoft products and services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (877) 568-2495. Customers who are deaf or hard-of-hearing can reach Microsoft text telephone (TTY/TDD) services at (800) 892-5234 in the United States or (905) 568-9641 in Canada. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information using the World Wide Web, go to:
www.microsoft.com
For more information about Logic Trends products and services, call (770) 551-5050 or visit the Web site at:
www.logictrends.com or
www.logictrends.com/solu_iam_strategy.html
For more information about the National Rural Electric Cooperative Association, visit the Web site at:
www.nreca.coop