The Alabama Medicaid Agency was handling identity credential management in a decentralized, manual way. It was taking two IT staff members two hours a day to provision and deprovision users, with the possibility that systems might host outdated, erroneous, or inconsistent identity information. As part of a broader technology upgrade, the agency adopted Microsoft Identity Lifecycle Manager 2007, and expects to cut the time spent on identity management by 75 percent. With this solution, the agency also has increased the consistency of identity information across systems, boosted the security of its data and its compliance with privacy regulations such as HIPAA, and provided a flexible foundation for the continued growth of the identity management system to encompass more agencies in state government.
The Alabama Medicaid Agency is responsible for administering federal Medicaid assistance to more than one million people. Its annual budget makes it one of the larger agencies in the state government. Seven hundred agency employees work from offices spread across Alabama.
Operating on a Legacy Computing System
The agency was operating on a legacy Novell NetWare computing system and wanted a broad overhaul that would optimize the core infrastructure and the tools employees use to communicate and collaborate. To do so, it turned to InfraScience, a Microsoft Gold Certified Partner. The company showed the agency a complete technology road map, and then implemented a migration to the Windows Server 2003 operating system. (A migration to Windows Server 2008 is now planned.) That move made it possible for the agency to modernize its e-mail messaging system with Microsoft Exchange Server 2007 and to adopt Microsoft Office SharePoint Server 2007 for collaboration.
With employees making more use of the network and its resources than ever before, optimizing the management of identity credentials became increasingly important. Credentialing was handled in a decentralized and manual way. Though the agency had adopted Windows Server Active Directory Domain Services, the same user data was manually entered into the help-desk system, the mainframe, the Human Resources system, the resource allocation system, and several others.
Living with the Pain Points
This manual data entry kept two IT employees busy several hours per day, provisioning new users, deprovisioning users, and making changes or updates to existing user accounts. The IT department required three days’ notice to accommodate the process of adding new employees. Beyond the time and money absorbed by this manual effort was the potential for erroneous data entry and inconsistent information from system to system. The property inventory system, for example, might show an employee with a given set of computer and other resources, while the IT department that actually provided the equipment might show the employee with a different set.
Deprovisioning users who had left the agency had its own challenges. The IT department deprovisioned users based on notification from Human Resources. That notification had to come in a timely way to ensure that former employees were removed from the system promptly, without the opportunity to gain inappropriate access to network resources. In addition to the reasons any organization would want to guard against inappropriate access, the agency had additional concerns as a public sector organization and as one subject to the U.S. Health Insurance Portability and Accountability Act (HIPAA) governing the privacy of healthcare information.
By early 2009, the agency and InfraScience had implemented the operating system, communication, and collaboration portions of the technology road map upon which they had agreed. The agency was now ready to address the next step in that plan: the deployment of an identity lifecycle management solution that would handle the initial provisioning of users and extend to upgrades and changes in authorization all the way through to users’ eventual deprovisioning. Consistent with its broader move to embrace Microsoft technologies, the agency accepted the InfraScience recommendation that it adopt Microsoft Identity Lifecycle Manager 2007.
Implementing the Solution in Phases
Identity Lifecycle Manager provides an integrated and comprehensive solution for managing the entire life cycle of user identities and their associated credentials. It provides synchronization, user provisioning and deprovisioning, and certificate and password management in a single program that works across systems running both the Windows operating system and other systems, including those from other vendors.
InfraScience and the Alabama Medicaid Agency are implementing Microsoft Identity Lifecycle Manager 2007 at the agency in phases. The first phase included both autoprovisioning and synchronization of credentials, and was completed in mid-2009. Deprovisioning of credentials will come next. “InfraScience was instrumental in the design and installation of our Identity Lifecycle Manager deployment,” says Lesia Todd-Williams, Associate Director, Network and Systems Support, Alabama Medicaid Agency. “It was especially helpful in expediting the creation of user accounts and synchronizing users with their assigned IT equipment and resources.”
Provisioning Users, Synchronizing Credentials
Provisioning starts with the help-desk system, where users are entered and a job ticket is generated so that the user receives a computer and other technical resources. Data entered into the help-desk system on new employees is read by Identity Lifecycle Manager 2007 every half hour and propagated to the other target systems: Active Directory, Human Resources systems, the Medicaid Help Desk system, and several Microsoft SQL Server–driven business applications.
When IT personnel complete the Active Directory accounts for new employees, they do so using the prepopulated personal data provided by Identity Lifecycle Manager 2007, such as name, address, and phone number. The IT personnel need to add only information specific to Active Directory, such as associating the employee with an organizational unit to provide role-based rights to network resources.
Synchronization of credentials also takes place on a half-hour basis. Updates to an employee’s accounts—for example, a name or address change in the Human Resources system—are picked up by Identity Lifecycle Manager 2007 and automatically applied in the other systems, such as Active Directory.
The Alabama Medicaid Agency is finding that even after just the first phase of its Identity Lifecycle Manager 2007 deployment, it has streamlined credential management, a benefit it expects to grow as the deployment continues. The agency has also improved the consistency of its identity data, strengthened system security, and provided a flexible foundation for growth.
Cuts Estimated Credential Management Time by 75 Percent
The agency is in the process of reducing the time that IT personnel spend on credential management. When the Identity Lifecycle Manager 2007 deployment is expanded with deprovisioning capability, the agency will cut the time needed to provision/deprovision employees and to synchronize credentials among systems from two hours to 30 minutes, estimates Todd-Williams.
Some of that time savings will come from supervisors’ ability to implement changes for their employees—for example, to change the name of a newly married employee—a task that formerly required IT implementation.
“When IT staff members don’t have to do the routine functions of credential management, that frees significant time that can be used in more valuable ways,” says Todd-Williams. “We are a public agency, and we are responsible to the public for every dollar we spend. Identity Lifecycle Manager 2007 is helping us to be more efficient about a crucial component of network maintenance. We also run a lean IT operation, which makes time savings especially valuable.”
Boosts Consistency of Data
One of the biggest benefits that the agency derives from Identity Lifecycle Manager 2007, according to Todd-Williams, is greater consistency of data. “In the past, when synchronization was a manual process, it was possible for us to make errors in data entry,” she says. “There was also a problem with the inevitable time lag when moving information from one system to another. The IT system might show that we had moved equipment to or from an employee’s office, for example, but the inventory system might not be notified of the change until later. That sort of issue is eliminated with Identity Lifecycle Manager 2007. We know that all systems being served by Identity Lifecycle Manager 2007 have the same identity information, and that all information is up-to-date.”
Enhances System Security and Compliance
Synchronization of credentials among target systems, and especially the synchronization of updates or changes to those credentials, enhances the security of the agency’s data. Todd-Williams explains: “Because of the sensitivity of our data, and because we are subject to the privacy protections of HIPAA, access to information is strictly on a need-to-know basis. Often, when people change jobs at the agency, the extent of their access to that information changes as well. With Identity Lifecycle Manager 2007, we know that those changes are propagated to other connected systems quickly, and that people have the appropriate level of access to information. That helps to keep us in compliance with HIPAA, too.”
As the agency takes advantage of more capabilities of Identity Lifecycle Manager 2007 in subsequent deployment phases, it will further enhance the security of its data. For example, the addition of automated deprovisioning will make it possible for an employee to be deprovisioned from one system, such as the Human Resources system, and to have Identity Lifecycle Manager 2007 automatically deprovision the employee from all other connected systems. “We can only deprovision an employee when we receive notification from Human Resources,” says Todd-Williams. “With Identity Lifecycle Manager 2007, we will eliminate any delay in deprovisioning, and we put the authority for it where it belongs, with Human Resources.”
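The provisioning and synchronization flow described above (help-desk entry propagated to Active Directory and other targets, HR changes flowing out on each cycle, and HR-driven deprovisioning), modelled as a small sync engine. This is an added illustration, not Identity Lifecycle Manager code or anything from InfraScience or the agency; the source and target systems are in-memory dictionaries with constructed sample records, the per-attribute precedence rules are an assumption, and terminated or orphaned accounts are disabled rather than deleted so that the action is reversible and auditable.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Which source wins for each attribute (assumed rules, not the agency's).
# HR is authoritative for name and address and for termination status;
# the help desk is the only source that carries the phone number.
PRECEDENCE = {
    "givenName": ["hr", "helpdesk"],
    "sn": ["hr", "helpdesk"],
    "address": ["hr", "helpdesk"],
    "phone": ["helpdesk"],
}

# Constructed sample data for the two source systems.
HELPDESK = {
    "jdoe":   {"givenName": "Jane", "sn": "Doe", "address": "1 Main St", "phone": "334-555-0100"},
    "bsmith": {"givenName": "Bob", "sn": "Smith", "address": "9 Elm St", "phone": "334-555-0101"},
    "nnew":   {"givenName": "Nia", "sn": "New", "address": "5 Pine Rd", "phone": "334-555-0102"},
}
HR = {
    "jdoe":   {"givenName": "Jane", "sn": "Doe-Lee", "address": "2 Oak Ave", "status": "active"},
    "bsmith": {"givenName": "Bob", "sn": "Smith", "address": "9 Elm St", "status": "terminated"},
}


@dataclass
class ConnectedSystem:
    """A target system (e.g. Active Directory, property inventory) holding accounts."""
    name: str
    accounts: Dict[str, dict] = field(default_factory=dict)


def aggregate(sources: Dict[str, Dict[str, dict]]) -> Dict[str, dict]:
    """Join every user seen in any source into one record, applying PRECEDENCE."""
    users = set()
    for records in sources.values():
        users.update(records)
    merged = {}
    for uid in sorted(users):
        rec = {}
        for attr, order in PRECEDENCE.items():
            for src in order:
                val = sources.get(src, {}).get(uid, {}).get(attr)
                if val is not None:
                    rec[attr] = val
                    break
        # A user with no HR record yet (a new hire entered at the help desk) is active.
        status = sources.get("hr", {}).get(uid, {}).get("status", "active")
        rec["enabled"] = status != "terminated"
        merged[uid] = rec
    return merged


def export(merged: Dict[str, dict], targets: List[ConnectedSystem]) -> List[str]:
    """Push merged records to each target; returns a change log for audit."""
    log = []
    for t in targets:
        for uid, rec in merged.items():
            acct = t.accounts.get(uid)
            if acct is None:
                if not rec["enabled"]:
                    continue  # never create an account for a terminated person
                t.accounts[uid] = dict(rec)
                log.append(f"{t.name}: provisioned {uid}")
                continue
            if acct.get("enabled", True) and not rec["enabled"]:
                acct["enabled"] = False  # HR termination propagates as a disable
                log.append(f"{t.name}: disabled {uid}")
                continue
            for attr, val in rec.items():
                if acct.get(attr) != val:
                    acct[attr] = val
                    log.append(f"{t.name}: updated {uid}.{attr}")
        # Accounts in the target that no source knows about are the classic
        # leftover-access risk; disable them and surface them in the log.
        for uid in list(t.accounts):
            if uid not in merged and t.accounts[uid].get("enabled", True):
                t.accounts[uid]["enabled"] = False
                log.append(f"{t.name}: disabled orphan {uid}")
    return log


def drift(targets: List[ConnectedSystem]) -> List[Tuple[str, str, dict]]:
    """Report attributes whose values differ between connected systems."""
    by_user: Dict[str, Dict[str, dict]] = {}
    for t in targets:
        for uid, acct in t.accounts.items():
            by_user.setdefault(uid, {})[t.name] = acct
    report = []
    for uid, systems in sorted(by_user.items()):
        attrs = set().union(*(a.keys() for a in systems.values()))
        for attr in sorted(attrs):
            vals = {name: a.get(attr) for name, a in systems.items()}
            if len(set(vals.values())) > 1:
                report.append((uid, attr, vals))
    return report


def build_targets() -> List[ConnectedSystem]:
    """Fresh constructed targets: AD holds a stale surname, an enabled account for a
    terminated user and an orphan; inventory holds a wrong phone number for jdoe."""
    ad = ConnectedSystem("ad", {
        "jdoe":    {"givenName": "Jane", "sn": "Doe", "address": "1 Main St", "phone": "334-555-0100", "enabled": True},
        "bsmith":  {"givenName": "Bob", "sn": "Smith", "address": "9 Elm St", "phone": "334-555-0101", "enabled": True},
        "oldtemp": {"givenName": "Old", "sn": "Temp", "enabled": True},
    })
    inventory = ConnectedSystem("inventory", {
        "jdoe": {"givenName": "Jane", "sn": "Doe", "address": "1 Main St", "phone": "334-555-0199", "enabled": True},
    })
    return [ad, inventory]


def run_cycle():
    """One half-hourly cycle: drift before, change log, drift after, and the targets."""
    targets = build_targets()
    before = drift(targets)
    log = export(aggregate({"helpdesk": HELPDESK, "hr": HR}), targets)
    return before, log, drift(targets), targets


if __name__ == "__main__":
    before, log, after, _ = run_cycle()
    print("drift before:", before)
    print("\n".join(log))
    print("drift after:", after)
```

The change log is the artefact to keep: every disable or provision is attributable to a source-system change, which is what an auditor or a HIPAA access review will ask for. Running `drift()` before each cycle is also a cheap detection control for the inconsistency problem the agency describes, since an account that differs between systems, or that exists in a target without a source record, is exactly the condition a manual process tends to leave behind.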
Provides Flexible Foundation for Growth
In addition to using broad capabilities of Identity Lifecycle Manager 2007, the agency intends to expand its deployment to cover more systems, such as its mainframe and newly developed line-of-business applications. It also has the option to add capabilities such as certificate life-cycle management.
Todd-Williams also envisions the potential expansion of the Identity Lifecycle Manager 2007 deployment beyond the confines of the Alabama Medicaid Agency to include other state departments and agencies, such as the Department of Public Health and the Department of Human Resources. “There is a big push in state government to coordinate systems so that citizens can go to one Web site, answer some questions, and receive a comprehensive list of the state benefit programs for which they qualify,” she says.
“We brought in Microsoft BizTalk Server 2006 to make it possible for state systems to interoperate,” she continues. “We share a lot of the same clientele with the Departments of Public Health and Human Resources. There’s a great opportunity to use Identity Lifecycle Manager 2007 to coordinate client identities so that an update in one system is automatically propagated to the other systems. We’ve only begun to implement what Identity Lifecycle Manager 2007 can do for us.”
Looking beyond Identity Lifecycle Manager 2007, Todd-Williams says the agency will likely adopt its successor, Microsoft Forefront Identity Manager 2010, when that product is released. The new version will make it possible for the agency to use Web-based workflow and self-service features. It will also provide a way to build and customize identity aggregation and synchronization rules through a Web-based graphical user interface rather than through custom coding.
Microsoft Server Product Portfolio
For more information about the Microsoft server product portfolio, go to:
For More Information
For more information about Microsoft products and services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (877) 568-2495. Customers in the United States and Canada who are deaf or hard-of-hearing can reach Microsoft text telephone (TTY/TDD) services at (800) 892-5234. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information using the World Wide Web, go to:
For more information about InfraScience services, call (866) 485-0815 or visit the Web site at:
For more information about Alabama Medicaid Agency services, call (334) 242-5000 or visit the Web site at: