Tracking Digital Identities: No Holiday for UPSBy Bob Violino | Posted 2006-12-20 Email Print
Modernizing Authentication — What It Takes to Transform Secure Access
The delivery service expects to hire more than 50,000 seasonal workers. Keeping track of them and their digital identities requires more than a few elves.
For UPS, Christmas comes early.
On Wednesday, Dec. 20, it expects to deliver 21 million packages, up by 6 million, or 40%, from its usual amount. To prepare for the busy season, the company in early November started bringing on 50,000 to 60,000 temporary workers to help sort, load and deliver packages, swelling the ranks of the company, which normally employs about 350,000 in the U.S.
Keeping track of each employee and his or her access to business applications is a major chore for UPS, or any organization with a large number of seasonal or even full-time workers. By using identity management software, however, UPS has automated some processes involved with giving employees a digital identity and a password for access to its corporate portal or other applications. One benefit: The help desk now receives 24,000 calls a year to reset passwords and update employee profiles, a decrease of 16,000, or 40%, from past years when identity management software was not in place.
UPS deployed IBM's Tivoli Identity Manager in November 2004 to provide access to its Enterprise Portal, the site where workers can communicate with other employees, update their personal data such as contact information, and access links to health-care and other benefit sites.
The identity manager, which runs on IBM mid-range systems using the AIX operating system, includes a central, companywide catalog of U.S.-based employees, and details the systems and applications each can access.
Before selecting the software, UPS conducted a market analysis and developed requirements with help from technology research firms, then sent these to several vendors. A key consideration, according to Paul Abels, manager of security policy and strategy: Could the product accommodate the size of the UPS workforce? Citing company policy, he declines to disclose the names of the other vendors considered.
What prompted UPS to make this $1.5 million investment in software, hardware and labor? The company wants to enable employees to change or reset their own passwords when they forget them instead of relying on someone on the tech staff for help. "With hundreds of thousands of employees, if 5% forget their password, that's a lot of calls to the help desk," Abels says.
The project "was justified by [the expected] reduction on help desk costs," he adds. The software is credited with reducing the number of calls related to the access of the portal by 60%, resulting in a labor savings of 120 hours per week for that process alone. If the 120 hours represents three full-time equivalents paid $60,000 a year each, the savings totals $180,000 a year. Abels declined to discuss cost savings with Baseline.
Other benefits: improved security and a better ability to comply with the Sarbanes-Oxley Act, a measure that requires companies to ensure the accuracy of financial statements.
Here's how the UPS identity management system works:
When someone is hired, his name, job title and responsibilities are entered into the company's PeopleSoft human-resources application. Each day, the information from the PeopleSoft application is loaded into the Tivoli Identity Manager, Abels says.
He acknowledges that there were some challenges in getting the identity management system to share information, such as employee names and responsibilities, with the PeopleSoft application and other programs. For example, UPS built an application over two months to extract employee information from PeopleSoft. Then, UPS, working with IBM as a consultant, programmed the software so the personnel records could be inserted into the identity managerwork that took about five months.
Now, when a new driver is hired, information such as his name and role is fed from the HR database to the identity manager, which automatically provides access rights for particular systems and applications.
"There are certain things we want every employee to have access to, such as the employee portal," Abels points out. Otherwise, access is generally determined based on the department a person works in and the job function.
The decision of who gets access to which applications is generally made by department managers. "It's a fairly limited number of applications they get access to automatically," Abels says. UPS continues to fine-tune the IBM software to provide access to systems based on an employee's role and department.
The identity management software is programmed to deny access to servers that house financial data, Abels says. That policy is intended to ensure that UPS complies with Sarbanes-Oxley.
In another benefit tied to Sarbanes-Oxley compliance, UPS uses the software to immediately turn off access when a worker is terminated or voluntarily leaves the company.
The SarbOx law says that "companies must protect the integrity of their financial information," Abels explains. "That is widely interpreted to mean that they need to follow security 'best practices' in protecting this data. Removal of ex-employee access is widely viewed as being a best practice that a company must follow to qualify as exercising due care."
That's because once a person has left the organization (particularly if that person was terminated), the concern for fraud or other misuse of corporate information increases. Abels says: "Again, it is a security 'best practice' to ensure former employees do not have access to corporate information."
Previously, UPS relied on a time-consuming process for granting and denying access. To shut off access to e-mail and other applications for former employees, "We used to have to manually delete [access privileges] in a whole bunch of systems," Abels says. "Much of that takes place automatically now."
Jonathan Penn, principal analyst for identity and security at Forrester Research, says regulatory compliance has been a key driver of identity management for several years. "And you can expect companies will continue to invest in ID management to solve compliance issues for several years to come," he says.
UPS codes the identity manager software so it can be used to provide and take away access to most servers and applications used for a variety of business processes, not just those relating to financial data, new applications and the employee portal.
According to Abels, it's unlikely that the company will ever provision access to all applications automatically: "Some, for example, legacy CICS [Customer Information Control System], which allows employees online access to data through 3270 sessions, and RACF [Resource Access Control Facility], which provides mainframe security, will always require some manual work."
Looking ahead, the company is exploring the use of "federated" identity management, a standards-based approach that enables people to use the same user name, password or other identification to log on to corporate networks.
Is UPS more secure today than it was before using the identity management software? Abels says it is, but declined to disclose the metrics behind how and why.
Mark A. Lobel, a partner at PricewaterhouseCoopers' advisory services group who is not affiliated with the UPS project, says identity management software can make an organization more secure, but its success hinges on more than the software itself. An organization, he says, also needs people and processes to improve security, to make it more efficient and consistent.