Current Print Edition
August/September 2010
CMA Management is a dynamic business magazine designed to help senior management professionals make informed decisions and give them a strategic advantage. Published by CMA Canada, CMA Management is circulated to more than 35,000 CMAs and 10,000 CMA candidates and students. It is also available by subscription.

Managing identities

Until recently, identity management was all about reducing the cost of keeping tabs on users and their growing plethora of passwords, IDs, and access rights. But that was before regulatory compliance moved onto the corporate agenda.

By Jacob Stoller

When psychologist Erik Erikson coined the term “identity crisis” in the early ’70s, he never could have imagined that the term “identity” would someday connote something as impersonal as one’s electronic alter ego. Yet in the information age, that is precisely what the term now signifies — an entity consisting, essentially, of one’s login IDs, passwords, and security rights. Recent fears about identity theft reveal just how real this electronic entity has become to people. 

Looking after identities in a safe and efficient manner is a chore that organizations of all sizes are faced with. IDs and passwords have to be stored and monitored, rights have to be assigned according to corporate policies, and users have to be added and deleted in a timely fashion. Then there’s the problem of multiple identities; even in a small organization, a user might have separate logins to the network, email, and databases.  With the proliferation of Web applications, mobile devices and teleworking, this aspect of the problem is growing.     

The weakest link

When done manually, identity management can be a resource drain. For example, forgotten passwords account for the lion’s share of help desk calls in many organizations.  “If we ask users to remember a lot of user names and passwords,” explains Bruce Cowper, security lead for Microsoft Canada, “the probability of them coming back and having a problem — not being able to do their job because they can’t log on — or requiring things like password resets, etc. — becomes a challenge for the business to manage.”

The worst part of manual processes, however, is that they are error-prone and, therefore, dangerous. Whether it’s through negligence or overwork, the human link is often the weakest in the security chain. Everybody has heard stories of a company’s systems being hacked because a fired employee still had access rights to the corporate network, or because a password-weary user resorted to that old favourite “password.”

Identity management has two objectives: creating a system in which each employee is associated with a single digital identity, and managing these identities in a safe and secure manner that gives each employee access to the resources he or she needs. The pursuit of these goals used to be driven by economics, but that has changed, explains Idan Shoham, chief technology officer of M-Tech Information Technology, Inc.

“Five years ago the main driver was cost reduction,” Shoham says, “for example by reducing help desk call volume and making a commensurate reduction in head count.  Today, the main business driver is regulatory compliance, which in the identity management space is synonymous with internal controls and IT security.  U.S.-listed corporations worry about Sarbanes-Oxley, Canadian companies worry about PIPEDA privacy protection, financials worry about Gramm-Leach-Bliley, and so forth.”

This change in focus has forced highly regulated companies to act quickly — the possibility of a jail term is a powerful motivator for CEOs. As well, compliance legislation requires organizations to demonstrate the ability to manage not just data, but business processes. According to Chris Bauserman, manager of product management, Tivoli Security and compliance products for IBM, this has caused a fundamental change in the way the problem is approached. “It has become less of an IT-only problem and more of a business problem,” explains Bauserman, “particularly when it comes to the compliance controls around who has access to what and for what business reasons.”

Consequently, independently establishing who gets access to a particular server is no longer sufficient — the user has to be “known” to the application so that the application can provide intelligence as to whether to allow access to certain information under current conditions.  For example, an individual may have access to the corporate financials, but may not be able to see certain files during quarter-end reporting periods.   Providing “smart management” of user rights at this level requires that identities, and the business logic that governs them, flow from application to application.  This kind of integration is one of the toughest chores that IT can undertake.

Vendors like IBM and M-Tech have developed software solutions which address this issue on a global scale, pulling identities together as single entities, and allowing managers to view and manage all aspects of identity management under a single pane of glass.  This makes the business processes highly visible, and gives senior management instant control over policies and permissions.  It also automates the process of reporting to regulators.

Flexibility for smaller companies

Solutions of this sort, however, are not for the faint of heart — they can take years to implement, and with their current price tag, are only feasible for organizations with thousands of users.  For smaller companies, fortunately, there is some breathing room, at least as far as regulators are concerned. “Smaller companies are not scrutinized as much,” explains Vito Nozza, principal consultant at Toronto-based Quartet Consulting Services, “because either they don’t hold the public’s money, or they don’t hold public information — they have a bit of leeway. And if an asset’s only worth a quarter of a million, they don’t expect you to spend a million to protect it.”

The best approach for smaller organizations appears to be to put the global vision of identity management on the back burner, and go for partial solutions that will protect their most important assets while supporting their user access patterns.  “What we’re finding a lot of customers are doing,” explains Cowper, “is stepping back and starting to weigh, ‘well where’s my longer term investment?  Is it within my email or messaging system?  Is it that I perhaps need to extend that same messaging system out to the mobile devices?  Is it that I want to enable people to access these from home or branch offices, or whatever?’ ”

Costs can vary significantly. Organizations with relatively standard environments can utilize “out of the box” tools by vendors such as Quest Software that allow identity information to be synchronized between different platforms. As well, existing tools, such as Microsoft Active Directory, can be leveraged.  “What I’m seeing a lot of small and medium businesses do,” explains Cowper, “is making decisions based on the infrastructure investments that they’ve already made.”

In some environments, however, integration can require a significant investment. “The challenge is that if systems have grown up too organically,” says Cowper, “and you’ve got a database over here with its own user name and password, you’ve got an online system with a different user name and password, and of course the access to your network has yet another, it becomes harder to integrate, but certainly not impossible.”

Cowper notes that, when investing in identity management, organizations shouldn’t merely focus on the consequences of inaction, but should look at the upside. “What I would encourage people to do is think about identity management really as being something that can be a business enabler for them.  When I look at how Canadian businesses can be competitive, both in Canada and outside of Canada, being able to effectively do business with a lot of their external business partners and customers can certainly be a big advantage.”

Jacob Stoller (jacob@stollerstrategies.com) is a Toronto-based independent writer and researcher.  
