Managing the enterprise information network

Regular

posted 13 May 2005 in Volume 1 Issue 10

Identity management

By John Lamb

Security in many companies is failing to keep pace with the scale and complexity of safeguarding highly interconnected systems. As a result, as much as 75 per cent of all security breaches are internal, the product of breakdowns in basic precautions such as deleting out-of-date accounts.

Despite the emergence of a range of identity-management technologies that automate the process of checking who people are and what information they are authorised to access, many large organisations still rely on help desks to issue passwords and access privileges.

Manual security systems are notoriously slow and prone to human error. Delays in clearing new users, changing the privileges of existing ones and scrubbing out the details of people who have left an organisation not only reduce productivity, but also open up security loopholes.

For instance, one of the biggest headaches for security administrators is ensuring that orphan accounts – accounts that are no longer needed – are deleted in a timely fashion. There are plenty of examples of employees who have resigned or been dismissed who have subsequently been able to use their access privileges to wreak havoc on their former employers.

Help desks find it very difficult to manage the increasing numbers of people who need to access corporate systems: not only insiders but, with the growth of e-business, many outsiders as well, whose access needs to be carefully patrolled. Changes caused by mergers, acquisitions, reorganisations and downsizings just add to the workload.

The growing number of systems in each organisation brings additional complications. With numerous passwords to remember, security becomes increasingly burdensome for users. Password-related calls to a help desk can easily amount to one third of all queries. No wonder employees fall back on the tried and tested method of sticking passwords on their monitors.

Managing access levels for many different systems is an extra overhead, especially when managers want ever more detailed privileges that can extend to blocking particular fields on a single screen.

It doesn’t have to be like this. Identity-management technology – which consists of a range of techniques for automating most aspects of security – has the potential to relieve much of the burden by streamlining the process of accessing information resources.

Among the advantages of automation is that security becomes quicker and more consistent, which is especially important at a time when regulators are cracking down on corporate governance by insisting that key information is not only kept securely, but in a prescribed manner. New regimes such as Sarbanes-Oxley can only be administered with the help of IT.

Identity-management systems allow an organisation to enforce security policies by creating workflow processes that cannot be circumvented. For instance, when someone wants access to additional files, the system will take care of getting appropriate authorisation.

Gone are the days when it was possible to phone up an administrator and ask him or her to extend a password from 90 days to an indefinite period. With identity management the system dictates the procedures and immediately flags up any breach of company policy.

A typical identity-management system holds a directory of users and their privileges. It handles all the steps in setting up an account and, just as importantly, closing it. Systems usually include a self-service password-reset feature, enabling a user to change their password and unlock system access without making a help-desk call. Resetting can be done via a standard browser, with users authenticated by a number of questions they alone would know the answer to.
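The orphan-account clean-up and the policy flagging described above amount to reconciling the accounts that exist against the people who should have them. The sketch below is an added example, not code from the article or from any product; the account names, field names and dates are constructed sample data, and the 90-day limit is the figure the article uses.

```python
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90  # the 90-day limit the article uses as its example

# Constructed sample data (assumption): the HR roster is the source of truth for
# who should have access; the directory export lists accounts that actually exist.
HR_ROSTER = {
    "asmith": None,               # still employed (no leaving date)
    "bjones": date(2005, 3, 31),  # leaving date
    "cpatel": None,
    "dlee": date(2005, 4, 15),
}
DIRECTORY = [
    {"user": "asmith", "enabled": True, "max_password_age": 90},
    {"user": "bjones", "enabled": True, "max_password_age": 90},
    {"user": "cpatel", "enabled": True, "max_password_age": None},  # never expires
    {"user": "dlee", "enabled": False, "max_password_age": 90},     # closed properly
    {"user": "tempsvc", "enabled": True, "max_password_age": 90},   # nobody owns it
]


def audit_accounts(directory, roster, today):
    """Return sorted (user, finding, detail) tuples for enabled accounts only."""
    findings = []
    for account in directory:
        user = account["user"]
        if not account["enabled"]:
            continue  # a disabled account can no longer be used to log on
        if user not in roster:
            findings.append((user, "ORPHAN_NO_OWNER", "no HR record"))
        elif roster[user] is not None and roster[user] <= today:
            days = (today - roster[user]).days
            findings.append((user, "ORPHAN_LEAVER", f"left {days} days ago"))
        max_age = account["max_password_age"]
        if max_age is None or max_age > MAX_PASSWORD_AGE_DAYS:
            findings.append((user, "PASSWORD_POLICY", "expiry longer than policy"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_accounts(DIRECTORY, HR_ROSTER, date(2005, 5, 13)):
        print(*finding, sep="\t")
```

Run on a schedule against real exports, the same comparison turns account closure from a help-desk task into an exception report.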

Automating this aspect of security has important cost implications. The expense of supporting security via a help desk can be almost entirely eliminated. A large organisation fielding two to three thousand calls per month can reduce them to two or three.

Not surprisingly, suppliers are bullish when it comes to return on investment. They claim a system can pay for itself in just nine months in a large organisation. Then there is the convenience factor: the speed of making changes goes up, productivity improves, self-help makes security easier and company policies are enforced without having to check everything.

Identity-management systems enable organisations to adopt much improved methods of securing systems. Single sign-on, for example, eliminates the password headache by making it possible for users to access different systems from a single log-on.

The days of the static password may also be numbered, replaced with a range of techniques for digitally authenticating and authorising users. Security-minded companies are investing in alternatives such as digital certificates, one-time tokens, smart cards and biometric techniques that measure unique human characteristics.

These technologies provide surer methods of keeping tabs on users, especially in highly networked organisations that may be catering for users accessing corporate systems using wireless technologies. IBM, for instance, has equipped its latest ThinkPad T42 notebook with a fingerprint scanner to ensure that the right person is on the other end of the line.

Automation is vital to operating these encryption-based security systems.

Digital certificates, for example, need to be securely passed from one computer to another. This can be done using a technique called public-key encryption, which involves two keys: a private one and a public one. The public key is used to identify the sender of a message and has to be used in conjunction with the private key to decode a message. In effect, the public key is a digital signature.

Security has become a major issue in the business world, particularly as more and more business is conducted electronically; only with effective tools can senior managers be sure that the vital information on which their enterprise depends is safely under lock and key.

Copyright ©1994-2005 Ark Group Ltd All rights reserved. No part of this site or the publications described herein
may be reproduced in any form without the permission of Ark Conferences Ltd, Registered in England, No. 2931372.