Identity management under global spotlight

When it works well, identity management can be a powerful enabler of business processes. When it doesn't, it can present a serious weak spot.
By Alkesh Patel, Principal consultant of security and privacy services at IBM SA.
Johannesburg, 21 Jul 2006

The movie "Catch Me If You Can" demonstrated how someone could steal identities and profit at others' expense.

In reality, identity theft is the domain of organised criminals and their hacker allies who trade in consumer credit card information and internal company data that flow across millions of Web sites with increasing velocity.

This creates a huge problem for businesses that need to clearly, quickly, and accurately identify and verify system users before giving them access to data or resources. Increasingly, companies are realising that many identity and authentication systems fail to provide adequate security and privacy.

Main drivers

The external drivers for effective identity and access management are clear: regulations and compliance initiatives demand strong controls on identity, authentication and authorisation practices as well as auditing and reporting on the effectiveness of these processes.

At the same time, business models are changing, requiring greater integration of processes and systems between clients, suppliers and other business partners. This in turn results in higher volumes of identities and authentication mechanisms to manage.

From an internal perspective, an effective identity management system can reduce help-desk costs as well as the risk of passwords being exposed while increasing the efficiencies of user lifecycle management.

Demands for strong identity and authentication capabilities are on the rise. While more than 90% of systems currently use passwords as their primary authentication method, biometrics will become the ubiquitous form of authentication in the next five to 10 years.

Key components

Identity management is a process for recognising and monitoring users and granting or restricting their access to business assets or resources. Identity management systems help to automate the functions performed by identity management processes and workflow.

When it works well, identity management can be a powerful enabler of efficient and effective business processes. When it doesn't, it can present a serious weak spot for an organisation.

There are three key capabilities required for effective identity and access management:

* Identity proofing: validating the claimed identity of a user who is accessing organisation data. Considering the damaging effects of identity theft, it is imperative that strong identity proofing addresses the threats to personal privacy.
* Identity lifecycle management and provisioning: As companies deal with the challenges of regulatory compliance, high employee turnover and trying to do more with fewer resources, effectively managing identities throughout their lifecycle has become very important. The process includes initial enrolment, approvals, provisioning, password management, modification, re-certification, and removal of user IDs, applications, privileges and resource access and credentials.
* Access management: the infrastructure, policies and processes that allow identification, authentication and authorisation of users to ensure that access requests are granted or denied based on privilege rights.

Where to start?

Here is a plan of action to help get the basics in place for secure identity and access management:

First, shut the door on former employees who maintain valid company IDs and passwords. With the high rate of employee turnover it's not unusual for 20% of company accounts to belong to people who no longer work for the organisation. If these accounts are not terminated, former employees will be able to roam freely inside the enterprise.

Second, a bigger problem is current employees who have unrestricted access to company systems and data unrelated to their job responsibility. Security policy should restrict employee access to pertinent areas of their business. Also, the organisation should be able to monitor this activity and take action where necessary.

Third, recognise that home-grown security code is highly vulnerable to hacker attack. A hacker can access a public Web site linked to an internal distributed file system and gain access to company and customer files. The fix is to replace patchwork security code with a sophisticated security architecture that closes the access holes between different parts of the business and provides security controls that match the level of risk to the business if the data or systems were to be compromised.
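The first two steps above can be checked by reconciling an account export against the HR roster. The following is an added example, not part of the original article; the CSV layouts, usernames, roles and entitlement names are constructed assumptions.

```python
import csv
import io

# Constructed sample data (assumed formats, not from the article).
HR_ROSTER = """employee_id,status,role
1001,active,finance
1002,terminated,finance
1003,active,helpdesk
"""

ACCOUNTS = """username,employee_id,enabled,entitlements
tmaseko,1001,true,ledger;payroll
bnkosi,1002,true,ledger
cdlamini,1003,true,tickets;payroll
svc_old,,true,fileshare
dmokoena,1004,false,ledger
"""

# Hypothetical baseline: the entitlements each job role is expected to hold.
ROLE_BASELINE = {"finance": {"ledger", "payroll"}, "helpdesk": {"tickets"}}


def review_accounts(hr_csv, accounts_csv, baseline):
    """Return (orphaned, excess).

    orphaned: enabled accounts with no active employee behind them.
    excess:   username -> entitlements beyond the owner's role baseline.
    """
    roster = {r["employee_id"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    orphaned, excess = [], {}
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        if acct["enabled"].strip().lower() != "true":
            continue  # already disabled, nothing left to terminate
        person = roster.get(acct["employee_id"])
        if person is None or person["status"] != "active":
            # Step one: leaver, unknown owner, or unowned account.
            orphaned.append(acct["username"])
            continue
        granted = set(filter(None, acct["entitlements"].split(";")))
        # Step two: a role missing from the baseline allows nothing,
        # so every entitlement on such an account is reported.
        extra = granted - baseline.get(person["role"], set())
        if extra:
            excess[acct["username"]] = sorted(extra)
    return sorted(orphaned), excess


if __name__ == "__main__":
    print(review_accounts(HR_ROSTER, ACCOUNTS, ROLE_BASELINE))
```

Accounts with an empty or unmatched owner are reported as orphaned rather than skipped, so shared and service accounts surface in the same review.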

In summary, the benefits to the business of effective identity and access management include the following:

* Enable new services with greater assurance of confidentiality and privacy.
* Enable collaboration between employees, partners and clients.
* Greater consumer confidence in using Internet channels for business.
* Lower risk of fraud and theft by protecting against unauthorised access.
* Reduce cost of administration and operations by improving processes.
* Offer accountability and non-repudiation.
* Provide audit trails of user actions.
