Managing the digital identity crisis
Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.
Once a sleepy IT backwater, identity management has been thrust into the spotlight over the past few years.
More and more companies, alarmed by the escalating incidence of identity theft, have come to understand the importance of protecting the integrity of digital information held about individuals.
According to a recent report prepared by Nemertes Research, the US based research firm, 38 per cent of all enterprises cite identity management as a top-funded security initiative. Looked at another way, as Microsoft, the world’s largest software developer notes, most organisations that Nemertes considers “leading-edge” in security deployment are focusing on identity management today.
Recent figures from industry analyst Morgan Keegan show that the global identity management market is worth about $4.8bn and is estimated to grow to about $10.7bn in 2007.Within those figures, Forrester Research estimates that identity management software is already roughly s $1.5bn annual business growing at nearly 30 percent a year - and for every dollar spent on software, it is estimated that there are five more spent on consulting and other services.
That is good news for companies such as IBM with its Tivoli suite of identity management tools and for Sun Microsystems, another market leader. “Identity management has become a hot topic,” says Sara Gates, Sun Microsystem's vice-president of identity management.
Several factors explain this dramatic change. First, while not directly related, the rash of high-profile “identity theft” cases – particularly those related to big US financial institutions – have sensitised companies to the need to protect their customers’ confidential information more effectively.
Since some of these security breaches involve insiders (typically disgruntled former or current employees) controlling who has access to what information – one important aspect of identity management – has become even more crucial.
Second, the growing complexity of business relationships and particularly the “virtualisation” of companies has made it increasingly important to have in place policies that enable partners to authenticate and manage their employee identities.
“Today, business success is dependant on fast and easy access to information,” notes IBM. “However, the internet-enabled rise of e-business has dramatically increased the scope and number of an organisation's constituencies, making information management, user management, and security management complex and expensive.”
IBM estimates that companies spend as much as $400 a year to manage a single user and up to 40 per cent of helpdesk costs are password related.
Industry experts say that companies spend $100 a year per employee alone on manually creating and resetting passwords. Meanwhile the average company has over 100 different directories in which identity information is stored. IBM estimates that up to 60 per cent of company access profiles are orphaned accounts (for example employees who have left the company or changed jobs) creating serious security gaps. with autonomic technology. Third, many companies face pressure to grow their top line revenues – particularly online – while keeping a lid on costs. In trying to do more with fewer resources, companies are facing the issues of high costs, business inefficiencies, and security exposures.
Meanwhile, IT administrators are tethered to manual security management processes, unable to focus on revenue enhancing initiatives. “ID management software that automates the process and coordinates changes can cut such costs in half,” says Stuart McIrvine, IBM's Director of corporate security strategy.
“Identity management systems are critical for organisations,” adds Bruce Schneier, a leading US security expert. But Mr Schneier, who founded Counterpane Internet Security, a recognised leader in managed security services, adds: “They're less about security and more about process efficiency. When someone moves around in an organisation – gets hired, fired, promoted or goes on vacation – their access to resources changes. Identity management systems allow administrators to deal with their information accesses in one easy place.“
IBM’s Mr McIrvine agrees. ”In today's complex environments with thousands of users and a multitude of databases, applications and systems, automated identity management helps enterprises ensure the right people can access the right applications and infrastructure,” he says. “What never fails to amaze me is just how much this area of technology has grown and changed in such a few short years,” says Sun’s Ms Gates argues that identity management really emerged as an issue at the end of the 1990s when it became clear that networked information and resources were growing at a phenomenal pace – and that the traditional means of providing and controlling access to that information and those resources were simply untenable given the rate of growth.
“It was virtually impossible for companies to keep up using traditional manual methods, not to mention completely unaffordablegiven the labour intensityassociated with manual processes,” she says. All of this was of course complicated by the fact that over the past few years, the emphasis for most corporate IT departments has been doing more with less.The last thing IT directors needed was a big increase in budget or staff to accommodate this need to for more people to have access to more networked resources.
Enter automated identity management, a more efficient and cost-effective way to provide more users with access to more information and applications than ever before. Ms Gates argues that the need for expanded access to more resources has evolved from an internal challenge to one involving more and more users extending far beyond the traditional borders of the enterprise.
“Good identity management solutions, with their focus on automation, were meant to scale,” she says. “The tougher part has been protecting the integrity and security of the information and resources when access to them is far-flung and widespread.” And those challenges come in more than one form. First, securing valuable organisational information ranging from classified government documents to closely guarded trade secrets.
Second, protecting sensitive personal information such as social security numbers, credit card numbers, and bank account information and third, complying with new laws concerning the integrity of information.
“Effective identity management solutions meet these challenges with a vast range of capabilities aimed at not only granting access to people who need it, but also withholding it from people who should not have it,” she says.
In addition, the technology incorporates features to track and report on access activities, providing ongoing protection against security breaches as well as tangible information that can be used to demonstrate compliance with new laws. Ms Gates calls this identity management structure the four A’s – authentication, authorisation, administration and audit.
While she and other security experts view identity management as a crucial tool for managing and mitigating business risk, they also argue that it represents more than simply a cost of doing business. “It enables business opportunities,” she says. Companies that have addressed the challenges of security and compliance can take advantages of the opportunities presented by participating in networked exchanges, collaborations, and partnerships.
“Our focus in identity management now is on enabling those opportunities and removing any remaining barriers to them,” she says. Both IBM and Sun have created suites of identity management tools designed to address these issues.
Both Sun and IBM have pioneered the concept of federated identity management– or ‘FIM’ considered by some to be linchpin of digital convergence and probably one of the most important new technologies. Federated identity management allows individuals across multiple organisations to use the same user name, password or identification to sign on to the networks of more than one enterprise and conduct online transactions. Sometimes it is also called single sign-on or SSO.
Partners depend on each other to authenticate their respective users and vouch for their access to services.
Effectively, “Identity federation makes identities reusable across traditional organisational boundaries, dramatically expanding the possibilities for networked collaboration,” says Ms Gates.
To be effective companies need to share a common federated identity management system architecture so a group of IT companies led by Sun Microsystems formed the Liberty Alliance. The Alliance set out to define three basic specifications including the Liberty Identity Federation Framework (ID-FF) which allows for a single sign-on, account linkages, anonymity, affiliations and various options for the exchange of metadata. IBM joined the Liberty Alliance in October, “in order to ensure inter-operability,” explains Mr McIrvine. A key component in Microsoft’s agreement with Sun signed last year ensured that the former rivals would co-operate on identity management systems.
Microsoft’s recently announced distributed-identity infrastructure is one of the first fruits of that agreement and highlights the growing momentum behind identity management and the crucial role IT industry leaders see it playing in improving corporate security while facilitating the continued development of e-commerce.
Forget the shotgun, a few clicks can rob the bank
A variety of low tech and more sophisticated scams are fuelling fraudulent crime across the internet and within organisations, writes Ade McCormack.
Marketers would be forgiven for thinking that identity management relates to branding.
In fact it does, but for reasons other than consistent messaging across multiple market channels.
Identity management today is more likely to be associated with protecting any organisation and individuals from identity theft, a growth market for the criminal fraternity.
Picture this: disillusioned by corporate life and its relatively poor working-hours-to-remuneration index, you opt for a career change and consider freelancing as a bank robber.
The traditional approach is to cover your head with low-dernier tights, tool-up with a sawn-off shotgun just in case the security guards get altruistic and, accompanied by a formula one racing driver, you pay a visit to your local bank.
Alternatively, from the comfort of your own home, listening to your favourite music, you log onto the bank’s website and transfer the money to your offshore account.
It would appear that the second option is developing adherents across the spectrum, from playground kudos kids through to globally-organised crime syndicates.
The starting point is to steal an identity. And loss of identity can seriously damage your wallet, whether you are an organisation or an individual.
An organisation can lose its identity in a number of ways, for example:
Pharming – The fraudsters infiltrate your web server and redirect users, who believe they are visiting your online storefront, to a bogus website. This presents you with a serious brand management challenge.
e-Business – The fantasies associated with joined-up businesses dreamt up by over-exuberant business schools during the dotcom era are starting to become reality. More and more organisations are having a purely electronic relationship with suppliers and customers.
Sophisticated fraudsters can infiltrate the security architecture that underpins e-business. Having stolen the identity of your organisation, they can dovetail into your supply chains. From this position of trust they can financially exploit others up and down the chain, or, worse still, introduce faulty goods or information that may cause substantial damage downstream.
Phishing – A low-tech form of pharming in which fraudsters masquerade as your organisation and approach your clients, typically via e-mail, to encourage them to visit their bogus site. Visitors are invited to submit their account details, which in turn typically triggers a siphoning of their account or instant exploitation of their associated debt facilities. This is traumatic for your customers and also damaging for your organisation.
The enemy within – Ex-marines as security guards and firewalls developed using neural techniques blended with mathematical rigour count for nothing if the fraudsters are on your payroll, waltzing through your perimeter security measures unchallenged while posing as loyal employees. This is where the bulk of electronic fraud takes place. Without wanting to demean office cleaners, they represent a soft-entry point for capturing, say, the identity of a user who did not log out before heading home.
Identity theft is a real and present danger for your organisation. It could have a direct and consequential impact on your cash flow. Eventually it will erode the trust levels in your stakeholder community, which will add to your cash flow challenges.
So what should you do? Well, be positive and find an approach that strikes a balance between vigilance and paranoia.
Policy – Staff and clients need to understand the threat and the appropriate precautionary measures. Elimination of passwords emblazoned on post-it notes stuck to the monitor, coupled with a policy of keyboard locking whilst away from the desk would reduce the threat levels in many organisations substantially.
Paper – With the advent of “dumpster diving” the disposal of paper needs to be handled securely. The paperless office represents nirvana, but greater control of what is printed and how it is subsequently managed is worth considering.
Appointing a chief rubbish officer might well be seen as avant garde, though the title might need more thought to avoid attracting the wrong calibre of applicant.
Role management – In many organisations, access rights are like medals, no matter what you do in the future they cannot be taken away from you. So as people move from role to role they accrue access rights as opposed to having them reissued.
People who once worked in the payroll department still having access to salary data is inappropriate. Given the enemy within challenge, this needs to be managed with care.
Clearly the challenge spans many parts of the business and so needs management co-ordination at the highest level.
Identity management in summary is critical to minimising financial fraud and protecting your brand.
If customers cannot be sure you are indeed you, then they may redirect their loyalty to an organisation they can trust.
Ade McCormack (ade@auridian.com) is an IT-value consultant and author of ‘T Demystified - The IT handbook for business professionals’ available via www.auridian.com/book and all good business bookstores.
Comments