- A TechNote on Unified Communications
- Gary Audin, Delphi, Inc.
Who are you? How does the enterprise identify you and know for sure that you are really you? Do you have multiple identities that must be supported? How many systems and services do you access that require a unique identity?
These questions surround the IT issue of identity management (IdM), the administrative task of identifying individuals and controlling their access to IT resources and services based on established identities. More than just user IDs and passwords, IdM covers a wide range of disciplines, dealing with technology, law (data protection), compliance regulations, law enforcement (identity theft), security, privacy and enterprise organizational structures.
UC Makes IdM More Complex
An issue in IT for years, IdM also becomes a unified communications (UC) challenge as enterprises integrate multiple systems, products and services, each with its own method(s) for determining identity. Within the UC environment, the task is even more complex, because the enterprise likely will have non-interoperable systems that cannot work together for secure IdM. And then there's the user component: users have to remember or write down multiple IDs and passwords. Even if the enterprise has created a single sign-on method, users still must contend with public and other enterprises' identity systems.
As a key form of information access protection, IdM should be implemented with the same emphasis and care as security. This is even more critical as identity theft and illicit access to an organization's resources today are practiced not just by hackers but by cybercriminals as well.
The Elements of Identity Management
The enterprise must deal with IdM from a number of vantage points:
• User access: enough, but not too much. New employees will not be fully productive until they have their account information completed, and existing employees may be restricted until updates or changes have been made to their accounts. Once users are authorized, they require access to many systems, including the network, e-mail, Internet, enterprise resource planning (ERP) system, mainframe and many more. Ex-employees whose access and privileges are not terminated in a timely manner could abuse or misuse the access. Contractors who are enabled for data access are subject to the same issues.
• Administering to minimize vulnerabilities. Administrators for each system, private and public, must perform essentially the same tasks: creating, changing and terminating user accounts. Different systems probably will have partial or contradictory user information, making it difficult to provide services and ensure secure operations, especially for financial transactions. These redundancies and inefficiencies can lead to inconsistencies and boost costs.
Furthermore, there are numerous ways in which administrators can leave the system open to vulnerabilities or attacks. If they create accounts that are not used, an attack might occur without setting off alarms. If new accounts are set up with easy-to-guess passwords or a default password that is never changed, illicit access becomes easier. If users are allowed to retain their access privileges after they change job responsibilities, they will have more privileges than they should.
• Addressing compliance and regulation. Regulations cover customer privacy, business practices and corporate governance, and apply to healthcare and financial institutions, retailers, pharmaceutical firms and publicly traded companies. They require enterprises to be able to track users and their access to systems and data. Specifically, regulations call for the ability to do the following:
» Authenticate the user in a secure manner
» Control user access, especially to sensitive systems
» Ensure that data access is appropriately granted to the user
» Prove, measure and report on the three points above
All these factors must be consistent, secure, auditable and accurately reported. To make it even more complex, not only are the federal and state governments frequently adding new regulations, but the courts may change a regulation's interpretation at any time.
• Executing a successful implementation. Implementing an IdM system is a complicated process. The typical organization needs to determine and inventory what is presently stored, where it is stored and how access is assigned to each application. If there are multiple systems - some on proprietary legacy platforms, others using commercial tools or services - then some reprogramming may be required to allow the systems to interact.
Crucial to a successful implementation is the creation of a centralized secure IdM database and the definition and policing of database policies. The enterprise must train users and contractors on proper security procedures, and then constantly and consistently monitor their access to applications and data.
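The account-hygiene problems the bullets above describe (ex-employee and expired-contractor accounts left active, accounts that are never used, default passwords never changed, privileges kept after a job change) can be caught by reconciling each system's account store against HR data. The audit below is an added example and is not part of this TechNote; the account records, the 90-day dormancy threshold and the fixed "today" date are constructed assumptions.

```python
from collections import Counter
from datetime import date, timedelta

DORMANT_DAYS = 90           # assumed threshold; the TechNote sets no number
TODAY = date(2024, 6, 1)    # fixed clock so the audit is reproducible

# Constructed sample inventory: each row joins one system account with the
# HR record for the same person (every name and value here is made up).
ACCOUNTS = [
    {"user": "alice", "system": "erp", "hr_status": "employed", "role": "finance",
     "hr_role": "finance", "last_login": date(2024, 5, 28), "default_pw": False, "end": None},
    {"user": "bob", "system": "erp", "hr_status": "terminated", "role": "finance",
     "hr_role": "finance", "last_login": date(2024, 5, 20), "default_pw": False, "end": None},
    {"user": "carol", "system": "mail", "hr_status": "employed", "role": "admin",
     "hr_role": "helpdesk", "last_login": date(2024, 1, 10), "default_pw": False, "end": None},
    {"user": "dave", "system": "mainframe", "hr_status": "employed", "role": "ops",
     "hr_role": "ops", "last_login": None, "default_pw": True, "end": None},
    {"user": "erin", "system": "network", "hr_status": "contractor", "role": "vendor",
     "hr_role": "vendor", "last_login": date(2024, 5, 31), "default_pw": False,
     "end": date(2024, 3, 31)},
]

def audit(accounts, today=TODAY):
    """Return (user, system, issue) findings for every account that fails a check."""
    findings = []
    for a in accounts:
        key = (a["user"], a["system"])
        if a["hr_status"] == "terminated":
            findings.append(key + ("orphaned_account",))    # ex-employee still has access
        if a["end"] is not None and a["end"] < today:
            findings.append(key + ("contractor_expired",))  # contract ended, account still on
        if a["last_login"] is None or today - a["last_login"] > timedelta(days=DORMANT_DAYS):
            findings.append(key + ("dormant_account",))     # unused account nobody is watching
        if a["default_pw"]:
            findings.append(key + ("default_password",))    # initial password never changed
        if a["role"] != a["hr_role"]:
            findings.append(key + ("role_mismatch",))       # privileges kept after job change
    return findings

def summarize(findings):
    """Count findings per issue: the figure an auditor asks to see reported."""
    return dict(Counter(issue for _, _, issue in findings))

if __name__ == "__main__":
    for f in audit(ACCOUNTS):
        print("%-6s %-10s %s" % f)
    print(summarize(audit(ACCOUNTS)))
```

Running the reconciliation on a schedule and keeping its output is also what produces the consistent, auditable record the compliance bullet asks for.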