What Is It?
One way to think about identity management is by imagining an
enormous blueprint of an office building. It shows the rooms into which
each person who works in the building can enter. The blueprint also
shows what kind of key each person would need to open the door to get
into that room, and what that person can do once they are there.
A computer network is like the building, and each room represents a
file, database or application on that network. The employees working in
the building are the users. The keys are the privileges that the system
administrator hands out to each person who works on the network,
providing access to a file, database or application. The keys also
determine what they can do while accessing a specific file or
application.
Like building security, identity management is the most essential
form of information protection that agencies use. Yet it is also among
the information security practices that are least used or least
properly implemented.
More Than Just a Password
Identity management is more than simply permitting a user to log on;
it controls what that user can do, similar to putting boundaries on
where a person can go once in a building. A systems administrator
assigns a credential of some sort, usually a number, to a worker. That
number allows the employee or contractor access to the network and
determines what resources can be accessed. It also can flag the
administrator (through a monitoring tool) if the user somehow gains
access to forbidden areas, or if the user is performing actions that
may indicate an attempt to gain entry to prohibited areas.
Requiring a username and password - whether to pass through a
firewall, to log on to a virtual private network or to open an
application - is identity management in its minimal form. At a more
sophisticated level, it incorporates biometrics (such as hand,
fingerprint or iris scans) to identify a user, to approve or deny
access (known as provisioning and deprovisioning) to resources, and to
deliver custom services (such as training materials and e-mails) based
on users' roles in an organization.
Identity management provides managers a custom view of the IT
environment for each user, determined mostly by job function and
security concerns.
Why Should I Care?
For the government, interest in identity management increased after
President Bush issued Homeland Security Presidential Directive 12 in
2004. It requires agencies to issue credentials to all federal
employees and contractors by October 2008. Cards will contain an
embedded microchip on which is stored personal information including
biometric data, such as fingerprints. Employees and contractors will
use the card to gain access to federal buildings and computer networks.
The cards provide a standard for identification and access, which
agencies can build on to reach more comprehensive identity management.
Identity management also has increased in importance as networks
come under more attacks. In November, former CIA official Andrew
Palowitch said government and private systems had experienced 37,000
security breaches in 2007. "America is under widespread attack in
cyberspace," he said.
One of the most notorious examples of the potential harm that can
result without identity management occurred in February 2001 when the
FBI arrested one of its own veteran counterintelligence agents, Robert
Philip Hanssen. He gave more than 6,000 pages of documents containing
classified information to Russia and the former Soviet Union. He
downloaded most of it from the bureau's computers. Controlling access
to certain files makes it harder for insiders like Hanssen, or outside
hackers, to steal sensitive information.
Without proper security processes and technologies, users can wander
through networks virtually unimpeded. Employees, as well as hackers,
can slip into files and databases to peer into and steal sensitive
information. To protect this information, agencies will spend almost
$350 million on identity and access management technology in 2008,
according to INPUT, a Reston, Va.-based research firm.
Identity management also provides benefits beyond security,
improving business processes and information sharing. For example, a
centralized system that gives employees and contractors access to
networks also allows an organization's human resources sector to create
e-mail and Voice over Internet Protocol accounts in a matter of
minutes. In addition, a single sign-on capability that is linked to an
e-government application allows citizens to protect personal
information when accessing agency services online.
If managed well, identity management (IM) better secures the
information that agencies share, because it gives the information
owners more assurance that it will not be accessed by unauthorized
users. Theoretically, the credentials
attached to an employee could extend across government, transforming
federal systems into an enormous information grid. But for now,
incompatible systems and a lack of standards make widespread
information sharing difficult. For example, agencies may define Top
Secret security clearances differently, so a systems administrator is
unable to specify in a user's profile an identifying code that all
federal networks can understand that shows what files the user may
access.
The Latest on Identity Management
Despite the risks of unauthorized users electronically grabbing
private or sensitive information, many agencies have yet to install an
identity management tool. The reason: It's complicated. To begin
implementing IM on its networks, an agency's IT shop typically conducts
an inventory of systems to determine what information it stores, where
it is stored and how the right to access that information is assigned
for each application. Many are legacy systems or run on proprietary
programs built by the agency. That makes it difficult or impossible to
reprogram the systems or applications to interact with a commercial IM
tool.
In addition, an identity management program requires more work for
what is typically an already overworked IT office. Agencies have to
develop a central database to maintain identities, manage the access
rights for every user on the network and enforce a strict policy for
how that database will be managed.
Those obstacles may help explain why the Government Accountability
Office has found that agencies still are unable to properly secure
systems with IM tools. In an April 2007 report, GAO concluded that the
FBI continued to have major security weaknesses in its critical
computer networks, including failing to properly identify and
authenticate users or consistently configure network devices and
services to prevent unauthorized access. In September 2007, GAO found
that the Veterans Affairs Department, which reported two high-profile
security breaches in 2006, had not fully completed 20 of 22 IT security
recommendations that its inspector general made a year prior. VA failed
to adequately restrict access to data, networks and facilities or to
ensure that only authorized changes and updates to computer programs
were made, according to the report.
The Information Systems Security Line of Business, the
e-authentication presidential initiative and the 2002 Federal
Information Security Management Act provide hints about how to control
access once users are logged in, but agencies must determine the best
approach to meet their own requirements.
How Do I Get Started?
Perhaps most important in any successful IM strategy is to
consolidate access controls. Traditionally, controls exist at the level
of a software application. But security experts say that
application-based controls create a fragmented environment that is a
nightmare to manage and can open numerous doors for unauthorized users.
Trying to control access for each application is particularly
problematic for legacy systems, which tend to have many vulnerabilities
and flaws because the agency has not been able to test them on the
scale that private software companies can.
A centralized approach to IM allows agencies to automate and
accelerate the process. Typically, credentials can be maintained in a
computer's directory service, such as Microsoft Windows Active
Directory. That provides a single place to create or modify accounts,
and to approve or revoke access to business applications.
Beyond the technology, agencies need policies for ensuring that user
accounts are handled properly. Consistent monitoring of how resources
are accessed by employees and contractors might be the only way to
detect improper behavior. And many agencies do not have a process in
place to remove access when someone leaves an agency or team.
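As an added illustration (not from the article or any agency's system), here is a small Python model of the centralized approach just described: one identity store that provisions and deprovisions accounts, a role "blueprint" of which resources each key opens and for what actions, and an audit pass over constructed access-log lines that flags what a monitoring tool would alert the administrator about. The role names, user IDs and log format are all constructed for the example.

```python
from dataclasses import dataclass, field

# The "blueprint": each role's keys, i.e. which resources (rooms) it may enter and what it may do there.
ROLE_ENTITLEMENTS = {
    "analyst": {"case_files": {"read"}, "email": {"read", "write"}},
    "admin": {"case_files": {"read", "write"}, "email": {"read", "write"}, "hr_db": {"read", "write"}},
}

@dataclass
class IdentityStore:
    """One place to create, modify and revoke accounts: the central identity database."""
    users: dict = field(default_factory=dict)  # user_id -> {"role": str, "active": bool}
    def provision(self, user_id: str, role: str) -> None:
        if role not in ROLE_ENTITLEMENTS:
            raise ValueError(f"unknown role {role!r}")
        self.users[user_id] = {"role": role, "active": True}
    def deprovision(self, user_id: str) -> None:
        # Keep the record for the audit trail, but revoke every key at once.
        self.users[user_id]["active"] = False
    def check(self, user_id: str, resource: str, action: str) -> str:
        user = self.users.get(user_id)
        if user is None:
            return "unknown"    # nobody issued this identity
        if not user["active"]:
            return "inactive"   # deprovisioned account still in use
        if action not in ROLE_ENTITLEMENTS[user["role"]].get(resource, set()):
            return "privilege"  # key does not open this door, or not for this action
        return "ok"
    def audit(self, log_lines: list) -> list:
        """Flag entries the blueprint does not permit: what a monitoring tool would alert the admin about."""
        alerts = []
        for line in log_lines:  # constructed format: "<timestamp> <user> <resource> <action>"
            stamp, user_id, resource, action = line.split()
            reason = self.check(user_id, resource, action)
            if reason != "ok":
                alerts.append({"time": stamp, "user": user_id, "resource": resource, "action": action, "reason": reason})
        return alerts

# Constructed sample: an analyst, a departed contractor, and one morning's access log.
SAMPLE_LOG = [
    "2008-01-15T09:12:03 jdoe case_files read",
    "2008-01-15T09:40:51 jdoe case_files write",  # analyst key is read-only for case files
    "2008-01-15T10:05:17 rsmith hr_db read",      # rsmith left and was deprovisioned
    "2008-01-15T10:31:44 ghost email read",       # no identity on record
]
def demo_store() -> IdentityStore:
    store = IdentityStore()
    store.provision("jdoe", "analyst")
    store.provision("rsmith", "admin")
    store.deprovision("rsmith")  # access removed when the contractor left, not months later
    return store
```

Running `demo_store().audit(SAMPLE_LOG)` yields three alerts: an over-privileged write, use of a deprovisioned account, and an identity nobody issued, which are the three failure modes the article's monitoring and deprovisioning advice is meant to catch.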
Agencies also need to ensure that employees and contractors are
properly trained on security procedures. The Centers for Medicare and
Medicaid Services, which is a part of the Health and Human Services
Department, requires all users to participate in computer-based
training when they are first issued a user ID and then again every year
when their IDs are certified.
The center also has an Information Security Program policy that
governs operation and safeguarding of systems; a Business Partners
System Security Manual, which addresses security for those in the
private sector; and it issues program memos that provide day-to-day
operating instructions, policies and procedures.