The Ins and Outs of Identity Management

By Courtney Macavinta

October marked the U.S. Department of Homeland Security's deadline for the federal government to start using smart cards to better manage the access to buildings and computers of millions of employees and contractors. But finding a more reliable way to check employee IDs when they enter a federal building or log on to a remote server isn't only on the government's to-do list. Organizations around the world are undertaking initiatives to improve so-called identity access management (IAM).

Identity management is about verifying that people are who they say they are. It's also crucial for many industries that are required by law to audit access and modifications to digital records. IAM breaks down into two major categories, says Mark Diodati, an identity and privacy strategies analyst for the Burton Group, an IT research group in Midvale, Utah: physical and logical. In other words, it's not always enough to verify an employee's identity at the front gates. To really improve security and auditing, a company's IT system also needs to know what permissions the person has to access desktops, databases, or servers across the enterprise -- the logical aspect.

In the identity management arena, Diodati says, "enterprises are trying to go after physical and logical convergence to have a holistic view of the employees. There's this idea of having a single identity across these realms -- a device that the user carries, a Swiss army knife [of sorts], that will get them into the physical world and access to resources in the logical world."

Yet, when it comes to IAM projects, assigning roles to employees can be an especially daunting task. To successfully implement an ID management system, Diodati and Ray Wagner, Gartner research vice president in information security and co-author of the report Identity Management: The Do's and Don'ts, offer these strategies:

Strategy No. 1: Take inventory

For starters, Wagner says, organizations should "do an assessment of their current ID management and access practices. Is it delivering on service-level agreements? Are there inefficiencies they need to fix?" CIOs can help lead a process to determine where IAM needs to be incorporated and which systems are of the highest priority. Inventory also needs to be taken to determine where employee profile information is already stored or utilized for IAM.

Strategy No. 2: Start small

Analysts agree that there is no need to rip out and replace current systems or to try to integrate all applications into the IAM system at once. The goal should be to minimize complexity wherever possible. Gartner recommends "selecting a small set of high-impact resources as initial targets, and creating a repeatable process integrated into both the IAM project life cycle and the application development life cycle/project life cycle process for integrating new resources associated with future projects." And it's important to get senior-level involvement because IAM projects require business-process management changes across an organization.

Strategy No. 3: Explore defining roles

In order to control access to IT systems, data, or facilities, each employee needs to be assigned roles that determine access privileges. "Organizations are having the most difficulty with the role management aspect of this," Diodati says. "You want to limit role proliferation. Otherwise, if you have as many roles as users, you haven't done yourself any favors." He says it's important that the infrastructure takes into account the life cycle of roles -- such as when employees get promoted, leave, or the company rolls out new services.

Strategy No. 4: Address compliance

Using strong authentication at access points and correlating between IDs and security breaches are major drivers for deploying more sophisticated IAM protocols -- and to deal with regulatory compliance in many cases. "What's happened with Sarbanes-Oxley and other regulations is regulators have asked for better auditability of the IAM system, security information, and event management," Wagner says. "Centralizing events at the security and IAM level, you have only a single place to go when you want to create a report that an auditor is asking for, to correlate security events or to do forensics when you have an issue."
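The two points above -- roles that follow an employee's life cycle (Strategy No. 3) and access decisions recorded in one central place an auditor can query (Strategy No. 4) -- are easiest to see in a small model. The following is an added example written for this page, not code from the article, the Burton Group, or Gartner. The identity store, role names, user names, and permission strings are all constructed for illustration; the role-to-user ratio is one simple way to watch for the proliferation Diodati warns about.

```python
"""Added example (not from the article): a minimal role-based access control (RBAC)
model with a role life cycle (hire, promotion, departure) and a single audit trail
that an auditor report can be built from. All names and roles are constructed."""

from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Directory:
    """One identity store: which roles each user holds and what each role permits."""
    role_perms: dict = field(default_factory=lambda: defaultdict(set))
    user_roles: dict = field(default_factory=lambda: defaultdict(set))
    events: list = field(default_factory=list)   # central audit trail (constructed)

    def define_role(self, role, perms):
        self.role_perms[role] |= set(perms)

    def _log(self, kind, user, detail):
        self.events.append({"kind": kind, "user": user, "detail": detail})

    # --- role life cycle: every change is a logged grant or revoke ---
    def hire(self, user, role):
        self.user_roles[user].add(role)
        self._log("grant", user, role)

    def promote(self, user, old_role, new_role):
        # Swap roles rather than accumulate them; accumulation is how roles
        # drift until there are as many effective roles as users.
        self.user_roles[user].discard(old_role)
        self.user_roles[user].add(new_role)
        self._log("revoke", user, old_role)
        self._log("grant", user, new_role)

    def offboard(self, user):
        # Departure revokes everything; the user no longer exists in the store.
        for role in sorted(self.user_roles.pop(user, set())):
            self._log("revoke", user, role)

    # --- access check: each decision goes to the same central log ---
    def check(self, user, perm):
        roles = self.user_roles.get(user, ())          # .get avoids re-creating departed users
        allowed = any(perm in self.role_perms.get(r, set()) for r in roles)
        self._log("allow" if allowed else "deny", user, perm)
        return allowed

    # --- metrics and reporting ---
    def roles_per_user(self):
        """Defined roles divided by current users; a value near or above 1.0 means
        the role model adds little over per-user permissions."""
        users = len(self.user_roles)
        return len(self.role_perms) / users if users else 0.0

    def access_report(self, user):
        """What an auditor asks for: one identity's grants, revokes and access decisions."""
        return [e for e in self.events if e["user"] == user]


def demo():
    """Walk one employee through hire, promotion and departure (constructed data)."""
    d = Directory()
    d.define_role("clerk", ["records:read"])
    d.define_role("supervisor", ["records:read", "records:modify"])
    d.hire("alice", "clerk")
    d.hire("bob", "clerk")
    as_clerk = d.check("alice", "records:modify")        # denied: clerk cannot modify
    d.promote("alice", "clerk", "supervisor")
    as_supervisor = d.check("alice", "records:modify")   # allowed after promotion
    d.offboard("bob")
    after_leaving = d.check("bob", "records:read")       # denied: no roles remain
    return d, as_clerk, as_supervisor, after_leaving


if __name__ == "__main__":
    directory, *decisions = demo()
    print("decisions:", decisions)
    print("roles per user:", directory.roles_per_user())
    for event in directory.access_report("bob"):
        print(event)
```

The report for a single identity reads as a timeline of grants, revokes and denied attempts, which is the kind of evidence Wagner says auditors request; because the check and the life-cycle operations write to the same list, there is only one place to look.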

Finally, Gartner recommends that CIOs not attempt to have their teams write an in-house comprehensive IAM system unless their needs are extremely simple. They'd be better off researching and procuring products that can meet their needs and come with support. When in doubt, enterprises should take their time and ease into IAM deployment, just like the Department of Homeland Security is doing -- it's starting with smart cards for general access and could expand to using IAM for email-sender authentication and other security monitoring.

"The biggest challenge is figuring out as an enterprise where you are and then planning how to make it more efficient and how you want it to work," Wagner says. "Once you have that in place, the rest is applying a little technology in the right place."

Courtney Macavinta is a Silicon Valley-based business and technology writer. Her articles have appeared in CNET News, Business 2.0, Red Herring, Wired News, and The Washington Post. She also is managing editor of the online program The Online Family.

CIO Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.

Fast Fact

"Most organizations are still working toward modernization of their ID management practices."

--Ray Wagner, Gartner Research Vice President
