Identity parade
As organisations increasingly make corporate data available to a vast network of employees, customers and partners, how can they safeguard their systems from unauthorised access?
The growing need for identity
The story may be apocryphal - but it is also entirely feasible. Organisations are increasingly opening up their systems to external parties, enabling employees, customers and trading partners to access core enterprise applications through corporate intranets, and increasingly, the Internet.
According to research from US consultancy Arthur Group, companies expose on average 44 web applications to employees and 16 web applications to external users such as suppliers, partners and customers. But although access to shared information and applications creates productivity benefits - employees and partners have access to the information they need to do their jobs without having to go through an intermediary - it also raises major security issues. How do they manage access to information that is stored in disparate systems? How do they control who accesses that data - and how it is used?
Organisations need to find a balance between sharing information in order to improve productivity and protecting it as a valuable asset. According to Joe Duffy, a partner at management consultancy company PricewaterhouseCoopers, the issue is further complicated by the fact that most organisations' applications reside in departmental or functional silos, each with its own security policy, so each time a user is added, deleted or their profile is modified, systems administrators must make a series of manual security changes. "Multiply this task by the thousands - and possibly millions - of your company's system users and it's easy to see how that silo architecture can become an administrative burden, driving up costs and the possibility of errors," says Duffy.
Unfortunately for organisations facing this dilemma, no single technology can address the challenge of managing digital identity across multiple systems and groups of users. Instead, a combination of technologies is required: security vendors such as RSA Security, Baltimore and VeriSign all offer authentication technologies such as digital certificates or public key infrastructure (PKI) systems; a number of other companies, including Sun Microsystems and Microsoft, as well as US start-up company Oblix, have developed 'single sign-on systems' that allow users to access multiple systems without having to use multiple passwords; a key role is played by directory services systems from companies such as Novell; while systems management software suppliers such as BMC and Compuware are looking to add the vital management component that will determine who sees what, where they see it and when.
Before investing in any of these component technologies, however, organisations need to define who should have access to which company resources and why, based on each individual's job function and responsibilities. As Shelley Wilson, vice president of marketing at Oblix, explains, "Knowing who is authenticating is not enough. Companies are already moving on to policy-based authorisation, allowing them to set access rules that control who can access what applications and data on an extranet, based on user-identity criteria."
The first step in implementing identity management is to understand the processes, applications and assets the organisation has in place already and what level of security it requires for individuals to still meet their responsibilities, adds Wilson. From there, IT managers can develop permission and entitlement policies against a central user directory.
Authentication is a fundamental element of identity management. At present, most organisations use passwords or user IDs to verify the identity of a user and to grant or deny access. The problem here is that users tend to be equipped with multiple passwords for disparate systems and applications and, while common sense dictates that passwords should be synchronised and regularly reset, it is a cumbersome and resource-intensive process. According to Nand Mulchandani, founder and chief technology officer at Oblix, it costs an average of $14 just to reset a password when someone forgets it.
But while there have been advances in authentication technology, such as RSA's 'token' system, which provides authentication by generating a new, random number every minute and matching it to details on a server, they are generally insufficient in isolation. Other advances, such as two-factor identity verification – a process based on the provision of something the user knows, for example, a password, plus something the user has, for example, a token or smart card – heighten access security but do not place it within the context of access rules or policies.
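The two-factor scheme the paragraph describes, as an added example that is not part of the original article: a password check (something the user knows) plus a server-side check of a code that changes every minute (something the user has). The token algorithm is a simplified HMAC-based time code in the style of RFC 6238 (TOTP), which is assumed here as a stand-in for RSA's proprietary scheme; the user record, salt and seed are constructed sample data, and the function names are my own.

```python
import hashlib
import hmac
import struct

TOKEN_PERIOD = 60  # the article's token changes its code every minute

# Constructed sample data (assumption: the server stores a salted password
# hash and the secret seed it shares with the user's hardware token).
_SALT = b"constructed-salt-value"
_ITERATIONS = 100_000
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITERATIONS),
        "token_seed": bytes.fromhex("3132333435363738393031323334353637383930"),
    },
}


def token_code(seed: bytes, unix_time: int, period: int = TOKEN_PERIOD) -> str:
    """Six-digit code for the time step containing unix_time (RFC 6238 style,
    assumed here; not RSA's algorithm)."""
    counter = unix_time // period
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 1_000_000:06d}"


def check_password(user: str, password: str) -> bool:
    """Factor one: something the user knows."""
    record = USERS.get(user)
    if record is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    return hmac.compare_digest(candidate, record["pw_hash"])


def check_token(user: str, code: str, now: int, skew_steps: int = 1) -> bool:
    """Factor two: something the user has. The server recomputes the code and
    accepts one step either side to tolerate clock drift between token and server."""
    record = USERS.get(user)
    if record is None:
        return False
    for step in range(-skew_steps, skew_steps + 1):
        expected = token_code(record["token_seed"], now + step * TOKEN_PERIOD)
        if hmac.compare_digest(expected, code):
            return True
    return False


def authenticate(user: str, password: str, code: str, now: int) -> bool:
    """Both factors are evaluated and both must pass; evaluating both rather
    than short-circuiting avoids telling a caller which factor was wrong."""
    password_ok = check_password(user, password)
    token_ok = check_token(user, code, now)
    return password_ok and token_ok


if __name__ == "__main__":
    now = 1_000_020
    code = token_code(USERS["alice"]["token_seed"], now)
    print("both factors:", authenticate("alice", "correct horse", code, now))
    print("wrong password:", authenticate("alice", "wrong", code, now))
```

In a real deployment the server would also record each code it has accepted and refuse a second use of the same code within its window, and the password check would be rate-limited; neither is shown here so the two factors stay visible. Note that this still only answers "who is this?": the access rules the paragraph says are missing sit in a separate authorisation step.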
Single sign-on technology claims to bring together the authentication element of identity management with the next phase in the process: that of defining user provisioning - the right to access, view and change different types of data. So an organisation could, for example, authorise all the accounts payable managers within an organisation's top hundred suppliers to access the inventory system five days a week during set periods of time.
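A policy-based authorisation check of the kind described in the last few paragraphs (access rules set against identity criteria such as job function and organisation, plus the time window in the accounts-payable-managers example above), as an added illustration that is not code from the original article or from any of the vendors it names. The user attributes, the policy format, the 08:00-18:00 hours and the `decide`/`is_authorised` function names are my assumptions; the supplier list and user records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Optional

# Constructed sample data: the organisations the policy treats as the
# "top hundred suppliers" (assumption: maintained by the business, not by IT).
TOP_SUPPLIERS = frozenset({"acme-parts", "globex"})


@dataclass(frozen=True)
class User:
    """Identity attributes the central directory holds for an authenticated user."""
    user_id: str
    role: str            # job function, e.g. "ap_manager"
    organisation: str    # employer or trading partner


@dataclass(frozen=True)
class Policy:
    """One access rule: who may do what to which resource, and when."""
    resource: str
    actions: FrozenSet[str]
    roles: FrozenSet[str]
    organisations: Optional[FrozenSet[str]] = None   # None means any organisation
    weekdays: FrozenSet[int] = frozenset(range(7))   # 0 = Monday ... 6 = Sunday
    start: time = time(0, 0)
    end: time = time(23, 59, 59)

    def matches(self, user: User, resource: str, action: str, when: datetime) -> bool:
        return (
            self.resource == resource
            and action in self.actions
            and user.role in self.roles
            and (self.organisations is None or user.organisation in self.organisations)
            and when.weekday() in self.weekdays
            and self.start <= when.time() <= self.end
        )


# Constructed policy set. The first rule is the article's example: accounts
# payable managers at the top suppliers may view inventory five days a week
# during set hours (08:00-18:00 assumed here).
POLICIES = [
    Policy(resource="inventory", actions=frozenset({"view"}),
           roles=frozenset({"ap_manager"}), organisations=TOP_SUPPLIERS,
           weekdays=frozenset(range(5)), start=time(8, 0), end=time(18, 0)),
    Policy(resource="inventory", actions=frozenset({"view", "change"}),
           roles=frozenset({"warehouse_admin"}), organisations=frozenset({"our-company"})),
]


def decide(user: User, resource: str, action: str, when: datetime) -> str:
    """Default-deny: return an audit-friendly reason, allowing only when a
    policy matches every criterion (role, organisation, weekday, time of day)."""
    for index, policy in enumerate(POLICIES):
        if policy.matches(user, resource, action, when):
            return f"allow: policy {index} for {user.user_id} {action} {resource}"
    return f"deny: no policy grants {user.user_id} {action} on {resource}"


def is_authorised(user: User, resource: str, action: str, when: datetime) -> bool:
    return decide(user, resource, action, when).startswith("allow")


if __name__ == "__main__":
    alice = User("alice", "ap_manager", "acme-parts")
    print(decide(alice, "inventory", "view", datetime(2024, 3, 5, 10, 0)))   # a Tuesday
    print(decide(alice, "inventory", "view", datetime(2024, 3, 9, 10, 0)))   # a Saturday
```

The point of keeping the rules in one place, rather than in each application's own silo, is the one Duffy makes above: when a supplier drops out of the top hundred or a manager changes role, the directory record or the supplier list changes once and every decision follows, with the returned reason string giving the audit trail for why access was granted or refused.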
On a grander scale, software giants Microsoft and Sun Microsystems have launched projects that aim to provide a global, monolithic authentication system. Microsoft's 'Passport' authentication system has been developed primarily for consumer use in online transactions throughout a network of 'trusted' organisations and services, but the company believes it could be effective in the corporate environment. Sun, meanwhile, uses its Open Net Environment (ONE) network identity platform in its own organisation to manage access to its employee web portal, retirement accounts and voicemail. It even manages what buildings an employee is allowed to enter on Sun's campuses.
However, because of the immaturity of the technology, there are a host of standards issues that need to be resolved before organisations can expect truly universal access control to their systems. Sun is a founder member of Liberty Alliance, an independent authentication initiative established in September 2001 and made up of 40 member companies, including Sun, AOL, United Airlines, RSA Security, Nokia, Cisco Systems and American Express. But while Microsoft was invited to join the alliance, it has so far declined. Nick Bleech, head of information systems security at management consultancy KPMG, believes the complexity of the standards issue may put some organisations off adopting identity management technology. "We need to have single identities that can be mapped out to different systems. Standards and interoperability are fundamental."
Because no single technology can cater for all aspects of identity management, building secure, flexible access to enterprise systems - whether within the organisation or externally - will continue to be a challenge. But the benefits outweigh the hassles encountered in implementing the component technologies.
Networking equipment giant Cisco, for example, found that building Web Foundation - an interface that provides secure, personalised access to a huge number of its corporate applications to employees and partners via a browser - improved customer satisfaction rates by 25% because employees were now able to deal with 90% of transactions over the web.
As Duffy of PwC explains, managing digital identity is more than a security issue: "It's the answer to the business challenge that many companies have been grappling with for years - how to ensure security, increase productivity and reduce operating costs in an environment requiring a constant, rapid flow of information within and across company borders over the Internet."