Knowing who is able to connect to corporate systems, and being able to control what they can do once they are connected should be the starting point of any IT strategy.
However, effective identity management has been a perennial challenge for CIOs, requiring them to build separate access controls for each application, database and operating system and individual network domains.
The result is an administrative nightmare. Systems governed by individual security domains are difficult to integrate across multiple business processes and users frequently struggle to remember different passwords.
Furthermore, analysts at Gartner estimates that it can cost a company as much as $39 every time a user forgets a password and rings the help-desk to have it reset and this is just the tip of the iceberg.
At some organisations, password management can become such an issue that it requires dedicated staff to deal with it. At others it can simply run out of control, creating a situation where old IDs and passwords are allowed to remain on the system long after staff have left, or where users share passwords among themselves or write them down in places where they can be found by others. This is not just poor management, it is weak security.
But the industry is starting to come to terms with ID management. A raft of new systems from vendors such as BMC Software, Computer Associates, IBM and others can now automate the process of centrally creating and administering electronic identities for staff.
These systems have many advantages, not least of which is that by providing the business with a central management console, the responsibility for allocating, refreshing and revoking access privileges can now be vested in the human resources department, rather than with IT.
This takes a tedious and often inappropriate burden off the shoulders of IT, and makes it much more likely that an individuals’ security profile will closely match their job description. In particular, it means that HR can easily shut down accounts the moment someone leaves the company, for example, rather than leaving the account open until someone in IT has the time to remove their privileges from each and every system.
Whether or not ID management responsibility is handed to HR or not, the new systems promise much tighter control of internal security policies, and over the electronic participation of temporary staff and contractors in company affairs. This is good for security and offers the opportunity to derive measurable efficiency improvements and cost savings.
But every new technology is not without its challenges. In the case of identity management, implementations can be long and time consuming. For example, US health insurer Regence Group has been implementing BMC Software’s ControlSA for two years and still has not finished the job.
