While many businesses have begun reinvesting in their authentication systems by bringing on-board new identity management and roles-provisioning applications, project management leaders say they face a wide range of issues in helping those efforts succeed. Challenges cited by enterprise customers include the data aggregation necessary to bring disparate password systems together and the process of creating specific user profiles for the legions of individual workers employed by their companies.
At a gathering of information security workers hosted here May 23 to May 25 by identity management software maker Courion, attendees emphasized that the task of better managing employee data access privileges is one that will likely never be fully completed.
While software systems from Courion and other vendors including IBM, Oracle and Sun Microsystems have helped businesses address compliance regulations and take their first steps toward improving information security, experts said much work remains to be done. A quick poll of the roughly 150 customers gathered for the meetings, dubbed Courion Converge, found that close to 70 percent were less than 25 percent finished with their ongoing ID management initiatives.
Of the issues companies are trying to overcome, 28 percent of those attending the show said they are struggling with data consolidation related to centralizing user IDs. Another 27 percent cited the process of creating roles for end users as a challenge, while 23 percent said that applying ID management across widely distributed corporate IT systems remains a pain point.
Executives agreed that more comprehensive ID management will deliver many benefits beyond helping them meet the specifications of federal regulations such as the Sarbanes-Oxley Act and HIPAA (Health Insurance Portability and Accountability Act). However, delivering on ID management plans in the real world remains a tricky process, said Paul Scheib, chief information security officer at Childrens Hospital Boston.
In the health-care industry, under HIPAA, efforts to improve patient information security must be carefully balanced with workers legitimate demands. Doling out access to patient records requires extensive consideration of worker roles, said the CISO, and the many partnership and research relationships fostered by hospitals add other levels of complexity.
"As an IT organization, our focus is on letting our doctors and nurses do their jobs, not inhibiting their work over issues of access," Scheib said. "At what point do you want to interrupt peoples ability to provide patient care in the name of complying with a business policy?
"Theres definitely a significant challenge in weighing risks and potential benefits."
Another problem facing health-care companies looking to improve ID management is the speed at which such organizations need to share information, as physicians seek to gain access to patient records as quickly as possible.
Financial services companies face different stakes, but the challenge of protecting customers account information while keeping workers running at full speed is the same. Along with the sensitivity of the data handled by banks and other investment companies, the businesses face regular turnover in their employee ranks.
Tim Callahan, manager of access control and support services at Atlanta-based SunTrust Banks, said that a full one-third of his companys 33,000 employees either leave or change jobs every year, further complicating ID management efforts. In addition to making sure that departed employees are deleted from the companys systems, the process of allowing workers to maintain appropriate access as they transfer among jobs poses yet another challenge, he said.
"One of our basic rules is that no one worker can occupy two different roles in our systems, but that makes it very hard to address the gray area created as people change positions," said Callahan. "You get into a scenario of granting the absolute minimum of access that each worker needs to maintain, but thats a very manual process; its a very hands-on process to try to automate."