BOSTON—IT executives concede that efforts to improve electronic identity management are still in their nascent stages.
While many businesses have begun reinvesting in their authentication systems by bringing on board new identity management and role-provisioning applications, project leaders say they face a wide range of issues in making those efforts succeed. Challenges cited by enterprise customers include the data aggregation needed to bring disparate password systems together and the process of creating specific user profiles for the legions of individual workers their companies employ.
At a gathering of information security workers hosted here May 23 to May 25 by identity management software maker Courion, attendees emphasized that the task of better managing employee data access privileges is one that will likely never be fully completed.
While software systems from Courion and other vendors including IBM, Oracle and Sun Microsystems have helped businesses address compliance regulations and take their first steps toward improving information security, experts said much work remains to be done. A quick poll of the roughly 150 customers gathered for the meetings, dubbed Courion Converge, found that close to 70 percent were less than 25 percent finished with their ongoing ID management initiatives.
Of the issues companies are trying to overcome, 28 percent of those attending the show said they are struggling with data consolidation related to centralizing user IDs. Another 27 percent cited the process of creating roles for end users as a challenge, while 23 percent said that applying ID management across widely distributed corporate IT systems remains a pain point.
Executives agreed that more comprehensive ID management will deliver many benefits beyond helping them meet the requirements of federal regulations such as the Sarbanes-Oxley Act and HIPAA (Health Insurance Portability and Accountability Act). However, delivering on ID management plans in the real world remains a tricky process, said Paul Scheib, chief information security officer at Children's Hospital Boston.
In the health-care industry, under HIPAA, efforts to improve patient information security must be carefully balanced against workers' legitimate demands. Doling out access to patient records requires extensive consideration of worker roles, said the CISO, and the many partnership and research relationships fostered by hospitals add further levels of complexity.
“As an IT organization, our focus is on letting our doctors and nurses do their jobs, not inhibiting their work over issues of access,” Scheib said. “At what point do you want to interrupt people's ability to provide patient care in the name of complying with a business policy?
“There's definitely a significant challenge in weighing risks and potential benefits.”
Another problem facing health-care companies looking to improve ID management is the speed at which such organizations need to share information, as physicians seek to gain access to patient records as quickly as possible.
Financial services companies face different stakes, but the challenge of protecting customers' account information while keeping workers running at full speed is the same. Along with the sensitivity of the data handled by banks and other investment companies, these businesses face regular turnover in their employee ranks.
Tim Callahan, manager of access control and support services at Atlanta-based SunTrust Banks, said that a full one-third of his company's 33,000 employees either leave or change jobs every year, further complicating ID management efforts. In addition to making sure that departed employees are deleted from the company's systems, the process of allowing workers to retain appropriate access as they transfer among jobs poses yet another challenge, he said.
“One of our basic rules is that no one worker can occupy two different roles in our systems, but that makes it very hard to address the gray area created as people change positions,” said Callahan. “You get into a scenario of granting the absolute minimum of access that each worker needs to maintain, but that's a very manual process; it's a very hands-on process to try to automate.”
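The joiner/mover/leaver problem Callahan describes (one role per worker, only the minimum access surviving a transfer, departed employees removed) is what a provisioning engine has to compute for every HR event. The following is an added illustration written for this article, not code from SunTrust, Courion or any vendor named above; the role catalogue, entitlement names and accounts are constructed for the example, and the single-role and least-privilege rules are assumptions stated in the docstrings.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed role catalogue (assumed names, not any vendor's schema):
# each role maps to the exact set of entitlements it should carry.
ROLES = {
    "teller": {"core-banking:read", "cash-drawer:post"},
    "loan-officer": {"core-banking:read", "loan-origination:write"},
    "branch-manager": {"core-banking:read", "cash-drawer:post",
                       "loan-origination:approve"},
}


@dataclass
class Account:
    user: str
    role: Optional[str] = None            # exactly one role, or none at all
    entitlements: set = field(default_factory=set)
    active: bool = True


def reconcile(acct: Account, event: str, role: Optional[str] = None) -> list:
    """Apply one HR event (join / move / leave) to an account and return the
    provisioning actions a downstream connector would have to execute.

    Rules enforced (assumed policy for this example):
      * one role per account: a move replaces the old role, never stacks it;
      * least privilege: after a move only the new role's entitlements remain,
        so access does not accumulate across transfers;
      * leavers are deactivated and stripped of every entitlement.
    A deactivated account (role None) may be re-joined, which re-activates it.
    """
    if event == "leave":
        actions = [("revoke", e) for e in sorted(acct.entitlements)]
        acct.entitlements.clear()
        acct.role = None
        acct.active = False
        actions.append(("deactivate", acct.user))
        return actions

    if event not in ("join", "move"):
        raise ValueError(f"unknown event {event!r}")
    if role not in ROLES:
        raise ValueError(f"unknown role {role!r}")
    if event == "join" and acct.role is not None:
        raise ValueError(f"{acct.user} already holds role {acct.role}")
    if event == "move" and acct.role is None:
        raise ValueError(f"{acct.user} has no role to move from")

    target = ROLES[role]
    revoke = sorted(acct.entitlements - target)   # old-role leftovers go away
    grant = sorted(target - acct.entitlements)    # only what the new role needs
    acct.entitlements = set(target)
    acct.role = role
    acct.active = True
    return [("revoke", e) for e in revoke] + [("grant", e) for e in grant]


def audit(accounts) -> dict:
    """Access review over a population of accounts.  Flags the gray area the
    article describes: entitlements that do not belong to the account's
    current role (left over from an earlier job or granted by hand), active
    accounts with no role (departed but never removed), and deactivated
    accounts that still hold access."""
    findings = {}
    for a in accounts:
        problems = []
        if a.active and a.role is None:
            problems.append("active account with no role")
        if a.role is not None and a.role not in ROLES:
            problems.append(f"unknown role {a.role}")
        elif a.role is not None:
            excess = sorted(a.entitlements - ROLES[a.role])
            if excess:
                problems.append(f"excess entitlements: {excess}")
        if not a.active and a.entitlements:
            problems.append("deactivated account still holds entitlements")
        if problems:
            findings[a.user] = problems
    return findings


if __name__ == "__main__":
    alice = Account("alice")
    print(reconcile(alice, "join", "teller"))
    print(reconcile(alice, "move", "loan-officer"))  # cash-drawer:post revoked
    # Constructed drift: a hand-granted approval right that survived a move,
    # and an account whose owner left but was never deactivated.
    bob = Account("bob", "teller", {"core-banking:read", "cash-drawer:post",
                                     "loan-origination:approve"})
    carol = Account("carol", None, {"core-banking:read"}, active=True)
    print(audit([alice, bob, carol]))
```

The manual part Callahan mentions is the role catalogue itself: the reconciliation is mechanical once each role's exact entitlement set is written down, and the audit only finds drift relative to that catalogue, so an overly broad role definition will pass review unnoticed.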
Another market trying to come to grips with ID management is the government sector, where employees are also frequently coming and going, as many jobs are tied to legislative terms and workers are often lured away to private companies.
Along with the same issues private companies face around defining roles and keeping workers productive, government agencies are often forced to compress ID consolidation projects into timeframes that private companies wouldn't consider, said H. Lee Buchanan, a vice president at electronic warfare specialist EDO and former assistant secretary of the U.S. Navy.
Since the dawn of the Homeland Security era after the terrorist attacks on the United States in 2001, efforts to improve ID management have moved forward, but not without problems, he said.
“The original intent of the Department of Homeland Security was to provide more power to the individual states, but that led to a lot of different plans and no uniform standards for government ID management nationwide,” said Buchanan. “Now the federal government is trying to move back to a more centralized approach, but they're finding that it's really very hard to do that; you layer on the challenges of budget and job tenure that persist in the government sector on top of these challenges, and you see what a complex problem this is.”
At least one expert said that while compliance regulations are driving the convergence of role policy, password and account auditing, and user provisioning, those processes should be part of any company's security operations regardless. Moving beyond simple password management to more specific user provisioning helps enterprises get closer to a practical enforcement model for compliance, said Roberta Witty, analyst with Stamford, Conn.-based Gartner.
Businesses not directly affected by Sarbanes-Oxley or HIPAA should also take note, she said.
“Nonpublic companies will be bitten eventually if they don't address ID management, as there will be more regulations to come, for trading partners and others,” said Witty. “Companies need to figure out how important ID management is to their business and how it plays out in the larger picture; they need to figure out how it drives their business and what it means to their future.”