February 3, 2004 By Linda Formichelli
Contra Costa County's Department of Information Technology, for example, uses products from Sun Microsystems, IBM, Microsoft, PeopleSoft, Computer Associates and Vanguard Integrity Professionals, in addition to a security application written and maintained in-house. "The challenges of integrating identity management with other applications are significant because it requires competing vendors to work together and share sometimes-proprietary solutions," said Kevin Dickey, the county's deputy CIO and chief information security officer. "This is almost never successfully done, which is why you always hear the complaint that users have too many user IDs and passwords."
Ignoring the proliferation of IDs and passwords comes with a price. While much attention is focused on the potential for outside cyber-attacks, more threatening are internal pressures from employees who changed positions, retired or were released. All too often, their user names and passwords remain on systems long after they leave, creating situations they can easily exploit. A PricewaterhouseCoopers survey of 138 CEOs in 2002 found that ex-employees and on-site contractors pose far more of a security hazard than hackers.
The challenge for CIOs is how to achieve identity management -- by balancing ease of access for citizens and companies doing business with their governmental employers, while restricting access only to those who need it. There is no one solution to this conundrum, but CIOs are tackling this tangled issue and making headway.
Building the Foundation
To avoid proliferating user IDs -- the passwords for which can invariably be found on sticky notes under keyboards -- Phil Windley, former CIO of Utah, suggests CIOs start on identity management by developing an enterprise information architecture (EIA). This would determine which businesses the agency is in and how those businesses should fit together.
"Security is a part of the architecture, but there's more to digital identity management than throwing up a defensive perimeter and firewalls," said Windley, who is now an IT consultant. "I view identity management as a positive, opportunistic activity rather than a defensive activity. A good [identity management] infrastructure allows an organization to proactively associate with partners and give them the things they need to do their work. It allows an organization to interface with customers in a friendly, knowing way. These aren't things you get from a security outlook."
By creating an EIA, said Windley, a CIO will account for which resources must be accessed by which citizens, employees, suppliers and businesses; the level of access appropriate for different types of users; and how those entities will interact with the resources.
"Identity management is really about policy," said Windley. "It's probably too large a task to build a single database authentication system that encompasses every vendor and resource."
Arizona is in the blueprint stage, said Lee Lane, information security manager for the Arizona Department of Administration's Information Security Services Division. "We've identified an LDAP [lightweight directory access protocol] as a critical component. We know that we need an information directory; now we're working on who needs this information and why, with the goal of establishing a trust model between all involved entities."
An architecture can help organizations group data in terms of security and accessibility needs. "There used to be one gate or firewall that would either let Brian Anderson in or keep him out," said Brian Anderson, program director of security market management for IBM Tivoli Software. "Now governments have recognized they need to let almost everyone in, whether as customers or partners."
Today's government portal might consist of three perimeters: the first to determine who gets in -- perhaps permitting access only to those in certain geographic regions; the second to direct users to areas appropriate to their needs; and the third to restrict outside users from accessing particular databases. "You want to give a customer access to inventory levels and his account on ASP [active server pages], but he can't be allowed to touch accounts receivable and payable," said Anderson.
Another basic aspect of identity management, which is often overlooked, is the creation of a life cycle that defines user access from start to finish. Organizations usually have no problem provisioning accounts for new users, or granting different access levels as user interaction changes. All too often, however, account oversight ends without officially closing accounts or restricting access.
"I'm betting every organization has resources users have significant access to that they shouldn't have," said Windley. "I've talked with people who can access their voicemail five years after they've stopped working somewhere. It's one of these big jobs that doesn't seem to accomplish anything, so we don't do it." The only way to ensure de-provisioning takes place is to plan for it in the architectural foundation.
Having an audit trail of user access is also helpful should an organization take legal action against someone up to no good.
Securing the Walls, Lowering the Gates
Access and security go hand-in-hand in identity management, but security concerns garner far more attention because any breach of information will typically be far more damaging -- and headline worthy -- than an equivalent lack of access. Yet it's difficult to measure how much should be spent to secure data, or once the money is spent, whether those measures are worth the expense.
"Unlike most aspects of IT security, where ROI is hard to quantify, identity management can pay for itself in less than a year," said Mary Ann Davidson, Oracle's chief security officer, who added that it is difficult to show an ROI for most IT security since ROI is focused on a bad thing that hasn't happened.
Despite this potential uncertainty, CIOs must develop security policies as part of their EIA. It's unreasonable to take a strict, limited access policy across the board because doing so burdens users and wastes their time and money by forcing them to overcome barriers that shouldn't exist in the first place. "Not everything needs to be supersecure," said Davidson. "We have an application internally that lets people reserve conference rooms, but that application requires a user name and password. Does someone at Oracle think an employee is going to maliciously reserve all the conference rooms so no one can hold a meeting?"
Organizations must identify these different levels of risk and educate their potential business partners. "In the public sector, you have investigators who need access to information, but you can't always disperse their identities," said Arizona's Lane. "In some cases, it doesn't matter, but in some it's life or death. Any CIO needs to look at the risk and manage that accordingly."
While the benefits of good identity management to information security might be hard to quantify, it's much easier to tally the gains dollarwise. Simply creating a single sign-on user name and password for each person, rather than a separate user name for each system, can cut costs in an organization. "This reduces cost in a number of areas, starting with the help desk because users can reset their own password," said IBM's Anderson. "Analysts say it costs $20 to $40 per password reset, and 40 percent of help desk work is password reset." Another plus is reduced administration time that accompanies users having one account rather than starting new accounts over and over. "Few people understand that you might need to complete 188 fields to start an account," he said.
Ann Garrett, chief security officer for North Carolina's Office of Information Technology Services, has seen those cost savings firsthand, thanks to the state's Identity and Access Management System (IAMS), which began as a pilot project in the summer of 2000. "My security office used to generate 40 percent of client support calls, although it had only 1 percent of the budget," she said. "Once that went away, the help desk was able to focus on real client support."
Cost savings should only improve in the future as more applications are integrated with IAMS. "It creates a more consistent interface, which makes users more productive because they can help themselves," said Garrett.
Playing Well with Others
Given the endless changes in systems, databases, users and policy-makers, can any identity management system ever be called complete? No, said Windley. "It's one of these huge tasks that's never done."
The task becomes even more complicated when considering how many agencies are developing identity management systems, which may or may not be compatible with one another. While right now new identity systems look like a second Babel, there is hope for a common language in security assertion markup language (SAML) being developed by OASIS, an international nonprofit organization that organizes and adopts e-business standards.
In documents created by SAML, which is based on extensible markup language (XML), a user's information comes nested with internal statements about that user's authentication, authorization and attributes. The receiver of that information then automatically determines whether the user should receive the requested information. "CIOs need to be aware of all the work going on in the federal identification space," said Windley. "If people are paying attention to things like SAML, cross-organization identity will be easy to do once everything's in place. If not, they'll find their cross-agency and interstate efforts will be hampered by a lack of identity structure."
While SAML looks promising, it will have to overcome the proprietary -- and nonintegrative -- identity management systems already in place. "Government can't really dictate a propriety vendor's solution across the board, because of the RFP and other bidding processes," said Contra Costa's Dickey. "We end up with a mix of vendor solutions that don't integrate well, if at all.
"To be cost-effective and obtain the approval of consumers, the vendor community needs to agree on a standards-based solution," Dickey continued. "However, I don't really see that in any government's future because we are subject to a competitive bidding process that is designed to qualify as many 'solutions' as possible."
Despite Dickey's gloomy outlook, some states, such as North Carolina, are having success with identity management.
For now, IAMS primarily covers 60,000 state employees, but businesses can use the system to file quarterly sales and use taxes online with the North Carolina Department of Revenue, which makes filing easier for them and revenue collection timelier for the state. Once funding is available, more business functions will be integrated with IAMS in the future. "There's no money for a lot of what we'd like to do," said North Carolina's Garrett. "Luckily we bought the infrastructure and licenses before things went bust in 2001, and have been able to fund it incrementally."
Dan Lohrmann, chief information security officer for Michigan, said the state is working on four identity management pilot projects and will examine their results before deciding on one or two platforms to take statewide. Pilot projects include work for the state police and criminal justice community, the internal state government portal, and probably the biggest success, the Michigan Childhood Immunization Registry (MCIR), which cost approximately $500,000.
"We built a Web-based, self-service module for the Department of Community Health in which health-care providers can pass information back and forth," said Lohrmann. "It's a self-registration process in which users identify which databases they need access to, then we have someone in the back end who verifies their identity. We have 20,000 licenses available on MCIR, with 12,000 in use."
With pilot projects based on products from Sun, Novell, Vignette and others, Lohrmann has run into the same situation as Contra Costa's Dickey. "We know we need a standard across the enterprise and have everyone plug into that, but the question is how to get there," he said. "If we could be beamed four years ahead to everything being done by one channel, that would be marvelous, but right now you still have a lot of different initiatives out there."
You may use or reference this story with attribution and a link to