Government Technology

Behind the Screen


Feb 3, 2004, By Linda Formichelli

When you think of managing identities, user names and passwords probably come to mind first. But this standard feature of computer life can be more cumbersome than helpful -- even if it does provide some measure of security -- due to the multitude of systems found within any one government agency.

Contra Costa County's Department of Information Technology, for example, uses products from Sun Microsystems, IBM, Microsoft, PeopleSoft, Computer Associates and Vanguard Integrity Professionals, in addition to a security application written and maintained in-house. "The challenges of integrating identity management with other applications are significant because it requires competing vendors to work together and share sometimes-proprietary solutions," said Kevin Dickey, the county's deputy CIO and chief information security officer. "This is almost never successfully done, which is why you always hear the complaint that users have too many user IDs and passwords."

Ignoring the proliferation of IDs and passwords comes with a price. While much attention is focused on the potential for outside cyber-attacks, more threatening are internal pressures from employees who changed positions, retired or were released. All too often, their user names and passwords remain on systems long after they leave, creating situations they can easily exploit. A PricewaterhouseCoopers survey of 138 CEOs in 2002 found that ex-employees and on-site contractors pose far more of a security hazard than hackers.

The challenge for CIOs is how to achieve identity management -- balancing ease of access for citizens and companies doing business with their governmental employers against restricting access to only those who need it. There is no one solution to this conundrum, but CIOs are tackling this tangled issue and making headway.


Building the Foundation
To avoid proliferating user IDs -- the passwords for which can invariably be found on sticky notes under keyboards -- Phil Windley, former CIO of Utah, suggests CIOs start on identity management by developing an enterprise information architecture (EIA). This would determine which businesses the agency is in and how those businesses should fit together.

"Security is a part of the architecture, but there's more to digital identity management than throwing up a defensive perimeter and firewalls," said Windley, who is now an IT consultant. "I view identity management as a positive, opportunistic activity rather than a defensive activity. A good [identity management] infrastructure allows an organization to proactively associate with partners and give them the things they need to do their work. It allows an organization to interface with customers in a friendly, knowing way. These aren't things you get from a security outlook."

By creating an EIA, said Windley, a CIO will account for which resources must be accessed by which citizens, employees, suppliers and businesses; the level of access appropriate for different types of users; and how those entities will interact with the resources.

"Identity management is really about policy," said Windley. "It's probably too large a task to build a single database authentication system that encompasses every vendor and resource."

Arizona is in the blueprint stage, said Lee Lane, information security manager for the Arizona Department of Administration's Information Security Services Division. "We've identified an LDAP [lightweight directory access protocol] as a critical component. We know that we need an information directory; now we're working on who needs this information and why, with the goal of establishing a trust model between all involved entities."

An architecture can help organizations group data in terms of security and accessibility needs. "There used to be one gate or firewall that would either let Brian Anderson in or keep him out," said Brian Anderson, program director of security market management for IBM Tivoli Software. "Now governments have recognized they need to let almost everyone in, whether as customers or partners."

Today's government portal might consist of three perimeters: the first

