Since Sept. 11, 2001, states have stepped up efforts to improve security. For those involved in protecting computer systems, the dilemma has been how to better protect systems while keeping them accessible to legitimate users.
North Carolina is taking a unique approach. By using a system originally designed for an entirely different function, the state is strengthening network security while cutting costs and improving service to citizens.
Cost of Keeping Pace
Two years ago, North Carolina began planning an employee white pages database. The goal was to relieve administrators of tracking the movements of 60,000 state employees -- a time-consuming task. As employees changed addresses and phone numbers, the cost of keeping up with changes in numerous databases was rising. "We had all these folks, and they had to enter data in different databases in different ways," said Michael Fenton, North Carolina's chief technology officer. "The validity of much of that data was compromised. This caused problems with security, mailing paychecks, etc."
To simplify database upkeep and improve accuracy, the state issued an RFP for a system that would reduce the steps involved, as well as authenticate employees logging on to enter new data or use state services. "Because the government offers services both internally and externally, it's important to understand the identity of who is using the network and the systems available on that network," said Fenton. "It was also important to allow employees to access information and services on their own."
A contract was eventually awarded to Oblix, a Cupertino, Calif.-based company that developed an application called NetPoint, which manages identities and tracks individual users' privileges. At the same time, it allows users to serve themselves.
But as the state began putting NetPoint to work, officials soon realized the technology could be used much more extensively.
"It turned out that technology, as it evolved, was ideally suited for the bigger problem of identity management," said Fenton. "It soon became clear that the security aspect was going to be the driver behind this, not the employee self-service."
Shortly after the Sept. 11 attacks, North Carolina Gov. Michael Easley directed the state's technology team to improve the state's technology infrastructure. The idea of expanding NetPoint into a statewide identity management system gained nearly instant approval.
North Carolina's identity management system eventually will control access to information and applications throughout the state -- both for government employees and citizens. Instead of using an individual ID for each separate application, users will access systems throughout the state using a single user name and password. A powerful authentication and authorization function will ensure each user is legitimate.
"We're trying to get a handle on who is on our network and what they're allowed to do," said Ann Garrett, state security officer. "We've got a lot of different pieces to bring together, but we're trying to bring an enterprise focus to it, set rules and raise the bar for security."
First, the state had to set security standards. Until recently, each agency had its own security and policy requirements; the idea of users logging on to the state portal once and accessing information or forms from various agencies quickly became complicated. By implementing a statewide security policy, the state began the problem-solving process. "A lot of it has been getting the standards developed, advertising them, educating, communicating, catching some things on the front end, working on the back end," Garrett said.
North Carolina then made NetPoint a central service available to all agencies. "There are two pieces of identity management -- authentication and authorization," Fenton said. "Without the identity management system, each one of our lines of business would have developed their own methods for doing that. That itself turns out to be a security gap.