Identity Management


What Is It?

One way to think about identity management is by imagining an enormous blueprint of an office building. It shows the rooms into which each person who works in the building can enter. The blueprint also shows what kind of key each person would need to open the door to get into that room, and what that person can do once they are there.

A computer network is like the building, and each room represents a file, database or application on that network. The employees working in the building are the users. The keys are the privileges that the system administrator hands out to each person who works on the network, providing access to a file, database or application. The keys also determine what they can do while accessing a specific file or application.

Like physical building security, identity management is one of the most essential forms of information protection available to agencies. Yet it also is among the information security practices that are least often used or properly implemented.

More Than Just a Password

Identity management is more than simply permitting a user to log on; it controls what that user can do, similar to putting boundaries on where a person can go once in a building. A systems administrator assigns each worker a credential tied to a unique identifier. That identifier allows the employee or contractor onto the network and determines which resources can be accessed. Because every access is tied to that identifier, a monitoring tool also can flag the administrator if the user somehow gains access to forbidden areas, or if the user is performing actions (such as repeated failed attempts) that may indicate an effort to gain entry to prohibited areas.

Requiring a username and password - whether to pass through a firewall, to log on to a virtual private network or to open an application - is identity management in its minimal form. At a more sophisticated level, it incorporates biometrics (such as hand, fingerprint or iris scans) to verify a user's identity, grants and revokes access rights as people join, change jobs and leave (known as provisioning and deprovisioning), and delivers custom services (such as training materials and e-mails) based on users' roles in an organization.

Identity management provides managers a custom view of the IT environment for each user, determined mostly by job function and security concerns.

Why Should I Care?

For the government, interest in identity management increased after President Bush issued Homeland Security Presidential Directive 12 in 2004. It requires agencies to issue credentials to all federal employees and contractors by October 2008. The cards will contain an embedded microchip that stores personal information, including biometric data such as fingerprints. Employees and contractors will use the card to gain access to federal buildings and computer networks. The cards provide a standard for identification and access, which agencies can use to link into more comprehensive identity management.

Identity management also has increased in importance as networks come under more attacks. In November, former CIA official Andrew Palowitch said government and private systems had experienced 37,000 security breaches in 2007. "America is under widespread attack in cyberspace," he said.

One of the most notorious examples of the potential harm that can result without identity management occurred in February 2001 when the FBI arrested one of its own veteran counterintelligence agents, Robert Philip Hanssen. He gave more than 6,000 pages of documents containing classified information to Russia and the former Soviet Union. He downloaded most of it from the bureau's computers. Restricting each user's access to the files the job actually requires, and monitoring what is accessed, makes it harder for insiders like Hanssen, or outside hackers, to steal sensitive information.

Without proper security processes and technologies, users can wander through networks virtually unimpeded. Employees, as well as hackers, can slip into files and databases to peer into and steal sensitive information. To protect this information, agencies will spend almost $350 million on identity and access management technology in 2008, according to INPUT, a Reston, Va.-based research firm.

Identity management also provides benefits beyond security, improving business processes and information sharing. For example, a centralized system that gives employees and contractors access to networks also allows an organization's human resources sector to create e-mail and Voice over Internet Protocol accounts in a matter of minutes. In addition, a single sign-on capability that is linked to an e-government application allows citizens to protect personal information when accessing agency services online.

If managed well, IM better secures information that agencies share, because it gives the information owners more assurance that it will not be accessed by unauthorized users. Theoretically, the credentials attached to an employee could extend across government, transforming federal systems into an enormous information grid. But for now, incompatible systems and a lack of standards make widespread information sharing difficult. For example, agencies may define Top Secret security clearances differently, so a systems administrator cannot put in a user's profile a single access code that every federal network would interpret the same way when deciding which files the user may open.

The Latest on Identity Management

Despite the risks of unauthorized users electronically grabbing private or sensitive information, many agencies have yet to install an identity management tool. The reason: It's complicated. To begin implementing IM on its networks, an agency's IT shop typically conducts an inventory of systems to determine what information it stores, where it is stored and how the right to access that information is assigned for each application. Many are legacy systems or run on proprietary programs built by the agency. That makes it difficult or impossible to reprogram the systems or applications to interact with a commercial IM tool.

In addition, an identity management program requires more work for what is typically an already overworked IT office. Agencies have to develop a central database to maintain identities, manage the access rights for every user on the network and enforce a strict policy for how that database will be managed.

Those obstacles may help explain why the Government Accountability Office has found that agencies still are unable to properly secure systems with IM tools. In an April 2007 report, GAO concluded that the FBI continued to have major security weaknesses in its critical computer networks, including failing to properly identify and authenticate users or consistently configure network devices and services to prevent unauthorized access. In September 2007, GAO found that the Veterans Affairs Department, which reported two high-profile security breaches in 2006, had not fully completed 20 of 22 IT security recommendations that its inspector general made a year prior. VA failed to adequately restrict access to data, networks and facilities or to ensure that only authorized changes and updates to computer programs were made, according to the report.

The Information Systems Security Line of Business, the e-authentication presidential initiative and the 2002 Federal Information Security Management Act offer guidance on how to control access once users are logged in, but agencies must determine the best approach to meet their own requirements.

How Do I Get Started?

Perhaps most important in any successful IM strategy is to consolidate access controls. Traditionally, controls exist at the level of a software application, each with its own user list and its own notion of who may do what. But security experts say that application-based controls create a fragmented environment that is a nightmare to manage and can open numerous doors for unauthorized users. Trying to control access for each application is particularly problematic for legacy systems, which tend to have many vulnerabilities and flaws because the agency has not been able to test them on the scale that commercial software vendors can.

A centralized approach to IM allows agencies to automate and accelerate the process. Typically, accounts and the rights attached to them are maintained in a network directory service, such as Microsoft Active Directory. That provides a single place to create or modify accounts, and to grant or revoke access to business applications, so that disabling one account cuts off every application at once.

Beyond the technology, agencies need policies for ensuring that user accounts are handled properly. Consistent monitoring of how resources are accessed by employees and contractors might be the only way to detect improper behavior. And many agencies do not have a process in place to remove access when someone leaves an agency or team, which leaves orphaned accounts that the former user, or anyone who obtains the credential, can still use.
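The three ideas in the paragraphs above (a single directory that decides who may use what, monitoring that flags access outside a user's rights, and removing access when someone leaves) fit together in a small model. The following is an added example and not code from the article or from any agency; the roles, user ids, HR separation list and log lines are all constructed for illustration.

```python
# Added example (not from the article): a small model of centralized identity
# management. One directory holds accounts and roles, one table holds each
# role's entitlements, and an audit step checks constructed access-log lines
# and a constructed HR separation list against that directory.
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Central entitlement table: which resources each job role may use.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "analyst": {"case_db:read", "email"},
    "case_officer": {"case_db:read", "case_db:write", "email"},
    "directory_admin": {"email", "directory:admin"},
}


@dataclass
class Account:
    user_id: str
    roles: Set[str] = field(default_factory=set)
    enabled: bool = True
    separated_on: Optional[date] = None


def build_directory() -> Dict[str, Account]:
    """Constructed directory: three accounts, one belonging to a person who has left."""
    return {
        "jdoe": Account("jdoe", {"analyst"}),
        "asmith": Account("asmith", {"case_officer"}),   # HR says asmith left
        "rlee": Account("rlee", {"directory_admin"}),
    }


# Constructed HR feed: user ids and the date each person separated.
HR_SEPARATIONS: Dict[str, date] = {"asmith": date(2008, 2, 28)}

# Constructed access log, one event per line: "<date> <user> <resource>".
ACCESS_LOG: List[str] = [
    "2008-03-01 jdoe case_db:read",
    "2008-03-01 jdoe directory:admin",
    "2008-03-02 asmith case_db:write",
    "2008-03-02 ghost email",
]


def is_authorized(directory: Dict[str, Account], user_id: str, resource: str) -> bool:
    """Single decision point: the account must exist, be enabled, and hold a
    role whose entitlements include the resource."""
    acct = directory.get(user_id)
    if acct is None or not acct.enabled:
        return False
    return any(resource in ROLE_ENTITLEMENTS.get(r, set()) for r in acct.roles)


def deprovision(directory: Dict[str, Account], user_id: str, when: date) -> None:
    """Offboarding: disable the account and strip every role in one place."""
    acct = directory[user_id]
    acct.enabled = False
    acct.roles.clear()
    acct.separated_on = when


def orphaned_accounts(directory: Dict[str, Account], hr_separations: Dict[str, date]) -> List[str]:
    """Accounts still enabled for people the HR feed says have left."""
    return sorted(uid for uid, acct in directory.items()
                  if uid in hr_separations and acct.enabled)


def audit(directory: Dict[str, Account], log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Flag every logged access that the central policy would not allow."""
    findings = []
    for line in log_lines:
        _day, uid, resource = line.split()
        if is_authorized(directory, uid, resource):
            continue
        acct = directory.get(uid)
        if acct is None or not acct.enabled:
            reason = "unknown or disabled account"
        else:
            reason = "outside role entitlements"
        findings.append((uid, resource, reason))
    return findings


if __name__ == "__main__":
    directory = build_directory()
    print("orphans before offboarding:", orphaned_accounts(directory, HR_SEPARATIONS))
    print("findings before offboarding:", audit(directory, ACCESS_LOG))
    for uid, when in HR_SEPARATIONS.items():
        deprovision(directory, uid, when)
    print("orphans after offboarding:", orphaned_accounts(directory, HR_SEPARATIONS))
    print("findings after offboarding:", audit(directory, ACCESS_LOG))
```

The run shows the gap the paragraph warns about: before offboarding, the audit flags jdoe reaching for directory:admin and the unknown user ghost, but asmith's write to the case database passes, because the directory still says asmith is a valid case officer. Only the comparison against the HR feed exposes the orphaned account; once deprovision runs, the same log line is flagged as a disabled account. Monitoring is therefore only as good as the directory it checks against, which is why the removal process matters as much as the logging.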

Agencies also need to ensure that employees and contractors are properly trained on security procedures. The Centers for Medicare and Medicaid Services, which is a part of the Health and Human Services Department, requires all users to participate in computer-based training when they are first issued a user ID and then again every year when their IDs are certified.

CMS also has an Information Security Program policy that governs operation and safeguarding of systems; a Business Partners System Security Manual, which addresses security for those in the private sector; and it issues program memos that provide day-to-day operating instructions, policies and procedures.