The Basics
Identity Management
By Jill R. Aitoro
What Is It?
One way to think about identity management is to imagine an enormous blueprint of an office building. It shows which rooms each person who works in the building is allowed to enter. The blueprint also shows what kind of key each person needs to open the door to a given room, and what that person can do once inside.
A computer network is like the building, and each room represents a file, database or application on that network. The employees working in the building are the users. The keys are the privileges that the system administrator hands out to each person who works on the network, providing access to a file, database or application. The keys also determine what they can do while accessing a specific file or application.
Like building security, identity management is the most essential form of information protection that agencies use. Yet it is also among the information security practices that are least often used or properly implemented.
More Than Just a Password
Identity management is more than simply permitting a user to log on; it controls what that user can do, similar to putting boundaries on where a person can go once in a building. A systems administrator assigns a credential of some sort, usually a number, to a worker. That number allows the employee or contractor access to the network and determines what resources can be accessed. It also can flag the administrator (through a monitoring tool) if the user somehow gains access to forbidden areas, or if the user is performing actions that may indicate an attempt to gain entry to prohibited areas.
Requiring a username and password - whether to pass through a firewall, to log on to a virtual private network or to open an application - is identity management in its minimal form. At a more sophisticated level, it incorporates biometrics (such as hand, fingerprint or iris scans) to identify a user, to approve or deny access (known as provisioning and deprovisioning) to resources, and to deliver custom services (such as training materials and e-mails) based on users' roles in an organization.
Identity management provides managers a custom view of the IT environment for each user, determined mostly by job function and security concerns.
Why Should I Care?
For the government, interest in identity management increased after President Bush issued Homeland Security Presidential Directive 12 in 2004. It requires agencies to issue credentials to all federal employees and contractors by October 2008. Cards will contain an embedded microchip on which is stored personal information including biometric data, such as fingerprints. Employees and contractors will use the card to gain access to federal buildings and computer networks. They provide a standard for identification and access, which agencies can use to link into more comprehensive identity management.
Identity management also has increased in importance as networks come under more attacks. In November, former CIA official Andrew Palowitch said government and private systems had experienced 37,000 security breaches in 2007. "America is under widespread attack in cyberspace," he said.
One of the most notorious examples of the potential harm that can result without identity management occurred in February 2001 when the FBI arrested one of its own veteran counterintelligence agents, Robert Philip Hanssen. He gave more than 6,000 pages of documents containing classified information to Russia and the former Soviet Union. He downloaded most of it from the bureau's computers. Controlling access to certain files makes it harder for insiders like Hanssen, or outside hackers, to steal sensitive information.
Without proper security processes and technologies, users can wander through networks virtually unimpeded. Employees, as well as hackers, can slip into files and databases to peer into and steal sensitive information. To protect this information, agencies will spend almost $350 million on identity and access management technology in 2008, according to INPUT, a Reston, Va.-based research firm.
Identity management also provides benefits beyond security, improving business processes and information sharing. For example, a centralized system that gives employees and contractors access to networks also allows an organization's human resources sector to create e-mail and Voice over Internet Protocol accounts in a matter of minutes. In addition, a single sign-on capability that is linked to an e-government application allows citizens to protect personal information when accessing agency services online.
If managed well, IM better secures information that agencies share, because it gives the information owners more assurance that it will not be accessed by unauthorized users. Theoretically, the credentials attached to an employee could extend across government, transforming federal systems into an enormous information grid. But for now, incompatible systems and a lack of standards make widespread information sharing difficult. For example, agencies may define Top Secret security clearances differently, so a systems administrator cannot put in a user's profile a single identifying code, understood by every federal network, that shows which files the user may access.
The Latest on Identity Management
Despite the risks of unauthorized users electronically grabbing private or sensitive information, many agencies have yet to install an identity management tool. The reason: It's complicated. To begin implementing IM on its networks, an agency's IT shop typically conducts an inventory of systems to determine what information it stores, where it is stored and how the right to access that information is assigned for each application. Many are legacy systems or run on proprietary programs built by the agency. That makes it difficult or impossible to reprogram the systems or applications to interact with a commercial IM tool.
In addition, an identity management program requires more work for what is typically an already overworked IT office. Agencies have to develop a central database to maintain identities, manage the access rights for every user on the network and enforce a strict policy for how that database will be managed.
Those obstacles may help explain why the Government Accountability Office has found that agencies still are unable to properly secure systems with IM tools. In an April 2007 report, GAO concluded that the FBI continued to have major security weaknesses in its critical computer networks, including failing to properly identify and authenticate users or consistently configure network devices and services to prevent unauthorized access. In September 2007, GAO found that the Veterans Affairs Department, which reported two high-profile security breaches in 2006, had not fully completed 20 of 22 IT security recommendations that its inspector general made a year prior. VA failed to adequately restrict access to data, networks and facilities or to ensure that only authorized changes and updates to computer programs were made, according to the report.
The Information Systems Security Line of Business, the e-authentication presidential initiative and the 2002 Federal Information Security Management Act provide hints about how to control access once users are logged in, but agencies must determine the best approach to meet their own requirements.
How Do I Get Started?
Perhaps most important in any successful IM strategy is to consolidate access controls. Traditionally, controls exist at the level of a software application. But security experts say that application-based controls create a fragmented environment that is a nightmare to manage and can open numerous doors for unauthorized users. Trying to control access for each application is particularly problematic for legacy systems, which tend to have many vulnerabilities and flaws because the agency has not been able to test them on a large scale as private software companies can.
A centralized approach to IM allows agencies to automate and accelerate the process. Typically, credentials can be maintained in a computer's directory service, such as Microsoft Windows Active Directory. That provides a single place to create or modify accounts, and to approve or revoke access to business applications.
Beyond the technology, agencies need policies for ensuring that user accounts are handled properly. Consistent monitoring of how resources are accessed by employees and contractors might be the only way to detect improper behavior. And many agencies do not have a process in place to remove access when someone leaves an agency or team.
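The three points above, one central place to grant or revoke access, a single authorization decision reused by every application, and monitoring that flags a user who keeps probing areas they are not entitled to, are shown together in the following example. It is added here as an illustration and is not code from the article or from any product it mentions; the roles, resources, user names and the denial threshold are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample policy (hypothetical roles and resources): one central
# role-to-permission table that every application consults, instead of each
# application keeping its own access list.
ROLE_PERMISSIONS = {
    "analyst": {"case_files": {"read"}},
    "hr_staff": {"hr_records": {"read", "write"}},
    "admin": {
        "case_files": {"read", "write"},
        "hr_records": {"read", "write"},
        "audit_log": {"read"},
    },
}

# Constructed threshold: this many denied requests flag a user for the
# administrator's attention.
SUSPICIOUS_THRESHOLD = 3


@dataclass
class IdentityStore:
    """Central identity store: user -> roles, plus an audit trail of decisions."""
    users: dict = field(default_factory=dict)            # user id -> set of role names
    denials: dict = field(default_factory=lambda: defaultdict(int))
    audit: list = field(default_factory=list)            # tuples describing each event

    def provision(self, user_id, roles):
        """Create or update an account with the given roles."""
        self.users[user_id] = set(roles)
        self.audit.append(("provision", user_id, tuple(sorted(roles))))

    def deprovision(self, user_id):
        """Remove every privilege in one step when someone leaves the agency or team."""
        self.users.pop(user_id, None)
        self.audit.append(("deprovision", user_id))

    def authorize(self, user_id, resource, action):
        """Single authorization decision shared by all applications.

        Unknown users, unknown resources and missing permissions all deny;
        every decision is recorded, and denials are counted per user.
        """
        roles = self.users.get(user_id, set())
        allowed = any(
            action in ROLE_PERMISSIONS.get(role, {}).get(resource, set())
            for role in roles
        )
        self.audit.append(("allow" if allowed else "deny", user_id, resource, action))
        if not allowed:
            self.denials[user_id] += 1
        return allowed

    def flagged_users(self):
        """Users whose denied requests reached the threshold, for the administrator to review."""
        return sorted(u for u, n in self.denials.items() if n >= SUSPICIOUS_THRESHOLD)


def demo():
    """Walk through provisioning, repeated denied access, flagging and deprovisioning."""
    store = IdentityStore()
    store.provision("alice", ["analyst"])
    results = {
        "own_files": store.authorize("alice", "case_files", "read"),
        "write_denied": store.authorize("alice", "case_files", "write"),
    }
    # Three attempts on a resource the analyst role never grants.
    for _ in range(3):
        store.authorize("alice", "hr_records", "read")
    results["flagged"] = store.flagged_users()
    store.deprovision("alice")
    results["after_leaving"] = store.authorize("alice", "case_files", "read")
    return results


if __name__ == "__main__":
    print(demo())
```

Because every application calls the same authorize function, revoking a departed user's roles in the store is sufficient to close all doors at once, and the audit list gives the monitoring tool the record it needs to raise a flag.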
Agencies also need to ensure that employees and contractors are properly trained on security procedures. The Centers for Medicare and Medicaid Services, which is a part of the Health and Human Services Department, requires all users to participate in computer-based training when they are first issued a user ID and then again every year when their IDs are certified.
The center also has an Information Security Program policy that governs the operation and safeguarding of systems and a Business Partners System Security Manual that addresses security for its private-sector partners, and it issues program memos that provide day-to-day operating instructions, policies and procedures.