Show Me Some ID, Please

Who’s perusing your company’s information systems? And should they be poking around in there? Identity and access management systems can provide a central point of control over who’s allowed to see what—and they can also make your employees’ lives easier.

United Parcel Service realized that being able to instantly yank away someone’s ability to look at corporate information is just as important as granting that access in the first place.


Two years ago, UPS was considering the ramifications of the Sarbanes-Oxley Act of 2002, a U.S. law that specifies how publicly held companies handle financial information internally. A light bulb went off: To comply with Sarbanes-Oxley’s rule for shutting off data access to terminated employees, UPS would need an automated way to block a departing worker from logging on to any of hundreds of servers whenever one of its 350,000 employees leaves the company, says Paul Abels, the company’s manager of security policy and strategy.

“If we’re depending on people for removing those access rights,” Abels says, “the chances are slim to none that it will happen.”

To handle this task, UPS is using IBM’s Tivoli Identity Manager, which provides a central, companywide catalog of employees and which systems every employee can access. The IBM software is linked with UPS’ PeopleSoft human-resources application, so that when someone is removed—presto!—the employee can’t get into his e-mail, or anything else. Conversely, when an employee is hired, Identity Manager distributes log-on data to the appropriate places.
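The HR-driven provisioning loop described above, as an added example (not UPS’s or IBM’s code): the HR roster is treated as the authoritative source, each downstream system’s account list is compared against it, and the reconciler decides which accounts to disable (terminated, unknown to HR, or no longer entitled) and which to create, writing an audit line for every action. The employee IDs, system names and entitlements are constructed sample data.

```python
"""Added example: HR-driven account reconciliation (not vendor code).

The HR roster is the source of truth. Every account on every downstream
system is checked against it; anything HR does not vouch for is disabled.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Employee:
    emp_id: str
    status: str              # "active" or "terminated"
    entitlements: Set[str]   # systems this employee should hold an account on


# Constructed sample HR roster (hypothetical IDs and systems).
HR_ROSTER: Dict[str, Employee] = {
    "e100": Employee("e100", "active", {"email", "erp"}),
    "e101": Employee("e101", "terminated", {"email", "erp", "vpn"}),
    "e102": Employee("e102", "active", {"email", "vpn"}),
}

# Constructed snapshot of accounts currently present on each system.
SYSTEM_ACCOUNTS: Dict[str, Set[str]] = {
    "email": {"e100", "e101", "e102"},
    "erp": {"e100", "e101"},
    "vpn": {"e101", "e103"},   # e103 has no HR record at all (orphan account)
}


@dataclass
class Plan:
    disable: List[Tuple[str, str, str]] = field(default_factory=list)  # (system, emp_id, reason)
    create: List[Tuple[str, str]] = field(default_factory=list)        # (system, emp_id)


def reconcile(roster: Dict[str, Employee], accounts: Dict[str, Set[str]]) -> Plan:
    """Compare downstream accounts with HR and return the actions needed."""
    plan = Plan()
    # Pass 1: every existing account must be justified by an active, entitled employee.
    for system, holders in accounts.items():
        for emp_id in sorted(holders):
            emp = roster.get(emp_id)
            if emp is None:
                plan.disable.append((system, emp_id, "no HR record"))
            elif emp.status != "active":
                plan.disable.append((system, emp_id, "terminated in HR"))
            elif system not in emp.entitlements:
                plan.disable.append((system, emp_id, "not entitled"))
    # Pass 2: every active employee gets the accounts HR says they are entitled to.
    for emp in roster.values():
        if emp.status != "active":
            continue
        for system in sorted(emp.entitlements):
            if emp.emp_id not in accounts.get(system, set()):
                plan.create.append((system, emp.emp_id))
    return plan


def apply_plan(plan: Plan, accounts: Dict[str, Set[str]]) -> List[str]:
    """Apply the plan to the account sets in place; return audit log lines."""
    log = []
    for system, emp_id, reason in plan.disable:
        accounts[system].discard(emp_id)
        log.append(f"DISABLE {system} {emp_id} ({reason})")
    for system, emp_id in plan.create:
        accounts.setdefault(system, set()).add(emp_id)
        log.append(f"CREATE {system} {emp_id}")
    return log


if __name__ == "__main__":
    working = {k: set(v) for k, v in SYSTEM_ACCOUNTS.items()}
    for line in apply_plan(reconcile(HR_ROSTER, working), working):
        print(line)
```

Running the reconciler a second time after `apply_plan` yields an empty plan, which is the check an auditor wants: the downstream systems and the HR roster agree, and the log shows how they got there.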

The original impetus for the project was to give employees a way to make changes in their access profiles themselves, rather than relying on the information-technology department. “As UPS expands globally, we felt we had to put together some kind of automated process to manage this in a better way,” Abels explains.

Identity and access management software tracks who’s allowed into which systems, and then enforces those rules. Businesses have become more keenly interested in the software because government regulations like Sarbanes-Oxley and the Health Insurance Portability and Accountability Act can require audits to prove who viewed or changed a particular piece of data.

Vendors in this category, which include Computer Associates, IBM and RSA Security, have also been cooking up an even more sophisticated authentication capability, called federated identity management, which will provide a standard way for organizations to verify the identity of an individual whose log-on details are maintained by another entity. So, for example, if George has an account with the White House, the State Department could recognize him and confirm his password if the agency has set up its systems to access George’s information at the White House.
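The federation pattern in the George example, as an added illustration that is not any vendor’s code and is not SAML or Liberty Alliance wire format: the identity provider (the White House in the example) holds George’s credential and, after checking it, issues a signed assertion naming the intended relying party and an expiry; the relying party (the State Department) accepts the assertion if the signature, audience and expiry check out, and never handles George’s password. The shared HMAC key, user names, passwords and issuer names are constructed assumptions standing in for the certificate-based trust a real federation sets up.

```python
"""Added example: a minimal federated identity assertion (not vendor code).

The IdP authenticates the user and signs claims; the relying party verifies
the signature, audience and expiry. Passwords never leave the IdP.
"""
import base64
import hashlib
import hmac
import json
import time

# Hypothetical pre-shared federation key (real deployments use certificates).
SHARED_KEY = b"constructed-federation-key"
IDP_NAME = "idp.example"          # constructed issuer name


def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- Identity provider side -------------------------------------------------
SALT = b"constructed-salt"


def hash_pw(password: str) -> bytes:
    """Salted, iterated hash so the IdP never stores plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed IdP user store: the only place George's password lives.
IDP_USERS = {"george": hash_pw("correct horse")}


def idp_issue_assertion(user, password, audience, key=SHARED_KEY, now=None, ttl=300):
    """Check the credential locally; on success return a signed assertion, else None."""
    stored = IDP_USERS.get(user)
    if stored is None or not hmac.compare_digest(stored, hash_pw(password)):
        return None
    now = int(time.time()) if now is None else now
    claims = {"sub": user, "iss": IDP_NAME, "aud": audience, "iat": now, "exp": now + ttl}
    body = b64e(json.dumps(claims, sort_keys=True).encode())
    sig = b64e(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


# --- Relying party side -----------------------------------------------------
def rp_verify_assertion(token, expected_audience, key=SHARED_KEY, now=None):
    """Verify signature first, then audience and expiry. Return claims or None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64d(sig)):
        return None                      # tampered or signed by an unknown party
    claims = json.loads(b64d(body))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != IDP_NAME:
        return None                      # not from the IdP we federate with
    if claims.get("aud") != expected_audience:
        return None                      # assertion was meant for another site
    if now >= claims.get("exp", 0):
        return None                      # stale assertion
    return claims


if __name__ == "__main__":
    token = idp_issue_assertion("george", "correct horse", "state.example")
    print(rp_verify_assertion(token, "state.example"))
```

The audience check is the part practitioners most often skip: without it an assertion issued for one relying party can be replayed at another that trusts the same identity provider.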

Of course, enterprise applications and operating systems include their own authentication mechanisms. But that can mean an employee has to remember numerous passwords, something that identity and access management products are designed to solve.

Too many passwords: That’s one of the first things Giuseppe Cimmino, director of corporate systems architecture at Discovery Communications, noticed when he joined the cable network in December 2002.

The Silver Spring, Md.-based company, which produces the Discovery Channel, Animal Planet and other networks, has about 5,000 employees worldwide. Each of those employees, Cimmino says, had to remember up to 12 different combinations of user name and password to get into various systems, including Lotus Notes e-mail and applications running on IBM’s WebSphere application server. “It’s the kind of problem that goes to the mom and apple pie of security,” he says.

First, there’s the ongoing administrative cost and hassle of resetting passwords that people forget. But assigning numerous passwords also potentially compromises the company’s security: Like employees everywhere, Discovery’s staffers found creative ways to keep tabs on their log-on information, most of which defeated the whole point of having passwords. “You’d find IDs and passwords on a sticky note on the monitor,” Cimmino says.

Discovery decided to deploy a centralized, Web-based identity and access management suite from Netegrity (now part of CA). The system, called SiteMinder, grants employees—with a single ID and password—access to 20 applications, including some of the company’s outside service providers, such as Concur Technologies’ travel and expense reporting system.

A single-sign-on system that unifies authentication and authorization functions is also easier for administrators to manage. Instead of dozens of servers that must be updated with a user’s information (such as new passwords), a change needs to be made only once. “Collapsing the number of places I do authentication lets me control things a lot better,” says Bob West, chief information security officer for Cincinnati-based Fifth Third Bank, which uses RSA’s ClearTrust.

Bringing up an identity and access management system, however, is a harder nut to crack than it seems, according to George Dobbs, chief architect for the Knights of Columbus, a philanthropic organization that offers insurance to its 1.6 million members.

Since June 2004, he’s been wrestling with getting IBM’s Tivoli Access Manager to work in his environment to handle authentication for 1,400 insurance agents. Part of the project has involved retrofitting a Web application written for Macromedia’s ColdFusion Java application server to handle security by linking directly with IBM’s WebSphere to verify user identities, instead of using cookies (small pieces of data a Web server stores in the browser).

“I think any project you’re trying to do like this would take some time,” Dobbs says. “There are a million things to configure with these systems.”

Group Dynamics: Who Goes There?

Category: Identity and access management

What It Is: Software that verifies the identity of employees, partners or customers and controls which applications and data they may access over a network.

Key Players: Computer Associates, Entrust, Hewlett-Packard, IBM, Novell, Oblix, Sun Microsystems, RSA Security, VeriSign

Market Size: $2.14 billion, 2003 (IDC)

What’s Happening: Government regulations are prompting companies to improve how they manage and monitor who’s allowed to view or change information. These include Sarbanes-Oxley, which requires public companies to restrict access to financial systems.

Expertise Online: The Liberty Alliance Project (www.projectliberty.org), whose members include customers and vendors, provides tutorials, case studies and other information on digital identity management.

Companies italicized are featured in dossiers this month.