Identity Management and Access: A Smarter Gatekeeper

By Bob Violino  |  Posted 2006-12-22

Managing the identity of people who have access to critical business data has long been a key component of effective information security strategies. But it's taken on greater urgency with the push to mitigate corporate risk by restricting access to applications and information.

Identity and access management tools verify the identity of people—including employees, business partners and customers—and control the applications and information those people can access.

A major benefit of the technology: It's helping companies comply with government regulations such as the Sarbanes-Oxley Act, which requires public companies to back up financial statements with proof of the procedures and controls in place, and the Health Insurance Portability and Accountability Act (HIPAA), designed to secure patient information.

In response to those measures, demand for identity and access management products is on the rise. Total worldwide revenue for the software will increase from $3 billion in 2005 to more than $5 billion in 2010, predicts Framingham, Mass.-based research firm IDC. The market has attracted information-technology and security vendors including RSA, IBM, CA, Novell, SafeNet, Hewlett-Packard, Sun Microsystems and VeriSign.

Mark A. Lobel, a partner at PricewaterhouseCoopers' advisory services group, sums up identity management this way: "Providing the right people with the right access at the right time." Despite that straightforward definition, he cautions that ID management projects can trip up companies, depending on the number of applications that must be integrated with the identity manager and other project requirements.

Pushed by Sarbox

MasterCard International began using CA's eTrust Identity and Access Management Suite in 2005 to simplify the process of managing the identities of its 4,300 employees worldwide.

In 2004, as the company worked on meeting the requirements of the Sarbanes-Oxley Act, including an audit of internal controls over financial reporting and other systems, it found that the task of managing identities manually—required to ensure that only authorized people had access to financial systems—was time consuming. At the time, staffers were keying in data detailing access privileges for each individual and for all types of systems.

Given the multiple identities that needed to be tracked—for example, one ID to access Windows-based systems, another for Unix, yet another for mainframes—MasterCard was dealing with more than 200,000 identities in all, says Malcolm McWhinnie, group head of global information security. "We wanted to simplify the management of all those identities and improve the cycle time" to grant and deny access, he says.

MasterCard looked at ID management products from multiple vendors before selecting eTrust. MasterCard managers believed that CA best understood the business requirements for implementing ID management, McWhinnie says. MasterCard declined to disclose other vendors considered.

MasterCard brought its major computing platforms, including Windows and Unix, under the system. The company initially chose 12 applications to put on the system and has since expanded the effort to all production applications.

With CA's ID management software, "We related people to roles and roles to privileges," he says. "Before that, we were relating people to file names and it was quite complex."

Every employee is defined in the CA software, which is linked to a human-resources database that serves as a "directory of record," McWhinnie says. Now, when someone is hired at MasterCard, the HR department loads information about the newcomer into the database, and basic access rights—such as access to the corporate network—are granted to that employee. Other privileges are granted based on job role. When an employee leaves the company, access to applications is immediately ended.

Help with Sarbanes-Oxley compliance is a key benefit of the software, McWhinnie says. "Getting control over terminations and job-role changes is very important to SarbOx," he explains. "We were compliant long before we had identity management, but the amount of time it [took] to run manual systems begs some sort of automation."
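The people-to-roles-to-privileges model and the HR-driven hire, role-change and termination flow described above, as an added example (constructed data; not CA's or MasterCard's code). The role names, privilege names and employee IDs are assumed for illustration; the point is that access is recomputed from the directory of record, so a role change revokes what the old role carried and an account with no HR record surfaces as an audit finding rather than lingering.

```python
# Role-based provisioning driven by an HR "directory of record": people map
# to roles, roles to privileges, and access is recomputed on hire, role change
# and termination. Added example with constructed data; not CA's or MasterCard's code.
from dataclasses import dataclass
BASE = frozenset({"corp-network", "email"})          # granted to every active hire
ROLE_PRIVS = {                                        # role -> application privileges
    "accounts-payable": frozenset({"erp-ap-entry"}),
    "finance-controller": frozenset({"erp-ap-entry", "erp-gl-post", "erp-report"}),
    "helpdesk": frozenset({"ad-password-reset"}),
}

@dataclass
class HRRecord:
    emp_id: str
    role: str
    active: bool    # False once HR records the termination

def desired_access(rec):
    """The HR record decides; a terminated employee keeps nothing at all."""
    if not rec.active:
        return frozenset()
    return BASE | ROLE_PRIVS.get(rec.role, frozenset())

def reconcile(hr_feed, current_access):
    """Diff desired against actual access. Returns (grants, revokes, orphans):
    orphans are accounts with no HR record, which is an audit finding rather
    than something to keep silently."""
    grants, revokes = {}, {}
    for rec in hr_feed:
        have = current_access.get(rec.emp_id, frozenset())
        want = desired_access(rec)
        if want - have:
            grants[rec.emp_id] = want - have
        if have - want:
            revokes[rec.emp_id] = have - want
    orphans = set(current_access) - {r.emp_id for r in hr_feed}
    return grants, revokes, orphans

# Constructed sample: a new hire, a job-role change, a termination, an orphan.
SAMPLE_HR = [
    HRRecord("e100", "accounts-payable", True),     # hired today
    HRRecord("e101", "accounts-payable", True),     # moved off the controller role
    HRRecord("e102", "helpdesk", False),            # left the company
]
SAMPLE_ACCESS = {
    "e101": BASE | ROLE_PRIVS["finance-controller"],
    "e102": BASE | ROLE_PRIVS["helpdesk"],
    "e999": frozenset({"erp-gl-post"}),             # account with no HR record
}
```

Running `reconcile(SAMPLE_HR, SAMPLE_ACCESS)` yields the same-day grant for the new hire, the revocation of the controller-only privileges for the mover, the full revocation for the leaver, and the orphan account flagged for review.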

The cycle time to fully grant or take away access is about 10 times faster with the software than with manual systems, he says. The new system sets up access requirements the same day they are requested; the old process took up to two weeks to complete. For removing access rights, "If someone had a complex role with a number of different IDs, the housekeeping might take several days" using the manual process. With the ID management software, it can be done instantly.

McWhinnie says MasterCard has invested "several million" dollars on the ID management project, including software, hardware and labor. He declines to specify how much the company expects to save.

One project challenge involved changing business processes related to ID management, McWhinnie says. For example, department managers had to learn new ways to provide access by defining roles in the organization and the corresponding access rights. Previously, the company gave workers access to all files and directories individually, which could amount to hundreds of access privileges for each person.

Is MasterCard any more secure with ID management? Not necessarily, according to McWhinnie: "But we are definitely more efficient with our ID management and compliance efforts, and our housekeeping is in better shape."

RX for Faster Access

Continuum Health Partners, a nonprofit hospital system in New York that comprises six hospitals and has more than 15,500 employees, in 2005 hired Novell to help improve systems access and desktop management, and address requirements to protect the privacy of patient records.

Novell's information-technology services group maintains all e-mail, authentication, file, print and identity infrastructure for Continuum's hospitals and 300 clinics. For identity management, Continuum began using Novell's Identity Manager software in January 2006, says Ken Lobenstein, chief technology and chief security officer at Continuum.

With Identity Manager, Continuum's I.T. department can automatically issue each employee in the organization a single ID number and password, rather than multiple passwords—sometimes as many as 10—as in the past.

The software also provides tighter access controls and enables better tracking of who accesses patient data and when. This helps Continuum comply with HIPAA, as well as with sections of the FDA's Code of Federal Regulations Part 11, which is designed to ensure that electronic records and signatures are trustworthy and compatible with FDA procedures, Lobenstein says.

Continuum evaluated other ID management products, but since the company already relied on Novell for directory and messaging services, the vendor's identity management system seemed "a natural choice," Lobenstein says. He estimates that the total cost to implement the system will be about $1 million.

With the tool, employees can now access e-mail, medical records databases, purchasing and personnel systems in 10 seconds or less with a single ID and password. Without the software, it can take up to five minutes for people to gain access to the systems they need to perform daily tasks.

Lobenstein says Continuum expects to reap other benefits, such as improving its process of granting access rights to as many as 400 different software programs, once the company links the identity management software with other data sources, including an HR directory and a nursing management system.

Personnel data from those sources will be fed into Identity Manager, which will be used for providing and taking away access rights, Lobenstein says: "It will reduce the time it takes to get an account set up from two or three weeks to an hour or so." It will take an hour or less to close an account when an employee leaves, instead of as long as one month, because the current process relies heavily on paper reports and manual processing.

The tool will help with the annual arrival of several hundred resident physicians. Each receives credentials before using the hospital systems. In the past, about a dozen workers manually collected and entered data to authorize access.

Now, Continuum downloads information about the physicians from a directory of the Association of American Medical Colleges into Identity Manager. In addition to time savings, the process helps Continuum avoid data entry errors by allowing direct electronic feeds among systems.

The biggest challenge with the technology? The up-front task of ensuring there is a single identity for each person, Lobenstein says. "We have literally hundreds of systems and have information about people scattered throughout those systems," he says. "There are a number of instances where data is not readily matched. There's no easy way to know that Ken Lobenstein in one system is the same person as Kenneth Lobenstein in another. You have to sort through pieces of information to determine that."

He says Continuum made a significant investment of time in the initial loading of identities from multiple sources, and then verifying that matching algorithms linked records from those multiple sources correctly.
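The record-matching problem Lobenstein describes (is "Ken Lobenstein" in one system the same person as "Kenneth Lobenstein" in another?), as an added example with constructed data; it is not Novell Identity Manager's matching logic. It assumes that date of birth plus the last four SSN digits is a strong enough key to link records automatically, and treats a name-only candidate as something a person must decide, since a wrong automatic link would merge two people's access.

```python
# Linking records that describe the same person across systems. Added example
# with constructed data; not Novell Identity Manager's matching logic.
# A wrong auto-link merges two people's access, so a link is only automatic
# when a strong key agrees; name-only candidates go to a review queue.
import re
import unicodedata

NICKNAMES = {"ken": "kenneth", "bill": "william", "bob": "robert", "liz": "elizabeth"}

def canon_name(name):
    """Lower-case, strip accents and punctuation, expand common nicknames."""
    txt = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    parts = re.sub(r"[^a-z ]", " ", txt.lower()).split()
    if not parts:
        return ""
    parts[0] = NICKNAMES.get(parts[0], parts[0])
    return " ".join(parts)

def strong_key(rec):
    """Attributes assumed to identify one person on their own (constructed choice)."""
    if rec.get("ssn_last4") and rec.get("dob"):
        return (rec["ssn_last4"], rec["dob"])
    return None

def match(hr_records, app_records):
    """Returns (linked, review). linked maps app account -> HR emp_id only when
    the strong key agrees; review lists name-only candidates for a human."""
    by_key = {strong_key(r): r["emp_id"] for r in hr_records if strong_key(r)}
    by_name = {}
    for r in hr_records:
        by_name.setdefault(canon_name(r["name"]), []).append(r["emp_id"])
    linked, review = {}, []
    for a in app_records:
        k = strong_key(a)
        if k in by_key:
            linked[a["account"]] = by_key[k]
        else:   # 0, 1 or many candidates: a person decides, never the script
            review.append((a["account"], by_name.get(canon_name(a["name"]), [])))
    return linked, review

HR = [  # constructed HR directory of record; two distinct namesakes
    {"emp_id": "h1", "name": "Kenneth Lobenstein", "dob": "1960-01-02", "ssn_last4": "1234"},
    {"emp_id": "h2", "name": "Kenneth Lobenstein", "dob": "1975-05-06", "ssn_last4": "9876"},
    {"emp_id": "h3", "name": "Elizabeth Ruiz", "dob": "1980-09-09", "ssn_last4": "4321"},
]
APPS = [  # constructed accounts from a clinical application
    {"account": "klobenstein", "name": "Ken Lobenstein", "dob": "1960-01-02", "ssn_last4": "1234"},
    {"account": "k.lobenstein2", "name": "Ken Lobenstein"},   # no strong key: ambiguous
    {"account": "lruiz", "name": "Liz Ruíz", "dob": "1980-09-09", "ssn_last4": "4321"},
]
```

`match(HR, APPS)` links the two accounts whose strong key agrees and queues the nickname-only account with both namesakes as candidates, which is exactly the case that needs a human to sort through the remaining pieces of information.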

Lobenstein, who did not provide metrics on Continuum's security improvements, says: "Security has three components: availability, integrity and confidentiality. The identity management program will support all three. By using identity management to provision new accounts quickly, we ensure systems are more readily available as members of the workforce are added."

4 Tips for Successful Identity Management

  • Consider factors such as the ID management software's ability to scale, compatibility with existing applications, and ease of use.

  • Keep in mind business process changes—such as new ways to define access rights for employees—that will accompany the technology, and provide needed training.

  • Get buy-in from business managers by demonstrating the value of identity management systems.

  • Budget sufficient time for project completion, including entering initial information about employees and various access rights.