Identity management: The cornerstone of security
By Todd Musselman and Al Kinney
The value of a robust identity management system has long been recognized; however, the actual development and implementation of an effective identity management system have proven to be more difficult tasks. This challenge has grown more complex as various solutions have emerged and matured, and has become more urgent as threats continue to grow in sophistication.
Consider the evolution of identity management just in the past decade. Passwords have gone from “1234” to lengthy, complex codes that require regular updates, and many organizations now use smart cards -- a single credential that stores all access information for a particular user.
Homeland Security Presidential Directive 12 (HSPD-12), signed by President George W. Bush in 2004, mandates a standard for a secure and reliable form of identification to be used by all federal employees and contractors. The directive created an infrastructure that can deploy and support an identity credential to be used and trusted across all federal agencies for physical and logical access. This type of process and development in the industry reflects the changing needs of organizations and the ability of identity management to serve as a foundation for a larger security initiative.
Today, identity management encompasses many aspects of high-level security and authentication, including identity and document validation, biometrics, credentialing, provisioning, physical access, logical access, and national identification and borders. Identity management helps to ensure that the right access -- whether it is to a computer system or file or an actual physical location -- is given to the right people, at the right time, in the right manner. While it cannot protect against all threats and potential dangers, a comprehensive identity management system truly is the foundation of a complete cyber security strategy.
When developing a comprehensive identity management and cyber security strategy, certain steps should be taken to ensure that the system functions efficiently and securely.
Step One -- The three A’s
As CIOs consider how to improve their identity management solutions, it is wise to start by assessing solutions against the three A’s of identity management: authentication, authorization and assurance.
Authentication involves confirming the identity of a person prior to his or her gaining access to a system’s resources. A strong authentication system will require at least two forms of verification; these could include a user ID and password; something possessed, such as a driver’s license; or biometrics. This ensures that only the appropriate user is signing on to gain access to data.
Authorization enables the right people to access what they need, when they need it, and allows organizations to have control over that process.
Assurance provides an organization a greater level of confidence that it is doing business with the right people. In short, it helps by letting the right people in at the right time and keeping the wrong people out.
Step Two -- Simplify
Once a system has met the three A’s, CIOs can appreciate one of the greatest values that identity management provides -- the ability to simplify processes. When developed appropriately, an identity management strategy will allow users to solve some of their own entry issues. For example, most identity management plans provide self-enabling tools that allow users to verify their identity through a series of questions or codes. Including these types of tools can reduce costs, as end users can do some of the legwork in helping to keep the system secure and making audit compliance easier.
Identity management can also be a bridge between physical and logical security -- offering solutions that can centralize all management systems and reduce the footprint of the various identity components within an organization -- ultimately streamlining the identity management process.
Step Three -- Continue to integrate and innovate
Organizations must use their current identity management solutions to their full potential, while taking advantage of newly developed technology solutions. Companies and government entities will need to continue to expand their infrastructure to support construction of a comprehensive identity management ecosystem. Organizations must also look beyond managing identities solely within their organizational boundaries. They will need to decide how they are going to manage identities and access to the multitude of cloud-based applications that are arising.
And, as the world continues to become more mobile, there will be additional challenges related to identity management that the public and private sector will need to address. The “National Strategy for Trusted Identities in Cyberspace” (NSTIC) has begun to address this issue. Its goal is to reduce the use of passwords and improve how individuals gain online access to create a more secure cyberspace. This model would develop a marketplace that allows people to choose among multiple public and private identity providers that would issue trusted credentials that authenticate an identity. This type of partnership between the public and private sector is the model for future programs that will not only protect individuals but also organizations.
The End Game -- Security
Security, in general, is a big puzzle, and identity management is a critical piece of this puzzle. It provides a greater level of assurance for organizations by verifying system users and validating physical access to locations, among other functions. Identity management systems, when implemented well, also allow other security systems and tools to work in concert -- getting rid of duplicative processes and streamlining systems. It is critical for organizations to understand which users are performing which activities within their infrastructure and who should be allowed access to that infrastructure (both physical and logical). In the end, security has to be a holistic process in which identity management is the foundation.
Todd Musselman is the senior manager of global identity practice for HP Enterprise Services, U.S. Public Sector. He can be reached at:
Al Kinney is director of cybersecurity capabilities for HP Enterprise Services, U.S. Public Sector. He can be reached at: