IAM and best practices still underutilized

Is it surprising that 50% of user accounts remain active when employees leave?  How about that 90% of companies don’t have automated security audit capabilities?  Or that 7 out of 10 companies still only use usernames and passwords for all authentication?  These are the startling findings of a survey of 259 IT professionals in the UK, as reported by IT Pro.

Perhaps I shouldn’t be so surprised — based on the lax attitudes I frequently witness on security projects, the more shocking story would be if the majority of enterprises had comprehensive identity and security solutions in place… 


Managing tough security projects

For most of the past four years, I’ve found myself in project management positions on security projects.  The work has included managing technical and business teams as they integrated applications into an enterprise Identity and Access Management solution.

These projects have been among the most difficult I’ve had to manage, with most of the challenges coming from managing multiple teams.  On each of these projects, successful delivery of the work required cooperation from multiple disciplines: business analysts, software developers, infrastructure guys, core integrators, vendors, security analysts and privacy analysts.  On the larger projects (e.g. gov’t healthcare or education) there were up to seven teams involved, often from three or four different organizations.  And, of course, each organization had its own project sponsor and senior management teams to please…

Perhaps enterprise IAM is unique in terms of implementation complexity.  The client organization (government) certainly was complex, and the public-facing nature of the IAM solution required care in planning and execution.  The technology we chose was complicated and new.  The solution was highly distributed.  Our vendors over-committed and, frankly, under-delivered.

I found that it was critical to focus on delivery and manage that delivery formally.  For those projects where we used this approach, we were successful.  For others, well, the results eventually were produced but not without hardship and delay…


Who are you? Part two

When we work with clients on identity proofing designs, it is surprising how difficult it is to establish parallels between real world identities and electronic identities.  In some cases, the physical identity process is considered sacred, one that cannot be modified or added to for the purposes of adding an e-business identity.  Government and private sector alike struggle to align these two similar — same? — processes.

In other cases, we are asking clients about confirming identity for the first time — they simply don’t have existing business processes to properly validate the user when conducting business.  They haven’t considered formal process in this area because the need for serving up sensitive information is so new.  And they recognize that developing this process will cross organizational boundaries and create disruption at a business level (after all, this isn’t a technology issue).

Identity proofing is a critical issue in identity management and it needs to be carefully designed to ensure that users are appropriately identified before they are allowed access to sensitive information. 
Bottom line: Identity proofing for electronic identities is fundamentally the same as identity proofing in the real world.  In other words, proving you are who you are is the same regardless of how you conduct business!


Who are you?

Quick — what are the top IT security issues today?  A list might include things like uncontrolled wireless devices, organized e-crime, identity management and ‘the next big virus’.  It would be hard to discredit any on this list, but from an individual user’s perspective, identity management is becoming a very hot topic.  And identity management is certainly something that is of interest to large organizations, particularly those that are in government or regulated industries — which covers a lot of ground these days.

Identity management is critical to conducting e-business and for protecting sensitive information.  Practically speaking, if a company doesn’t know who is ‘at the end of the wire’ then it is very difficult to offer up anything significant in the way of business content.  And if that identity is not managed properly over time, the user can lose confidence in the relationship and even stop using the offered services completely.

So, how can you know who is accessing your site, web portal or business application? How sure can you be that they are who they say they are? It all starts with confirming the identity at the first interaction with the user, or what we like to call ‘identity proofing’.  This critical step can be difficult to design, build and operate.  Identity proofing requires good process, the type of process that businesses and governments use to support the issuance of identity cards in the physical world. When it comes to proving identity, electronic identities and physical identities must follow the same process to be effective.