Identity Management

IM is the via media in the trade-off between security and efficiency

As companies open their systems to partners, security assumes greater importance, particularly with regard to network access and monitoring. Archie Reed, Director, Strategy, Hewlett-Packard, speaks to Deepali Gupta about the importance of Identity Management.

How would you define Identity Management?

Identity Management (IM) has evolved from two different avenues. IM helps the CIO, CFO, or CTO understand what is happening with his access systems. One of the biggest challenges today is to map business into IT. The need of the hour is for a solution that, once when pushed down after consideration from the senior management, does not require day-to-day monitoring.

Definitions of IM vary from comp-any to company. A technical definition is that IM is putting access control in place to perform a specific task.

What is the purpose of IM?

We say IM is combination of people, process and technology. It puts together delivery, creation, maintenance, and determination. It doesn't matter if a customer, a partner or a Web service is attempting to gain access to your environment.

From the broad security perspective, the challenge is that the business wants to open up to partners. Once you have access from the inside, you are dealing with an insecure situation. Therefore, when you open up an ERP system you need to know who's accessing it and what level of access he or she should have.

There is nothing like water-tight security; it's about risk management. There are an increasing number of security officers, particularly in Europe and US, for whom risk management is a big issue.

Is IM pertinent in the Indian context given that so many businesses have yet to roll out their entire IT infrastructure?

Organisations that work with US-based companies are forced to have processes in place. If you deal with American companies, they themselves have to get attested first, and after that get your procedures attested. Even if they (the American companies) do not have IM tools they have to manage access permissions. Every quarter they (the American clients) have to monitor who accessed what, and that is a tedious manual task.

IM includes provisioning, workflow, validation, external permissions that may be required, and licence management. At one point we were buying Microsoft licences for every new employee, but we didn't track when people left. We ended up with a situation where we had 15,000 employees and 20,000 licenses.

What are the technical problems associated with IM?

Technology is less of an issue than the process; the goal is to take a good look at the processes and services that we offer. We need proof that people get the right access to do their jobs. Specific technology problems may vary, but there is nothing that cannot be dealt with.

Is there a correct approach to establish an ideal IM structure?

A lot of people ask for models. Role-based access control, a popular approach, doesn't deal with the process even though it may be based on one. It doesn't deal with who has the proof, or what you have to do. In a sound approach a hierarchy, and many sub-hierarchies, need to set up. How you structure it matters. The challenge is that HR, IT, and finance all want to look at available information in a different way. Sometimes employees can be customers, so we have to come up with a process to solve that challenge. We need to devise another approach, for example, a service-oriented approach, where you can say, "Here's a service, one to talk to our employees, another to address customers, but all going through the same hierarchy."

How does IM trade-off security against efficiency?

From the standpoint of security, a business wants to take greater control. On one hand it wants to open everything up to partners and suppliers. Security, on the other hand, wants to close everything down. The via media is IM.

When we talk about security, we refer to managing privacy, letting individuals manage and access their own data, as well as cost reductions and solving staffing issues. A world-wide survey identified that half the queries to a helpdesk were password-related. A possible solution would be to give service passwords, thereby freeing people on the helpdesk to focus elsewhere. Password queries are dealt with by the system itself, so there is no need for a person to handle this task.

Aren't service passwords unsafe?

It really depends on how critical the information being accessed is. Security is about risk analysis.

What buzzword will IM evolve into?

It took a while for IM to come together. We believe that this is a cornerstone of security. It will be a while for IM to be superseded by another buzzword, but from my perspective, Risk Management is taking the forefront in the American market.

If you look at financial institutes, they put a high risk on a lot of things. Manufacturing puts a low risk on information about how a product got manufactured. However, if you look at a company manufacturing for a US company in competition with a Chinese company, then how far can you open your network? Risk management is about establishing priorities. It encapsulates a lot of what IM is trying to achieve, but it also involves compliance and privacy. If you look at things in those terms it's a good way to look at business.

Risk management is catching on as an increasing number of CFOs are talking about it. It's a way of the business looking at the infrastructure and saying, "There is a risk. Now how much monetary value do we associate with that risk?" If you oppose it and you are doing work for a European company, you cannot comply with the Data Protection Act.

Deepali Gupta can be reached at deepali@networkmagazineindia.com