IM is the via media in the trade-off between security and efficiency
As companies open their systems to partners, security assumes greater importance,
particularly with regard to network access and monitoring. Archie Reed,
Director, Strategy, Hewlett-Packard, speaks to Deepali Gupta about the
importance of Identity Management.
How would you define Identity Management?
Identity Management (IM) has evolved from two different avenues. IM helps the
CIO, CFO, or CTO understand what is happening with his access systems. One of
the biggest challenges today is to map business into IT. The need of the hour
is for a solution that, once pushed down after consideration by senior
management, does not require day-to-day monitoring.
Definitions of IM vary from company to company. A technical definition is that
IM is putting access control in place to perform a specific task.
What is the purpose of IM?
We say IM is a combination of people, process and technology. It puts together
delivery, creation, maintenance, and determination. It doesn't matter if a customer,
a partner or a Web service is attempting to gain access to your environment.
From the broad security perspective, the challenge is that the business wants
to open up to partners. Once you have access from the inside, you are dealing
with an insecure situation. Therefore, when you open up an ERP system you need
to know who's accessing it and what level of access he or she should have.
There is nothing like water-tight security; it's about risk management. There
are an increasing number of security officers, particularly in Europe and US,
for whom risk management is a big issue.
Is IM pertinent in the Indian context given that so many
businesses have yet to roll out their entire IT infrastructure?
Organisations that work with US-based companies are forced to have processes
in place. If you deal with American companies, they themselves have to get attested
first, and after that get your procedures attested. Even if they (the American
companies) do not have IM tools they have to manage access permissions. Every
quarter they (the American clients) have to monitor who accessed what, and that
is a tedious manual task.
IM includes provisioning, workflow, validation, external permissions that may
be required, and licence management. At one point we were buying Microsoft licences
for every new employee, but we didn't track when people left. We ended up with
a situation where we had 15,000 employees and 20,000 licences.
What are the technical problems associated with IM?
Technology is less of an issue than the process; the goal is to take a good
look at the processes and services that we offer. We need proof that people
get the right access to do their jobs. Specific technology problems may vary,
but there is nothing that cannot be dealt with.
Is there a correct approach to establish an ideal IM structure?
A lot of people ask for models. Role-based access control, a popular approach,
doesn't deal with the process even though it may be based on one. It doesn't
deal with who has the proof, or what you have to do. In a sound approach a hierarchy,
and many sub-hierarchies, need to be set up. How you structure it matters. The
challenge is that HR, IT, and finance all want to look at available information
in a different way. Sometimes employees can be customers, so we have to come
up with a process to solve that challenge. We need to devise another approach,
for example, a service-oriented approach, where you can say, "Here's a
service, one to talk to our employees, another to address customers, but all
going through the same hierarchy."
How does IM trade off security against efficiency?
From the standpoint of security, a business wants to take greater control. On
one hand it wants to open everything up to partners and suppliers. Security,
on the other hand, wants to close everything down. The via media is IM.
When we talk about security, we refer to managing privacy, letting individuals
manage and access their own data, as well as cost reductions and solving staffing
issues. A world-wide survey identified that half the queries to a helpdesk were
password-related. A possible solution would be to give service passwords, thereby
freeing people on the helpdesk to focus elsewhere. Password queries are dealt
with by the system itself, so there is no need for a person to handle this task.
Aren't service passwords unsafe?
It really depends on how critical the information being accessed is. Security
is about risk analysis.
What buzzword will IM evolve into?
It took a while for IM to come together. We believe that this is a cornerstone
of security. It will be a while for IM to be superseded by another buzzword,
but from my perspective, Risk Management is taking the forefront in the American
If you look at financial institutes, they put a high risk on a lot of things.
Manufacturing puts a low risk on information about how a product got manufactured.
However, if you look at a company manufacturing for a US company in competition
with a Chinese company, then how far can you open your network? Risk management
is about establishing priorities. It encapsulates a lot of what IM is trying
to achieve, but it also involves compliance and privacy. If you look at things
in those terms it's a good way to look at business.
Risk management is catching on as an increasing number of CFOs are talking about
it. It's a way of the business looking at the infrastructure and saying, "There
is a risk. Now how much monetary value do we associate with that risk?"
If you oppose it and you are doing work for a European company, you cannot comply
with the Data Protection Act.
Deepali Gupta can be reached at firstname.lastname@example.org