ID management does it all...
Published: 15 May 2006 15:10 GMT
Identity management promises to secure corporate data, ease compliance and support customers. But reaping these rewards requires careful attention. Anthony Plewes takes a look at three key areas to consider when rolling out the technology.
It's no surprise that identity management (IDM) is seeing considerable growth in recent years. Large organisations have countless applications their employees and partners need access to, and hundreds of databases that store details on their customers and other confidential data.
Without proper handling of access to this sensitive data, the security of customer records and proprietary company information could be seriously compromised.
The trouble is, most organisations have several identities for both employees and customers - one for each application or database. This leads to a whole host of problems. Security is compromised as administrators struggle to deal with thousands of accounts and companies are unable to treat their customers as individuals across the organisation.
To solve this problem enterprises are increasing their spending on dedicated identity management technologies. Market analyst IDC predicts that spending on ID management and access systems will rise to $950m by 2009, from $550m in 2005.
Budgets for the technology are also on the rise. According to a recent Forrester Research survey of organisations in Europe and the US, 38 per cent had identity management budgets of more than €250,000 and 12 per cent had budgets in excess of €1 million. The survey also predicts spending is set to increase, with nearly half of the respondents expecting larger budgets over the next three years.
Governance
One of the key issues that organisations need to address in any identity management deployment is governance. Peter Jopling, head of IBM's Tivoli Identity Manager software, says: "IDM and governance go hand in hand. Sarbanes-Oxley Section 404, for example, shows a need to demonstrate control of access to sensitive resources. Without an IDM tool this process is both time consuming and costly to ensure compliance."
Companies need to ensure they have a consistent policy for both their employees' and customers' identity across the business. John Hughes, an identity management specialist at PA Consulting, a leading consultancy working with both public sector and private companies on IDM projects, says: "In large organisations IDM spans the whole business and governance concerning identity is often not in place. It is essential that someone takes responsibility for identity across the whole organisation. Unfortunately identity is usually the responsibility of the line of business or function."
Hughes calls for someone to be responsible for identity on the board and suggests the CIO is best placed. "It needs to be a non-functional role. In a financial services company the identity of the retail bank customers should not be the responsibility of the head of the retail bank. It needs to be someone with a cross-organisational role," he says.
Authentication
The most visible part of identity management is authentication. This is the process of correctly identifying the employee or customer and his rights and access privileges.
One of the key issues that authentication systems have to deal with is the user's desktop. The desktop is a very hostile environment and needs to be secure to prevent phishing attacks or other fraudulent access. Employees' desktops can be made more secure by deploying antivirus and anti-spyware software and by enforcing security policies.
For customer access, authentication is more complicated but can be bridged by authenticating the user's identity independent of the desktop, through two-factor authentication. This means a user needs more than just a password to access resources; he or she also needs a token, smartcard or other device to log on. The deployment of chip and PIN credit cards is a mass-market example. What organisations need to do is to bring this approach to the desktop.
One of the most popular systems is a token that generates a unique one-time password. Miles Clement, senior research consultant at the Information Security Forum (ISF), says: "Two-factor authentication using tokens is already commonplace in Scandinavia, and in the UK major banks such as Lloyds [TSB] are trialling it.
"The token requires no extra hardware attached to a PC so is easier to deploy. Systems do not even need an actual token, as there are Java applications that run on the mobile phone that fulfil the same function."
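A worked example of the one-time-password token described in the quote above, added here and not taken from the article or from any vendor it names: it assumes the event-based HOTP algorithm of RFC 4226 and uses that RFC's published test secret, with a server-side check that tolerates a little counter drift but never accepts a code twice.

```python
import hmac
import hashlib
import struct

# RFC 4226's own test secret (ASCII "12345678901234567890"), so results can be
# compared with the vectors printed in the RFC. Real tokens carry a random secret.
RFC4226_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Return the HOTP value for a shared secret and an 8-byte moving counter."""
    msg = struct.pack(">Q", counter)                      # counter as big-endian 8 bytes
    digest = hmac.new(secret, msg, hashlib.sha1).digest()  # 20-byte HMAC-SHA1
    offset = digest[-1] & 0x0F                             # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, server_counter: int, submitted: str,
                look_ahead: int = 10, digits: int = 6):
    """Server-side check of a submitted code.

    The user may have pressed the token without logging in, so the token's
    counter can run a few steps ahead of the server's; a small look-ahead
    window absorbs that drift. On success the caller must persist the returned
    counter, which is one past the matched value, so the same code (and any
    earlier one) is never accepted again.
    """
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return True, c + 1
    return False, server_counter
```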
Other approaches also have promise. PA Consulting's Hughes explains: "In the UK, [banking industry body] Apacs has developed a total authentication system for banks. The system includes a set of standards for a smartcard with a reader to authorise the transaction. This effectively brings the chip and PIN system to a wider environment. It is a good functional solution but it is expensive and complex."
As ever, the question of cost is a central consideration. Smartcards are expensive to deploy because card readers need to be attached to the end user's device. Tokens are easy to use but also require organisations to provide and support hardware. The older digital certificate approach might not have used hardware but required major spending on infrastructure. In the end organisations will need to segment their customers and employees and provide the appropriate authentication system for the customer's value and the employee's security level.
Customers
The main difference between deploying ID management to employees as opposed to customers and users is one of scale. For customers, organisations need to deal with potentially millions of identities compared to hundreds or thousands for employees. However, customers will usually only need access to a single system through the internet, whereas employees will need to access multiple applications using multiple devices.
Any IDM project should consider customers along with employees. The Forrester survey mentioned above found that while most companies have deployed projects around user account provisioning and strong authentication, fewer than half had projects to apply identity management practices to their customers and business partners.
IBM's Jopling says: "The strength of using an IDM technology is that you can provide consistent policy enforcement that is specifically aligned to individual groups, such as customers. Within this you can easily define sub-groups with different policies. This ensures that, irrespective of what type of user you are managing, there is a suitable policy association."
The benefits of customer identity management are many. Not only does it ensure outsiders who need to access sensitive data are doing so securely, it also offers a way to better serve customers.
For instance, an insurance company might be selling different products to the same customer but each part of the business would have a different identity for the customer. An identity management strategy would streamline this process and help give a single view of the customer.
In the end, getting ID management right means not only protecting corporate data from its biggest security risks - employees - but also easing compliance efforts and improving customer relations.
Copyright © 2008 CBS Interactive Limited. All rights reserved.