The identity conundrum

April 2012 Access Control & Identity Management

Identity management is not a very popular word in today’s business environment. The popular belief is that identity management is a complex set of processes and products that does very little apart from getting in the way. At the opposite end of the scale, when looking at access control, whether physical or logical, the benefits to companies are clear because it is a simple act of “does person X have the authority to access” a location or application.

Of course that is an over-simplification, but it does represent the attitude of many of today’s business leaders to identity management. Ideally identity management should offer businesses and governments the opportunity to manage the activities of people in all spheres of their operation from a single source – much like the Home Affairs database, but reliable.

In the business area, it is this identification and provisioning of users that is gaining much of the focus of identity management today. Management wants to be able to ensure that people gain access to the resources (physical and logical) they need with the minimum of fuss, while also keeping data, locations and secrets secure. However, it does not want to reinvent the wheel each year to achieve this through complex applications and endless consulting requirements, which is why identity management is often relegated to whatever tools and solutions come bundled with the server software these companies buy – which amounts to basic user authentication.

Karel Rode, principal consultant at RSA, has some experience when it comes to the identity management processes involved in granting users access (or not). He advocates an automated process that relies on a single source of identity information, such as the HR component of an ERP system. User provisioning is then done according to the roles and privileges assigned to each person. And from this common source of identity information, other applications can also draw information to govern who gets to do what.


No business runs that smoothly though, and in more mature systems managers can assign people specific privileges outside of their normal scope of operation for a certain period – for as long as a project is running, for example. The system will then revoke the provisioning automatically at the appropriate time, according to the standards set in the workflow system. The system will also automatically remove users when they leave, closing the common loophole of unused access credentials left behind by people who have left the company.
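As an added illustration (not code from the article, from RSA or from any product it mentions), the routine below works the way Rode describes: the HR record is the single source of identity, roles map to entitlements, manager-approved exceptions carry an expiry date, and a leaver’s access is revoked on the next reconciliation run. The role mapping, users and entitlements are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

# Constructed role-to-entitlement mapping (not from the article).
ROLE_ENTITLEMENTS = {
    "payroll_clerk": {"erp:payroll:read", "erp:payroll:post"},
    "engineer": {"vpn", "git:read"},
    "contractor": {"vpn"},
}

@dataclass(frozen=True)
class HrRecord:
    user: str
    role: str
    active: bool          # False once HR records the person as a leaver

@dataclass(frozen=True)
class TemporaryGrant:
    user: str
    entitlement: str
    expires: date         # manager-approved exception, e.g. for a project

def expected_access(hr, grants, today):
    """Entitlements each user should hold on `today`, derived from HR only."""
    expected = {}
    for rec in hr:
        if rec.active:    # leavers are simply absent, so everything is revoked
            expected[rec.user] = set(ROLE_ENTITLEMENTS.get(rec.role, set()))
    for g in grants:      # time-bound extras, dropped automatically on expiry
        if g.user in expected and today <= g.expires:
            expected[g.user].add(g.entitlement)
    return expected

def reconcile(hr, grants, current, today):
    """Return (to_grant, to_revoke) that bring `current` in line with HR."""
    expected = expected_access(hr, grants, today)
    to_grant, to_revoke = [], []
    for user in sorted(set(expected) | set(current)):
        want = expected.get(user, set())
        have = current.get(user, set())
        to_grant += [(user, e) for e in sorted(want - have)]
        to_revoke += [(user, e) for e in sorted(have - want)]
    return to_grant, to_revoke

# Constructed sample state: carol has left, dave has just joined, bob has a
# project grant on payroll data that expires at the end of June.
HR = [HrRecord("alice", "payroll_clerk", True), HrRecord("bob", "engineer", True),
      HrRecord("carol", "contractor", False), HrRecord("dave", "engineer", True)]
GRANTS = [TemporaryGrant("bob", "erp:payroll:read", date(2012, 6, 30))]
CURRENT = {"alice": {"erp:payroll:read", "erp:payroll:post"},
           "bob": {"vpn", "git:read", "erp:payroll:read"},
           "carol": {"vpn"}}   # orphaned credential of a leaver

def reconcile_on(day):
    """Run the reconciliation for the sample data on an ISO date string."""
    return reconcile(HR, GRANTS, CURRENT, date.fromisoformat(day))
```

Running `reconcile_on("2012-04-01")` provisions the joiner and revokes the leaver’s VPN access; running it again after 30 June also strips bob’s expired payroll grant without any manager having to remember it.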

Of course, provisioning according to identity is vital to prevent anyone from gaining access to anything they want, but there are also arguments that once provisioned, the way people identify themselves can also create problems for companies.

Marius Coetzee, CEO of Ideco Biometric Security Solutions, notes that it is important to understand that there is currently a dangerous divide between identity management solutions and user authentication. “Until very recently, the two issues have rarely been integrated. This has created a situation where we have highly advanced identity management solutions that are reliant on outmoded user-authentication, typically cards, PINs and passwords (CPPs).

“In reality, it does not matter how advanced the identity management solution may be. If you cannot positively identify users, then what is the point of trying to authorise what they can do within a corporate IT system?”


When Coetzee talks of identifying users, he means being sure that the person badging into an office or entering a password to access the corporate network is the actual individual the password or badge belongs to.

CPP: convenience with risk

Traditional access credentials such as CPPs all suffer from the same fundamental flaw: anyone can use your PIN, or your card or your password, and you can use theirs. “We need to accept that the use of such credentials cannot be restricted to one specific person,” says Coetzee.

And these credentials are also the common denominator in the rising incidents of cybercrime that are causing such astonishing corporate losses. The sheer scale of their abuse was highlighted by the 2011 Data Breach Investigations Report (DBIR) from Verizon and the US Secret Service which stated that, “The use of stolen access credentials was the number one hacking type in the data breaches that were investigated by Verizon and the Secret Service.”

Over the past seven years, more than 1700 corporate cybercrimes have been investigated for the annual DBIR, making it one of the most significant commentaries on the subject.

The reason for this astonishing level of credential exploitation is obvious. As Coetzee points out, “We all recognise that anyone can use your password, card or PIN. Once acquired by a cyber villain, the credentials enable access to systems and permit all the activities that are meant to be restricted to authorised users. It is a problem that is completely undermining the security of corporate IT.”

Cybercrimes based on the abuse of identity frequently appear in the SA media. “In addition to the widely publicised cyber theft of R42 million from Postbank, it was reported in February that an FNB employee had been convicted of illegally transferring R27,3 million from an account of Amalgamated Beverage Industries (ABI) – the soft-drinks arm of South African Breweries.”

In this case, the employee apparently used a key logger to steal the PINs and passwords of two colleagues. “It is a classic example of the way cyber villains use other people’s IT credentials in order to access systems and then operate as if they were fully legitimate users,” says Coetzee.

So, what are the primary foundations of identity management today? Coetzee emphasises that there needs to be a link between identity management solutions and secure, positive identification of users so that we can use such converged solutions to really reinforce security.

Confirming identities

“South Africa is regarded as a world leader in the adoption and application of biometrics. Fingerprints are generally accepted as the methodology that can accurately, consistently and conveniently identify a person. An important consideration is also that fingerprints are the only accepted biometric in a South African court of law.”

Coetzee suggests that there are five areas of competency that should be considered when choosing a fingerprint technology to reinforce identity management:

Accuracy: This is about how well the technology differentiates between the people it must identify and its ability to work with true minutia only.

Capacity: How many people’s prints can the technology manage and still maintain acceptable levels of performance? Also, can the technology grow to an enterprise solution?

Security: It is important to understand that different technologies offer different levels of security. In terms of the most secure technology, the recently-introduced range of Morpho VP scanners work with fingerprints and the vein-pattern beneath the surface of the finger.

Integration: Will the technology work with the existing physical access control and time and attendance systems? Is it compatible with civil systems such as the criminal record verification or identity verification systems? And can records successfully be used in a court of law should something happen on site?

Speed: This really comes down to identification times. How long does it take the technology to accurately recognise a user? And does it take multiple attempts to do so?

Commenting on conventional credentials, Coetzee points out that passwords are routinely forgotten, shared and stolen. Access cards and smartcards are forgotten – for example, left at home or in your car – as well as being shared and stolen. You cannot leave home without your fingerprints.

Biometrics in the real world

Mark Stoop, business unit manager of the Innovation Group at Business Connexion says the company has been implementing fingerprint-based physical security solutions in southern Africa for the past seven years.

“The business case for replacing traditional access cards with fingerprint technology is straightforward and has repeatedly been proven in local organisations ranging from mines to food-processing plants. In terms of accurate identity management, our clients know that biometric technology cuts the losses caused by unauthorised access and activity within the workplace. Any security solution based on a card or a code is clearly vulnerable to abuse simply because it is so easy for people to share or steal them.”

He points out that the ability to accurately identify people within the workplace delivers a great deal more than preventing buddy clocking – the practice where people clock-on for one another at work in order to defraud their employer’s payroll system.

“We are also able to deliver benefits in areas such as occupational health and safety, because we can accurately control who can enter certain areas as well as recording people’s location as they move around their place of work.”

Although Stoop has first-hand experience of the benefits his clients derive from fingerprint identification within their physical security and attendance systems, he believes that organisations are increasingly exposed to the risks of fraud. “The majority of corporate IT systems still rely on passwords, PINs and cards to control who can access the systems and operate within them. This creates obvious vulnerabilities.”

Mark Eardley of SuperVision Biometric Systems says that identity management within corporate IT systems has come to a fork in the road. “A choice needs to be made. Either continue on the current path and accept that we build our solutions on inadequate levels of user-identification, or we branch off into a world of identity management based on a commitment to positive identification.”


He says that the pressure to make this choice has never been greater. “Two factors are creating the pressure. First, there are the rising losses that are being caused by corporate cybercrime. Secondly, there are growing demands for organisations to demonstrate that they are implementing adequate policies concerning governance, risk and compliance (GRC).”

Governance responsibility

What is disturbing is that preventing cybercrime is not perhaps achieving the attention and securing the resources that it demands. A 2011 survey of its members by the Information Systems Audit and Control Association (ISACA) found that regulatory compliance is ranked as the primary concern for corporate IT. In terms of achieving compliance, the number one technology challenge apparently relates to segregation of duties and privileged access monitoring.

However, the ISACA survey reveals that among senior managers and executives there is a continuing lack of commitment towards introducing effective measures to reinforce security within IT. This suggests that the issue is not only under-resourced, it is persistently swept under the carpet.

If preventing the losses from corporate cybercrime is not yet a mandatory board-level issue, GRC certainly is. King III requires board members to take overall responsibility for IT governance. Directors must ensure that prudent and reasonable steps have been taken to protect intellectual property, company information and client information – the exact same data targeted by cyber villains.

RSA’s Rode believes getting buy-in for implementing any form of identity management must start with the business benefits. He says you cannot simply force a new system on employees. There will always be some disruption and discomfort with the changes a new system brings.

The best solution is to go for quick wins that allow for easy changes, such as provisioning for Windows or Linux access. With a number of quick, significant wins, the company and especially the people who sign the cheques will be inclined to accept the more complex changes, although there will almost always be certain areas where the change is too complex or expensive. “It is all about the value the business people see in the process,” he says.

Of course, with the current increase in data crimes, you would have to go a long way to find a director willing to take responsibility for poor identity and access management.

“It is important to recognise that acquiring access rights and authorisations is a priority target for modern cyber villains. Managing users’ identities with nothing more than a password, PIN or a so-called smartcard creates vulnerabilities and must surely prompt us to re-examine the effectiveness of how any identity management solution is governed,” adds Eardley.

He says that the costs of integrating fingerprint identification into an identity management solution are insignificant in comparison to recurring cybercrime-related losses. “For example, deploying the SuperSign solution for every IT user within a 1000-user organisation would cost less than R80 per user, per month over three years. That would cover the software, licences, fingerprint hardware as well as the annual support and maintenance fees.

“Surely the argument here is that with corporate cybercrime costing millions of rand per year based on the exploitation of traditional credentials, a mere R80 a month cannot be viewed as costly.”

Rode partially disagrees with this take, saying that password access, for example, will continue to be popular because it is cheap. It comes standard in almost every piece of business software or operating system one gets. He suggests companies deal with this by implementing more secure processes governing passwords, such as stipulating a minimum length, a mix of characters and regular expiry dates.

He adds that the choice of method of identity confirmation also depends on the value of the assets the company needs to protect. Therefore, some companies may choose biometrics for accessing certain areas and information, while the rest of the company remains on passwords.

Identity management is a necessity in the world we live in today. If a business wants to operate efficiently with the knowledge that information and access to sensitive data is secure, it needs to know more than just that only authorised people have access to sensitive areas, bank accounts and so forth. The business needs to know that the person using an identity actually belongs to that identity.

According to the arguments above, limiting access to specific identities (people) is necessary, but not enough if you cannot be sure that the person using that identity’s credentials is actually the right person. The question is, how far does the business go and what costs are acceptable in validating identities? Or perhaps the question should be, how much can you afford to lose while skimping on effective identity management?
