Identity management can be a chaotic mess, but there are ways to create order from chaos.
Hi-Tech Security Solutions recently invited a few local experts to a round-table to discuss the topic of identity management. The topic is a touchy one as there are often as many definitions as there are definers, and in the past we have seen a large disconnect between the traditional security industries’ concept of identity management and IT’s understanding.
Fortunately, these two streams are converging as the security and IT worlds converge, with more players speaking the same language and realising the dependency they have on each other’s expertise. Starting the round-table as normal, Hi-Tech Security Solutions asked the attendees to provide their view on identity management as they see it playing out in the real world today.
Connie Grobler looks after the identity and security management business for Novell; she believes it is crucial to have some form of identity management in place in any organisation. “At the end of the day it is not computers talking to each other and causing security breaches, it is the person that is sitting behind the computer that is causing the action, that is interacting with your information.
“If you do not have a handle on who that person is, how he fits in the organisation, what else he has access to, then you are not compliant and you have got a big issue in your environment – especially If you are thinking of moving information and services into the cloud.
“It is vitally important, get your in-house security and identity management in place before you try and outsource and put your ‘stuff’ out there in the cloud, because you are putting yourself at even greater risk if you adopt the cloud without the appropriate security policies. Identity is key to any organisation, but you do not have to put a huge system in place; there are controls you can put in place that are quite efficient and cheap.”
Ideco’s Marius Coetzee adds that biometrics is one of the “major enablers of identity management and the employee screening process. One of my favourite sayings is, ‘if you want to stuff up any idea get people involved’. Therefore, understanding the people involved in any process is the most critical part in any identity management scenario. The ability to build what we refer to as identity chains in any event, any interaction with organisations, within organisations, with customers etc, that is what identity management is about.
“In other words, to know exactly who did what, where, when, why, et cetera. Having that identity chain is so critical for the purposes of having the assurance that everything is happening the way it is supposed to be happening, and a process of alerting you when it is not.”
Walter Rautenbach from neaMetrics looks at it from the high-end as neaMetrics is involved with several government identity management solutions – such as Civil ID, driving licences and criminal systems. “In identity management, the ideal solution is to have it [your identity] sealed from birth right through to death: one identity source that covers each individual for life.
“It is a bit idealistic in South Africa though, as the police and Home Affairs are not allowed to share data to enable the protection of citizens’ privacy. At the same time, it is easier in South Africa because we are very open to biometric thinking. If you want to receive pension in the rural areas, you have to supply your biometrics, for example.
“I also believe it is very difficult to take identity management from beginning through to the end because the biggest flaw is that there is always someone with a password; and if there is someone with a password, the identity chain can be broken.”
Charles Laxton from Brand New Technologies believes identity management and using the associated technology is more applicable to Third World countries than in the First World where systems are already mature.
“I think identity management starts with citizen management and by having a good, well defined, well managed population register, registering births, deaths, visitors, marriages and so on. If that was done very well we would not need technology such as biometrics because you would be able to rely on the documentation you are issued. The biggest problem we have today is that the documentation we have, such as drivers’ licences are suspect. For example, you cannot use the South African drivers’ licence as identity if you renew your drivers’ licence, they expect another document. The green ID book has also been compromised. On the positive side, the new SA passport is one of the most secure passports in the world, so it seems we are getting on track.”
He adds that transaction authentication is also a crucial aspect to identity management. “When doing a transaction, you need some type of identity that offers non-repudiation, confirming that you actually did that transaction. However, this requires all sorts of systems working together, so I do not think there is one component that solves the problem of identity management, it is a number of components. Once again, I think the most important thing is that it is a very suitable technology and enabler in Third World countries where there is corruption and a lack of proper controls.
Who is to blame?
Because of its complexity, identity management spans most organisational structures, incorporating HR, IT, finance, logistics, security and so forth. Who then is responsible for the identity management system, ensuring it is maintained and accurate, and that unauthorised people cannot access personal data? It is commonly left with IT to manage because there is technology involved, but is this the correct solution?
Grobler says it is not IT’s responsibility. Identity management should be a business-driven process best suited to the risk division of an organisation, “because they are the one ultimately responsible for the overall risk profile, managing potential exposures, and are concerned with the public image of the company that could be compromised if the necessary processes and controls are not in place”.
However, she says that it is a hard sell as the identity management process is tough to put together. HR is, after all the primary custodian of corporate identities and the authority and access they may have in the business. Then there are other areas of the organisation that own or control specific aspects of the physical or logical access, which also need to approve access specifics. Done correctly, identity management is a process that uses workflow to gain input from a variety of people within the organisation. It is also a recurring workflow if the business is to ensure accuracy and reliability as people come and go, or are promoted and demoted within the group.
Grobler suggests identity management is managed by IT as it maintains and controls the environment, but business put the rules together as to how this whole identity solution will function. Based on these business requirements, IT puts the mechanisms in place to make it possible for business to have the insight into the access requests throughout the environment.
As identity management has an impact on a very broad scope of an organisation, it depends where the biggest risk and immediate requirement lies; there Coetzee believes, we find the driver of the solution. For example, the logistics environment is often the driver.
Logistics is often where companies suffer enormous losses associated with the handling of valuable goods between one point and another. To avoid or minimise these losses justifies looking at implementing an identity management solution that actually tracks exactly who is involved in the whole process throughout the chain. Simply knowing they are identifiable will reduce criminality among many members of staff. There are also examples where identity management is a driver when looking at workforce management and compliancy with respect to Occupation Health and Safety.
“Identity management can deliver value to a company in two areas. It is either a matter of providing assurance or accountability,” adds Coetzee. Looking at these two value drivers results in the immediate question of where is the biggest risk. That will be the driver within the organisation.”
Laxton adds that we have identity management solutions to eliminate the fraud, corruption and unauthorised access. However, he says particular attention must be paid to how it is managed and how to be sure of non-repudiation. Moreover, he says companies also need a process to tag the bad apples to make sure they are routed out of the organisation and not simply into the next company. “We have too many examples of people who are employed in one company, are dismissed and simply move next door to the next company.”
He says identity management is a board decision. It sits at the highest level within an organisation and it should sit on the risk register and be incorporated into all business processes, be it physical or logical.
At the end of the day, there needs to be buy-in from everyone, says Rautenbach. If you try to implement an identity management system and someone feels left out and does not support it, it will not work.
Where do you start?
Determining the need for identity management is one thing, but deciding where to start is another problem entirely. Laxton believes it starts from a citizen perspective. “It has got to start cradle to grave. We have situations now where there is huge fraud in various industries because of the lack of reliable identity processes in the country. For example, look at the funeral industry. One body gets ‘processed’ numerous times to defraud insurance companies. So I support creating a non-repudiable identity when a person is born and terminating it when the person dies.”
The catch is to control the whole process. Rautenbach refers to Home Affairs. It has most of the personal identities of South Africans, including fingerprints, so it should be the source or central controller of identities. However, in the past, ways were found to create false identities for profit, thereby negating the trust value of Home Affairs’ identity system. This creates a break in the identity chain that, for example, creates doubts when employers perform identity confirmations against such systems.
The good news is that by using biometrics in its working processes now, Home Affairs is doing its best to deal with this problem. How it plans to deal with the existing false identities out in the market is another issue.
A trend we may see developing in terms of identities over the next few years, according to Coetzee, is identity profiling. Every identity that you interact with, from its point of origination or creation has continuous processes of events happening in its life cycle until it ends. This can be on a governmental scale from birth to death, or in a business, from the start to the end of employment. Profiling an identity is an interesting concept because an organisation will analyse the profile and make decisions based on its own policies as to what level of exposure it will give this identity profile.
Coetzee also believes we may see organisations appearing in the near future that will profile identities in a similar fashion to the way credit bureaux today deal with risk profiling. The principle of continuously profiling identity through these bureaux could prevent much of the fraud we see today as these companies would build profiles around the particular identity that extend further than its interaction with one company.
Of course, once again, we need to find a highly reputable, recognised identity document to start with, says Laxton.
The eternal password
Despite South Africa being a leader in the adoption of biometrics, the much-hated password is still a reality in all our lives. Be it online banking or logging on to your work system in the morning, passwords are part of our everyday lives and they are also inherently insecure. When companies insist on strong passwords, these are often written down, making them useless. So the question is, why are we still using them?
Grobler says it has a lot to do with history and legacy systems that are password driven, and it is a question of cost. Companies would rather focus on the top high-risk applications and protect those with additional authentication mechanisms, leaving the less critical applications with password-based access controls. To prevent people from using their dog’s names or whatever the popular password of the day is, sufficiently strict password policies need to be enforced. “Passwords are just easier and cheaper at the end of the day and it can be an enormous task to set a new system in place. It is all about balancing cost versus risk.”
How do you start?
Assuming an organisation has decided it wants some form of identity management solution in place, where does it start? The participants in this year’s round-table are in agreement that it all starts with a risk assessment, or some form of analysis of the environment. It is crucial that identity management is part of an integrated risk management solution to ensure the benefits it can deliver are demonstrable across the company, not only in a few limited areas.
Once done, the company can then pinpoint an area that is most at risk and start. And starting small is important; the big bang approach does not work. Focus on one small area where you can achieve a quick return on investment and build from there. Many local identity management implementations go wrong because the project has multiple streams with multiple project leaders, each one doing a bit in association with a political ally. Then in the end they fail because they end up with lots of bits of nothing.
Identify management is a process
Gary Chalmers, CEO of iPulse was not able to make the round-table, but he spoke to Hi-Tech Security Solutions and offered a few insights into the topic of identity management.
As anyone involved in security knows, your biggest risk is normally from those inside your organisation. Effectively tracking who is doing what, and ensuring that there are as few loopholes in a system as possible, mean that you need to know who is really responsible for any actions that are performed which result in negative outcomes.
Moreover, without accurate and up-to-date identity management, it is impossible to control access, both physical and logical, time and attendance, or general HR practices within a company. On a national scale, identity management plays a key role in a free society, protecting an individual from fraud, allowing them to exist as a citizen and to claim the rights of an individual, without having those rights compromised through identity theft. South Africa, which has poor identity management and endless system loopholes, is a classic example of a country where these rights are easily overridden, and the results can be catastrophic for some.
Identify management is a process, like any other. It comprises systems more than technologies, and planning more than spending. Like anything, this type of integration can be achieved relatively simply and at a reasonable and foreseeable cost when correctly implemented, but will be a long, drawn out process with escalating and unexpected costs when the opposite is applied.
Traditionally, physical identity management was managed through some form of physical identification, be it an access card, ID book or passport of some kind, while logical identity management has been through the combination of user name and password. The problem with both of these methods is that there is no validation of the specific individual involved, and therefore, these methods are repudiable in terms of the law. Biometrics has become a key differentiator in both physical and logical access, allowing an individual to validate their identity through a personal attribute that is both specific and unique to them as an individual.
By linking a user’s profile to a biometric measurement, such as a fingerprint, the following process would have to be followed for a user to take information from a company system:
* A user would access the building using their fingerprint. This means that the user cannot deny they were present in the building when the event took place.
* On entering the building, the user’s virtual profile could be activated, in other words, unless they physically enter the building, they cannot log onto the computer systems.
* Finally, when logging into the system, the user would have to again present their fingerprint, again proving they were physically there at the time the documents/information in question was accessed.
|Tel:||+27 11 543 5800|
|Articles:||More information and articles about Technews Publishing (SA Instrumentation & Control)|
© Technews Publishing (Pty) Ltd | All Rights Reserved