IT Security: Improve Control of Identities

In the late '90s, public CIOs dreamed of a single sign-on for all of their applications. E-government authentication would be centralized and easier to use. The technical benefits of this vision were obvious - lower costs, better security and transparent policy compliance.

Today, most public enterprises still struggle to keep track of who does what on their networks. Users still complain of too many user names and passwords. Government organizations still get audit findings because they can't answer some basic questions: Who are you, and should you be accessing that file? What's needed is a new, modified vision for identity management: reduced sign-on with better access controls.

Some users are starting to doubt the authenticity of e-mails or systems. Citizens may wonder if links will lead to a spoofed Web site and a fake government portal - so they opt to get back in line rather than go online. Good identity management is an e-government imperative now more than ever.

Yes, there's hope. Significant progress is being made, especially in the federal government, regarding standardization and coordination of identity management across all government levels.

I offer three recommendations to public-sector technology professionals for improving control of identities and access in government:

1. Get organized with the right identity management team. Include end-users, business executives, business process owners and technical experts in the requirements definitions. Ensure that the project has a good project manager with clearly defined deliverables, metrics and a project charter. Make sure appropriate resources and priority are provided.

Once the team is assembled, agree on your long- and medium-term goals. Develop a road map to fit into your future overall technical architecture. You may be surprised how much support this effort gets, due to the recent focus of auditors.

2. Look again at available solutions. Research the latest options in this fast-changing space. There are several excellent vendors that have finally worked out the kinks to make identity management work, so don't limit your analysis to the companies that you currently do business with regarding system support. There is also a good chance that you can piggyback on the efforts of other federal, state and local organizations rather than starting from scratch.

Where should you start to look? I recommend the E-Authentication Solution Web site. Two goals listed at this excellent site include: controlling costs, and mitigating security and privacy identity risks.

3. Start small and implement identification management in phases. Develop short-term wins that can come together like pieces of a puzzle to create your enterprisewide identification management and access control program.

While the biggest return on investment comes from examining the full life cycle of employees, from initial hiring to the day they leave your organization, I recommend breaking your processes into manageable pieces that can be implemented in 90- to 120-day (or no more than six-month) increments.

Your life cycle processes will be different for government staff than for contractors, so you must think about domain names, e-mail addresses and related naming conventions for various audiences. One idea is to add a naming differentiator between government staff and vendor staff. For example, state staff will continue to use the e-mail format SmithJ@Michigan.gov, while contractors will be identified with the extra word "contractor," such as SmithJ@contractor.Michigan.gov.

This change will help in your processes to regularly renew or disable account access. It will also clarify who can speak for your government organization on external matters. Finally internal messages from senior executives to government staff can be better segmented.

Most importantly don't ignore or delay identification management improvements based on past failed projects or technology. Good control of identities provides the backbone for cyber-security. The auditors are watching.