My day at the office starts when I switch on my laptop and, responding to the system prompt, type the name of my Icelandic great-grandfather into the password field. As soon as Windows XP stops churning, I click on Lotus Notes and watch the hieroglyphics dance beside another password box as I type in the name of my favorite basketball coach. Having proved who I am to the satisfaction of our relatively low-security system, I can then get down to work.
This description confirms that I’m among the vast majority of computer users who sentimentally drop little crumbs of their real identities into the markers that enable their virtual identities. Of course, these bits of individual history also serve as effective mnemonic devices, which are pretty hard to come by when your password is something like “8bz96q”.
Those two passwords are about all I need to do my job, but they’re just the beginning of my own personal identity management crisis. Add to those the usernames and passwords necessary to track my bank and credit card accounts, retirement funds and escalating fines at the public library. And then there are all those useful Web sites with the irritating requirement that I register before they’ll give me access to the content, even if it’s free. I’d use the same username and password every time if only I could remember them without introducing ever-so-slight variations.
But any individual’s minicrisis is dwarfed by the identity management problems facing most large businesses. The typical Fortune 500 company reports that it maintains over 180 directories, often requiring end users to keep track of a dozen or more sets of IDs and passwords, according to the Burton Group. This situation represents a security and helpdesk nightmare. There’s plenty of software being developed to solve the problem, but the complex issue of identity management remains far from resolution.
In the corporate context, identity establishes a relationship between a person (or entity) and a business process. That relationship evolves over time, has a lifecycle and, at some point, should come to a clear end. The relationship also almost always involves a push-pull between the availability of information and security concerns.
For a business, managing identity means providing and controlling access to key applications and information. It means being able to turn that access on and off easily and protecting information on both sides of the relationship.
E-commerce has been the showcase for many high-profile identity management issues. And, those haven’t gone away — if anything, the struggle between privacy and convenience has been intensified by increasing regulatory pressures. But much of the action on the identity and access-control front has moved inside the corporation to employees — and to the boundary of the organisation where relationships are maintained with partners and suppliers.
When a new hire joins the company, he is assigned an identity, probably an e-mail address and a password, which will be enlarged to include his privileges to access the computer system, network file shares and applications appropriate to his specified role. Some of those applications will come with new identifiers and authentication mechanisms. Clearly defined roles and policies are at the heart of automated identity management within the corporation.
A promotion or transfer automatically translates into access to different resources. Identity management systems track the roles that match the employee’s changing position in the company, sometimes adding privileges and enlarging his identity, and at other times pruning outdated access or services. The process continues until the employee leaves or retires, at which time the final step in the process is to end all access tied to the user’s identities and authentications, lest the vestiges of his identities create the security risk of an “orphan” account.
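The joiner, mover and leaver lifecycle described in the two paragraphs above, as an added example that is not from the column or any product it mentions: HR records are treated as the authoritative source, a role policy says what each role should hold, and a reconciliation pass works out what to grant, what to prune and which accounts are orphans. The roles, entitlement names and sample records are all constructed assumptions.

```python
from dataclasses import dataclass, field
# Role -> entitlements. A constructed sample policy, not any real product's.
ROLE_POLICY = {
    "analyst": {"email", "fileshare:finance", "app:ledger"},
    "manager": {"email", "fileshare:finance", "app:ledger", "app:approvals"},
    "contractor": {"email", "app:ticketing"},
}

@dataclass
class HrRecord:          # the authoritative view: who is employed, in what role
    user: str
    role: str
    active: bool = True

@dataclass
class Account:           # what the directory actually holds
    user: str
    entitlements: set = field(default_factory=set)

def reconcile(hr, directory):
    """Return {'grant', 'revoke', 'orphan'}: the changes that bring the
    directory in line with HR. grant/revoke cover joiners and transfers;
    orphan lists accounts with no active HR record (leavers) for full removal."""
    desired = {r.user: ROLE_POLICY.get(r.role, set()) for r in hr if r.active}
    actions = {"grant": {}, "revoke": {}, "orphan": {}}
    for acct in directory:
        if acct.user not in desired:           # nobody active owns this account
            actions["orphan"][acct.user] = sorted(acct.entitlements)
            continue
        missing = desired[acct.user] - acct.entitlements
        extra = acct.entitlements - desired[acct.user]
        if missing:
            actions["grant"][acct.user] = sorted(missing)
        if extra:
            actions["revoke"][acct.user] = sorted(extra)
    present = {a.user for a in directory}
    for user, want in desired.items():        # joiners with no account yet
        if user not in present:
            actions["grant"][user] = sorted(want)
    return actions

if __name__ == "__main__":
    # Constructed sample: alice promoted, bob transferred, carol left, dave new.
    hr = [HrRecord("alice", "manager"), HrRecord("bob", "analyst"),
          HrRecord("carol", "contractor", active=False), HrRecord("dave", "analyst")]
    directory = [Account("alice", {"email", "fileshare:finance", "app:ledger"}),
                 Account("bob", {"email", "app:ledger", "app:approvals"}),
                 Account("carol", {"email", "app:ticketing"})]
    for kind, users in reconcile(hr, directory).items():
        print(kind, users)
```

Running the reconciliation on a schedule, rather than only at hire and termination, is what catches the orphan accounts that a manual process leaves behind.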
The increasing need for companies to offer partners, suppliers and contractors access to their systems dramatically ratchets up the scale and complexity of the identity management problem. The exchange of information has become a core business transaction that can take place only when everyone’s identity is established and authenticated while intellectual property rights and the privacy of individuals are maintained.
Identities, in a business context, will be increasingly consolidated and standardised as they’re federated across many organisations. And the means of authentication will change. As ID management systems expand, security risks grow. Password references to pets, former significant others, alma maters and other arcane personal tidbits will be replaced by an encrypted key, a token or a fingerprint scan.
What could be more personal than a fingerprint? And there’s nothing to remember.
Tommy Peterson is US Computerworld’s technology editor at firstname.lastname@example.org.