Trusting ID management technology

While working for a competitor, a former bank employee dials in to her old voice-mail account and filches internal banking announcements. An intern at a major manufacturer builds his own sales account simply by calling a secretary who gives him unfettered access to the company's sales-lead database. How secure is the data your company gathers and stores? If your company is like most, your data is probably more readily available than you think.

When companies forge partnerships with suppliers, clients, and customers, they expose their systems to security breaches not only by their own employees but by their partners' employees as well. How can a chief technologist gain control over access to a company's secure resources? The answer seems to lie in a robust identity management system, one that gathers and manages employees' personal data, obtains the consent of those whose data is being used, and enforces strong access controls. On the surface, identity management offers many protections, but lurking beneath are the many thorny issues still surrounding privacy and trust.

Tony Scott -- CTO of General Motors Corp. in Detroit and an active member of the Liberty Alliance, a federated-network identity standards group -- sees a great need for identity management systems that better address privacy concerns.

"In a business context as collaborative as GM's -- with all its partners and joint ventures -- you worry about the security of partner identities," Scott says. "Let's say we contract with Company A to work with us on designing an automobile part. We want them to have access to some GM systems. You worry about privacy concerns in this context. And if I am an employee of Company A, I probably have to give GM a lot of personal information just to do the work with them, and I don't trust GM as much as I trust Company A."

If an identity management system fails to protect privacy, the company faces sharp fines, legal liability, a damaged reputation, and the loss of customers' trust. But a company that guarantees privacy guards against shattered end-user and business partner confidence, safeguards enterprise access points from unauthorized entry, and offers compliance with a slew of government-mandated privacy controls.

Getting privacy under control

Many technologists have yet to come to grips with the implications of an inadequate identity management system, says Walter Janowski, a San Jose, Calif.-based Gartner Inc. research director whose expertise includes enterprise privacy management.

"Privacy is a growing concern," Janowski says. "There will be large-scale abuse (of personal data) that will lead people to say, 'We'll never do that again.' But companies that are ahead on their thinking are considering ways to get their privacy (policies) under control."

One of the first questions that chief technologists must answer is how they'll handle and use personal data, according to Ken DeJarnette, principal at New York-based Deloitte & Touche. To reduce the risk of trampling on privacy, identity management systems must include corporate policies that define the level of access to information that employees have according to their role within the company. Companies also need to scrutinize how they can share information freely with partners without breaching employee or customer privacy rights.

Privacy concerns are affecting companies in all sectors, but no single industry sits as squarely in the crosshairs as financial services, largely because of its high transaction volumes and the vast amount of sensitive user and business information it harbors. Secure transactions, for example, remain one of the greatest causes for worry. Identities are ripe for the picking when seemingly innocuous attributes -- an unusual last name, a medical condition, or even a geographic area -- can be combined to link an otherwise anonymous digital identity back to a specific, identifiable person.

Making matters worse, companies are storing such identifiable data and digital IDs in more exposed directories and LDAP-accessible systems rather than keeping them in back-end systems with tighter access controls. Much of the information being stored -- in an HR or customer-order database, for example -- is being pulled on the fly into less secure meta and virtual directories for business purposes, so every copy inherits the weakest access control along the way.

"We see the (privacy) problem getting worse. We see the entire financial industry in the U.S. putting their heads between their knees right now hoping the problem is going to go away," says Jim Hurley, vice president and managing director of information security at Boston-based Aberdeen Group Inc. "These guys better get their heads out of the sand, or they're going to be in trouble."

Working in conjunction with an identity management system should be a good privacy system with an emphasis on human interaction and judgment. To be effective, it must include a hierarchy of data sensitivity levels, so that more sensitive data is handled and accessed under stricter rules at each higher level, according to Larry Ponemon, chairman and founder of Ponemon Institute, a Tucson, Ariz.-based privacy research facility.

Privacy-enabling technology from major IT vendors must allow IT administrators to make better decisions about how they use, share, and collect information. Ponemon dubs privacy the "sleeping tiger" technology because it could allow companies to prove to their customers that their data is being protected, establishing a high degree of trust with them. Privacy best practices must develop from a disclosure model to one capable of keeping bad things from happening. Ponemon believes that IBM has great potential to accomplish that goal, pointing to IBM's Tivoli Privacy Manager and the company's European institute dedicated to researching privacy problems and developing privacy-enabling technology.

A united front?

Customers' concerns about privacy have reached such a level that the usually fractious vendor community has been compelled to unite. In mid-April, the nonprofit public-policy group, the Center for Democracy and Technology, along with Microsoft Corp., the Liberty Alliance, Hewlett-Packard Co., Intel Corp., and VeriSign Inc., presented its Authentication Privacy Principles to the Federal Trade Commission in Washington. The association hopes these principles will encourage best practices by vendors and customers to prevent the abuse of privacy. The principles call for providing user control and informed consent of personal-information use in authentication systems; support for a diversity of authentication services; use of individual authentication only when appropriate; notification of collection and use of information; and accountability to ensure authentication providers are complying with privacy practices.

"There are still many questions that need to be answered around privacy, security, and governance about how information will be treated," says Ari Schwartz, associate director of the Center for Democracy and Technology in Washington. "There is a new focus now because ID management is thought of as a way to address several kinds of problems, including identity theft, fraud, and other security issues."

Two groups are driving the push for identity management.

The Liberty Alliance, which now includes more than 160 technology vendors and end-user companies, is building open technical specifications that enable information-sharing relationships among employees, customers, and partners. The second "group" is an informal arrangement between Microsoft and IBM Corp. to work out federated network identity security standards based instead on Web services standards such as WS-Security. Although the Liberty Alliance and the Microsoft-IBM pairing both endorse a federated identity management model of creating trusted groups of partners and clients, the two camps differ in their approach.

Microsoft and IBM are building a set of Web services security standards for operating systems, application servers, and platforms. They are also pursuing SSO (single sign-on) security systems such as Microsoft's .Net Passport and IBM's Tivoli Identity Manager. In contrast, the Liberty Alliance is developing its own set of open specifications and solutions for federated identity management that securely share applications. In the future, the Liberty Alliance hopes to also construct open specifications that will link its efforts to the Web services standards being developed by IBM and Microsoft.

IT executives should choose between approaches based on their needs, says Dan Blum, an identity management analyst at the Burton Group in Midvale, Utah.

"Once you have a base of ID infrastructure and your security policy is set, then you can look to external capabilities. If you're establishing relationships with consumers (or customers), Passport may work for you, and if you're working with partner accounts in a federated relationship, Liberty Alliance may work. Or you may use both," Blum says.

Besieged by standards

Both groups are releasing their standards and specifications in such a frenzy that it's almost too overwhelming, according to Blum.

"IBM and Microsoft were not part of the Liberty Alliance initially because it started as an anti-Passport thing. Over the months, the anti-Passport rhetoric cooled down, and the Alliance leadership shifted to the end-users who did not want a standards war," Blum explains. "(The users) wanted Microsoft and IBM to get on board with the other vendors. Microsoft and IBM wanted to work on (standards) from a broad platform perspective and work on other areas, like Web services issues such as reliable messaging. They feel Liberty Alliance will be too big and too bureaucratic."

In the swirl of identity management activity, the most recent development came in April when the Liberty Alliance published Phase 2 of its standards and specifications road map. It describes a federated system in which partners can communicate across enterprise networks to run their companies more efficiently and securely. This second phase of standards includes the Alliance's ID-FF (Identity Federation Framework) 1.2 and introduces the ID-WSF (Identity Web Services Framework) and the ID-SIS (Identity Service Interface Specifications).

The ID-FF adds functionality to the opt-in account linking and SSO capabilities released in July 2002, including protocols for sharing information with a group of trusted, affiliated sites and anonymity features, which allow a service to ask for user attributes without learning the user's real identity. The ID-WSF offers a standard way to create interoperable, identity-based Web services; its components include permissions-based attribute sharing and a discovery service, which lets a service provider locate the identity services associated with a user, subject to the permissions that user has granted. Adding more enterprise identity and privacy tools, the ID-SIS will become the basis for additional specifications built on the ID-WSF. Liberty Alliance officials expect that, following public review, a final version of these specifications will be available this summer.
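The account-linking and anonymity features described above reduce to a few mechanics: the identity provider keeps the real user record, each (user, service provider) federation gets its own opaque pseudonym so two providers cannot correlate the same person, and each signed assertion releases only the attributes the user consented to share with that provider. The following is an added illustration of those mechanics written for this edit; it is not Liberty Alliance code or any ID-FF implementation. It assumes a per-provider shared HMAC key in place of the XML signatures and certificate-based trust a real federation would use, and the provider names, user and attributes are constructed.

```python
import hashlib
import hmac
import json
import secrets


class IdentityProvider:
    """Holds real user records and issues short-lived, signed assertions.
    Each (user, provider) federation gets its own random pseudonym."""

    def __init__(self, name="idp.example"):
        self.name = name
        self._users = {}     # user id -> attribute dict
        self._sp_keys = {}   # provider id -> shared signing key (assumption: stands in for PKI)
        self._links = {}     # (user id, provider id) -> pseudonym
        self._consent = {}   # (user id, provider id) -> attributes the user agreed to release

    def register_provider(self, sp_id):
        key = secrets.token_bytes(32)
        self._sp_keys[sp_id] = key
        return key

    def register_user(self, uid, attributes):
        self._users[uid] = dict(attributes)

    def federate(self, uid, sp_id, consented_attributes):
        """Opt-in account linking: a pseudonym unique to this pairing plus a
        fixed consent set; nothing outside that set is ever released."""
        if uid not in self._users or sp_id not in self._sp_keys:
            raise KeyError("unknown user or provider")
        self._links[(uid, sp_id)] = secrets.token_hex(16)
        self._consent[(uid, sp_id)] = set(consented_attributes)
        return self._links[(uid, sp_id)]

    def issue_assertion(self, uid, sp_id, requested, now):
        """Answer an attribute request by pseudonym only, releasing just the
        consented attributes and listing what was withheld."""
        if (uid, sp_id) not in self._links:
            raise PermissionError("user has not federated with this provider")
        allowed = self._consent[(uid, sp_id)]
        record = self._users[uid]
        released = {a: record[a] for a in requested if a in allowed and a in record}
        payload = {
            "iss": self.name,
            "aud": sp_id,                      # bound to exactly one provider
            "sub": self._links[(uid, sp_id)],  # pseudonym, never the real user id
            "iat": now,
            "exp": now + 300,                  # five-minute validity window
            "attrs": released,
            "withheld": sorted(set(requested) - allowed),
        }
        body = json.dumps(payload, sort_keys=True).encode()
        sig = hmac.new(self._sp_keys[sp_id], body, hashlib.sha256).hexdigest()
        return body, sig


class ServiceProvider:
    """Verifies an assertion and keys its local account on the pseudonym."""

    def __init__(self, sp_id, key):
        self.sp_id = sp_id
        self._key = key
        self.accounts = {}  # pseudonym -> attributes seen so far

    def accept(self, body, sig, now):
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            raise ValueError("signature check failed")
        payload = json.loads(body)
        if payload["aud"] != self.sp_id:
            raise ValueError("assertion was issued for a different provider")
        if not payload["iat"] <= now < payload["exp"]:
            raise ValueError("assertion outside its validity window")
        self.accounts.setdefault(payload["sub"], {}).update(payload["attrs"])
        return payload["sub"], payload["attrs"], payload["withheld"]


def demo():
    """Constructed scenario: one employee federated with two partner services."""
    idp = IdentityProvider()
    design = ServiceProvider("design-partner", idp.register_provider("design-partner"))
    payroll = ServiceProvider("payroll-service", idp.register_provider("payroll-service"))
    idp.register_user("alice", {"email": "alice@example.com", "role": "engineer"})
    idp.federate("alice", "design-partner", ["role"])             # role only
    idp.federate("alice", "payroll-service", ["email", "role"])   # email and role

    now = 1_000_000
    body, sig = idp.issue_assertion("alice", "design-partner", ["role", "email"], now)
    sub_design, attrs_design, withheld = design.accept(body, sig, now + 1)
    body2, sig2 = idp.issue_assertion("alice", "payroll-service", ["email"], now)
    sub_payroll, attrs_payroll, _ = payroll.accept(body2, sig2, now + 1)

    def rejected(sp, *args):
        try:
            sp.accept(*args)
            return False
        except ValueError:
            return True

    return {
        "unlinkable": sub_design != sub_payroll and "alice" not in (sub_design, sub_payroll),
        "design_attrs": attrs_design,
        "design_withheld": withheld,
        "payroll_attrs": attrs_payroll,
        "replay_rejected": rejected(payroll, body, sig, now + 1),   # minted for design
        "expired_rejected": rejected(design, body, sig, now + 300),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design partner learns that the pseudonym it holds is an engineer but never receives the e-mail address it asked for, the payroll service sees a different pseudonym for the same employee, and an assertion minted for one provider fails verification at the other because each provider has its own key and the audience field is checked before any attribute is trusted.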

Not to be outdone, IBM is working with Microsoft to build out WS-Security, which defines how security tokens, digital signatures, and encryption are attached to SOAP messages so that Web services applications can authenticate the sender and protect the integrity and confidentiality of each message. IBM and Microsoft have submitted it to OASIS. The Liberty Alliance announced in April that it will also submit its Phase 1 federated network identity specifications to OASIS for inclusion in the OASIS SAML (Security Assertion Markup Language) specification for Web services security frameworks.

"What will happen ultimately is that as soon as stuff shows up in the light of day, each group -- under customer pressure -- starts figuring out how to be compatible with each other," Burton's Blum says. "They will diverge and converge, diverge and converge. It's not the best way, and it means that all the data is still out there out of control."

These standards may make identity management systems more attractive to customers, yet they fail to fully address concerns about protecting companies' and employees' privacy.

Recovering from a blow

Last month's imbroglio over a flaw in Microsoft's .Net Passport did nothing to bolster confidence in privacy protections in identity management systems. The vendor and its SSO system, which allows users to sign in to various Passport-enabled sites with just one user name and password, were subjected to widespread criticism for failing to secure the privacy of individual user accounts. This security vulnerability could have enabled unauthorized access to Passport accounts used for transactions and e-mail authentication, and all an attacker needed to know to exploit this flaw was a user's e-mail address. Despite Microsoft's patch for the problem, IT analyst company Gartner recommends financial institutions, credit card issuers, retailers, and other enterprises break all Passport services connections until at least November, giving Microsoft enough time to secure Passport.

Gartner calls the Passport flaw a major blow to Microsoft and even to the Liberty Alliance as they struggle to coax customers to accept and trust that identity services will protect privacy. But Microsoft officials countered that users have a misperception about just how much information is stored in its Passport service. Pete McKiernan, product manager of Microsoft's platform strategy group in Redmond, Wash., says the varying needs of different Passport users are difficult to balance.

"Some users want privacy to go up toward near anonymity, and (other) customers want to give out their information for a better experience," McKiernan says. "With businesses, a lot of participating sites (that accept Passport) want that higher degree of assurance."

Undaunted, Microsoft is pushing ahead with identity management in its .Net Passport and MetaDirectory platforms; new tools and services such as account provisioning and self-service password management are slated for the coming months. Windows Server 2003, the foundation of Microsoft's identity management framework, will be bolstered by Authorization Manager, a role-based authorization infrastructure that allows customers to define roles and grant access based on user attributes. In addition, Windows Server 2003 supports Passport for authenticating users, alongside authentication mechanisms such as X.509 certificates and Kerberos.

Along with Passport, Novell's eDirectory and IBM's Tivoli identity management system are being updated to pull together disparate systems, incorporating into the platforms identity management technologies such as identity and access management software, password synchronization, and provisioning policies.

"Clearly, secure identity management is one of the most significant issues companies are facing today, because failing to address it can have a major impact on both the security and cost structure of an organization," says Chris Stone, vice chairman in the office of the CEO at Provo, Utah-based Novell. To answer the need for secure identity management that doesn't layer on confusing password management and inefficient data administration, vendors such as Novell are developing provisioning and access management systems as well as meta directories that combine disparate directories.

This growing concern over privacy is nothing new to the European Union, which has been more aggressive than U.S. policy-makers in enacting government data-protection rules. In January, the European Union pressured Microsoft into making significant changes -- including a radical alteration to information flow -- to its .Net Passport system to alleviate privacy concerns surrounding online authentication mechanisms. As identity management standards and specs continue to be rolled out, a working group of E.U. data regulators is keeping a close eye on both Passport and the Liberty Alliance technology to ensure E.U. privacy standards are adhered to in existing and future technology implementations.

Despite the quickly shifting currents of identity management products, standards, and specs development, IT managers should not be daunted from deploying or improving an existing identity management system.

"If you do nothing, you run the risks of security problems and high administrative costs," Burton's Blum says. "You need to start to build ID management applications and get a security policy straight. You need to understand your requirements, develop your architecture, and deploy your solution."
