In Depth

Identity Management in the Real World

What's identity management? Ask 20 vendors, get 20 answers. But CSOs aren't waiting for a universal definition; they're busy tackling whatever projects meet their business needs.

By Deborah Radcliff


Eventually Burkhardt would like to advance to proximity cards, which would also function as building access controls to save the doctors even more time. But that would require hardware replacement costs he can't currently justify.

Boeing, however, has the business case to do just that. The company is already rolling out combined logical- and physical-access cards for nearly 156,000 employees worldwide, in an identity management project that stemmed from Boeing's physical security operations.

In late 2001, Boeing's physical security group had plans for a common proximity badge to replace about a dozen different badge types that had proliferated across the enterprise (the result of a series of mergers and acquisitions). Swapping out the hardware was cost-justified because it eliminated the expense of maintaining as many different brands of badge readers to read all the cards. At the same time, the technical security team was looking into a separate secure authentication project using high-level RSA X.509-based digital certificates for a higher level of secure access to data resources. "The executives decided it would be better to combine the projects," says project program manager Sharon Lindley, who reports to both the CSO and the CIO.

Boeing plans to issue 35,000 combined smart cards/proximity badges by year's end (13,000 of which were already in use by September). The company will issue the remaining 120,000 in 2005.

"We feel that even strong passwords are too weak an authentication form," says Boeing's Lyons. "So we prove identity with the X.509 certificate on the badge. That in turn lets our authorization systems look up additional information about individuals in the electronic directory and make roles."

Like others, Boeing is taking the project forward in degrees by rolling out the cards group by group. And current roles are rudimentary. The company's internally written authorization logic bases its decisions on information such as, Is this person a U.S. citizen? Is this person a Boeing employee or a contractor? So, for example, if a non-U.S. worker wants access to the International Traffic in Arms Regulation data, the system will recognize that that person is a non-U.S. citizen and therefore restrict access, Lyons says.

Justifying the Ends

There's an argument to be made for not plunking down the money for any identity management system until enterprisewide requirements have been defined. In fact, a recent Cutter Consortium report urged CIOs and CSOs to do exactly that, since a piecemeal approach could quite conceivably lead to incompatible systems or expensive overhauls down the road if the fledgling system can't scale up. But again, the folks on the corporate front lines seem unwilling to dally too long over enterprisewide definitions.
