by David Miller, Covisint

Spooked! The Top 13 Identity Management Fears

Oct 30, 2008 | 5 mins
Identity Management Solutions | IT Leadership

A scary number for a scary subject? Covisint CSO David Miller looks at what stops IDM projects (with a little seasonal help from the cast of the Wizard of Oz).

Let’s face it: identity has become the de facto challenge in security these days.

We all have about a gazillion username-password combinations — many of which require something unique to each individual site. It’s all just downright scary. Too much to handle. Especially for overworked IT departments, CSOs, and their staffs — more importantly, for your customers.

Since it is Halloween week, I figured fear itself rules the day. And, as security pros, it’s fear that we must face. To do this, we must first understand where we are today — to benchmark those fears — before we can even begin to handle and manage the problems that real, everyday, on-the-job fear creates.

To help you understand the scary labyrinth of terror associated with identity and identity management (IdM) — and, in unapologetic deference to Judy Garland, Ray Bolger and Bert Lahr — I submit to you that we all need a little more courage, a bigger brain, and even a place we can call home.

Here are the Top 13 Identity Management Fears.

Dorothy, will you ever forgive?

1. Because, because, because, because I WILL get audited. When, not “if,” I get audited, I’ll have no single process to manage all of my users, nor the visibility regarding where they originate. And, audits are just too messy and burdensome for me to do well, particularly with the complexity of my userbase.

2. I’m melting with too much exposure, too little control. I’m exposed on multiple levels: legally, financially, organizationally, etc. I need to share my data outside of the firewall, yet, with HIPAA, I’m liable for situations that, with my data “out there,” are beyond my control. It’s the IT and identity management version of “taxation without representation.”

3. We’re not (just) in Kansas, anymore. Here’s the simple scary fact: If my company is global, I can just take all of my U.S.-based challenges and multiply that by the number of countries I now serve. Global identity problems require a completely different privacy mindset than those involving only the U.S. For example, in healthcare, HIPAA compliance changes; in financial services, SEC regulations, the European Union Data Protection Act and other regulations are in force when data is shared across national boundaries.

4. I do, I do, I do believe in international nuances. Yet, they scare me. You see, I have a global market and am not equipped to deal with geographic and cultural sensitivity issues for identity and user management. There are multiple languages, customs, help desk issues, etc., all of which I’m simply unaccustomed to handling.

5. No courage for large groups. I want to grant access to large groups of users — such as AOL, Yahoo, Comcast — yet I fear successfully leveraging the existing identity providers.

6. All those identities: just put em up, put em up. My internal users have so many passwords that they try to use the same easy-to-remember one for every identity. Or, worse yet, they’ve written them all down on colored sticky notes on their monitor. That can’t be safe. And, customers are increasingly telling me that they are just saturated with IDs — they just won’t keep adding new username/password combinations.

7. Follow the government’s mandates. When the federal government mandates it, the federal government gets it. This, of course, applies when Uncle Sam requires me to implement multi-factor authentication. Yet, I don’t have the time, budget or expertise on staff.

8. We’re off to meet the customers’ demands. My customers are demanding that I federate into their existing systems. I don’t have the expertise to do that.

9. Acquisitions and divestitures and federation — oh my! My company keeps buying (or divesting) other companies and I’m overwhelmed trying to integrate (or dismiss) their identities securely into my systems.

10. I think I’ll miss the old days most of all. I’m afraid to expose my information on the public Internet. Back in the day, this was the network guy’s problem when access was managed via a single, secure VPN connection to my directory. Now it’s my headache.

11. Co-opetition twister? My community is implementing a co-opetition model that requires me to share data and users with my competitors. I’m not sure how to do this safely and securely.

12. Pay no attention to those 50 or so acronyms behind the firewall. SAML, SPML, XACML, WS-FED, WS-TRUST, WS-POLICY. What the hell are all of those? I can’t even pronounce these things, let alone successfully manage them all.

13. I need a (bigger) brain. Previously, I was required to manage only passwords. Now, it’s tokens, certifications, risk-based items, BINGO, CardSpace and others. And, don’t even get me started about HSPD-12! Help!

Yet, Dorothy, somewhere over your identity fears, there really is hope.

In a future article, I will provide my thoughts regarding overcoming these fears. I’ll discuss where identity is headed and the methods you can put in place today and in the near future to help yourself and your company deal with the not-so-scary future of identities.

Now click your heels together three times.

David Miller is Chief Security Officer for Covisint, where he is responsible for internal and external system architecture security issues for e-business exchange. In addition, Miller directs the identity management offering at Covisint, which currently secures access for automotive, healthcare and government customers.