
Security as a Matter of People and Process, not Tools and Technologies

December 27th, 2006 by Administrator

As we approach the end of another year, on the cusp of the new, it seems a good time to consider how fragile security technologies can be. Another large (very, very large) organization has lost yet another laptop containing reams of vital personal and exploitable data. For the sake of discussion, I will assume that everyone reading this column is familiar with at least some, if not all, of the high-profile data breaches, destruction, and theft that have occurred in just this last year. So why write about the topic in a blog about Identity and Access Management? I guess it was both the scale and the frequency of the problem in 2006 that struck me. Databases are getting larger, information is increasingly cross-referenced and indexed, and metadata dependencies are becoming myriad and harder to separate. With each breach, the stakes go up. How does one even begin to calculate the negative ROI for an organization incurring a well-publicized breach?

As a company that makes its living from consulting on and implementing Identity Management Systems and Services, it is all too easy to forget how easily (almost trivially) an entire multi-million dollar IdMS investment can be rendered almost useless through carelessness. Through direct or indirect contacts and project work, I am familiar with the inner workings of many of the breached organizations. All of them have access controls and voluminous policy controls in place. Some even have process manuals on all manner of minutiae that make War and Peace look like a portable comic book. And yet, it takes just that one individual, that one lapse in process or policy adherence, to put the entire organization, its partners, suppliers, investors, manufacturers, and customers at risk.

Presuming for a moment that each breached organization has a set of fairly rigid access controls in place, how is data protected in the “last mile”? Do the people with the stolen laptops have to sign in and out of Identity Management systems, subject to roles and data classification systems, in order to view data? How easy is it to store the accessed data in a file? To transfer it to a CD? A USB drive? A Secure Digital media card? A portable hard drive, and so on? How can people be protected from themselves and the temptation to go portable, mobile, or wireless? Is this a problem that technology can solve? How best to bridge the gap between the protections provided by a well-implemented IdMS and an unprotected mobile device?

There is no single answer, but the point I’m driving toward (apologies for taking a while to get there…) is that technologies do not solve the problems of process and policy implementation. Business is about people, behaviors, relationships, communications, and culture, not tools and technology. Technology at best can enrich and improve the business experience, but at worst it can exacerbate an already chronic problem of too much data and too much ease with which that data can be transported. For an individual, data portability is a great and liberating thing. For an organization, especially a large and public one, that freedom can be daunting, and when it is not at least cursorily managed, it can be ruinous.

Part of the solution is that people, from day one, must be made responsible to themselves, the organization, and their co-workers. Individuals must be cultivated as data owners and data custodians. Individuals must understand the data and their relationship to it. There is a very large company that I have worked with which instills the concept that “security is everyone’s responsibility” from day one. Employees and contractors are responsible for knowing the policy, following the policy, and verifying that they are following the policy, which applies to even the smallest scrap of paper. In some ways the policy may seem like overkill at times, but it succeeds at a very primal and subliminal level. It literally forces people to think about the security of the company and its clients in everything they do, at work or away from work. Cell calls - check. Paper shuffling and filing - check. Pagers - check. Electronic data - check. Email - check and double-check. If your organization is contemplating an Identity Management implementation, my advice is to carefully consider your security and data ownership policies before proceeding.

In closing, I hope this post has provided some food for thought. As always, Links Business Group, LLC is here to assist in your evaluation process and security policy management. Contact us to schedule a complimentary half-hour consultation.

Best wishes and regards,

Corbin H. Links, President
Links Business Group, LLC

Posted in Identity and Access Management