Shoring up internal system security

As users gear up to protect systems against external cyberterrorism threats, they also will have to consider locking down internal security by better managing the identity of their end-users.

This point was underscored this week by industry players ranging from professional services giant PricewaterhouseCoopers (PwC) LLP to security vendor Courion Corp., each of which earmarked identity management as now crucial to enterprise efforts.

PwC joined Oblix Inc. and BMC Software Inc. in New York on Wednesday to explore market research firm Gartner Inc.’s findings that companies are indeed ramping up enterprise identity management initiatives because of government compliance, cost savings, and the benefits of easing administrative burdens.

According to Stamford, Conn.-based Gartner, the identity management framework includes permission and policy management, directory services, user authentication, user provisioning, workflow, and an enterprise information architecture.

Gartner interviewed executives from 10 organizations in each of the financial services, retail, and high-tech company segments for its study, said Joan Rosania, director at Gartner Consulting.

They found that eight of 10 financial services companies queried are implementing an EIM (enterprise identity management) solution at a tactical or strategic level, four of which are investing US$6 million to US$10 million toward the effort. Retail respondents showed that seven of 10 are going forward with EIM and spending US$0 million to US$3 million. Lastly, the high-tech segment reported that seven of 10 interviewees are instituting EIM, with three spending as much as US$3 million and one respondent pouring as much as US$10 million into the endeavor.

However, on a broad scale most users have yet to realize “the bigger benefits of leveraging identity,” said Jo Duffy, lead partner for National Security Practice at PwC, based in New York.

“What they’re doing is looking at one piece [of security],” Duffy said. “Sept. 11 changed the bar. This is now a must-have component versus a nice-to-have component. Clients that don’t figure this out will lose.”

Duffy said that PwC is advising its clients to resist the urge to tackle the identity management problem with a “silver bullet” mentality and instead view connected systems, applications, and platforms as a multilayered but single entity that must communicate and identify users in a consistent format.

Scott Hublar, client server infrastructure analyst for Louisville, Ky.-based Baptist Healthcare System, said for his statewide hospital network, the Health Insurance Portability and Accountability Act (HIPAA) government regulation proved the biggest justification for his organization’s heightened internal security.

HIPAA requires that individually identifiable patient information be accessible only to those who need the data for clinical, medical, or billing processes. Designed to drastically overhaul outdated legacy systems and paper-based workflow processes within a two- to three-year timeframe, HIPAA addresses patient electronic data transmission, security, and privacy concerns.

Hublar said running a fine-tooth comb over possible internal threats allowed his organization to patch up or eliminate dormant rogue accounts, close exposed backdoors, and provide a much clearer picture of system vulnerabilities and multiple access points.

“We found that by taking better control of internal security, it gave us better control over our external security,” said Hublar of the statewide hospital network. “We don’t want to have such a complicated security system that it takes a new user three months to get set up.”

Baptist Healthcare System uses Houston-based BMC’s Control-SA product to simplify and consolidate the management of access control across applications and platforms.

For its part, Courion introduced AccountCourier and CertificateCourier this week – two new products in its identity management suite for profile building, password and authentication management, self-service account provisioning, and digital certificates.

The Courion suite enables the use of PKI (public key infrastructure), said Tom Rose, vice president of marketing at Framingham, Mass.-based Courion. Rose said Courion’s “self-service” approach limits the number of people who must share personal information or company data.

John Pescatore, senior analyst at Gartner, said the administrative streamlining that identity management yields should help users with systems that were too hastily constructed during extreme buildup and prosperity before the economy came to a screeching halt.

“What we’ve seen in the last four or five years is a big rush to implement e-business. That rush has caused lots of new applications” to be added without configuring proper authentication and authorization measures, Pescatore said. “The IT shops are in a position to get back some control and efficiency and add [mobile] users.”