A fine idea, BUT…
John Pickett, Executive Director, CIO Executive Council (Canada)
There’s broad agreement among Council members on the desirability of a centralized enterprise access and identity management system. We all face a growing portfolio of systems to which employees, business partners and customers need access. The physical boundaries that once defined the enterprise have little meaning in the networked world, and mobile users are enjoying even greater freedom through the use of wireless technologies.
The complexity of our information environments is one of the primary reasons a holistic approach is needed. But that complexity is also proving to be a challenge to many members in moving forward with a solution and, in some cases, to developing a credible business case.
In 1996 CIBC Mellon took advantage of being a new venture to develop a scalable access solution from its beginning. But most companies face a reality that includes a range of existing applications with varying approaches to access management, so getting there from here can be a daunting proposition.
Here, CIO Executive Council members share insights based on their experience. As members of The Council, they draw on the experience of one another as trusted colleagues to make better decisions for their organizations, and they act collectively to advance the profession of the CIO.
For more information on the Council visit www.cioexecutivecouncil.ca.
Who’s who on the ID-Management team
by Sari Kalin
CIO Executive Council members say governance is key to successful identity management. “The only way you can adjudicate identity management policy questions is with a good governance structure,” says Bruce Metz, CIO of Thomas Jefferson University.
At Tufts University, where Metz was CIO prior to coming to Jefferson University earlier this year, an IT Council composed of stakeholders across the institution made decisions about IT spending priorities. An IT Policy and Security Committee that reported to the Council developed policies and security practices, including those related to identity management. Metz aims to set up a formal structure at Thomas Jefferson. He advises that CIOs setting up a security governance body in a corporate or campus setting make sure they include representatives from the following departments:
Human resources: Identity management is all about people.
Legal: Be sure to include a legal representative on your team. “You need to make sure your policy is enforceable and that it is reasonable,” Metz says.
Chief security and privacy officers: If your organization has a CSO or CPO, they should be on the security governance committee.
Representatives of key business units or functions: For example, Metz tapped a representative from the head academic office and the head administrative office while at Tufts. You should include someone from each of the company’s main business units.
Internal audit: Someone from the internal audit department will help ensure that policies are compliant with regulations such as HIPAA.
In their own words
Helen Polatajko Senior Vice President & CIO at CIBC Mellon, Toronto
CIBC Mellon developed an in-house Data Security Information Control System (DSICS) in 1999. It was developed using Lotus Notes technology, as this was CIBC Mellon’s email platform as well as being used for some application development.
Unlike other companies that have been established for many years and have attempted to add an access management system as an after-the-fact development, the CIBC Mellon joint venture, being formed in late 1996, had a distinct opportunity to develop such a system right at the onset.
As such, DSICS was developed when CIBC Mellon had a manageable number of systems, and allowed for scalability as application systems continued to be added.
DSICS is a first generation access management system, giving the Information Security group within CIBC Mellon a control system to manage employee access to application systems. It also provides business owners of the application systems monthly reports to review employee access and to ensure that access is only available to those employees with the need.
The system has been well received by both the business owners and CIBC Mellon’s internal audit department as it provides the appropriate level of access management control. The firm will be initiating a 2006 project to bring in a second generation system for both identity and access management.
Tackling identity and access management
by Sari Kalin
CIO Executive Council members share advice on policies and processes for identity-management projects, prioritizing their efforts and how to get funding.
A chain is only as strong as its weakest link. And at many companies, when it comes to IT security, the weakest link is identity and access management. Ideally, a company would have an automated process for doling out application access — and for yanking that access once an employee leaves.
Employee identities would be synchronized across all systems, and technologies would enable companies to trust the identities of suppliers, business partners and other outsiders who need secure access to their systems.
But the reality in most companies is far from ideal. Terminated employees may still have access to sensitive systems for weeks because the system admin never saw the termination e-mail from HR. Employees burdened by having to remember multiple passwords write them on sticky notes and slip them under their keyboards.
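The automated joiner/leaver process the paragraphs above describe, together with the monthly access-review reports that CIBC Mellon’s DSICS gives business owners (described earlier in this article), can be shown in a small reconciliation script. The following is an added example, not code from the article or from any of the organizations it names; the HR roster, the two applications, their owners and the employee IDs are constructed sample data, and the "grace period" after an end date is an assumed policy parameter.

```python
"""Reconcile an HR roster against the accounts each application still holds.

Two outputs: (1) removal actions for access that should no longer exist
(the terminated employee whose termination e-mail was never acted on, and
identities HR has no record of), and (2) a monthly access-review report
grouped by business owner, with the HR status beside every account.
All data here is constructed sample input, not from any real system.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    department: str
    status: str                      # "active" or "terminated"
    end_date: Optional[date] = None  # last day, set by HR on termination


@dataclass(frozen=True)
class Account:
    app: str
    owner: str    # business owner who reviews this application's access
    emp_id: str   # the HR identifier: the join key across systems
    role: str


@dataclass(frozen=True)
class Finding:
    account: Account
    reason: str
    days_lingering: Optional[int]    # None when HR has no record at all


# Constructed sample data: a hypothetical HR roster and the account lists
# pulled from two hypothetical applications.
HR_ROSTER = [
    Employee("E100", "Alice", "Finance", "active"),
    Employee("E101", "Bob", "Finance", "terminated", date(2006, 6, 30)),
    Employee("E102", "Carol", "Operations", "active"),
    Employee("E103", "Dave", "Operations", "terminated", date(2006, 8, 28)),
]

APP_ACCOUNTS = [
    Account("ledger", "finance-owner", "E100", "approver"),
    Account("ledger", "finance-owner", "E101", "approver"),   # Bob left in June
    Account("ledger", "finance-owner", "E102", "viewer"),
    Account("scheduler", "ops-owner", "E102", "admin"),
    Account("scheduler", "ops-owner", "E103", "user"),         # Dave left days ago
    Account("scheduler", "ops-owner", "E999", "user"),         # nobody in HR
]

REVIEW_DATE = date(2006, 8, 31)   # the day the monthly review is run


def find_stale_access(roster, accounts, as_of, grace_days=0):
    """Flag accounts HR says should not exist: identities HR has never heard
    of, and employees whose end date is more than grace_days in the past."""
    by_id = {e.emp_id: e for e in roster}
    findings = []
    for acct in accounts:
        emp = by_id.get(acct.emp_id)
        if emp is None:
            findings.append(Finding(acct, "no HR record", None))
        elif emp.status == "terminated" and emp.end_date is not None:
            lingering = (as_of - emp.end_date).days
            if lingering > grace_days:
                findings.append(Finding(acct, "terminated employee", lingering))
    return findings


def deprovisioning_actions(findings):
    """Turn findings into the removal tickets a system admin would work."""
    actions = []
    for f in findings:
        detail = f.reason if f.days_lingering is None else (
            f"{f.reason}, {f.days_lingering} days past end date")
        actions.append(f"REMOVE {f.account.app}:{f.account.emp_id} ({detail})")
    return actions


def access_review_report(roster, accounts):
    """Monthly report grouped by business owner: every account on their
    application with the HR status beside it, so they can confirm need."""
    by_id = {e.emp_id: e for e in roster}
    report: Dict[str, List[tuple]] = {}
    for acct in accounts:
        emp = by_id.get(acct.emp_id)
        name = emp.name if emp else "UNKNOWN"
        status = emp.status if emp else "no HR record"
        report.setdefault(acct.owner, []).append(
            (acct.app, acct.emp_id, name, acct.role, status))
    return report


if __name__ == "__main__":
    stale = find_stale_access(HR_ROSTER, APP_ACCOUNTS, REVIEW_DATE, grace_days=7)
    for line in deprovisioning_actions(stale):
        print(line)
    for owner, rows in access_review_report(HR_ROSTER, APP_ACCOUNTS).items():
        print(f"\nReview for {owner}:")
        for row in rows:
            print("  ", *row)
```

The join key is the HR employee identifier, which is what "identities synchronized across all systems" buys you: without a common key, an application account cannot be tied back to the authoritative record, and the E999 case above (an account nobody in HR can vouch for) is exactly what shows up in the report for the business owner to decide on.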
CIO Executive Council members met in August to share advice on ironing out policies and processes for identity-management projects, prioritizing their efforts and how to get funding. Here are some of their tips.
1. Make the case with hard and soft benefits. Be prepared to educate business partners about identity and access management — what it is and why it is important. “It’s a very nebulous area to someone outside IT,” says Bruce Metz, CIO of Thomas Jefferson University. “One challenge is to have people understand what you’re trying to do. Then, the second question is, ‘Why does it cost so much?’”
Members who’ve successfully secured funds for their identity- and access-management projects say the secret is in staying away from the nitty-gritty details of single sign-on, smart cards and other elements of security infrastructure. “Keep this from becoming a techie exercise,” says Keith Glennan, VP and CTO at Northrop Grumman. “Anytime you’re doing something that’s essentially an infrastructure project, you have to explain clearly what you’re trying to accomplish in business terms.”
Glennan made his case by showing that new ID-management systems would reduce IT administration and help-desk costs (by reducing the manual hassles of resetting passwords and assigning application access). Security would improve (no more sticky notes with passwords under the keyboard), and so would user productivity (since users wouldn’t have to repeatedly log in to multiple systems). And Glennan points out a soft yet exceedingly important benefit: being better prepared to enforce compliance with regulations and demonstrate that compliance to Sarbanes-Oxley auditors.
2. Pilot the processes, not just the technology. CIOs who’ve begun identity-management efforts say that business-process issues present bigger hurdles than the technology. Steve Strout, CIO at Morris Communications, advises peers to walk through processes and rules related to identity creation and resource access before hardening those processes into code: Who is