Is centralized identity management the solution to cyber-security issues?

Passwords are "the dirty little secret" of the computer-security industry, says Arvind Krishna, a software security expert. The use — and misuse – of passwords illuminates a cyber-security conundrum: is it about the user, or the data? Industry experts like Krishna study the plethora of security screw-ups for clues. Krishna favors centralizing identity management — he mentions passports as a real-world example — but much work and deep thinking must be done before such a concept can become workable in the cyber-security world.

Passwords are "the dirty little secret" of the computer-security industry, says Arvind Krishna, vice president of provisioning and security development for Tivoli Software, part of IBM's software division. Their use — and misuse — illuminates a cyber-security conundrum: is it about the user, or the data? Industry experts like Krishna study the plethora of security screw-ups for clues.

Consider the following examples, all of them "data-centric" bungles that illuminate the immediate need for tight data management, also referred to as "data governance:"

 Personal data on Ted Turner and roughly 600,000 other current and former Time Warner employees was stolen in May 2005. Their names, addresses and Social Security numbers were on backup tapes being trucked to storage by a subcontractor; the tapes still haven't surfaced but pessimists say that info has long been sold to identity thieves.

• California regulators fined Kaiser Permanente $200,000 in late June 2005 after determining the health maintenance organization posted the confidential medical records of 150 patients on a publicly accessible Web site (the site was a systems diagram resource for IT staffers).

• The thief who broke into a San Jose doctors' office in March 2005 got more than the two computers carted away in the night, authorities say. Those computers contained the personal data of about 185,000 current and former patients, authorities say.

• And in July 2005, just two months ago, City National Bank announced the disappearance of two backup tapes with customers' personal data that included account and Social Security numbers.

At the same time, though, identity management is becoming increasingly complex, Krishna says. The typical computer user has at least a dozen IDs. Count them: Your ID — user name and password — for work. Maybe you've got more than one, because you need to access different systems. If you bank online, use a drug prescription Web site, or buy kids' tube socks in bulk from Hanes.com, there are a few more. Belong to a professional organization, an alumni group or a stock-watch service? Add three more.

Figure in the newspapers and magazines you read online, the message board for ABC's hit show, "Lost," the distance-learning class on time management and the Web site for dog trainers. Don't forget the celebrity-gossip chat room. You've hit a dozen without even digging deep. IT employees or heavy computer users can easily possess 50 to 60 IDs, Krishna adds.

Krishna has identified six tasks related to managing it all: provisioning new users, managing users, de-provisioning users, deploying new initiatives, reconciling user data and protecting trust. Managing computers is easier, he jokes, "because computers are much more hardened against social engineering and charm."

That's why companies will begin to regard comprehensive audits of their information security system as "mandatory and ubiquitous in the next several years," Krishna explains. These audits will determine how many super-users have access to the systems; whether all departed employees have deactivated passwords; who has accessed which sensitive material when; and whether non-sanctioned users are logging in, among other issues.

But that's going to take some doing, as information security lags far behind law and finance when it comes to efficient, productive auditing. For one thing, auditing is an automated process in law and finance, but IT managers "have to scramble to get the information manually, from here and there," he continues.

Krishna endorses federating — centralizing — identity management. In fact, he's been beating that drum for almost two years now, heralding the Web as the instrument that will enable federation. Naysayers raise the specter of Big Brother, with government or business entities controlling users through cyber-manipulation.

While Krishna insists that "Big Brother is not going to happen," it's still too early to tell how federation will change privacy. One thing is for sure, though — federating identity management will change the computing security environment, he says. 

Can federating identity management work? Krishna gives an awesome example: passports. One country issues it. Other countries accept the identification validation provided by that issuing country in the form of the passport. "You only get one passport, but it works everywhere, because there is trust between users," he explains.

"Trust" is a word Krishna uses often to describe a working relationship based on shared premises. For instance, federation will be easier due to standards for securing Web services developed by IBM, Microsoft and the Liberty Alliance, an alliance of more than 150 government agencies, companies and nonprofit organizations around the world.

Identity-management federation is still pretty much a pipe dream when it comes to what Krishna calls "the commercial world." And it shows. For instance, in February 2005, ChoicePoint, a huge consumer-information collector, began notifying more than 145,000 consumers that their identities may have been stolen.

The security breach happened when crooks posing as small companies — ChoicePoint customers — got their hands on the data. "ChoicePoint discovered it was doing business with two nonexistent companies," he notes.

Then there's the notorious JetBlue Airways security breach that led the American Civil Liberties Union to publish an online Freedom of Information Act form for customers whose personal data was shared with the government. When the Pentagon asked JetBlue for passenger records as part of an anti-terrorism project, the airline complied.

But then the Pentagon's subcontractor used a data merchant to match more than 5 million JetBlue records with customers' Social Security numbers, income and occupational information; some was eventually posted on a Web site. Krishna says JetBlue decision-makers didn't know their customer data would be used in such a way, but points out it's a lesson that others "can take that info and merge it with other data bases. Data flows everywhere!"

While there are several reasons to adopt federated identity management, including simplifying integration and facilitating automation — a process crucial to efficient data governance — cutting costs and growing market share are the biggest drivers. First, federating lowers the cost of ID management. Second, Krishna says, federation improves user satisfaction by simplifying their lives. Third, it reduces risk of security breaches, which can be enormously expensive.

Without data governance, you also end up in trouble. Just ask pharmaceutical giant Eli Lilly and Company. The Federal Trade Commission charged Lilly with a number of violations after an IT staffer creating a new patient e-mail program sent 669 Prozac users an e-mail that displayed their addresses to each other.

Lilly was dinged for inadequate employee training, spotty administrative oversight, weak "checks and controls" and violating their own privacy rules; the company eventually settled with the FTC, promising to beef up security. "It all comes back to audit trails and automation," Krishna adds.

Bottom line: data governance requires federated identity management, and federated identity management alone leaves the door open to intruders, he told IT managers gathered in Tempe, Ariz., for the third annual Security Symposium. The event is sponsored by the Center for Advancing Business Through Information Technology at Arizona State University.