Consider the passport security breach of three presidential candidates last year. Did the State Department have appropriate security controls that should have prevented the breach? Why did senior State Department staffers not learn of the improper access until more than two months after it first occurred?

The importance of data and information security has become more pronounced in recent years. We still read about compromised credit cards, identity theft, and other intentional data security breaches. An even more common occurrence is the unintentional leak of information, such as when someone loses a laptop and potentially exposes sensitive and proprietary information. Data loss happens so often now it’s hardly news.

A common theme of compliance auditing and fraud detection is the difficulty of the “detection” itself: detecting a violation or other misconduct. Short of someone—an employee, customer, or (ugh) the media—reporting an incident, how do you know when a privacy or other policy violation has occurred? One approach, identity management, has emerged as its own industry offering a promising line of attack on information security problems. It further offers the potential of a “federated” approach that lets you open your network to trusted partners without compromising security, although this idea is still in its infancy.

What is Identity Management?

Identity management broadly refers to managing the roles and access privileges of individuals (identities) within a company’s systems. IM systems provide tools and technologies for controlling access to critical information within an organization.

A little background may help. A core principle of information security is to control how resources are accessed so they can be protected from modification or unauthorized disclosure. Access controls protect systems from unauthorized access and determine the level of authorization after authentication steps have been successfully completed. In this context, confidentiality is assurance that information is not disclosed to unauthorized individuals or processes. Information must also be accurate and complete, so controls are needed to protect data from unauthorized alteration, ensuring its integrity.

To access key data, somehow you (or your IT system) must determine that someone actually is who he claims to be. Identification is the means of ensuring that a subject is the claimed entity, which can be verified through the use of a credential (like a user name, an account number, or an anatomical attribute captured by biometrics). After we identify who a person is, he or she must then be authenticated to further prove the fact; this is usually where the person must provide another credential, such as a password. Then we must determine if the person has been given the necessary rights and privileges to do what he wants to do—that is, whether the person has been authorized.

IM systems are intended to streamline all these processes. That reduces cost and error rates of user account management (including the persistent need to modify and disable accounts, and to reset passwords). Critically, an IM system can minimize unauthorized access to sensitive systems and data. More specifically, an IM system provides tools to change a user’s role, track user activities, and to enforce policies on an ongoing basis.

Regulatory Drivers

Regulatory mandates have also put more onus on companies for safeguarding customer and financial information. Sarbanes-Oxley, Gramm-Leach-Bliley, and the HIPAA privacy and security rules each hold a company responsible for controlling access to various types of sensitive information. More recently, the Federal Trade Commission published “Red Flag Rules” that require covered companies to establish a program designed to detect, prevent, and mitigate identity theft.

An IM system can support compliance in these areas by providing tools to implement comprehensive security, access, and audit policies. Essentially what is needed is an efficient way to determine who accessed what, who can access what, how access was granted and who granted it, with audit trails for investigations and for handling exceptions. The more automated these processes are, the better—which is where technology can play a role.

The Identity Audit

That being said, having the right IM application or system isn’t enough. Once identity-related security controls are implemented (perhaps through an IM application), an organization needs to audit those controls. Auditing can better ensure that users are accountable for their actions, verify that policies are being enforced, and serve as a deterrent to improper conduct. Auditing capabilities are also useful as investigation tools. Audit trails can be reviewed manually or through automated means, but ultimately they do need to be evaluated.

Part of the identity audit would be a review of the IM system itself, particularly if you’ve implemented a software product. This would include examining the logs generated by components of the IM system, including connected data repositories. Obvious and simple tests include determining if users can select overly simple passwords or can access files where they have no rights in contravention of policies.
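The identification, authentication, and authorization steps described earlier, the audit questions (who accessed what, who can access what, who granted it), and the two simple tests just mentioned (weak passwords, access without rights) can all be seen in one small piece of code. The following is an added example written for this article, not code from any IM product: a toy identity store with a password policy, role-based authorization that denies by default, and an audit trail that the auditor’s test functions then query. The roles, permissions, password rules, and account names are constructed for the illustration.

```python
"""Toy identity-management core with an audit trail (illustrative, constructed example)."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role-to-permission policy (assumed for this example). Anything not listed is denied.
ROLE_PERMISSIONS = {
    "clerk": {"patient_record:read"},
    "physician": {"patient_record:read", "patient_record:write"},
    "auditor": {"audit_log:read"},
}
# A tiny deny-list standing in for a real breached-password list (constructed).
COMMON_PASSWORDS = {"password1234", "welcome12345", "changeme1234"}
PBKDF2_ROUNDS = 50_000


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    role: str
    granted_by: str   # answers the audit question "who granted it"
    granted_at: str


@dataclass
class IdentityStore:
    accounts: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)   # append-only trail of decisions

    def record(self, event, **fields):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "event": event, **fields}
        self.audit_log.append(entry)
        return entry


def password_is_acceptable(password: str) -> bool:
    """Reject overly simple passwords: 12+ chars, at least 3 character classes, not on the deny-list."""
    if len(password) < 12:
        return False
    classes = sum(1 for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]") if re.search(p, password))
    return classes >= 3 and password.lower() not in COMMON_PASSWORDS


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Used when the user is unknown so a failed lookup costs the same as a failed password.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = _hash("not-a-real-password", _DUMMY_SALT)


def enroll(store, username, password, role, granted_by) -> bool:
    """Identification: create the identity. The weak-password test happens here."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {role!r}")
    if not password_is_acceptable(password):
        store.record("enroll_rejected", user=username, reason="weak_password", by=granted_by)
        return False
    salt = os.urandom(16)
    store.accounts[username] = Account(username, salt, _hash(password, salt), role,
                                       granted_by, datetime.now(timezone.utc).isoformat())
    store.record("enroll", user=username, role=role, by=granted_by)
    return True


def authenticate(store, username, password) -> bool:
    """Authentication: prove the claimed identity with a second credential."""
    acct = store.accounts.get(username)
    salt, expected = (acct.salt, acct.pw_hash) if acct else (_DUMMY_SALT, _DUMMY_HASH)
    ok = hmac.compare_digest(_hash(password, salt), expected) and acct is not None
    store.record("auth", user=username, result="success" if ok else "failure")
    return ok


def authorize(store, username, permission, resource) -> bool:
    """Authorization: deny unless the user's role carries the permission; log every decision."""
    acct = store.accounts.get(username)
    allowed = acct is not None and permission in ROLE_PERMISSIONS.get(acct.role, set())
    store.record("access", user=username, role=acct.role if acct else None,
                 permission=permission, resource=resource,
                 result="allowed" if allowed else "denied")
    return allowed


# --- The auditor's side: simple tests run against the trail and the policy -------------
def denied_accesses(store):
    """Who tried to access what without rights (the 'no rights' test)."""
    return [e for e in store.audit_log if e["event"] == "access" and e["result"] == "denied"]


def who_can_access(store, permission):
    """Who *can* access what, derived from the policy rather than from observed activity."""
    return sorted(a.username for a in store.accounts.values()
                  if permission in ROLE_PERMISSIONS[a.role])


def who_granted(store, username):
    """How access was granted and by whom."""
    acct = store.accounts[username]
    return acct.granted_by, acct.role
```

The point of the separate `denied_accesses` and `who_can_access` functions is the distinction the article draws later: the first reports what users actually did, the second what the policy permits, and an identity audit needs both views.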

But the auditor also needs to look externally to verify that an IM system (whether automated, manual, or both) is doing its job correctly. Proper controls and user rights are important, but what users actually do is often more telling. Further, while system administrators have to contend with hackers, organized crime, and other external threats, a low-level employee is usually your prime culprit. According to the World Privacy Forum, for example, the preponderance of medical identity theft occurs through insider methods that are difficult to detect, even after the fact.

In the State Department passport incident, a seemingly ordinary act became a high-profile breach. The individuals in question had the approved user rights and privileges, but simply chose to subvert policy. Similarly, medical staff must be able to access patient medical records, but in publicized incidents, some had chosen to peek at celebrities’ records without a legitimate need to know.

Continuous Compliance

Periodic and random audits can still leave a company vulnerable to security breaches, and are no longer sufficient. Instead of viewing the audit as a single event (“the auditors are coming, so we need to get ready”), more organizations are recognizing compliance as a continuous process that benefits from automation whenever feasible. And instead of sampling a few transactions to see if the outcome was right, you can audit every transaction.

Real-time monitoring of behavior against security policies, continually uncovering questionable activities, can be valuable, but it is still wanting in most cases. Some IM systems can generate activity reports based on internal tracking but don’t report on identities external to the system (say, log-ins from business partners); others fail to cross-reference data across logs, making review and tracking extremely cumbersome.

Audit logs should have thresholds and impact measures aligned with the business context of the information to indicate the level of compliance (which would be of great help to the external auditors). The challenge is in designing the custom rules that alert you to highly suspect activities pertaining to the risks your organization faces.

I work in healthcare, so I’ll give a few examples from that field. An identity audit in our industry could include alerts highlighting unusual volumes of patient record printing, which may suggest an identity theft scheme is underway; user/patient name matches to identify snooping on family members; and family member looping, where one user works through an entire family’s records to steal their medical identities.
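The three healthcare rules above are concrete enough to implement. The code below is an added example, not part of the original column and not taken from any vendor product: it runs the three rules over a constructed access log whose columns (timestamp, user, user last name, action, patient id, patient last name, household id) are an assumption about what a record system could export. The thresholds and window are likewise assumed and are the “custom rules” a given organization would tune to its own risks.

```python
"""Three identity-audit rules over a constructed patient-record access log (illustrative example)."""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Tunable rule parameters (assumed values for this example).
PRINT_THRESHOLD_PER_DAY = 10   # more prints than this by one user in a day is unusual
FAMILY_MIN_MEMBERS = 3         # distinct patients of one household touched by one user ...
FAMILY_WINDOW = timedelta(hours=24)   # ... within this window looks like family looping

HEADER = "ts,user,user_last_name,action,patient_id,patient_last_name,household_id"


def constructed_log() -> str:
    """Sample log lines made up for this example; no real users or patients."""
    rows = []
    # A clerk prints twelve different patients' records in one morning.
    for i in range(12):
        rows.append(f"2009-03-02T08:{i:02d}:00,mlee,Lee,print,P2{i:03d},Pat{i},H2{i:03d}")
    # A user views a patient who shares her last name.
    rows.append("2009-03-02T09:10:00,rgarcia,Garcia,view,P3001,Garcia,H300")
    # One user walks through three members of the same household in twenty minutes.
    rows.append("2009-03-02T10:00:00,tnguyen,Nguyen,view,P4001,Brown,H400")
    rows.append("2009-03-02T10:05:00,tnguyen,Nguyen,view,P4002,Brown,H400")
    rows.append("2009-03-02T10:20:00,tnguyen,Nguyen,view,P4003,Brown-Ortiz,H400")
    # Ordinary activity that should not alert.
    rows.append("2009-03-02T11:00:00,rgarcia,Garcia,view,P5001,Kim,H500")
    rows.append("2009-03-02T11:30:00,mlee,Lee,view,P5001,Kim,H500")
    return HEADER + "\n" + "\n".join(rows) + "\n"


def parse_log(text: str):
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["ts"])
    return rows


def unusual_print_volume(rows, threshold=PRINT_THRESHOLD_PER_DAY):
    """Rule 1: count print actions per user per calendar day and flag the outliers."""
    counts = defaultdict(int)
    for r in rows:
        if r["action"] == "print":
            counts[(r["user"], r["ts"].date())] += 1
    return [{"rule": "print_volume", "user": u, "day": d.isoformat(), "prints": n}
            for (u, d), n in sorted(counts.items()) if n > threshold]


def name_match(rows):
    """Rule 2: the user's last name matches the patient's, a possible family snoop."""
    return [{"rule": "name_match", "user": r["user"], "patient_id": r["patient_id"],
             "ts": r["ts"].isoformat()}
            for r in rows if r["user_last_name"].casefold() == r["patient_last_name"].casefold()]


def family_looping(rows, min_members=FAMILY_MIN_MEMBERS, window=FAMILY_WINDOW):
    """Rule 3: one user touches several distinct patients of one household inside the window."""
    by_user_household = defaultdict(list)
    for r in rows:
        by_user_household[(r["user"], r["household_id"])].append((r["ts"], r["patient_id"]))
    alerts = []
    for (user, household), events in by_user_household.items():
        events.sort()
        for i, (t0, _) in enumerate(events):   # window starts at each event in turn
            patients = {pid for t, pid in events[i:] if t - t0 <= window}
            if len(patients) >= min_members:
                alerts.append({"rule": "family_looping", "user": user,
                               "household_id": household, "patients": sorted(patients)})
                break
    return alerts


def run_rules(text: str):
    """Yesterday's exceptions for review: every alert from all three rules."""
    rows = parse_log(text)
    return unusual_print_volume(rows) + name_match(rows) + family_looping(rows)


if __name__ == "__main__":
    for alert in run_rules(constructed_log()):
        print(alert)
```

Run daily over the previous day's log, `run_rules` produces the short list of exceptions the article later describes, rather than the full activity log; the household id is the piece that lets the looping rule cross-reference records that a per-patient view would never connect.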

To some degree compliance auditing is more art than science. Audits attempt to verify the accuracy of a system or process; in the realm of compliance, audits validate the existence and effectiveness of policies and other controls. Judgment is critical. A risk-based approach to compliance is needed, as perfect security is impossible.

The key question to ask is whether you can prove the appropriate level of due diligence. In a number of information security breaches, the FTC has deemed that the company’s procedures in place to protect the data were inadequate given industry practices.

With the right approach, IM technology can provide previous-day exceptions for review, rather than manual review of enormous activity logs. Audits and technology obviously should be coupled with employee and partner privacy education, incident resolution processes, and consistent discipline and corrective action—the basic tenets of a compliance program—to effectively limit information breaches, intentional or not.

As you tackle IM, it is important to take the time to define and document your processes. This will assist in evaluating the degree of automation that is needed. (You may discover that full automation through technology is not necessary.) Factors to assess include the number of identities to be managed, the diversity and heterogeneity of your information environment, and of course the cost of current processes. A comprehensive identity audit can go far in helping to make the determination.