You know the nightmare: A few thousand credit card numbers are stolen from your company's customer database. After digging into your systems to see how security was breached, you learn that the crime was perpetrated not by an anonymous hacker, but by a recently dismissed employee.
Worse, the former employee gained access to the customer database simply by using his old user ID and passwordwhich was not deleted when he was discharged.
Before long, your company is facing a public-relations disaster: The media is spreading the word about your firm's vulnerabilities, furious customers are threatening lawsuits, and your CEO is demanding an explanation as to why the IT department wasn't practicing good identity management.
But consumer fraud isn't the only reason you should be concerned with identity management. Companies are finding that complying with such regulatory issues as HIPAA, Sarbanes-Oxley and Gramm-Leach-Bliley means authenticating and tracking all employees who have access to sensitive data, such as patient records and financial documents.
Although identity management is not specifically cited in any of the federal regulations, most companies agree that in order to ensure compliance, stricter controls are necessary.
"Sarbanes-Oxley is driving a lot of the conversations I have with clients," says Roberta Witty, a research director at Gartner Inc. Currently, many IT departments are so focused on upgrading identity management that purchases in other areas of the business are being put on hold.
There is good reason for all the urgency around identity management.
According to Gartner, more than seven million Americans were victims of some form of identity theft during the 12-month period ending June 2003a whopping 79 percent increase over a similar Gartner survey concluded in February 2002. The issue has gained enough attention that, in July, President Bush signed into law an identity theft bill that adds two years to the prison sentences of criminals convicted of using stolen credit card numbers or other personal data.
Unfortunately, identity management is no easy task, and it can be a major challenge if your company's systems operate on different platforms.
More than 100 identity management vendors are currently peddling their wares; some offer application suites that promise to meet your every need, others provide specific expertise. And because there are several pieces to the identity management puzzlesuch as single sign-on, self-service, authentication, access control and automated provisioningknowing which area to tackle first presents yet another stumbling block.
Additionally, privacy issues and employee resistance are always a concern, especially when your authentication tools include biometrics or other invasive technologies.
But the biggest headache may be getting all the key departments to sit down and discuss the policies and procedures that will govern identity management.
Still, the benefits usually outweigh the headaches.
Identity management gives your firm greater control over processes and programs, tighter security around sensitive information and better management of employeeswhether they are new hires, recently fired or changing their role within your organization. It also cuts down help desk costs, which can mean significant savings, and can free up your staff to do more important things.