ID AND THE NEED TO KNOW
Nov 1, 2004 12:00 PM, by JACQUELINE EMIGH
Identifying employees and company visitors is not what it used to be. Waves of corporate financial scams, federal regulatory changes and international terrorism are making it more important than ever to verify positive ID. But Internet access and other aspects of computerization are making the task harder than ever.
Vendors are responding with a widening array of “identity management” tools — some aimed at information security pros, and others geared also to physical security pros. Users of these tools run the gamut from blue-chip corporations such as Ford Motor Co., Pfizer and Northwest Airlines, to federal government agencies and major hospitals and universities.
Why all the interest in identity management? It's about protecting an organization and its assets, which is no longer a matter of simply standing watch at the door. The critical company documents that were once kept secure under physical lock and key have made their way onto computers. In electronic form, documents can be subject to tampering and theft by anyone who is granted access over the Internet, or by anyone who manages to slip past the guard in the front lobby.
Federal legislation such as the Sarbanes-Oxley Act requires all publicly traded companies to institute controls over physical access and computer operations. One of the act's provisions specifically forbids alteration, destruction or concealment of either paper-based or electronic documents with the intent of obstructing a government investigation.
In some ways, documents moving from paper to electronic form is a good thing. Otherwise, compliance with new federal regulations would be even more complex and unwieldy than it already is.
With the Health Insurance Portability and Accountability Act (HIPAA) now in place — aimed at preventing disclosure of patient medical records — medical organizations are instituting highly granular approaches to document management. Employees are being granted differing degrees of access rights to various kinds of documents.
“If documents were still kept under lock and key, you would need to have a full-time locksmith on staff just for managing document access,” comments Bruce Macdonald, senior product manager at security software company M-Tech.
Software in the emerging category of identity management is meant to ease such burdens. Yet with so many identity management products on the market today, how can anyone tell them apart?
Essentially, these products can be differentiated in two ways. One distinction is the method (or methods) used for “authenticating” people, or proving their identities. The other is whether the product is useful in physical security as well as in information security.
Virtually all identity management products authenticate users based on something they know (a password, a user name, or the answer to a “secret question”); something they have (a card or a token); and/or something they are (a biometric identifier).
St. Vincent's Health System, Erie, Pa., for example, is using a biometric ID system from Saflink Corp. to allow employees to use fingerprints instead of passwords to access software applications. Like some other biometric software, Saflink Security Software can also be used as a component in access control systems for physical facilities.
Biometric authentication can be convenient for both employees and security managers, according to Gene Young, an engineer from Saflink who helped to install the kiosk-based fingerprint reading system at St. Vincent.
“Doctors really like the biometric system, because they have to remember so many different passwords for software programs at various hospitals,” Young says. “These are brilliant people, and they have better things to do than worry about passwords.”
“Biometrics also help eliminate the hassles of passwords,” he adds.
How many forms of authentication are really necessary? The answer depends to a large degree on the amount of risk a company is willing to take, according to Amit Jasuja, vice president of product management at Netegrity, another security software vendor.
“If you are running an Internet site, you might not really care whether the person visiting your site is actually named David or Amit. But if you are operating a large physical facility, you might not want to rely on simple swipe cards. Swipe cards are too easily lost or stolen — and sometimes, employees will loan their cards to somebody else,” Jasuja says.
Manufacturing and financial management firms, for example, tend to be more wary of risk, and to require more in the way of authentication, according to Jasuja. “What might happen if someone gets access to manufacturing facilities or computer programs who isn't truly an employee?” he asks.
Non-biometric identity management vendors also offer expanded capabilities to supplement computer-based authentication. For example, M-Tech's password management software, P-Synch, provides features that include synchronization of a user's multiple passwords (so that the password is the same for all software applications), and administration of other sorts of identity proofs, such as biometric identifiers and PC smartcards.
M-Tech also produces a number of other identity management software products. ID-Certify, now being tested at several corporations, provides users with a set of best practices for achieving compliance with federal regulations such as Sarbanes-Oxley. Other M-Tech products include ID-Synch; ID-Access; ID-Discover; and ID-Telephony, enabling users to change their own passwords over an automated phone system.
Some products originally used solely for computer access are just starting to expand into physical security access management. Netegrity's SiteMinder, for example, combines password management with the ability to assign access rights to specific software programs; employees are added to the system when they are hired and deleted when they leave the company.
In SiteMinder 6.0, the latest version of the product, Netegrity has added new software interfaces that include relational database support, for integration with physical access control systems. “A lot of access control systems use relational databases for storing ID information,” Jasuja says.
He adds that Netegrity has been gleaning knowledge about combined physical and computer systems authentication by working in the federal government's E-Authentication program.
In the future, look for more identity management products that bridge the computer and physical worlds.
FOR THE RECORD…
About the Companies
For information, circle the Reader Service number (listed below) or visit securitysolutions.com
| Company | Reader Service number |
| M-Tech | 15 |
| Netegrity | 16 |
| Saflink Corp. | 17 |
© 2008 Penton Media Inc.