IDM projects must be implemented with caution, say experts
Identity management implementations mean that IT chiefs must tread carefully
Identity management (IDM) has numerous associated IT and business benefits, but IT chiefs must tread carefully when considering implementing IDM projects across the enterprise, experts warn.
At the annual Information Security Solutions Europe (ISSE) event in Rome, Greg O’Malley, chief technology officer for identity management at cryptography specialist nCipher, praised IDM for enabling firms to pass data-protection audits, benefit from IT operational efficiencies and make economic gains through partner enablement.
But he warned that if not implemented correctly, it can leave the enterprise exposed.
Key mistakes highlighted included leaving generic and administrative accounts unmanaged and allocating administrator rights that are too strong, especially around access to the audit logs.
Authentication itself is becoming susceptible to hackers, with even two-factor systems now vulnerable to criminal attack. In future, more IDM systems will therefore involve data encryption as well as stronger controls over who can access the information, he added.
“This move from infrastructure protection to data protection will create a huge management issue,” he warned. “If you don’t manage the keys properly and [you lose] them then you are effectively shredding the data – so tread cautiously and have well-defined processes for recovering data and keys.”
O’Malley also advised IT security chiefs in large firms with potentially complex IDM projects ahead of them that “a phased approach with tightly managed scope and stakeholder buy-in is important”.
But delegates were sceptical about the business case for implementing comprehensive IDM projects. One IT chief argued that many firms would need to see a clear ROI before they thought about implementing large-scale identity management.
O’Malley argued that the “benefits of IDM outweigh the risks or we wouldn’t have seen so many firms already adopt it”, although he admitted this would depend on how risk-averse a firm is.
Nissim Bar-El, chief executive of security consultancy Comsec, argued that identity management and identity theft are among the most important issues facing firms today. But while the technology solutions are available to mitigate the risks in this area, IT chiefs must rigorously enforce policies and procedures around them to reap the rewards, he added.