Smart Enterprise Magazine (CMP Technology Custom Publishing), Security Strategies department
A Matter of Identity
Identity and access management systems can help CIOs comply with regulations, boost security levels and cut IT costs.

By George V. Hulme

While identity and access management (IAM) is one of IT's oldest security challenges, the need to manage identities and access has intensified rapidly in the last decade with the dramatic rise of digital commerce. With the rise of the virtual enterprise, the risks for CIOs who fail to manage IAM properly have grown as well. Add today's wave of government and industry regulations, and CIOs need near-ironclad management of user access, reporting and security.

Regulations come in many flavors. There's Sarbanes-Oxley for publicly traded companies; the Health Insurance Portability and Accountability Act (HIPAA) for organizations that handle private medical information; and the Federal Information Security Management Act (FISMA) for government agencies. What they all share is a requirement for strong security controls and the ability to demonstrate that only authorized users have access to regulated data.

In their rush to reach regulatory compliance, many companies have turned for help to their CIO. This, in turn, has created a formidable challenge for IT. CIOs must be able to manage access to regulated information and systems, satisfy external audits, and demonstrate that proper access has been strictly controlled. "In other words, you have to run reports, reports and more reports," says Bob Blakley, a principal analyst at Burton Group, an IT research and advisory firm. "You have to show who has access to what, and you have to be able to compare that access against corporate policy. You also have to justify the levels of access that different people have been granted."

Providing a verifiable audit trail is serious business for organizations that operate in heavily regulated industries. Just ask Christopher Paidhrin, IS Security & HIPAA compliance officer for Southwest Washington Medical Center (SWMC) in Vancouver, Wash. SWMC must vigilantly maintain compliance and security, and it must always be ready for visits from the Joint Commission on Accreditation of Healthcare Organizations, which evaluates and accredits nearly 15,000 U.S. healthcare organizations. "About once a year they do snap inspections," Paidhrin says. "They'll arrive for two days and run tracers on particular cases." If a hospital doesn't pass the inspection, it risks losing its accreditation and could even be forced to shut down.

As part of his effort to maintain compliance, Paidhrin evaluated all of the hospital's security policies in light of the HIPAA Security Rule, which took effect in 2005. Much of the work involved streamlining the hospital's access privileges for nearly 6,000 users, including 500 external physicians and 1,500 related medical support staff. He found that, in granting workforce access to the hospital's Web portal, SWMC had originally designed role-based access to data and applications around the duties of each employee. That has since changed: access rights are now based on giving medical workers only the data they absolutely need to provide quality health care. "You don't want to give everyone access to a patient's entire medical history," Paidhrin explains. "You want to limit access to what is needed."

Critical Consolidation
Further, to ensure that identity access policies were managed properly, Paidhrin consolidated five identity-data stores that had grown over the years, including two proprietary identity databases. This consolidation proved critical. SWMC is now able to manage user accounts, authenticate them and track every user's identity. "You need to track identities and validate that you have one identity per person," Paidhrin says. "And you need to be able to show, in the event of an incident, who had access."

Such granular IAM efforts are crucial for companies that wish to attain, and maintain, regulatory compliance. "An auditor has to find only a single account from a person who is no longer with the company, or an account from someone who switched jobs in the last year and still has access to the wrong applications," says Andrew Stone, identity and access management security practice head at business-services provider Crowe Chizek & Co. "All of a sudden a weakness in your organization has been demonstrated."

But there's more danger in those weaknesses than a negative audit finding. Improperly managed identities are exactly where malicious insiders and thieves look to gain illegal access. "It's clear that if you can immediately adjust peoples' privileges to what they're supposed to be, you can significantly reduce your exposure to various kinds of fraud, theft and vandalism," says Burton Group's Blakley.

Building an IAM program that can quickly add, revise, suspend or terminate user access takes a combination of the right tools and advance planning. The typical enterprise has dozens, if not hundreds, of programs running on multiple platforms, from desktops through servers and all the way back to mainframes in the data center. As a result, the manual approval process required to expand an existing employee's access rights can involve myriad sign-offs from distinct business groups, including immediate supervisors, middle management, human resources and IT managers. Managing this provisioning of user access with paper sign-offs or lengthy spreadsheets is not only time-consuming and error-prone; it also leaves porous audit trails. "The worst part is, by the time the account gets created, the person you've created it for can be out on vacation, and then the temporary password you set for him expires," says Crowe Chizek's Stone. "Then you have to start a whole new process that has to be fixed."
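The checks Blakley and Stone describe (who has access to what, compared against policy; accounts belonging to people who have left or changed jobs) and Paidhrin's "one identity per person" rule amount to a reconciliation between the HR record and the account exports of each system. The following is an added example, not code from the article or from any vendor's suite. The HR feed, the three hypothetical systems (a directory, an EHR application and a mainframe), their account exports, the role policy and the entitlement names are all constructed for the illustration.

```python
"""Access reconciliation: compare the accounts that exist, and what they can do,
against the HR record and a role-to-entitlement policy.

Added example, not code from the article or from any vendor suite. Every
dataset below is constructed: an HR feed, account exports from three
hypothetical systems, and a role policy.
"""
from collections import defaultdict

# Constructed HR feed (the authoritative list of people):
# employee_id -> (name, job function, status)
HR = {
    "E100": ("Ana Ruiz", "nurse", "active"),
    "E101": ("Ben Okafor", "billing", "active"),    # moved from nursing to billing
    "E102": ("Cara Lim", "nurse", "terminated"),    # left the organization
    "E103": ("Dev Patel", "physician", "active"),
}

# Constructed role policy: what each job function SHOULD hold, nothing more.
ROLE_POLICY = {
    "nurse": {"portal:login", "ehr:read_chart", "ehr:write_vitals"},
    "billing": {"portal:login", "billing:read_claims", "billing:write_claims"},
    "physician": {"portal:login", "ehr:read_chart", "ehr:write_orders"},
}

# Constructed account exports: (system, account name, employee_id or None, entitlements)
ACCOUNTS = [
    ("directory", "aruiz", "E100", {"portal:login"}),
    ("ehr", "ana.ruiz", "E100", {"ehr:read_chart", "ehr:write_vitals"}),
    ("ehr", "ruiza", "E100", {"ehr:read_chart"}),                    # second identity, same person
    ("directory", "bokafor", "E101", {"portal:login"}),
    ("billing", "bokafor", "E101", {"billing:read_claims", "billing:write_claims"}),
    ("ehr", "bokafor", "E101", {"ehr:read_chart"}),                   # kept from the old job
    ("ehr", "clim", "E102", {"ehr:read_chart", "ehr:write_vitals"}),  # owner has left
    ("mainframe", "SYSOPS2", None, {"mainframe:all"}),               # nobody owns it
    ("directory", "dpatel", "E103", {"portal:login"}),
    ("ehr", "dpatel", "E103", {"ehr:read_chart", "ehr:write_orders"}),
]


def reconcile(hr, policy, accounts):
    """Return findings an auditor would ask about, keyed by type:

    orphan_accounts  - owner is terminated or unknown to HR (leavers)
    unowned_accounts - no employee id at all; cannot be tied to a person
    excess           - (employee_id, system, entitlement) held but outside the role (movers)
    duplicates       - (employee_id, system, [accounts]) more than one identity per person
    """
    findings = {"orphan_accounts": [], "unowned_accounts": [], "excess": [], "duplicates": []}
    seen = defaultdict(list)  # (employee_id, system) -> account names

    for system, name, emp, ents in accounts:
        if emp is None:
            findings["unowned_accounts"].append((system, name))
            continue
        record = hr.get(emp)
        if record is None or record[2] != "active":
            findings["orphan_accounts"].append((system, name, emp))
            continue
        seen[(emp, system)].append(name)
        allowed = policy.get(record[1], set())
        for ent in sorted(ents - allowed):
            findings["excess"].append((emp, system, ent))

    for (emp, system), names in seen.items():
        if len(names) > 1:
            findings["duplicates"].append((emp, system, sorted(names)))
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(HR, ROLE_POLICY, ACCOUNTS).items():
        print(kind)
        for item in items:
            print("   ", item)
```

In a real deployment the account exports come from each system's connector and the role policy is the output of the role-definition work described later in this piece. Each line the script reports is a deprovisioning or justification ticket, not just an audit entry: the departed nurse's EHR account, the billing clerk who can still read charts, the mainframe account nobody owns, and the nurse with two EHR identities.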

Simplify It
Until recently, providing authentication and authorization for employees, business partners and others required many products from at least as many vendors: provisioning software, directories, single sign-on for Web, intranet and custom applications, and role-based management tools. To simplify this, some providers now offer identity management suites that deliver centralized identity, access and entitlement management in a single package.

These suites aim to not only simplify management of an IAM solution, but also help CIOs overcome some of the biggest hurdles in a full-fledged IAM deployment. In particular, there are significant technical difficulties associated with connecting all applications—whether they were built in-house or bought—to any IAM solution, not to mention the lack of consistent entitlement management among those applications. "Most Fortune 1000 companies have applications that they've built internally," says Bilhar Mann, SVP and GM for CA's Security Business Unit. "And the ways that each of those applications manages access usually are different."

The holistic approach offered by IAM suites is crucial, not only for managing identities and access to applications, but also for regulatory audits. "With a suite, you can get detailed audit information from various applications very easily," Mann says. "This makes it possible to add reporting details that may allow auditors to gather the data they need."

That kind of flexibility impresses industry consultants, who say the new consolidated offerings actually provide CIOs with a broader range of capabilities. "Many organizations are looking to address their strategic initiatives, as opposed to one-time, siloed solutions, such that they can address their broader governance framework requirements," says Deborah Golden, a security and privacy services principal at Deloitte & Touche LLP. "The components of identity and access management may address a variety of governance aspects that span an organization including people, processes and technology."

In fact, the benefits of IAM can extend far beyond compliance and security. Single sign-on, which requires only one user name and password for users to reach the resources they need, improves the user experience and saves time by cutting the number of passwords that can be forgotten or lost. Similarly, self-service password-reset tools can save an enterprise thousands of help desk calls every year. And delegated (self-service) administration, in which partners and suppliers manage access for their own users, can improve the accuracy of user-identity accounts and speed access to crucial applications and resources.

The overall move, say industry watchers, is toward better internal controls on practically all systems. "Systems today are growing more richly connected," Blakley of Burton Group explains. "In the old days, you didn't have to worry about somebody connecting to your system from a cell phone on a train in Bulgaria. Now, you pretty much do. With this new level of connectedness comes a need to protect and control systems deeper and deeper in the enterprise."

George V. Hulme is a Minneapolis-based freelance writer who has covered business and technology for nearly 20 years.

Identity and Access Management at a Glance
The components and terms used to describe IAM can be abstract and complex. Here's a breakdown of commonly used terms and what they mean.

Entitlement Management: The process of establishing, enforcing and monitoring which applications and information specific users are authorized to gain access to.

Federated Identity Management: A form of identity management in which organizations trust and accept identity and authentication information established by trusted external parties, such as partners, suppliers and even customers. In a federated identity management system, for example, a corporation could trust the identities and logon information from its partners to access relevant applications.

Authentication: The process of establishing that an end user is who he or she claims to be. Authentication can rely on a username/password, or on stronger mechanisms such as a fingerprint or other biometric, or a smart card; combining two of these means a stolen password alone is not enough.

Authorization: The process of determining which system resources (storage, network segments and the like) and which applications an authenticated user is permitted to access, and what operations he or she may perform on them.

Single Sign-On: The ability of a single user to access multiple applications, even multiple business networks, using a single form of authentication, such as a username/password. Single sign-on systems can exist within the domain of a single company or be federated across multiple organizations.


Setting the Right IAM Road Map
To establish a successful identity and access management (IAM) program, CIOs need to begin by asking who needs access to which resources, and why. "What do users currently have access to? What should they have access to? Who authorizes their access? And what is the business need for access?" says Bilhar Mann, SVP and GM for CA's Security Business Unit.

But wait, there's more, says Christopher Paidhrin, IS Security & HIPAA compliance officer for Southwest Washington Medical Center in Vancouver, Wash. He believes that any organization preparing to deploy an IAM solution, or to adopt role-based access control, should first carefully craft the roles, responsibilities and corresponding access rights for all the identities that will be managed. This means first working with HR to identify the job functions of each employee, then working with both business and IT managers to determine which applications and information each employee actually needs to access. "You also need to think through the processes you'll put in place for additional levels of access, as well as the termination of access," Paidhrin adds. "It's extremely complex and time-consuming."
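Paidhrin's first step, mapping HR job functions to the applications and data each function actually needs, is in practice usually started from the access people already hold. As an added example (not from the article, and not any vendor's role-mining product), the following proposes a candidate role per job function from a constructed HR feed and a constructed entitlement export: an entitlement joins the proposed role only if most members of the function hold it, and everything else is listed as an exception to justify or revoke. The `min_share` threshold and all names are my own choices. The caveat, which matters for Paidhrin's need-to-know rule, is that mining from current access reproduces whatever over-provisioning already exists, so a candidate role is the input to the review, not its output.

```python
"""Mine candidate roles from HR job functions and the entitlements people hold.

Added example, not from the article. The HR feed and the entitlement export are
constructed; min_share is a tuning knob chosen for the illustration, not a standard.
"""
from collections import Counter, defaultdict

# Constructed HR feed: employee_id -> job function
JOB_FUNCTION = {
    "E100": "nurse", "E104": "nurse", "E105": "nurse", "E106": "nurse",
    "E101": "billing", "E107": "billing",
}

# Constructed entitlement export, flattened across all systems:
# employee_id -> what the person currently holds
ENTITLEMENTS = {
    "E100": {"portal:login", "ehr:read_chart", "ehr:write_vitals"},
    "E104": {"portal:login", "ehr:read_chart", "ehr:write_vitals", "pharmacy:dispense"},
    "E105": {"portal:login", "ehr:read_chart", "ehr:write_vitals"},
    "E106": {"portal:login", "ehr:read_chart", "ehr:write_vitals", "pharmacy:dispense"},
    "E101": {"portal:login", "billing:read_claims", "billing:write_claims"},
    "E107": {"portal:login", "billing:read_claims", "billing:write_claims", "ehr:read_chart"},
}


def mine_roles(job_function, entitlements, min_share=0.75):
    """Propose one role per job function.

    An entitlement joins the candidate role when at least min_share of the
    function's members hold it. Anything held by fewer members is returned as
    an exception with the share that holds it, for a human to justify or revoke.

    Returns {job_function: (candidate_role, {entitlement: share})}.
    Caveat: this reproduces whatever over-provisioning already exists, so a
    candidate role is a starting point for the need-to-know review, not policy.
    """
    members = defaultdict(list)
    for emp, func in job_function.items():
        members[func].append(emp)

    proposals = {}
    for func, emps in members.items():
        counts = Counter()
        for emp in emps:
            counts.update(entitlements.get(emp, set()))
        share = {ent: n / len(emps) for ent, n in counts.items()}
        role = {ent for ent, s in share.items() if s >= min_share}
        exceptions = {ent: s for ent, s in share.items() if s < min_share}
        proposals[func] = (role, exceptions)
    return proposals


if __name__ == "__main__":
    for func, (role, exceptions) in mine_roles(JOB_FUNCTION, ENTITLEMENTS).items():
        print(func, "role:", sorted(role))
        for ent, s in sorted(exceptions.items()):
            print("    exception:", ent, f"held by {s:.0%} of members")
```

The two exceptions this data produces (two of four nurses can dispense from the pharmacy system; one billing clerk can read charts) are exactly the cases the "limit access to what is needed" rule exists for: either they justify a separate, narrower role, or they are revoked before the candidate roles are enforced.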

Heidi Kujawa, director of enterprise applications at Sony Pictures Entertainment, adds that organizations should be braced for the long haul: the journey from ad hoc access controls to a full-fledged identity and access management program is a long one. "This doesn't happen overnight," she says. "You need to be patient, and you need to think strategically for the long term."

So what can CIOs look forward to once all the processes and procedures are in place to authorize, manage and monitor user access? According to Ron Moritz, senior vice president and chief security strategist at CA, they'll have both regulatory compliance and the potential for increased security. "Organizations can then look down and see what's happening throughout their enterprise," Moritz says. "They can see if passwords are getting rejected or if there are other access violations, and investigate them further." In other words, an answer that's worth the wait.
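Moritz's point about spotting rejected passwords only pays off once authentication events from the consolidated systems land in one log and someone looks at them in aggregate. As an added example (not the article's, and not any CA product), the following runs two detections over constructed log lines in a made-up format (timestamp, source address, account, outcome): repeated failures against one account followed by a success, and one source failing against many different accounts, which a per-account lockout never notices. The thresholds are arbitrary starting points chosen for the illustration.

```python
"""Detect authentication failures worth investigating in a consolidated auth log.

Added example, not code from the article or any product. The log format and the
events below are constructed; thresholds are arbitrary starting points.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: "<ISO timestamp> <source IP> <account> <FAIL|OK>"
LOG = """\
2007-03-01T08:00:01 10.1.2.3 aruiz FAIL
2007-03-01T08:00:05 10.1.2.3 aruiz FAIL
2007-03-01T08:00:09 10.1.2.3 aruiz FAIL
2007-03-01T08:00:12 10.1.2.3 aruiz FAIL
2007-03-01T08:00:15 10.1.2.3 aruiz FAIL
2007-03-01T08:00:20 10.1.2.3 aruiz OK
2007-03-01T09:10:00 10.9.9.9 bokafor FAIL
2007-03-01T09:10:02 10.9.9.9 clim FAIL
2007-03-01T09:10:04 10.9.9.9 dpatel FAIL
2007-03-01T09:10:06 10.9.9.9 sysops2 FAIL
2007-03-01T09:10:08 10.9.9.9 hrobbins FAIL
2007-03-01T12:00:00 10.1.2.7 bokafor FAIL
2007-03-01T12:30:00 10.1.2.7 bokafor OK
"""


def parse(text):
    """Turn the constructed log into (timestamp, source, account, outcome) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, account, outcome = line.split()
        events.append((datetime.fromisoformat(ts), src, account, outcome))
    return events


def detect(events, window=timedelta(minutes=10), max_fail=4, spray_accounts=4):
    """Return alerts as (kind, key, detail) in the order they fire.

    brute_force            - max_fail or more failures for one account inside window
    success_after_failures - a flagged account then logs in: possible compromise, not just attack
    password_spray         - one source fails against spray_accounts distinct accounts
                             inside window (each account sees only a single failure)
    """
    alerts = []
    fails_by_account = defaultdict(list)   # account -> [timestamp]
    fails_by_source = defaultdict(list)    # source  -> [(timestamp, account)]
    flagged_accounts, flagged_sources = set(), set()

    for ts, src, account, outcome in events:
        recent = [t for t in fails_by_account[account] if ts - t <= window]
        if outcome == "OK":
            if account in flagged_accounts and recent:
                alerts.append(("success_after_failures", account,
                               f"login from {src} after {len(recent)} recent failures"))
                flagged_accounts.discard(account)   # let a later attack fire again
            continue

        fails_by_account[account].append(ts)
        fails_by_source[src].append((ts, account))
        if len(recent) + 1 >= max_fail and account not in flagged_accounts:
            flagged_accounts.add(account)
            alerts.append(("brute_force", account,
                           f"{len(recent) + 1} failures within {window} from {src}"))
        targets = {a for t, a in fails_by_source[src] if ts - t <= window}
        if len(targets) >= spray_accounts and src not in flagged_sources:
            flagged_sources.add(src)
            alerts.append(("password_spray", src,
                           f"{len(targets)} distinct accounts within {window}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(LOG)):
        print(*alert)
```

On this data the single mistyped password from 10.1.2.7 produces nothing, the five failures and then a success on aruiz produce two alerts (the second is the one to investigate first), and 10.9.9.9 is flagged as a spray even though no account it touched failed more than once. The same structure extends to authorization denials ("other access violations" in Moritz's words) by keying on the denied resource instead of the account.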

—G.V.H.
