ID management in the security spotlight

Identity management remains a problem for both private and public sector organisations, according to security experts speaking at London's InfoSecurity Europe event last week.

Paul Simmonds, director of global information security at ICI, said the main problem facing organisations is deciding how to manage access of systems by people outside of that system. Organisations have increasingly complex relationships with partners, outsourced operations, and clients, he said. "The problem boils down to the fact that both corporations and government can operate ID management schemes very easily, so long as we control the scheme. How can you trust someone you don't manage? We have not thought that out."

Simmonds said one of the main challenges for businesses is the need to move to user-based access to applications, rather than whether one IP address can have access to another.

Federated identity - the identity of a user spread across distinct identity management systems, assembled by means of a token - still runs up against the wall of trust, according to Simmonds. "Federated identity is a brilliant idea but very hard to implement, as you have to trust someone else's credentials - am I going to trust your company's credentials on my system? Am I going to trust your company's smartcard to access my building? Of course not."

Andy Kellet, senior research analyst at Butler Group, agreed identity management is still a perennial problem for businesses, as semi-anonymous access is the norm. A username and password does not guarantee the identity of the user - and the lack of very clear aims hamstrings many identity management projects, he argued. "Projects often become overly complex," said Kellet. "Solutions are resource-hungry, and take too long to implement. Systems cover pseudonymous access but now there's a need for very strong, two-factor authentication."

According to Kellet, the particular problems associated with identity management are provisioning and deprovisioning of user identities, access control, and identity federation.

However, Stuart Okin, Accenture's UK head of security, said these problems can be overcome. Accenture, which runs ID management consultancy services, is working with a number of businesses to implement identity management systems. "We're working with 600 clients on enterprise management solutions worldwide," he said. "We've largely taken our clients on the journey of consolidating and sharing identities. Many clients are still on that journey."

Okin said Accenture had successfully implemented single sign-on tokens throughout its own business, and used stronger forms of identification when necessary. He said many Accenture clients that have implemented single sign-on systems are considering two-factor authentication. "The next stage is putting in strong authentication - smartcards or tokens," said Okin. "With single sign-on, you have the keys to the kingdom. Accenture gives tokens for accessing certain systems - for example SAP accountancy software - but single sign-on is usually fine for less sensitive systems like email, depending on the organisation."

However, some IT professionals feel the proposed use of identity management systems in the public sector - for example, in the national ID cards scheme - is unnecessary. Toby Stevens, vice chair of the British Computing Society security forum, said: "The issue is a disproportionate situation where an individual or organisation builds up too much information on another individual or group. We have excellent federated identity systems already in place. Now we need leadership from government in the identity assurance environment."

Stevens said it is possible to build up a thin citizen-data substrate which is used to ensure uniqueness, and to make sure people aren't asserting two different identities.

ICI's Simmonds said ID cards could be linked to corporate networks to provide trusted authentication: "With the national ID card scheme, we'd love to use that as part of corporate authentication. We've seen nothing along those lines."

However, Bob Ayers, ex-security chief of the US Department of Defense, said there is a danger that government and the private sector collating data from the use of ID management systems could seriously affect citizen privacy. "My ultimate fear is in our ability to take information held by government and information held by the private sector and begin to correlate these to understand in excruciating detail what you're doing and who you're doing it with," he said.

Tom Espiner writes for ZDNet UK