News

Congress Looks at Enterprise ID Management

• By John K. Waters
• March 28, 2005

If you're not nervous about identity management and security in your organization, you're just not paying attention. Recent ID heists at ChoicePoint and Bank of America lit a veritable bonfire under Congressional behinds, and lawmakers are set to put the onus for safeguarding customer info squarely on the shoulders of the enterprise.

"Congress is about to put companies on the spot to clean up their act by requiring corporate offices to demonstrate that they have implemented adequate measures of security for customers' personal data," says Joe Anthony, director of integrated identity management at IBM Tivoli. "The new legislation is going to make it an even bigger challenge for businesses. Remember that the ChoicePoint data was publicly available data. It’s not like they went off and did anything devious to capture it. Like many, many other companies, they simply accumulated all of that information over time."

ChoicePoint maintains a 19-billion-item database that includes Social Security numbers, drivers’ license numbers and credit data. In mid-February, the company disclosed that ID thieves had gained access to the personal information of up to 145,000 U.S. residents. Later that same month, BofA announced that digital tapes containing the credit card account records of 1.2 million federal employees (including 60 U.S. senators) had been lost during transport on a commercial airline flight.

Adding fuel to this bonfire, LexisNexis' parent company, Reed Elsevier PLC, announced last week that hackers had compromised databases and stolen the personal information of at least 32,000 people.

In 2003, California passed the only state law requiring companies to notify customers of data breaches. The latest thefts have spurred Golden State Senator Dianne Feinstein to propose a new bill that would require businesses and government agencies to notify the likely victim when there is a "reasonable basis to conclude" that a criminal has obtained unencrypted personal data.

Now, Senate Banking Committee, Senator Jon Corzine of New Jersey and Senator Charles Schumer of New York are proposing national ID theft legislation. Corzine's bill would require businesses to tell customers immediately if they believe that data about them has been compromised. Schumer's legislation would establish an ID theft office at the Federal Trade Commission with jurisdiction over data brokers, and would require companies that sell consumer data to third parties to conspicuously display that information on the front of their Web sites.

And just last week, the U.S. Federal Reserve Board issued new rules requiring banks and other financial institutions to notify consumers "as soon as possible" when their personal data has been stolen.

The final picture is still pretty fuzzy, but it's clear that more regulation is coming. Now is the time for companies to take a hard look at fraud prevention. Gartner analyst Avivah Litan recommends a "multipronged" approach. Commenting on the ChoicePoint breach in a recent Gartner report, Litan writes: "This incident shows how enterprises must take a multipronged approach to fraud prevention. Strong authentication does nothing if you are authenticating a bogus transaction. Data encryption does nothing if crooks pose as legitimate entities to gain open access to the data."

Gartner recommends that enterprises tighten access controls on credit reports and other sensitive data; subscribe to better fraud protection systems, so that when these stolen identities begin to be used, they are detected through behavior pattern recognition and implement a policy of notifying consumers immediately and fully when a breach is discovered."

“Don’t wait until there’s a breach,” advises IBM Tivoli’s Anthony. “Go ahead and start taking steps to make sure that there are good controls in place. Think in terms of [Sarbanes Oxley], where you have to have the business processes in place and then demonstrate compliance.”

IBM's Tivoli software unit, based in Austin, TX, provides a variety of products for managing computer networks, including applications that enable network administrators to control users, systems, databases and applications from a single location. Tivoli's products are also used for tasks such as storage resource management, security management and performance and availability monitoring.

Anthony describes Tivoli's ID management products as a “portfolio statement,” and he agrees with Gartner's advice. "No one product does it," he says. ID management is really a lifecycle management process."

The Tivoli portfolio contains several ID management products, including three versions of IBM Tivoli Access Manager (for Business Integration, for e-business, and for Operating Systems), as well as the IBM Tivoli Directory Integrator, Directory Server, Identity Manager, Privacy Manager for e-business, and Security Compliance Manager.

Whatever the technology deployed, there's no final solution, Anthony says. Companies need to think about ID management as an ongoing process. "Keep the Sarbanes-Oxley model in mind," he says. "Auditors are coming in each quarter, asking questions, auditing the system, even though very good controls are in place. That's a good way to run the entire operation."