While working for a competitor, a former bank employee dials in to her old voice-mail account and filches internal banking announcements. An intern at a major manufacturer builds his own sales account simply by calling a secretary who gives him unfettered access to the company's sales-lead database. How secure is the data your company gathers and stores? If your company is like most, your data is probably more readily available than you think.
When companies forge partnerships with suppliers, clients, and customers, they expose their systems to security breaches not only by their own employees but their partners' employees as well. How can a chief technologist gain control over access to a company's secure resources? The answer seems to lie in a robust identity management system, which gathers and manages employees' personal data, ensures the approval of those whose data is being used, and offers ironclad security. On the surface, identity management offers many protections, but lurking beneath are the many thorny issues still surrounding privacy and trust.
Tony Scott — CTO of General Motors in Detroit and an active member of the Liberty Alliance, a federated-network identity standards group — sees a great need for identity management systems that better address privacy concerns.
"In a business context as collaborative as GM's — with all its partners and joint ventures — you worry about the security of partner identities," Scott says. "Let's say we contract with Company A to work with us on designing an automobile part. We want them to have access to some GM systems. You worry about privacy concerns in this context. And if I am an employee of Company A, I probably have to give GM a lot of personal information just to do the work with them, and I don't trust GM as much as I trust Company A."
If an identity management system fails to protect privacy, the company faces sharp fines, legal liability, a damaged reputation, and the loss of customers' trust. But a company that guarantees privacy guards against shattered end-user and business partner confidence, safeguards enterprise access points from unauthorized entry, and offers compliance with a slew of government-mandated privacy controls (see "Leading the charge into privacy legislation").
Getting privacy under control
Many technologists have yet to come to grips with the implications of an inadequate identity management system, says Walter Janowski, a San Jose, Calif.-based Gartner research director whose expertise includes enterprise privacy management.
"Privacy is a growing concern," Janowski says. "There will be large-scale abuse [of personal data] that will lead people to say, 'We'll never do that again.' But companies that are ahead on their thinking are considering ways to get their privacy [policies] under control."
One of the first questions that chief technologists must answer is how they'll handle and use personal data, according to Ken DeJarnette, principal at New York-based Deloitte & Touche. To reduce the risk of trampling on privacy, identity management systems must include corporate policies that define the level of access to information that employees have according to their role within the company. Companies also need to scrutinize how they can share information freely with partners without breaching employee or customer privacy rights.
Privacy concerns are affecting companies in all sectors, but no single industry sits as squarely in the crosshairs as financial services, largely because of high transaction volumes and the vast amount of sensitive user and business information it harbors. Secure transactions, for example, remain one of the greatest causes for worry. Identities are ripe for the picking if unique qualities — such as an unusual last name, a medical condition, or even a geographic area — can be used to link someone's digital identity with personal, identifiable data.
Making matters worse, companies are storing such identifiable data and digital IDs in more transparent directories and LDAP-accessible systems rather than stowing them in the back end. Much of the information being stored — in an HR or customer-order database, for example — is being pulled on the fly into less secure meta and virtual directories for business purposes.
"We see the [privacy] problem getting worse. We see the entire financial industry in the U.S. putting their heads between their knees right now hoping the problem is going to go away," says Jim Hurley, vice president and managing director of information security at Boston-based Aberdeen Group. "These guys better get their heads out of the sand, or they're going to be in trouble."
Working in conjunction with an identity management system should be a good privacy system with an emphasis on human interaction and judgment. To be effective, it must include a hierarchy of sensitivity that allows critical data to be treated and navigated differently as higher levels are attained, according to Larry Ponemon, chairman and founder of Ponemon Institute, a Tucson, Ariz.-based privacy research facility.
Privacy-enabling technology from major IT vendors must allow IT administrators to make better decisions about how they use, share, and collect information. Ponemon dubs privacy the "sleeping tiger" technology because it could allow companies to prove to their customers that their data is being protected, establishing a high degree of trust with them. Privacy best practices must develop from a disclosure model to one capable of keeping bad things from happening. Ponemon believes that IBM has great potential to accomplish that goal, pointing to IBM's Tivoli Privacy Manager and the company's European institute dedicated to researching privacy problems and developing privacy-enabling technology (see "IBM enhances the honor system").
A united front?