Identity management: collaborative and continuous

Disclaimer: Please note that this article is at least 12 months old.
Any information herein was accurate when published on 1 July 2008

We all like to think of ourselves as individuals – unique, one of a kind. With identity fraud on the increase, however, unless you safeguard your company's financial information religiously, you're bound to discover a whole new team of invisible employees who love using the company credit card. Worse still, give an identity fraudster access to company information and you might suddenly find competitors benefiting from highly “confidential” data. Mark Dunn, director of risk management: BDO Spencer Steward, explains that putting a comprehensive identity and access management strategy in place is thus critical for any business…

For identity management to work and be truly effective in your company, it needs to be both collaborative and dynamic. This is because identity management has evolved from merely knowing who someone is, to controlling what they can do in your company, as well as where and when they can do it. As such, your company's identity management processes and systems have everything to do with allowing some people in, and keeping others out – hence the development of Identity and Access Management (IAM).

IAM is built on the premise of streamlining and simplifying the administration of access. It thus comprises the processes and technologies you choose to put in place to manage the digital identities of your employees, and control how these identities can be used to access data and information. In an ideal world, employee identities would be synchronised across all your systems, and your company would have an automated process for “issuing” these and discontinuing access as soon as employment is terminated. Sadly this does not correspond with the reality in most companies. What we typically see in the marketplace is how companies leave themselves vulnerable to fraudsters both within and without the company. This is usually due to a lack of policy and subsequent strategy when it comes to IAM – and a misconception as to who is responsible for this.

Companies need to realise that identity management is not a simple IT issue, but rather a business one. It extends well beyond giving a new employee a user name and password on a “post-it”. While technology will enable identity management, business has to guide this relative to operations. It thus needs to be integrated into the business process and managed from the top. If it isn't management driven it won't happen properly.

The starting point for your company's IAM systems and processes thus needs to be management defining basic principles and then translating these into policy. Procedures and guidelines will be derived from these – which your technical team can then set about implementing using available technology. That being said, these need to be revised and updated on a regular basis, revisiting systems that aren't working and strengthening those that are.

One of the most critical (and generally neglected) elements of your identity and access management strategy is that of communicating it to your employees and getting their co-operation and buy-in. By alerting them to the dangers of identity theft – and its potential implications and impact on both themselves and the company – employees will become active participants in and contributors to your strategy. In this way you will encourage and promote a safer, more secure working environment that protects not only your critical information, but also your employees themselves.

Instead of seeing Identity and Access Management as a necessary evil then, companies should rather view it as an opportunity to manage and protect valuable resources more effectively. By putting comprehensive, collaborative processes in place and updating these on a continuous basis, you'll soon find that you not only know who is doing what where, but also have a real means of improving the IT security, knowledge and systems management of your organisation.

Sidebar: seven simple steps to protect yourself from identity fraud

  1. Manage your personal information wisely. Destroy all personal financial information before you throw it away. Tear it up, shred it or burn it.
  2. Store your personal and financial information in a safe place. Don't leave personal and financial information lying around at the office. Empty your purse or wallet of all unnecessary information.
  3. Know your PIN numbers by heart. Learn all of your PIN numbers and passwords – don't write them down in obvious places like your diary, and never store them in your wallet or purse.
  4. Create unusual passwords. When creating passwords or PIN numbers don't use obvious ones like your name or birth date, “1234” or “password”. Include numbers and symbols wherever you can – just make sure that you will be able to remember them!
  5. Be alert. If you're doing internet banking or using an ATM machine keep a look out for “shoulder-surfers”. Never enter any personal information when someone is watching you, your fingers or your screen.
  6. Don't send personal details in emails. No bank or financial institution will ever request you “confirm” personal details in an email. They will also never send you a link to update these. Should you receive such an email, contact your bank or financial institution immediately and alert them to the scam.
  7. Never let your credit card out of your sight. When paying by credit card, know where it is at all times. Ask the shop attendant or waitron to keep your card where you can see it. At restaurants if they don't have a mobile credit card machine, go with your waitron to the pay point.
