Managing staff access is big business

Effective identity management - tracking when employees start and stop work at an organisation - is a complex but important IT function for any reasonable-sized business.

In enterprise-speak, information professionals talk about "provisioning" access to various IT applications for new staff and "de-provisioning" those services when people leave.

As well as making newbie staff feel welcome and productive, a well-run identity management system can have a big impact on a company's bottom line.

Knowing exactly who is (and isn't) working for the company at any point in time can mean a huge saving in software licensing fees, for example, and can prevent costly security breaches.

IT sabotage attacks or security breaches by disgruntled former staff who find their way back into the system are a nightmare scenario for businesses.

Last year three former employees of Indian business process outsourcing company Mphasis were arrested on charges of using their old access privileges to plunder the company's databases, stealing bank account information from Mphasis clients and transferring US$350,000 into new accounts.

Large corporates are increasingly wary of this type of scam and as a result are more willing to invest in effective "de-provisioning" systems.

One company taking the issue seriously is global investment banking firm Lehman Brothers, which has more than 15,000 employees in 42 offices around the world.

On a visit to New Zealand last month, Lehman's vice president of information security, Ramin Safai, said the firm began a major overhaul of its identity management function about four years ago.

"Our typical system, when we started doing analysis of it, had about 20 to 30 per cent bad users in it - users who should not have had access," Safai said. "That justified the cost of the provisioning system all together."

Lehman discovered it was running hundreds of systems - everything from email to specialised data bases - meaning the task of recording who had access to what was a massive one.

"One of the reasons we started the project was that the CIO (chief information officer) came to the office and asked: 'If one of my staff leaves how long will it take you to tell me what that person had access to?'.

Our answer was, in the best estimate, two months because we had to go and scan every system out there," Safai said.

"That was totally unacceptable and one of the main reasons we decided the risk factor of not knowing what the user has access to was quite significant."

Alberto Yepez, Oracle's vice president of identity management and security, says most companies don't have adequate internal controls to allow then to turn off access to all systems a staff member has access to when that individual leaves the business.

US-based Yepez, also in the country last month on a tip to drum up business for Oracle's identity management solutions, says the recent focus on improving audit trails and corporate governance was driving interest in the issue.

In this part of the world, where the impacts from governance scandals such as Enron has not been felt as strongly, identity management has not yet received the corporate focus it has in Europe and America.

However, large Australasian enterprises that are working on identity management projects with Oracle include several banks, Telstra, Qantas and, in New Zealand, the Inland Revenue Department.

Michael Burling, Oracle's Sydney-based general manager of identity management solutions for Asia-Pacific, said the identity management issue affected all types of industries.

It was an effective process to have in place when organisations were going through a merger because it helped ensure privacy was maintained and staff of both organisations retained appropriate access to their various systems.

Burling said he expected government departments in New Zealand will be the early adopters of Oracle's identity management systems.

"It [New Zealand] won't be the biggest market but certainly there is still a requirement here and there will be reasonable opportunities."

From the perspective of the IT manager, identity management is an area they are keen to embrace because staff see it as a worthwhile and user-friendly application.

"It's one of the few security things that actually give you benefits when you implement it," is how Lehman's Safai explains it.

"People like you because you've implemented it.'