Businesses are building systems to manage access to applications and data.

George V. Hulme, Contributor

March 13, 2004

4 Min Read

Until recently, it would take the hospital eight to 21 days to provide new doctors or interns with access to all of the systems they needed to use, says Scott Lenzi, an information security analyst at the hospital. The problem, says customer-service integrator David Leary, was that the IT staff was flooded with faxed requests to add this person or that person to one system or another, and many of the requests were incomplete or illegible.

Scott Lenzi, an information security analyst at the Children's Hospital Boston

Children's Hospital Boston automatically adds new workers to most systems and apps, says Lenzi (right, with Leary

Photo by Jason Grow

The hospital had 30 administrators who spent some time approving new accounts and adding and removing user-access rights to various networks and applications. Many of those managers were unaware of what other managers were doing, and, as a result, many user accounts would remain in place even after the employee left. That created security concerns. "It was a huge, inefficient task and a waste of skilled personnel time," Lenzi says.

About a year ago, the hospital took steps to cure its identity-management ills. It tackled passwords and installed Courion's PasswordCourier first. The application lets hospital workers reset forgotten passwords and synchronizes user names and passwords for various applications. Last summer, the hospital installed Courion's AccountCourier, which helps IT and business managers more easily grant and revoke access to applications and system resources. Most databases, applications, and identity directories have their own native access-management schemes. AccountCourier provides a central identity repository that contains an employee's access rights and can be used to centrally create, modify, disable, or delete access rights as needed.

Today, hospital workers can be automatically added to most of the hospital's systems and applications. "Our turnaround time is literally 10 minutes," Lenzi says. That's quite an accomplishment for an organization with a transient workforce. An intern or a resident may start working, leave for 30 days, and then return. That makes it hard to track and manage identities. By using one identity-management repository, most of the inefficiencies have been eliminated, Lenzi says. Security problems, such as a worker who has left the hospital but could still have access to applications, also have been solved, he says. Everything is tracked through the hospital's help-desk software. "This brings us one step closer to the goal of having single-sign-on access for employees," Lenzi says.

But that goal is still down the road. One step the industry still needs to take is to adopt interoperable standards so various products can work together without a lot of manual integration. Another problem: Most provisioning, access-control, and identity-management applications don't support a wide enough variety of applications, databases, and operating systems, says Gene Fredriksen, VP for information security at Raymond James & Associates. The financial-services firm is evaluating identity-management vendors. "So far, it doesn't seem like any single vendor can do everything or provide everything you need," he says.

Then there's that question of trust. As GM learned with its test, it probably won't be technical issues that keep identity-management systems from making the leap from handling internal applications and employees to managing access for nonemployees working for business partners or suppliers. It's likely to take many businesses much longer to work out the legal and security issues involved in letting outsiders gain single-sign-on access.

Nobody understands that better than Fredriksen, who works for a firm that moves vast sums of money around the world at the press of a button. "What if a financial-services company trusts the sign-on authorization from a partner company and conducts a transaction, and it turns out that person's identity was stolen? Who's responsible for that transaction?" he asks.

That's a good question, and one that probably will have to be answered in court. But for most businesses, the benefits that can be derived by improving the way they manage identities are too great to wait for all the answers.

Illustration by Viktor Koen

About the Author(s)

George V. Hulme


An award winning writer and journalist, for more than 20 years George Hulme has written about business, technology, and IT security topics. He currently freelances for a wide range of publications, and is security blogger at

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights