Children's Hospital Boston automatically adds new workers to most systems and apps, says Lenzi (right, with Leary
Photo by Jason Grow
About a year ago, the hospital took steps to cure its identity-management ills. It tackled passwords and installed Courion's PasswordCourier first. The application lets hospital workers reset forgotten passwords and synchronizes user names and passwords for various applications. Last summer, the hospital installed Courion's AccountCourier, which helps IT and business managers more easily grant and revoke access to applications and system resources. Most databases, applications, and identity directories have their own native access-management schemes. AccountCourier provides a central identity repository that contains an employee's access rights and can be used to centrally create, modify, disable, or delete access rights as needed.
Today, hospital workers can be automatically added to most of the hospital's systems and applications. "Our turnaround time is literally 10 minutes," Lenzi says. That's quite an accomplishment for an organization with a transient workforce. An intern or a resident may start working, leave for 30 days, and then return. That makes it hard to track and manage identities. By using one identity-management repository, most of the inefficiencies have been eliminated, Lenzi says. Security problems, such as a worker who has left the hospital but could still have access to applications, also have been solved, he says. Everything is tracked through the hospital's help-desk software. "This brings us one step closer to the goal of having single-sign-on access for employees," Lenzi says.
But that goal is still down the road. One step the industry still needs to take is to adopt interoperable standards so various products can work together without a lot of manual integration. Another problem: Most provisioning, access-control, and identity-management applications don't support a wide enough variety of applications, databases, and operating systems, says Gene Fredriksen, VP for information security at Raymond James & Associates. The financial-services firm is evaluating identity-management vendors. "So far, it doesn't seem like any single vendor can do everything or provide everything you need," he says.
Then there's that question of trust. As GM learned with its test, it probably won't be technical issues that keep identity-management systems from making the leap from handling internal applications and employees to managing access for nonemployees working for business partners or suppliers. It's likely to take many businesses much longer to work out the legal and security issues involved in letting outsiders gain single-sign-on access.
Nobody understands that better than Fredriksen, who works for a firm that moves vast sums of money around the world at the press of a button. "What if a financial-services company trusts the sign-on authorization from a partner company and conducts a transaction, and it turns out that person's identity was stolen? Who's responsible for that transaction?" he asks.
That's a good question, and one that probably will have to be answered in court. But for most businesses, the benefits that can be derived by improving the way they manage identities are too great to wait for all the answers.
Illustration by Viktor Koen