Identity Management: More Than Just a Password
One way to think about identity management is to imagine an enormous blueprint of an office building. It illustrates the rooms each person who works in the building can enter. The blueprint also indicates what kind of key is needed to open the door to a room, and what a person can do once inside.
A computer network is like the building, and each room represents a file, database or application on that network. The employees working in the building are the users. The keys are the privileges that the system administrator hands out to each person who works on the network, providing access to a file, database or application. The keys also determine what a user can do while accessing a specific file or application.
Like building security, identity management is the most essential form of information protection agencies use. It is also among the information security practices that are least often used or properly implemented.
Identity management is more than simply permitting someone to log on; it controls what that user can do, similar to putting boundaries on where a person can go in a building. A systems administrator assigns a credential, usually a number, to a worker. That number allows the employee or contractor into the network and determines what resources can be accessed. It can also alert the administrator (through a monitoring tool) if the user somehow gains access to forbidden areas or performs actions that indicate an attempt to enter prohibited areas.
Requiring a user name and password -- whether to pass through a firewall, to log on to a virtual private network or to open an application -- is identity management in its minimal form. At a more sophisticated level, it incorporates biometrics (such as hand, fingerprint or iris scans) to identify a user, to approve...