Identity Management in Government


This month's issue of Governing Magazine is a special issue on Online Privacy. There are three articles: one on privacy, one on surveillance, and one on managing identity. All three are topics I enjoy, but the one that caught my eye was the identity article. It starts out:

There are ghosts in government, and they're lurking in databases and applications throughout the online universe. That should be pretty scary for the caretakers of the information that governments are supposed to safeguard. The specters are actually real people -- employees who were given access to computer applications so that they could get information they needed to do their jobs. Only now they've moved on: They've either changed jobs or left government altogether. But their names and accounts linger. A former employee or other knowledgeable person could use that opening to gain entry to a program or database and steal personal information, change data or simply see information he or she has no right to see.

Of course, government isn't the only enterprise with this problem. Many large organizations suffer from the same problem. I've heard stories of companies with "zero-day" start plans, but no reciprocal "zero-day stop" plan. It's a great efficiency boost to get employees turned on and working quickly, but it's just as important to turn down authorizations when they're no longer needed.
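As an added illustration (not from the article or from either state's systems), the "zero-day stop" gap can be checked with a reconciliation pass over a directory export and the HR roster: every enabled account whose owner has separated, is unknown to HR, or has gone unused is a candidate ghost. The data model, field names and sample records below are constructed assumptions, not any real agency's schema.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Account:
    username: str
    owner_id: str                 # HR employee id the account was issued to (assumed field)
    enabled: bool
    last_login: Optional[date]    # None if the account has never been used

@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    separation_date: Optional[date]   # None while the person is still employed

def find_ghost_accounts(accounts: List[Account], hr_records: List[HrRecord],
                        today: date, stale_days: int = 90) -> Dict[str, str]:
    """Map each enabled account that should be turned off to the reason why.
    Flags: owner separated in the past, owner unknown to HR, or no login for
    longer than stale_days (a cheap proxy for a departure HR never recorded)."""
    by_id = {r.employee_id: r for r in hr_records}
    ghosts: Dict[str, str] = {}
    for acct in accounts:
        if not acct.enabled:
            continue                       # already turned down; nothing to do
        rec = by_id.get(acct.owner_id)
        if rec is None:
            ghosts[acct.username] = "no matching HR record"
        elif rec.separation_date is not None and rec.separation_date <= today:
            ghosts[acct.username] = f"owner separated on {rec.separation_date.isoformat()}"
        elif acct.last_login is None or (today - acct.last_login).days > stale_days:
            ghosts[acct.username] = f"no login in the last {stale_days} days"
    return ghosts

# Constructed sample data: a small directory export and HR roster (hypothetical).
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "E100", True, TODAY - timedelta(days=3)),     # active employee
    Account("bob", "E200", True, TODAY - timedelta(days=30)),      # left two weeks ago
    Account("carol", "E999", True, TODAY - timedelta(days=1)),     # no HR record at all
    Account("dave", "E300", True, TODAY - timedelta(days=200)),    # employed, but idle
    Account("erin", "E200", False, None),                          # already disabled
]
SAMPLE_HR = [
    HrRecord("E100", None),
    HrRecord("E200", TODAY - timedelta(days=14)),
    HrRecord("E300", None),
]
```

Running `find_ghost_accounts(SAMPLE_ACCOUNTS, SAMPLE_HR, TODAY)` flags bob, carol and dave; alice is active and erin is already disabled, so neither appears.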

The article highlights what two states, North Carolina and Washington, are doing, but oddly, neither case study really addresses the overall identity management problem or what states ought to be doing. The North Carolina case describes a secure portal for documents that require authorization; the Washington case describes the state's use of certificates for businesses accessing some of its services. There is a nod to single sign-on, but neither addresses the real problem: managing identities.

Really getting out in front of this requires a lot more than certificates or a secure portal; it requires an identity management strategy. A digital identity strategy is a long-term plan that models how identity information will be used by your business, taking into account the key stakeholders in identity: your partners, customers, and employees. There are several important steps:

  • creating an enterprise information architecture (EIA) to determine the business context for your strategy,
  • determining the digital identity life-cycle in your organization,
  • developing an authentication and authorization policy consistent with the EIA and your digital identity life-cycle,
  • planning and implementing enterprise directory services and other infrastructure necessary to support your policies, and
  • publishing and maintaining a privacy policy based on the authentication and authorization policy along with relevant laws and stakeholder expectations.

Enterprises that implement an identity management strategy stand to reap significant benefits. Among these are a consistent and systematic approach to customers, improved security for corporate applications and information, lower user administration costs, and better compliance with internal and external policies.