Local governments routinely acquire, store, modify and distribute some of the most sensitive personal information about residents’ medical histories, financial transactions, personal property records and more. While the careful collection and preservation of sensitive information helps governments deliver integrated services, unauthorized information distribution or inexcusable security lapses can foster a general mistrust of government. Moreover, it may have serious implications for personal privacy and national security efforts.
Most often, IT professionals are the first and last line of defense in information protection. They can grant secure access to employees who need sensitive information, and they can establish barriers to keep unauthorized users away from it. To help with this critical task, governments should treat identity management, the prerequisite for granting secure access, as a cyclical process that is managed throughout the duration of each worker’s employment.
Managers should consider identity management during the three chronological phases of an employee’s service to an organization: initial hire (provisioning), ongoing authorized usage (role-based management) and identity retirement (deprovisioning). The “circle of life” for identity management gives a holistic and balanced view of employees’ roles and responsibilities that can be integrated with current IT components.
Provisioning new user identities should be an automated process — creation of a user identity in a payroll or human resources system should automatically create network logins and passwords. Connecting current IT systems reduces the effort required to sign on an employee and eliminates the risk of data entry errors. Software is available to inexpensively integrate disparate systems.
In role-based management, employees’ access to information should be connected to their roles in the organization, which most likely will change as the user moves to other jobs or new applications are introduced. Daily care of complex identity management systems requires software tools to automate routine processes and comply with regulations. Role-based security can be implemented with current commercial technology.
When users leave an organization, their identities and access must be purged from all relevant systems, a process known as deprovisioning. Unfortunately, it is common for a user to have access to internal systems for extended periods after leaving an organization. The connection between HR and other IT systems used during provisioning should work in reverse to remove an identity when an employee leaves. Automating the process reduces potential for human error and can help verify compliance with regulations.
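The three phases above, as an added example that is not from the article or from any vendor product: a small Python reconciliation job that treats the HR record as the source of truth, provisions new hires with role-based entitlements, re-aligns entitlements when a role changes, fully deprovisions leavers, and flags directory logins that HR does not know about. The role names, entitlement names, and sample records are constructed.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional
# Role catalogue (constructed): the entitlements each job role may hold.
ROLE_ENTITLEMENTS = {"clerk": {"records-read"},
                     "assessor": {"records-read", "property-write"},
                     "payroll": {"records-read", "finance-write"}}
@dataclass
class HrRecord:  # one row from the HR/payroll system of record
    emp_id: str
    role: str
    termination: Optional[date] = None  # set by HR when the employee leaves
@dataclass
class Account:  # one directory login with its granted entitlements
    emp_id: str
    enabled: bool = True
    entitlements: set = field(default_factory=set)

def reconcile(hr, accounts, today):
    """Drive the directory from HR. Returns (action, emp_id, detail) tuples:
    provision a new hire, adjust a changed role, deprovision a leaver, or
    flag an orphan login that has no HR owner at all."""
    hr_by_id = {r.emp_id: r for r in hr}
    acct_by_id = {a.emp_id: a for a in accounts}
    actions = []
    for rec in hr:
        acct = acct_by_id.get(rec.emp_id)
        if rec.termination and rec.termination <= today:
            # Leaver: the login and every entitlement must go, not just one.
            if acct and (acct.enabled or acct.entitlements):
                actions.append(("deprovision", rec.emp_id, acct.entitlements))
            continue
        wanted = ROLE_ENTITLEMENTS[rec.role]
        if acct is None:                   # new hire never provisioned
            actions.append(("provision", rec.emp_id, wanted))
        elif acct.entitlements != wanted:  # role changed: grant and revoke
            actions.append(("adjust", rec.emp_id,
                            {"grant": wanted - acct.entitlements,
                             "revoke": acct.entitlements - wanted}))
    for acct in accounts:                  # logins unknown to HR
        if acct.emp_id not in hr_by_id:
            actions.append(("orphan", acct.emp_id, acct.entitlements))
    return actions

def demo():  # constructed sample: a hire, a promotion, a leaver, an orphan
    hr = [HrRecord("e1", "clerk"), HrRecord("e2", "assessor"),
          HrRecord("e3", "payroll", termination=date(2024, 5, 15))]
    accts = [Account("e2", entitlements={"records-read"}),
             Account("e3", entitlements={"records-read", "finance-write"}),
             Account("e9", entitlements={"finance-write"})]
    return reconcile(hr, accts, today=date(2024, 6, 1))
```

Run on a schedule against the real HR export and directory, the "deprovision" and "orphan" rows are exactly the lingering access the text warns about, and the "adjust" rows are the entitlement creep that role changes leave behind.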
The complexity of identity management will grow exponentially as the potential for security violations increases. Prevention and detection of unauthorized data access require a consistent identity management methodology, regular oversight and management involvement. Though a fail-safe solution is not yet available, technology exists that can remedy significant concerns in protecting the integrity of city and county governments’ critical infrastructures.
By Paul Christman
The author is director of state and local and higher education sales in the public sector group for Aliso Viejo, Calif.-based Quest Software.