As we take security more seriously, as we put more obstacles between the outside world and the inner secrets of our PCs, we're complicating our lives -- in both good ways and bad. On the plus side, we are more securely guarding our private data. On the other hand, as we increase the number of permissions and passwords, we create a bigger job for corporate IT departments. Identity management -- a strategy whereby companies centrally control all of a user's various accounts, access codes, passwords, etc. -- can simplify this task and, in theory, free up resources to work on network security services.

I recently heard this pitch from a PriceWaterhouseCoopers consulting team. I immediately questioned whether a centralised profile system would actually be easier for someone to crack. They cited some persuasive counterarguments. Centralised security, which at first struck me as a bad idea, appears to offer many benefits.

Consider your banking habits. You have a current account, a savings account, a money market account -- you may even have an online brokerage account. You might also have a joint current account with your spouse, under your spouse's name.

Now consider your office. You may have access to two or three printers, two or three internal servers, and perhaps a virtual private network (VPN). With all these accounts, you are the common denominator. A centralised identity management system could collect this data into one, easy-to-administer location.

Next, look at the risks of maintaining decentralised systems. A small corporate IT force can be overwhelmed with daily permissions requests. I've heard horror stories of IT workers granting users more access than necessary in order to limit their open call tickets, and of accounts vanishing overnight because the overworked IT staff made mistakes. Both cost their companies time and money.

Mistakes tend to coincide with times of rapid growth within a company, or when deploying new initiatives. For some reason, companies seem to loathe hiring more IT personnel during such times, leaving the existing IT staff with meagre resources and monumental tasks.

During an economic downturn, when large numbers of employees are laid off, security only becomes more complicated. Often there are no clear records of what permissions existed for each employee. IT might delete a former employee's main network login profile, but HR may not get around to removing his or her email account until much later. And what about the terminated employee's special access to the remote file server on the 4th floor? Or his special VPN privileges? There are "ghosts," fragments of past employees, swirling within most large corporate systems today.

Fortunately, these ghosts rarely cause harm. However, if someone gets advance word of his termination, he might set up dummy accounts and later try to ferret out these ghost permissions, and gain access to systems where he could do some real damage.

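The "ghost" problem above is, at bottom, a reconciliation problem: each system keeps its own account list, and nobody compares them against HR. The following script is an added example, not code from the column or from any vendor; it takes a constructed HR roster and constructed per-system account exports (system names and user ids are made up) and flags accounts whose owner is terminated, or who has no HR record at all, the way a centralised identity store would surface them.

```python
# Added example: reconcile per-system account lists against the HR roster to
# surface "ghost" permissions left behind by piecemeal deprovisioning.
# All system names, user ids and statuses below are constructed sample data.

# Constructed HR roster: user id -> employment status.
HR_ROSTER = {
    "asmith": "active",
    "bjones": "terminated",   # main login removed, other access not
    "cwong": "active",
}

# Constructed per-system account exports, as an IT team might pull them.
SYSTEM_ACCOUNTS = {
    "network_login": ["asmith", "cwong"],
    "email": ["asmith", "bjones", "cwong"],
    "fileserver_4f": ["asmith", "bjones"],
    "vpn": ["bjones", "cwong", "tmp_backup"],
}


def find_ghost_accounts(roster, systems):
    """Return {system: [(user_id, reason), ...]} for accounts whose owner is
    not active in HR: either terminated, or absent from HR entirely (a
    candidate dummy account). Every entry is a candidate for removal."""
    findings = {}
    for system, users in systems.items():
        for user in users:
            status = roster.get(user)
            if status == "active":
                continue
            reason = "terminated" if status == "terminated" else "no HR record"
            findings.setdefault(system, []).append((user, reason))
    return findings


def identity_report(findings):
    """Pivot findings by user so each ghost identity lists every system it
    still touches; this is the per-person view a central store provides."""
    by_user = {}
    for system, entries in findings.items():
        for user, reason in entries:
            entry = by_user.setdefault(user, {"reason": reason, "systems": []})
            entry["systems"].append(system)
    for entry in by_user.values():
        entry["systems"].sort()
    return by_user


if __name__ == "__main__":
    report = identity_report(find_ghost_accounts(HR_ROSTER, SYSTEM_ACCOUNTS))
    for user, info in sorted(report.items()):
        print(f"{user}: {info['reason']} -> {', '.join(info['systems'])}")
```

Run against real exports, the per-user view is what an offboarding checklist should be closed against; any user that still appears after HR marks them terminated is a deprovisioning gap to audit.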
This type of "inside attack" -- an attack carried out against a company by its own employee -- is said to account for about 70 percent of all security breaches. An inside attack can be anything that costs the company time or money, or causes the loss of proprietary information. This includes the employee who shuts down the email server with spam or viruses, the employee who locks colleagues out of their accounts and privileges, and certainly anyone who sells or gives away proprietary information. Inside attacks are often carried out by former employees, and companies usually don't report them to the outside world, mostly to protect their corporate image.

Centralised control of employees' security information allows IT staff to efficiently provision new employees as well as terminate past employees. In theory, it should free the IT department to run more audits, be more vigilant with existing accounts, and truly safeguard the primary point of entry into the core system.

Other selling points for centralised management: employees are less likely to become a future risk if they know their actions are being monitored, and in general, efforts to contain inside risks restrict outsiders from breaching security as well. Given the benefits, I think we're going to hear more about identity management in the near future.

By Robert Vamosi
ZDNet (UK)