Identity Bus discussion focuses on re-hires

More reader comments on the Identity Bus topic addressed
Security: Identity Management Alert
By Dave Kearns, Network World, 06/18/2008

Dave Kearns provides the information you need to evaluate, install and maintain your corporate identity management system.


Last week's newsletter about the Identity Bus raised a number of issues in the Network World forums, some of which I addressed last newsletter. But there was another issue raised that deserves its own discussion.

The method I suggested of identifying employees who were hired in the past two years was called into question by a couple of readers. What I said was: “I will assume that the HR system assigns an employee number to each new hire and that these numbers are sequential using a known sequencing technique. … To find all employees hired in the last two years, I simply query the employee database for the one earliest record that is later than two years ago yesterday. I can retrieve this record and note the employee number. That number and all subsequent numbers represent all the employees hired in the past two years.”

A reader, identified as ‘mchiles,’ writes: “In the scenario you propose, I would suggest it breaks down under the condition where an employee separates from the company and is later rehired. If your system re-assigns the original identifier, that identifier can no longer be used as an indicator of when the employee was hired. Rather, it now indicates when the employee was first hired.” While an anonymous poster notes: “If someone works here, then leaves, then returns, they tend to get their original employee number. The number may have been issued more than 2 years ago, but the employee has not worked here for 2 years.”

That certainly would upset my assumption, as noted by reader Stuart Thompson, but he also said, “With respect to re-hire situations in some of the other posts, I think you will find that some auditors will have a field day with the re-use of old employee ID's. From a compliance perspective this is a real can of worms.” I couldn’t agree more.

The re-use of identifiers (and the issue has been heatedly discussed by the OpenID community, for example) is at best a “can of worms” and frequently a source of security breaches, identity fraud and other criminal activity. It was just a year ago, in fact, that I addressed this issue in the newsletter (“Uniqueness, hotels and OpenID”).

But the re-use of an employee number to identify the same individual after a re-hire presents us with a dilemma. On the one hand, we’d like the same identifier to indicate one and only one entity while also reflecting all activity by that entity. On the other hand, we’d like each “new” hire (and that includes re-hires) to start with a fresh identifier. For example, a re-hire would have training records attached to their old identifier. But if the training has changed then they should be required to re-train, also. Only a new, unique identifier could indicate this automatically. Still, if a regulatory agency wished to see all activity by a particular individual, then there should be a way to link all of that individual’s activities – spanning all hiring periods – efficiently and automatically. So what’s the answer?
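The dilemma above, worked through on constructed data as an added example (it is not from the newsletter or from any HR product): the sequential-number shortcut is compared with a query on hire dates, first when a re-hire keeps the original number and then when a re-hire gets a fresh one. The table layout, the sample rows and the `person_id` column that ties one person's numbers together are assumptions of this example.

```python
import sqlite3

# Constructed sample data; table and column names are assumptions.
# Columns: emp_no, person_id, hired, separated (ISO dates; None = still employed)
REUSED = [  # the re-hire keeps the original employee number
    (1001, "p-alice", "2004-03-01", None),
    (1002, "p-bob",   "2005-01-10", "2006-02-01"),
    (1003, "p-carol", "2006-09-15", None),
    (1004, "p-dave",  "2007-05-20", None),
    (1002, "p-bob",   "2008-01-07", None),
]
FRESH = REUSED[:4] + [(1005, "p-bob", "2008-01-07", None)]  # the re-hire gets a new number

def load(rows):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employment "
                 "(emp_no INTEGER, person_id TEXT, hired TEXT, separated TEXT)")
    conn.executemany("INSERT INTO employment VALUES (?, ?, ?, ?)", rows)
    return conn

def hired_since_by_number(conn, cutoff):
    """The shortcut: number of the earliest hire after the cutoff, plus all later numbers."""
    first = conn.execute("SELECT emp_no FROM employment WHERE hired >= ? "
                         "ORDER BY hired LIMIT 1", (cutoff,)).fetchone()
    if first is None:
        return []
    q = "SELECT DISTINCT emp_no FROM employment WHERE emp_no >= ? ORDER BY emp_no"
    return [r[0] for r in conn.execute(q, (first[0],))]

def hired_since_by_date(conn, cutoff):
    """Ground truth: every number with a hiring period that starts on or after the cutoff."""
    q = "SELECT DISTINCT emp_no FROM employment WHERE hired >= ? ORDER BY emp_no"
    return [r[0] for r in conn.execute(q, (cutoff,))]

def numbers_for_person(conn, person_id):
    """All numbers ever issued to one person, for an audit spanning hiring periods."""
    q = "SELECT DISTINCT emp_no FROM employment WHERE person_id = ? ORDER BY emp_no"
    return [r[0] for r in conn.execute(q, (person_id,))]

def missed_by_shortcut(rows, cutoff):
    """Employee numbers hired since the cutoff that the shortcut fails to return."""
    conn = load(rows)
    found = set(hired_since_by_number(conn, cutoff))
    return sorted(set(hired_since_by_date(conn, cutoff)) - found)

if __name__ == "__main__":
    CUTOFF = "2006-06-18"  # two years before the newsletter's date
    print("reused numbers, missed:", missed_by_shortcut(REUSED, CUTOFF))
    print("fresh numbers, missed: ", missed_by_shortcut(FRESH, CUTOFF))
    print("numbers linked to p-bob:", numbers_for_person(load(FRESH), "p-bob"))
```

With reused numbers the shortcut silently drops the re-hire; with fresh numbers it agrees with the date query, and the separate person key still returns every number the individual has held.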

Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.


Comments (9)

Exactly
By Anon on June 25, 2008, 1:38 pm
This hits the nail on the head. "Former Employee" is a different affiliation from "Complete Stranger". Now there may be deprovisioning rules as to when someone would...

Double user identities
By PeterHolbech on June 22, 2008, 4:42 pm
Besides the rehire problem there are situations when a person has several positions in a company with separate user identities. This means that you have to distinguish...

Linking IDs and new ID
By tuomoks on June 20, 2008, 2:25 pm
Yes, a re-hire could be given a new ID but it just would multiply the relations in many cases and sometimes it might even be beneficial but also a headache for DBA,...

Linking IDs
By Anonymous on June 20, 2008, 11:57 am
I would imagine assigning a new ID at the time of re-hire and linking the old ID to the new ID can be a fix to the re-hire issue. This can be a one-to-many relationship...

Re-hires?
By Allan Milgate on June 18, 2008, 7:50 pm
Hi Dave, great debate, but it all seems a bit off-topic. The real answer is that identities are usually created in trusted sources as a result of a business...