About four years ago, Chief Information Security Officer Denise DeAmore took a hard look at the number of people accessing State Street Bank's applications and told herself there had to be a better way. Keeping tabs on user access had become unmanageable.
DeAmore began searching for products to ensure that only the right people were viewing the right information. She was looking for identity management before the term was even coined. "The vendors knew what we were talking about, but our ideas were probably ahead of their time," DeAmore says.
Like many other financial services companies, State Street Bank became an early adopter of identity management to protect and control access to financial and personal information. In the case of State Street, which provides investment servicing and management, the bank must grant access to clients such as a mutual fund manager who would need a view into back-end operations to make investment decisions. Meanwhile, the mutual fund's customers require access to monitor their portfolio's value.
"Information security is all about access, who can get in and who can't," DeAmore says. "Protecting that is absolutely fundamental to the way we operate."
Today, State Street has 460,000 identities under management, using tools such as Courion's PasswordCourier to let users reset their own passwords. Citing Gartner estimates that the average password reset call to an organization's help desk costs the company between $10 and $30, DeAmore says the rollout has helped the company cut costs. "If you can take 25% of what's being managed [by people] and automate it, that's huge," she says. State Street's identity management system also includes a provisioning product from IBM Tivoli, a homegrown workflow program developed with Lotus Domino, and certificate authority services from Betrusted.
At investment bank Lehman Brothers, new employees are assigned what Vice President of Information Security Ramin Safai calls a Day One identity. This provides the worker with about 60% of the access required to do the job. The team that implements identity management designed the process around the fact that it wouldn't know all the access a new employee requires.
The new employee can request additional access, referred to as Day Two identity, by visiting an internal Web site that uses identity management software to automatically route the request to the right manager, who then decides whether access is granted. On an employee's last day, that software also automatically cancels all access to the corporate applications, Safai says.
Identity management products provide reporting capabilities that keep track of which employees have had access to what data, which proves particularly useful when these companies are audited for regulatory compliance.
When Lehman Brothers embarked on its identity management implementation about two and a half years ago, intrusion detection was the primary reason, Safai says. But now Sarbanes-Oxley compliance has become one of the project's most important aspects. "You have to show that you have control over the systems, and you have to demonstrate that you know how people got access and why people got access, and show the appropriate workflow," Safai says.
"Identity management means a good bit more to financial services companies because it gives them an insurance policy to ensure they're complying with regulations," says Earl Perkins, a security analyst with Meta Group. "It's a big issue for financial services. If they don't get it right the CEO can go to jail."