Hewlett-Packard Company

In The Boardroom With...

Mr. Todd Musselman
Senior Manager, Global Identity Practice
HP Enterprise Services, U.S. Public Sector
Cybersecurity for U.S. Public Sector Identity Management has been a big topic for organizations for the last 15-20 years. I'm sure in that time the problems customers face and the technologies to address them have evolved, but what are organizations struggling with today in terms of Identity Management?

Todd Musselman: The problems customers are trying to solve with regards to Identity Management have changed dramatically over the years. Fifteen years ago, customers were simply trying to reduce the number of IDs and passwords a user had to use to log into an application or enable self-service password reset capability, to avoid costly help desk calls to reset forgotten passwords. Organizations now focus on challenges such as:

  • ensuring only authorized users are able to access the network or applications;

  • providing greater control, management and oversight into privileged user accounts;

  • increasing collaboration between organizations, which necessitates an increased need for federation between organizations and their systems;

  • ensuring compliance and process improvements for the renewal or revocation of system access; and

  • preventing fraud during online interactions with citizens/customers.

Overall, by shifting resources to better align and utilize technology in new ways, organizations can obtain cost reductions while simplifying their identity management process.

You've mentioned 'fraud prevention', 'cost reduction' and 'simplification' as major themes across your customers. What is HP doing to address these concerns with its customers?

Todd Musselman: HP offers extensive Identity and Access Management solutions to help our clients address the challenges unique to their risk tolerance and environment. We assist customers in addressing fraud prevention by reducing risks related to the insider threat of privileged users, as well as the prevention of fraudulent activity through Identity Proofing and Identity Verification. For cost reduction and simplification, we help customers realize significant benefits in automating the business processes for requesting, approving, granting, and revoking user account access to applications and systems. We provide identity compliance solutions that automate and enhance the user/system access review and recertification processes. In addition, we offer many of our solutions in a cloud model, which simplifies the IT infrastructure and reduces heavy upfront investment costs.

For organizations that are facing these issues but have limited funding, what recommendations do you have?

Todd Musselman: Budget pressures are a constant challenge, but that does not mean that security has to take a back seat. We work with clients to develop comprehensive identity and access management strategies along with roadmaps that are aligned to their mission. For those organizations where funding is scarce, budget considerations are made to devise a workable strategy to meet their business or mission needs. The strategy enables clients to ensure their organization and IT objectives are aligned to their current and future security needs. This, in turn, allows them to prioritize their key business risks and bring the greatest value to the organization.

In many cases, we find organizations with existing technology investments that simply need advice on how to maximize the value of these investments. It's surprising to see how small modifications to a business process, or even minor enhancements to an existing system, can dramatically improve an organization's overall security and identity posture. The best recommendation to clients in this situation is to take stock of what identity assets are currently in place, and to build a plan to improve or enhance those assets.

HP is involved in addressing Identity Management issues for both commercial and public sector organizations. Given your experience in providing services in both arenas, how different are the identity issues these customers are facing today?

Todd Musselman: At face value, a number of differences exist. Public sector clients, specifically U.S. Federal Government agencies and state governments, are currently investing in, or strongly considering investing in, credentialing for more secure authentication to systems. These considerations address the need of public sector organizations to have a high level of assurance and greater control around who is accessing their data. Additionally, as more public sector services are made accessible to citizens online, the opportunity for fraud has increased dramatically. Public sector organizations that have significant online interaction providing services to citizens are well aware they are vulnerable to the threat of fraud through identity theft. As scrutiny around public sector spend continues, ways to cost-effectively prevent fraudulent transactions are imperative.

From a commercial perspective, greater cooperation with business partners has ushered in a new era of sharing data and systems. Federating access across environments seems to be a top driver for most businesses. Many in the commercial space were quick to adopt provisioning technology over the last 10 years, which helped them automate their process to connect business partners' end user accounts across various systems. Now, their focus has shifted to addressing provisioning and controlling access for privileged users, such as a UNIX system administrator. Privileged users represent a small number of people, but they have extremely powerful privileges. These accounts need a greater level of scrutiny and control to protect an organization from the insider threat or remote access.

There is, however, a great deal of commonality in the issues facing both the public and private sectors; for instance, they are both looking to streamline and simplify user management/access processes that over time, in large organizations, have become cumbersome and unwieldy. They are also looking for the greater security and interoperability that a centralized identity and access control system can provide.

We've seen a lot of recent talk about the National Strategy for Trusted Identities in Cyberspace (NSTIC) and its goal to protect individuals, businesses and public agencies. Where do you see this initiative going?

Todd Musselman: The National Institute of Standards and Technology (NIST) has made great strides by creating the NSTIC National Program Office and an Identity Ecosystem Steering Group. They have funded five pilots designed to test and overcome the barriers that exist today in this arena and recently held an Applicants' Conference for companies interested in applying for the next round of pilots. Everyone is aware of the problems related to identity, such as protecting passwords, preventing data breaches and identity theft, and the inability to trust as it relates to doing business in cyberspace. Stakeholders, including Federal Government agencies, private sector organizations and associations such as the Smart Card Alliance, among others, have rallied around this initiative.

As NSTIC pilots continue to be implemented, the concept of trust will become the driving factor in its success. Trusted credentials issued by trusted providers to complete trusted authentication will replace basic user names and passwords. Perhaps one single credential is not the answer. There will likely be more than one type of credential available for a user to choose from that will be commensurate with the level of risk associated with the transaction. If it is your Facebook account, the authentication level may be low, while online banking, accessing healthcare information or submitting your tax return to the IRS may require a higher level of authentication. Multi-factor authentication will most likely be required for the even stronger levels of trust needed for national security information and other tightly controlled data.

While momentum is high today and the need is great, the development of solutions will remain an ongoing process to embrace the changes in technology. Since cyberspace is global, the international community will also need to embrace this type of effort to protect global commerce.

How would you recommend that the privacy of individuals, businesses and public agencies be protected as NSTIC initiatives mature?

Todd Musselman: One key area that will support privacy within an Identity Ecosystem is to follow the Fair Information Practice Principles. First, identity proofing should be handled on a one-time basis without the need to retain the data, to reduce the possibility of that information being revealed to unauthorized users. Next, reduce the number of individual credentials needed, which will reduce the requirement of sharing personal data with multiple entities. In addition, well-designed, trusted credentials that can be used by more than one relying party will help to eliminate requests by websites or applications for specific personal information that is unnecessary for access, and to conduct business as a trusted individual. It is also important to minimize data collection to only what is needed. Following these principles will help protect privacy for individuals, businesses and public agencies, and in turn, can diminish identity theft.