In The Boardroom With...
Mr. Todd Musselman
Senior Manager, Global Identity Practice
HP Enterprise Services, U.S. Public Sector
Cybersecurity for U.S. Public Sector
SecurityStockWatch.com: Identity Management has been
a big topic for organizations for the last 15-20 years. I'm sure in that
time the problems customers face and the technologies to address them
have evolved, but what are organizations struggling with today in terms
Todd Musselman: The problems customers are trying to
solve with regards to Identity Management have changed dramatically over
the years. Fifteen years ago, customers were simply trying to reduce the
number of IDs and passwords a user had to use to log into an application
or enable self-service password reset capability, to avoid costly help
desk calls to reset forgotten passwords. Organizations now focus on challenges
ensuring only authorized users are able to access the network or applications;
providing greater control, management and oversight into privileged
increasing collaboration between organizations, which necessitates an
increased need for federation between organizations and their systems;
ensuring compliance and process improvements for the renewal or revocation
of system access, and;
preventing fraud during online interactions with citizens/customers.
Overall, by shifting resources to better align and utilize technology
in new ways, organizations can obtain cost reductions while simplifying
their identity management process.
SecurityStockWatch.com: You've mentioned 'fraud prevention',
'cost reduction' and 'simplification' as major themes across your customers.
What is HP doing to address these concerns with its customers?
Todd Musselman: HP offers extensive Identity and
Access Management solutions to help our clients address the challenges
unique to their risk tolerance and environment. We assist customers in
addressing fraud prevention by reducing risks related to the insider threat
of privileged users, as well as the prevention of fraudulent activity
through Identity Proofing and Identity Verification. For cost reduction
and simplification, we help customers realize significant benefits in
automating the business processes for requesting, approving, granting,
and revoking user account access to applications and systems. We provide
identity compliance solutions that automate and enhance the user/system
access review and recertification processes. In addition, we offer many
of our solutions in a cloud model, which simplifies the IT infrastructure
and reduces heavy upfront investment costs.
SecurityStockWatch.com: For organizations that are facing
these issues but have limited funding, what recommendations do you have?
Todd Musselman: Budget pressures are a constant
challenge, but that does not mean that security has to take a back seat.
We work with clients to develop comprehensive identity and access management
strategies along with roadmaps that are aligned to their mission. For
those organizations where funding is scarce, budget considerations are
made to devise a workable strategy to meet their business or mission needs.
The strategy enables clients to ensure their organization and IT objectives
are aligned to their current and future security needs. This, in turn,
allows them to prioritize their key business risks and bring the greatest
value to the organization.
In many cases, we find organizations with existing technology investments
that simply need advice on how to maximize the value of these investments.
It's surprising to see how small modifications to a business process,
or even minor enhancements to an existing system, can dramatically improve
an organization's overall security and identity posture. The best recommendation
to clients in this situation is to take stock of what identity assets
are currently in place, and to build a plan to improve or enhance those
SecurityStockWatch.com: HP is involved in addressing
Identity Management issues for both commercial and public sector organizations.
Given your experience in providing services in both arenas, how different
are the identity issues these customers are facing today?
Todd Musselman: At face value, a number of differences
exist. Public sector clients, specifically U.S. Federal Government agencies
and state governments, are currently investing in, or strongly considering
investing in, credentialing for more secure authentication to systems.
These considerations address the need of public sector organizations
to have a high level of assurance and greater control around who is
accessing their data. Additionally, as more public sector services are
made accessible to citizens online, the opportunity for fraud has increased
dramatically. Public sector organizations that have significant online
interaction providing services to citizens are well aware they are vulnerable
to the threat of fraud through identity theft. As scrutiny around public
sector spend continues, ways to cost effectively prevent fraudulent
transactions are imperative.
From a commercial perspective, greater cooperation with business partners
has ushered in a new era of sharing data and systems. Federating access
across environments seems to be a top driver for most businesses. Many
in the commercial space were quick to adopt provisioning technology
over the last 10 years, which helped them automate their process to
connect business partners' end user accounts across various systems.
Now, their focus has shifted to addressing provisioning and controlling
access for privileged users, such as a UNIX system administrator. Privileged
users represent a small number of people, but they have extremely powerful
privileges. These accounts need a greater level of scrutiny and control
to protect an organization from the insider threat or remote access.
There is, however, a great deal of commonality in the issues facing
both the public and private sectors; for instance, they are both looking
to streamline and simplify user management/access processes that over
time, in large organizations, have become cumbersome and unwieldy. They
are also looking for the greater security and interoperability that
a centralized identity and access control system can provide.
SecurityStockWatch.com: We've seen a lot of recent
talk about the National Strategy for Trusted Identities in Cyberspace
(NSTIC) and its goal to protect individuals, businesses and public agencies
- where do you see this initiative going?
Todd Musselman: The National Institute of Standards
and Technology (NIST) has made great strides by creating the NSTIC National
Program Office and an Identity Ecosystem Steering group. They have funded
five pilots designed to test and overcome the barriers that exist today
in this arena and recently held an Applicant's Conference for companies
interested in applying for the next round of pilots. Everyone is aware
of the problems related to identity, such as protecting passwords, preventing
data breaches and identity theft, and the inability to trust as it relates
to doing business in cyberspace. Stakeholders, including Federal Government
agencies, private sector organizations and associations such as the
Smart Card Alliance, among others, have rallied around this initiative.
As NSTIC pilots continue to be implemented, the concept of trust will
become the driving factor in its success. Trusted credentials issued
by trusted providers to complete trusted authentication will replace
basic user names and passwords. Perhaps one single credential is not
the answer. There will likely be more than one type of credential available
for a user to choose from that will be commensurate with the level of
risk associated with the transaction. If it is your Facebook account,
the authentication level may be low while online banking, accessing
healthcare information or submitting your tax return to the IRS, may
require a higher level of authentication. Multi-factor authentication
will most likely be required for even stronger levels of trust needed
for national security information and other tightly controlled data.
While momentum is high today and the need is great, the development
of solutions will remain an ongoing process to embrace the changes in
technology. Since cyberspace is global, the international community
will also need to embrace this type of effort to protect global commerce.
SecurityStockWatch.com: How would you recommend that
privacy of individuals, businesses and public agencies be protected
as NSTIC initiatives mature?
Todd Musselman: One key area that will support
privacy within an Identity Ecosystem is to follow the Fair Information
Practice Principles. First, identity proofing should be handled on a
one-time basis without the need to retain the data to reduce the possibility
of that information being revealed to unauthorized users. Next, reduce
the number of individual credentials needed, which will reduce the requirement
of sharing personal data with multiple entities. In addition, well-designed,
trusted credentials that can be used by more than one relying party
will help to eliminate requests by websites or applications for specific
personal information that is unnecessary for access, and to conduct
business as a trusted individual. It is also important to minimize data
collection to only what is needed. Following these principles will help
protect privacy for individuals, businesses and public agencies, and
in turn, can diminish identity theft.