Employees must also agree to some oversight of their devices. At Intel, employees have to sign a service agreement before using a personal device at work. They must agree to the company's terms for conduct, software licensing and information security policies. Employees are also warned to keep personal data separate from corporate data by creating separate partitions or data containers. "If it's lost or stolen, or if they leave the company, we'll have to remotely wipe it — which could be a problem if they've mingled corporate stuff with personal stuff," Harkins says.
Employees must also equip their devices with special apps that can be downloaded from an internal application portal — much like an app store, but with guidelines on what they can download based on their use history and what additional security features they might need if they will be using the device to access sensitive company data.
Federated and single sign-on
Sales of Web single sign-on and federated systems, or single sign-on systems for partners or regular outside visitors to a network, are expected to reach $1.5 billion this year and make up about one-third of all IAM system purchases by 2016.
At HMS, which offers information and services to help healthcare providers minimize erroneous payments, CSO Scott Pettigrew knew a security upgrade was inevitable because the company has grown rapidly — from $55 million in revenue five years ago to an expected $520 million by the end of this year.
Security requirements spelled out in regulations governing the healthcare industry mandate that every account be automatically disabled every 30 days, requiring the help desk team to spend much of its time reissuing access rights to temporary staffers. The company used to manually keep tabs on the access rights of its portal users. But the portal is used by almost 20,000 outsiders, including more than 500 temporary employees working on Medicare claims and verifications, so provisioning processes began to take up a lot of time and it became nearly impossible to remain compliant with the Health Insurance Portability and Accountability Act.
"To meet those regulations, you've got to have some sort of identity management suite to make sure you're deleting people off your systems and taking away their access [in a timely way]," says Pettigrew.
Today, HMS is working through a more than three-year overhaul of its IAM structure that combines identity, governance and federation capabilities. The new identity system is a central point for access requests at HMS. To manage external contractors, HMS is deploying two-factor authentication to close a gap in access by self-certifying users through access to registered email. Users will be locked to one external device after being auto-enrolled in two-factor authentication. The process leverages existing identity information and technologies with two-factor certificates to maintain control of resources for noncaptive users.