Saturday, March 08, 2003, 4:36 PM

Tough Questions

Here are a few questions I put together to give a sense of how far enterprises are from solving the identity management challenge:

What is your company's digital identity roadmap?

How do you ensure that you turn off all accounts of departing workers?

How do you audit the digital activities of an employee?

How do you enforce your password and access policies?

How would you transition to strong digital identities?
... and avoid a piecemeal approach which results in a patchwork of identity systems?
... and include your current/legacy systems?
... and show ROI along the way?
... and improve the security of password-based systems along the way?
... and avoid a system that has a single point-of-failure?
... and avoid a system that has a single point-of-attack?

Do you believe that passwords are good enough for application authentication?
... If not, what are your plans for moving beyond passwords?

How future-proof are your investments in digital identity?

You're about to spend a large part of your budget on tokens to increase the protection of your VPN
... how much of that investment will be reusable as part of your future identity management system?
... Can you support future encryption systems and current secure email systems?
... Is it a standard strong authentication mechanism for Microsoft Windows?

Do you believe that you need to move to certificates for strong identities?
... If so, how do you avoid the high cost of implementing a PKI system (certificate issuance and distribution, integration, business continuity at transition) and still get its benefits of strong digital identity?

How does your IT department handle loss of tokens?
... What happens when the user is on the road?