Identity Management at Credit Unions

Jose Carmichael and Alfonso Gutierrez
October 9, 2007 | COMMENTS

Identity management (IdM) is a system and associated processes and policies used to manage a user's digital identity including how the user can access electronic resources such as networks, files, or services from creation to removal. A user may be a credit union member, an employee, or a business partner. A user's digital identity, such as a password, is the user name and associated attributes, such as a password or role.

In credit unions, IdM is applied as a method of addressing electronic security issues. This may include tasks as simple as managing how an employee logs onto the credit union intranet to combating problems as complex as identity theft and federated networking.

Through surveys, focus group discussions, and a case study this report identifies the most common identity management issues and concerns facing credit unions today and the current IdM tools and techniques being practiced at credit unions and other organizations. This information can be used to improve a current IdM system, or to create a new one using the experiences of their peers as a guide. This report will be useful to both the executive who wants to further understand their organization's IdM needs and to the IT manager trying to communicate the importance of IdM to executives.

This study was a collaboration by the Credit Union Information Security Professionals Association, the CUNA Technology Council, CUNA Mutual Group, the Education Credit Union Council, the University of Wisconsin-Madison 's Division of Information Technology, and the University of Wisconsin-Madison 's E-Business Consortium.

Key finding include:

• IdM is in its early stages and is rapidly evolving. Many implementations of new IdM technologies, such as biometrics, are changing how identities are managed. These new implementations at credit unions seem to be more experimental than mature, though, and will likely see many changes before they become standard.

• The cost of IdM is far outweighed by the risks of not implementing IdM security measures.

• The biggest vulnerabilities lie not in faulty software or hardware packages, but in how users protect their passwords and credentials outside the system.

• Interoperability between disparate platforms or applications is a major hurdle.

• IdM is being managed by high-level governance bodies such as boards of directors. This is good, as it quickly elevates identity management and security issues to the top of the organization. However, this model tends to leave out the more technically-savvy members of the IT staff.

• Many IdM processes are performed manually, even though tools for automation exist that can reduce the number of errors made in creating and managing identities.

• Regulations demanding multiple layers of authentication are slowing down the validation process for each online user by seconds, adding up to thousands of hours each year. Focus-group participants state that more are likely on the way.

• Members are not proactively requesting IdM tools or security features until they are directly affected by identity theft. They generally don't use the tools they are given, even when they were specifically requested.

• Microsoft appears to be the most dominant player—primarily through the prevalence of its Active Directory.

• Although there is much interest in biometrics and single sign on, few substantial implementations of these technologies stand out.

This executive summary is from a white paper by Joe Carmichael and Alfonso Gutierrez entitled “Identity Management at Credit Unions.” Read the complete paper in the CUNA Technology Council White Paper section of the website.