
The Inside Story

It's not just outsiders who need to be kept out of online files. Limits have to be set on what public employees can see.

There are ghosts in government, and they're lurking in databases and applications throughout the online universe. That should be pretty scary for the caretakers of the information that governments are supposed to safeguard.

The specters are actually real people--employees who were given access to computer applications so that they could get information they needed to do their jobs. Only now they've moved on: They've either changed jobs or left government altogether. But their names and accounts linger. A former employee or other knowledgeable person could use that opening to gain entry to a program or database and steal personal information, change data or simply see information he or she has no right to see.

That's not the only challenge for protecting online data from a government's own workers. Sometimes, it's a matter of making sure that bona fide employees with legitimate access to a system can get the information they need--and no more than that. A handful of states and localities have begun working on a variety of approaches to the problem.

In North Carolina, as soon as someone leaves a job, an automated system zaps his accounts from the system. "To be able to pull the plug on someone within a minute's notice is a tremendous advantage," says Ann Garrett, the state's chief information security officer. This is particularly important because, almost all technology officials say, the biggest threat to security of a system is not from outside hackers but from one's own employees.

One way of controlling what employees see is to make use of identity-management techniques. Identity management does several things. It sets policies on who gets to see what data, authenticates users who want to gain access to a system and creates IDs. It also configures systems and applications to recognize who's accessing the system, tracks who's come and gone, and enters and removes people from systems as necessary. The latest tweak is to control the process in one location and in one step rather than have various agencies notify their IT workers to remove people from--or set people up on--applications.

The North Carolina Office of Information Technology Services is currently using identity management to protect a handful of resources. For instance, the state has a security Web portal, created after 9/11, that holds data about the state network, viruses and worms, and how to protect systems. "That's information we want to get out to our users," says Brent Roberts, identity administrator. "We don't want the whole world to have access to it." Identity management limits entry and who can see what.

Washington State chose a different tack. It turned to digital certificates and contracted with a private company to authenticate users.

The process works this way: Businesses that want access to information on the state's databases--say, medical claims information--apply for a digital certificate and the company checks up on whether those business people are who they claim to be and whether they have legitimate business reasons to be given an entree into government databases. Once satisfied on those counts, the company issues a digital certificate. The holder of that certificate can now sign onto Washington's Web site and get information that others without a certificate cannot.

The unfettered access after the initial logon is a blessing for businesses. They sign in once and then can jump around to any or all of the departments or databases they've been given permission to see, without having to sign in and identify themselves over and over again during an online session.

Washington has expanded the program, which got underway in 2000, to 31 applications that can be accessed by those holding a digital certificate. The thought at one time was that everyone in the state would eventually get a digital certificate, but Washington no longer sees things that way. Most of the online data isn't particularly sensitive or personal, so it doesn't require a stringent level of identity authentication.
