Tough new regulatory rules, coupled with the fear of IT security breaches, have done wonders for helping drive customers to adopt identity management technologies in the past year.
Regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Sarbanes-Oxley Act of 2002 forced businesses to keep track of sensitive data. At the same time, various technologies that fell under the umbrella of ID management have started to mature.
One example of such a company is a major oil and gas industry supplier, which took the initiative to create an ID management system that linked its many directories.
"We wanted to consolidate, have one consistent process across the corporation and have a security profile,"
Bridging disparate systems was one way to keep track of the audit trail. And this oil-business giant has plenty of company in this area. In fact, the larger the company, the more of an issue identity management appears to be.
"It's a market driven by fear," said Dan Blum, senior vice president and research director at the Burton Group, a Midvale, Utah-based consulting firm.
The good news today is that once a company goes through the trouble of setting up an ID management system across the enterprise, it can actually save a lot of money in the form of fewer help desk calls, having fewer sign-ons and accounts, Blum said. It also provides a general reduction of account management costs.
As little as six months ago, IT managers still wrestled with the question of what exactly constituted ID management. Today, most understand it to be far more than just password protection. Rather, they see it as an end-to-end provisioning infrastructure that tracks the life cycle of an employee's identity across a corporation.
Corporations want the ability to create identities, manage those identities and, when employees leave the company, retire those identities.
Building such a system involves pulling together a suite of technologies from areas of expertise, such as directory services and synchronization, authentication, user management and Web access management.
The market today has three different types of vendors selling identity management software. There are the suite vendors, which offer an all-in-one approach. Companies in this class include IBM/Tivoli, Novell Inc., Computer Associates International Inc., Hewlett-Packard Co. and Netegrity Inc.
Then there are the specialty vendors, which sell a variety of components acquired from various sources but haven't integrated them yet. And finally, there are component vendors, which may offer one item, such as a provisioning tool.
Microsoft is building its ID management offering around Active Directory through Microsoft Identity Integration Server, which was released last July, and Passport, its role-authorization manager. The company does not have a Web access management piece, which presents the core difference between Microsoft and other vendors that focus on a broader platform base, Burton Group's Blum said. Instead, customers can purchase that capability through a partner, such as OpenNetwork Technologies Inc., a Clearwater, Fla.-based software company, or Oblix Inc., of Cupertino, Calif.
A still youthful market
The market is still so young that most enterprises are still pulling together components, but as the suite vendors improve their product lines in a year or so, more large customers will be able to buy a comprehensive package from them, Meta Group's Perkins said.
Customers today can buy Web-based single sign-on with delegated administrative capability and authorization services. They can also do provisioning and user life-cycle management, but those functions are a little newer, and it will probably be a year or so before they reach the same level of adoption as access management, Perkins said.
At this point, integration can be difficult, particularly if a company has a mixed computing environment. For some, a big challenge in ID management is figuring out how all the different applications' ID systems work. "Each has its own way of doing things," said John McGlinchey , Active Directory administrator at New York-based Bristol-Myers Squibb Co. "So when an employee leaves, you have to close these accounts," he said. "Everyone agrees on closing the door, but how do you do it?"
This is a job for meta directories , but customers still have to decide what type of access an individual will have and how the directory should be managed. "Everything today is make-up-as-you-go evolutionary," McGlinchey said.
Customers still don't have a standard way to integrate their software, and each vendor typically has a different ID management system. "We will see a lot of diverse products for the next few years," he said.
It's the politics
But the real problems aren't so much the technology, as the politics of an enterprise. It can be very tough to get "buy in" from the many different departments across a company that have to submit information about end users to make an ID management system work.
"The technology is not rocket science, but you need to make sure you are all speaking the same language," Perkins said.
He recommends getting the information security team and the business teams to put forth their requirements if it's a joint effort. Also, from the start, companies should include the operational support staff that will be using the technologies.
"It's funny how a lot of this is planned in the beginning and then thrown at the operations people," Perkins said. "It's as if I wanted to sail around the world, but someone else picked out the boat."
Indeed, if the IT manager building the ID management system does not form a consensus across corporate departments, it can torpedo an entire project. In the case of the oil and gas industry supplier, it had previously failed in an attempt to establish an identity management system because of disagreements among stakeholders in the program.
That company's security officer started his own effort by engaging every group individually. "There is a lot of marketing and sales to the different stakeholders," he said. 'The biggest is [HR] because they own all the personnel records. We needed one source of record, versus multiple sources [of record]."
And creating a clear identity for an identity management project is a good place to start that buy-in process.