Information Age: News, analysis & insight for IT & business leaders

 

Who's who?

25 February 2006  

Identity management software has come centre stage now technology infrastructure providers have made it a core part of their portfolios.

Identity management (IdM) was born out of the complexity of modern IT application stacks. Employees in all sectors need access to an ever-increasing number of applications, databases and networks, with each requiring a separate username and password. Not only has that been a source of irritation for users as they switch between applications and resources, but the support tasks associated with setting up, resetting and deleting passwords has become a hefty overhead - as well as a security risk.

Over the past five years, such issues have spurred the rise of numerous specialists in single sign-on (SSO) and related authentication software, but more recently the major infrastructure technology providers (largely through acquisition) have made identity management a core part of their software portfolios.

That has elevated the argument for identity management beyond the realm of SSO. As central as it remains, SSO has become a given, with little differentiating the various offerings on the market, says Tim Pickard, vice president of international marketing at security software and services vendor RSA Security.

However, the role and value of identity management has broadened. As businesses have built more co-operative networks, IdM has become the basis for managing the identity and scope of access for employees, customers, partners and even physical resources across the corporate architecture.

That has driven extensive growth. Demand for identity and access management software grew by 10% to reach $719 million in 2004, according to IDC. And the industry research group predicts the market will almost double again in the next five years to hit $1.3 billion in 2009.

Anticipating the central role of IdM, the IT industry's largest vendors have been getting in on the act. In the last few years, IBM has augmented its IdM line-up with the acquisition of Access 360, Sun has bought Waveset Technology, HP has added TruLogica, and Oracle has absorbed identity specialists Phaos and Oblix.

Systems and network management software companies have also made their moves. Computer Associates has become one of the largest suppliers of IdM with the purchase of Netegrity and BMC Software has beefed up its IdM portfolio with the takeover of Calendra. Meanwhile, leveraging their strong histories in directory management, Novell has been offering NSure and Microsoft has developed the Identity Integration Server.

Although independent vendors had a technological headstart on these larger rivals, explains Donal Casey, a security consultant at IT services company Morse, "now those larger companies have caught up largely through acquisition."

That points to an impending battle for market dominance. In a recently published analysis of the extranet access management market (a subset of identity management), analyst firm Gartner found no clear leaders among the constituent companies, with vendors large and small very closely matched in terms of functionality, innovation and market coverage. What will make vendors stand apart, says Gartner, will be how well they meet the next challenges of IdM.

Wider scope

Managing all the user and device identities in an enterprise is a complex job. Traditionally tools have either been policy-based (ie application and network access is governed by features of the user account) or role-based (ie access rights depend on job descriptions), but both are complicated by changing roles, staff turnover and the use of outside contractors.

While the fundamental aim is to use such structures to simplify and secure the administration of identity, IdM is performing another key role - in helping organisations show they are meeting the higher levels of governance required by new regulations.

"A lot of companies who are putting in an identity management platform are doing so as a legal requirement," says Tim Dunn, European director for IdM at business service management software vendor BMC.

With access to sensitive company and customer information under closer regulatory scrutiny, the ability to rapidly provision and de-provision user accounts ensures that employees who are sacked, say, lose their access privileges immediately. And that is the kind of action that many organisations would like to see automated as part of a business process. "For most companies, the process of creating user accounts is very time consuming and very error prone," says Alberto Yépez, CEO of IdM vendor Thor Technologies. "The different rights of access can be easily misunderstood, and ultimately someone will either make a mistake, or someone will take advantage of it. It's a repetitive process that can easily be automated."

But IdM's use in a compliance setting is not restricted to user account management. By keeping a single log of all changes to users' access rights (a capability of many IdM products), an organisation can preserve a fully auditable record of the levels of information access employees have been granted.
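The lifecycle the two paragraphs above describe - granting rights when a role is assigned, revoking them when it changes, cutting off a leaver at once, and keeping a single change log auditors can query - is small enough to show in working code. The block below is an added example written for this page, not code from any vendor named in the article; the role-to-entitlement mapping, the user names and the "hr-feed" actor are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set

# Constructed role-to-entitlement mapping; a real deployment would load this
# from the IdM product's policy store rather than hard-code it.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "payroll-clerk": {"hr-db:read", "payroll-app:submit"},
    "payroll-manager": {"hr-db:read", "payroll-app:submit", "payroll-app:approve"},
    "contractor": {"ticketing:read"},
}


@dataclass(frozen=True)
class AuditEvent:
    """One entry in the single change log that auditors can query."""
    timestamp: datetime
    actor: str        # who requested the change (HR feed, admin, batch job)
    subject: str      # whose access changed
    action: str       # "grant", "revoke" or "disable"
    entitlement: str  # "<resource>:<right>", or "*" for the whole account
    reason: str


@dataclass
class IdentityStore:
    entitlements: Dict[str, Set[str]] = field(default_factory=dict)
    disabled: Set[str] = field(default_factory=set)
    audit_log: List[AuditEvent] = field(default_factory=list)

    def _record(self, actor: str, subject: str, action: str,
                entitlement: str, reason: str) -> None:
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc), actor, subject, action, entitlement, reason))

    def set_role(self, actor: str, subject: str, role: str) -> None:
        """Reconcile a user's entitlements against a role: grant what the new
        role adds, revoke what it no longer justifies, and log each change.
        A role change never silently keeps rights from the old role."""
        if subject in self.disabled:
            raise ValueError(f"{subject} is disabled; re-enable explicitly first")
        target = ROLE_ENTITLEMENTS[role]
        current = self.entitlements.setdefault(subject, set())
        for ent in sorted(target - current):
            current.add(ent)
            self._record(actor, subject, "grant", ent, f"role={role}")
        for ent in sorted(current - target):
            current.discard(ent)
            self._record(actor, subject, "revoke", ent, f"role={role}")

    def deprovision(self, actor: str, subject: str, reason: str) -> None:
        """Leaver process: revoke every entitlement and disable the account
        in one step, so nothing lingers after the HR record closes."""
        for ent in sorted(self.entitlements.get(subject, set())):
            self._record(actor, subject, "revoke", ent, reason)
        self.entitlements[subject] = set()
        self.disabled.add(subject)
        self._record(actor, subject, "disable", "*", reason)

    def current(self, subject: str) -> Set[str]:
        return set(self.entitlements.get(subject, set()))

    def history(self, subject: str) -> List[AuditEvent]:
        """The auditor's view: every change ever made to one person's access,
        without visiting each application's own logs."""
        return [e for e in self.audit_log if e.subject == subject]


def demo() -> IdentityStore:
    """Constructed lifecycle: hire, promotion, move to contractor, leaver."""
    store = IdentityStore()
    store.set_role("hr-feed", "alice", "payroll-clerk")
    store.set_role("hr-feed", "alice", "payroll-manager")
    store.set_role("hr-feed", "alice", "contractor")
    store.deprovision("hr-feed", "alice", "contract ended")
    return store


if __name__ == "__main__":
    for e in demo().history("alice"):
        print(f"{e.timestamp.isoformat()} {e.actor} {e.action:7} "
              f"{e.subject} {e.entitlement} ({e.reason})")
```

Two design points matter for the compliance use the article describes: a role change is a reconciliation (rights the new role does not justify are revoked, not just added to), and the log records the actor and reason alongside the change, so the trail answers "who did what, and on whose authority" rather than only "what changed".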

"Instead of having to go to each of the individual applications and resources to audit access history, [identity management] gives auditors a full trail of who has done what," says Peter Jopling, IBM's head of Tivoli security solutions.

That makes IdM a function that may soon be utilised directly by other departments.

Many IdM vendors envisage that the natural home for many identity management tasks is within the human resources department. That would tie the definition of an employee's role by HR with the individual's IT privileges - and in doing so it would remove the need for IT staff to implement instructions from elsewhere about the changing access levels of staff.

"Although our solutions are optimised for internal audits at the moment, I think there are tremendous opportunities in human resources," says Thor's Yépez. "In a multinational enterprise, you might have 1,000 employees leaving every day, and another 3,000 changing role. That's 4,000 changes to be made per day. It would be great if HR could control that automatically."

That is not beyond the realms of possibility, agrees RSA's Pickard. With employment contracts and individuals' relationships with organisations becoming much shorter, there needs to be a more flexible means of provisioning IT access rights, he says. "And the crossover point between users and IT resources is HR," he adds.

But Ray Wagner, research vice president at analyst group Gartner, sees some problems with moving control of digital identities to the HR department.

"Firstly, not all identities represent employees; they might be devices such as laptops, which have their own access rights. Secondly, job roles [as defined by HR] do not map onto IT rights precisely. Someone working on a particular project might need an application that someone else with the same job description does not. And thirdly, I'm not sure departments such as sales and marketing would appreciate having HR control what systems they can access."

Nevertheless, the point stands that organisations need more automated and flexible tools if they are going to cope with the management and auditing of information access - even within their own boundaries. The challenge becomes even more acute when they need to manage the access rights of customers and partners coming into systems from outside or when privileges are passed between partners.

Federating identities

Web services have allowed organisations to build retail platforms that are a combination of their own and partners' product offerings. A user, having signed on to purchase an airline ticket, for example, may be passed to another company's application when they decide to purchase travel insurance - and their authentication is 'handed on' to that affiliated site automatically. Such 'identity federation' is the heir to single sign-on, reducing the requirement for user authentication across multiple systems. But rather than a skeleton key to all systems like SSO, federation is a way of establishing trust between systems that all have access to identity information.

The Liberty Alliance is a group of software and hardware vendors that has developed a secure interoperability standard for federation technologies - Security Assertion Markup Language (SAML) - that is used in co-operative B2B arrangements.

Roger Sullivan, chair of the Liberty Alliance conformance programme and vice president of business development for Oracle's identity management division, explains that federation will have particular value to industries such as financial services.

"If a financial services firm has a partnership with a manufacturer, say, where it manages the client's employee benefits programme, currently those employees might have to sign into the financial services portal in order to look at their account details," says Sullivan. Even if the manufacturer has a traditional SSO, the information accessed is held externally on the financial services company's portal.

With federated identity, the financial services partner can embed its services in the manufacturer's portal, because it can trust that the user has already been authenticated and had their access rights set. This also enables relatively unknown companies to sell online by leveraging the brand of higher profile web partners.
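The handing-on of an authenticated identity described above rests on one object: a signed assertion that a trusted partner issues for a named recipient and a short window, which the receiving service verifies before honouring it. The block below is an added example written for this page, not code from the Liberty Alliance, Oracle or any vendor named here. It uses an HMAC key shared between the two parties in place of SAML's XML signature with a private key and certificate, so that it runs on the Python standard library alone; the entity IDs, the secret and the user details are constructed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional, Tuple

# Constructed trust configuration. In SAML the identity provider signs with a
# private key and each service provider holds the matching certificate; an
# HMAC key shared between the two stands in here. Entity IDs are made up.
TRUSTED_ISSUERS: Dict[str, bytes] = {
    "https://idp.airline.example": b"constructed-secret-for-illustration-only",
}


class FederationError(ValueError):
    """Raised when an assertion must not be honoured."""


def _canonical(payload: Dict[str, Any]) -> bytes:
    # Sign a canonical serialisation so both sides hash identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _sign(key: bytes, payload: Dict[str, Any]) -> str:
    digest = hmac.new(key, _canonical(payload), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def issue_assertion(issuer: str, subject: str, audience: str,
                    attributes: Dict[str, str], now: Optional[int] = None,
                    lifetime: int = 300) -> Dict[str, Any]:
    """Identity provider side: the user has already logged in there, so it
    vouches for them to one named partner (the audience) for a short window."""
    now = int(time.time()) if now is None else now
    payload = {
        "issuer": issuer,
        "subject": subject,
        "audience": audience,
        "not_before": now,
        "expires": now + lifetime,
        "attributes": attributes,
    }
    return {"payload": payload, "signature": _sign(TRUSTED_ISSUERS[issuer], payload)}


def verify_assertion(token: Dict[str, Any], my_entity_id: str,
                     trusted: Dict[str, bytes], now: Optional[int] = None,
                     skew: int = 30) -> Tuple[str, Dict[str, str]]:
    """Service provider side: accept the handed-on identity only if the
    assertion comes from a trusted partner, is unmodified, was meant for
    this service and is still within its validity window."""
    payload = token["payload"]
    key = trusted.get(payload.get("issuer"))
    if key is None:
        raise FederationError("untrusted issuer")
    # Check the signature before trusting any other field of the payload.
    expected = _sign(key, payload)
    presented = str(token.get("signature", ""))
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        raise FederationError("signature mismatch")
    if payload["audience"] != my_entity_id:
        raise FederationError("assertion issued for a different service")
    now = int(time.time()) if now is None else now
    if now + skew < payload["not_before"] or now - skew >= payload["expires"]:
        raise FederationError("assertion outside its validity window")
    return payload["subject"], payload["attributes"]


def rejection_reason(token: Dict[str, Any], my_entity_id: str,
                     trusted: Dict[str, bytes],
                     now: Optional[int] = None) -> Optional[str]:
    """Convenience wrapper: None when accepted, else the reason for refusal."""
    try:
        verify_assertion(token, my_entity_id, trusted, now)
        return None
    except FederationError as exc:
        return str(exc)
```

The audience check is what distinguishes federation from the "skeleton key" model of SSO the article contrasts it with: an assertion the airline issued for the insurer is worthless to any other partner, and the short validity window limits how long a stolen one stays usable. In a real SAML deployment the same checks apply to the signed `<Assertion>`, with the `AudienceRestriction` and `Conditions` elements playing the roles of the `audience`, `not_before` and `expires` fields here.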

"A lot of brands in the retail industry are making use of this technology," says BMC's Dunn. "For example Tesco.com's finance division sells products for the Royal Bank of Scotland, but the customer doesn't need to know that they are getting a loan from RBS. As far as they are concerned, they are always dealing with Tesco."

Of course, the federation of users' identity needs to be balanced with regulatory concerns: who owns the information when access is permitted from multiple sources, and who is to blame if that sensitive data falls into the wrong hands? Sullivan insists that a key part of Liberty Alliance's development schedule has been co-ordination with regulatory legislation.

Federation will also prove a cost-saving technology in highly acquisitive sectors. After an acquisition or merger, companies have to compile new directories of identities. With federation, however, that is not necessary as authentication in one existing system can be securely passed to another.

Identity in the walls

The broader application of identity management is also being seen elsewhere. One of the more imaginative directions in which IdM is being pushed is into the world of physical security. In principle, the provisioning and de-provisioning of building access cards is the same process as managing application access. So why not manage both from the same application?

Alberto Yépez of Thor says his company has already worked with building management systems providers such as Honeywell to create access card management tools.

Again, Gartner's Wagner is sceptical about this joint security management taking off any time soon. "What happens when the system shuts down and everybody is trapped in the building?" he asks. But he believes this is a good example of how the independent IdM vendors might forge ahead - licensing their technology to a different set of vendors.

Alongside such opportunities, independent vendors continue to play up their advantage as infrastructure agnostics. This means they can more readily integrate their IdM solutions into a whole variety of customer and partner applications.

"If you are a large infrastructure vendor, you would rather your customers didn't use your competitors' systems," says Wagner. "Smaller companies will make more of an effort to be heterogeneous."

That said, 60% to 70% of potential purchasers of enterprise identity management products already have a commitment to a major infrastructure vendor, and that will surely sway their choices of IdM products.

However, with identity management still a costly and complex problem for most organisations, there is considerable scope for innovation - a fact that will encourage the emergence of new companies and further industry consolidation.

[Figure: Magic quadrant for extranet access management. Source: Gartner]

[Figure: Spending on identity and access management software. Source: IDC]
