Convergence In The Identity Management Space
by Fran Howarth, Partner
All companies manage identities. But many still do not realize the costs and effort involved in managing disparate systems, or how not managing identities properly hurts productivity and affects the bottom line. Indeed, many are struggling with isolated HR systems, spreadsheet-based customer lists, proprietary links to major suppliers and so forth.
Failing to manage such identities can also cost more than the obvious administrative burden. If you can't see who is doing what to documents within a corporate network, you cannot be sure that sensitive information, such as product blueprints or financial information, does not leak out of a company. The same holds for business resources, such as laptops, mobile phones and office passes. If you are not managing your entitlements, these resources can walk out of a company. And it is far from uncommon for ex-employees to fail to return office passes, which can lead to unauthorized access to office premises.
But help is at hand in the form of automated identity management technologies. Over the past few years major technology players in this space have been building out their portfolios, a lot of it through acquisition. Virtually all major players in this space have made acquisitions of point solutions or product suites, as is the case with CA, Sun, BMC, IBM, HP and Oracle. This means that most vendors now have capabilities within the identity management space that include application and account provisioning, access control and single sign-on, and some capabilities in the federated identity management space.
Identity Management and Strong Authentication
In the past couple of months, a new convergence trend has emerged in the identity management space: vendors of strong authentication technologies are making identity management acquisitions. Strong authentication players have long been important in this market, with RSA Security and Entrust both being major players with strong offerings that are endorsed by governments and large commercial companies. Now, some of the smaller players are entering the fray.
In August 2005, ActivCard, a vendor providing identity assurance technology, announced its acquisition of Protocom in order to strengthen its enterprise single sign-on (SSO) capabilities. This acquisition makes a great deal of sense since strong authentication goes hand in hand with SSO technologies, providing a higher level of assurance. And this level of security can be extended to physical assets as well, such as tying physical identities to enterprise access cards to provide a higher, auditable level of security.
In October 2005, nCipher, a vendor of cryptographic security solutions, announced its intent to acquire Abridean, which offers provisioning technologies. Prior to proposing this acquisition, nCipher had extensively researched the market, concluding that identity management technologies would be key to its strong authentication technology sales for the next decade at least. It believed it could combine the two product types. The combination of technologies will allow customers to more securely define and enforce access rights, as well as prove who accessed what and when – in order to help with governance and regulatory compliance goals.
Strong authentication technologies have long been used by organizations, primarily in the form of tokens providing one-time passwords. But increasing security threats and the need to better manage identities (partly owing to increased regulatory requirements demanding higher standards of information control) are pushing a wider range of companies to consider deploying stronger forms of authentication than previously. Strong authentication is less susceptible to the threat of social engineering. It is not as easy to get someone to part with a token as it is to get them to tell you their password. In addition, the cost of security tokens is decreasing, as is that of other strong authentication methods, including biometrics.
Government Mandates Adding Impetus
Governments are also adding momentum to this area with mandates that strong authentication must be employed in certain circumstances, including the use of smart cards for identity purposes for all federal state employees. Most recently, US regulators have demanded that banks improve security measures for authenticating customers who access Internet services, requiring that dual-factor authentication be used, such as tokens and smart cards, as well as user IDs and passwords.
Even before this demand was made, most major banks in industrialized countries were trialling the use of strong authentication for their banking customers. Initiatives such as these will add greater impetus to the market for strong authentication for some time. As identities are more commonly tied to security devices, it will lead to greater use of strong authentication in conjunction with identity management technologies.