Identity Management: The Issues
by Robin Bloor, Partner
We have been expecting to see consolidation in the Identity Management (ID Mgt) market and it is now happening at quite a pace. If you have been watching you will have noticed that IBM, Sun Microsystems, HP, CA and BMC have all acquired ID Mgt companies or technologies in the past year or two. In the past month there has been further action, with BMC acquiring Open Network and Oracle acquiring Oblix. These companies, plus Novell and Microsoft, can all be thought of as significant vendors in what has clearly become an important software market.
It is not difficult to understand why this has happened. The IT industry evolved from the mainframe, which came with a perimeter security approach virtually built in: everything of value sat inside one machine and access was controlled at its edge. It wasn't until networking became popular that the limits of this model became apparent, and it wasn't until the Internet proliferated that the chickens came home to roost. Suddenly we inhabited a world where there was no common standard for the identity of users or the definition of their access rights, and IT security was spinning out of control.
Most of the major software vendors are now competing to provide the foundation for Identity Management, which is a necessary part of the security layer that is being engineered to solve the problems of the past. It is also the foundation for provisioning, and not just the provisioning of software applications.
So, what are the major issues in Identity Management? Here’s a quick summary:
• Password Management. Password management is a primary driver for many businesses, because it is a clear source of pain and cost. Unfortunately many businesses, especially small and mid-tier companies, just buy technology to address the password issue without considering the need for a more comprehensive ID Mgt solution. Many of the pains caused by the lack of ID Mgt are distributed and not so immediately obvious, but they exist and will need to be addressed in time.
• Security and Compliance. Without ID Mgt you have security weaknesses that intruders or rogue staff can exploit. Regulatory action (Sarbanes-Oxley, HIPAA, etc.) has done a great deal to focus attention on this, particularly in the US, and it has caused a number of companies we have talked with to implement ID Mgt. Without ID Mgt you cannot have solid audit trails of who did what, and so compliance procedures are inevitably weak.
• Authentication. Identities need to be authenticated. There is a whole range of technology for this, but few ID Mgt systems provide anything more than password authentication. Interfaces to stronger authentication technologies (cards, tokens, biometrics, etc.) have become increasingly important.
• Identity Information. Identity data is held in multiple stores in many places (user directories on different servers) and within many applications (email, HR, many business applications, telephone directories, etc.). Really good ID Mgt implementations can keep this type of information in step and ensure that it all stays current. Rather than keeping a single centralized database of identities, they use a "meta directory" approach, which harvests identity data from every identity store and propagates changes between the stores.
• External Identities. There are two issues here. The first is managing external identities (customers, partners, suppliers, etc.) effectively and securely. ID Mgt solutions need to be web-capable and they need to scale well, as they may end up managing millions of identities; some systems already do. The second issue is federated identity, which is now becoming a factor in business-to-business interactions. ID Mgt systems need to be able to interoperate with other ID Mgt systems to exchange reliable and usable identity information, and such exchanges must themselves be secure.
• Software Provisioning. The ability to provision and de-provision software automatically is an important benefit of ID Mgt. Management needs to make changes in the provisioning of software when an employee's status changes, such as on joining or leaving the company, and also when new software applications or software upgrades are implemented. Good ID Mgt automates this whole activity and provides a workflow system so that the responsibility for granting access can be distributed and delegated. It is often implemented in conjunction with a portal; if so, the fit with the portal technology needs to be good.
• Extended Provisioning. In addition to software, employees (or customers or partners) may need to be provisioned with things that are not delivered through software. For example, the company may need to provision or de-provision cars, car spaces, laptops, cell phones or pension arrangements for employees. This means that there need to be strong links between ID Mgt systems and many other applications, particularly HR applications.
• Identities That Follow Transactions. With the advent of Service Oriented Architectures we are seeing a rapid rise in situations where software interacts with other software, so a piece of software can act as a proxy for a user's identity. For a transaction to be truly authenticated, the authentication data must be carried "end-to-end" and actively checked by every process involved in the transaction, not just by the first one the user touched. This is a tough requirement for any ID Mgt product to meet at the moment.
• SOA. ID Mgt products should themselves implement an SOA so that identity services can be called by any other application. In our view this will eventually be a natural aspect of SOAs: they will have direct links to comprehensive ID Mgt systems.
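The two mechanisms sketched in the list above, the meta directory that keeps identity stores in step (under Identity Information) and the joiner/leaver provisioning workflow with delegated approval (under Software Provisioning and Extended Provisioning), put together as one added Python example. This is not code from the article or from any vendor it names: the attribute authority rules, the entitlement policy, the store contents, the employee ids and the approver names are all assumed for illustration.

```python
"""Meta-directory reconciliation feeding joiner/leaver provisioning.
Constructed example: the stores are in-memory dicts standing in for HR, the
mail directory and a phone book; entitlements stand in for what each target
system (or the facilities desk) currently grants a person."""
from dataclasses import dataclass, field
from typing import Optional

# Attribute flow rules (assumed policy): HR owns who a person is and whether
# they still work here; the mail directory owns the mail address.
AUTHORITY = {"name": "hr", "dept": "hr", "status": "hr", "mail": "maildir"}
# Entitlement policy (assumed): everyone active gets the baseline; some
# departments get an application that needs a delegated approver's sign-off.
BASELINE = {"mail", "badge", "laptop"}
DEPT_ROLE = {"sales": {"crm"}, "finance": {"ledger"}}
NEEDS_APPROVAL = {"crm": "sales-owner", "ledger": "finance-owner"}

def reconcile(stores):
    """Join every store on the employee id and push the authoritative value of
    each attribute into every other store that carries that attribute.
    Returns the changes made as (store, uid, attr, old, new) tuples."""
    changes = []
    for uid in sorted(set().union(*(s.keys() for s in stores.values()))):
        for attr, source in AUTHORITY.items():
            if attr not in stores[source].get(uid, {}):
                continue  # authoritative store has no value: leave the others alone
            value = stores[source][uid][attr]
            for name, store in stores.items():
                if name != source and attr in store.get(uid, {}) and store[uid][attr] != value:
                    changes.append((name, uid, attr, store[uid][attr], value))
                    store[uid][attr] = value
    return changes

@dataclass
class Action:
    uid: str
    verb: str                       # "grant" or "revoke"
    resource: str
    approver: Optional[str] = None  # None: applied automatically

@dataclass
class Workflow:
    pending: list = field(default_factory=list)  # grants awaiting an approver
    audit: list = field(default_factory=list)    # who did what, in order

def plan(uid, record, current):
    """Turn the reconciled HR record into provisioning actions. A leaver, or an
    account with no HR record at all, loses everything it holds; revocations
    never wait for approval, grants may."""
    wanted = set()
    if record["status"] == "active":
        wanted = BASELINE | DEPT_ROLE.get(record.get("dept"), set())
    grants = [Action(uid, "grant", r, NEEDS_APPROVAL.get(r)) for r in sorted(wanted - current)]
    revokes = [Action(uid, "revoke", r) for r in sorted(current - wanted)]
    return grants + revokes

def apply_action(action, entitlements, workflow, actor):
    held = entitlements.setdefault(action.uid, set())
    (held.add if action.verb == "grant" else held.discard)(action.resource)
    workflow.audit.append((action.verb, action.uid, action.resource, actor))

def execute(actions, entitlements, workflow):
    for a in actions:
        if a.approver:  # park it for the delegated approver, and record that we did
            workflow.pending.append(a)
            workflow.audit.append(("queued", a.uid, a.resource, a.approver))
        else:
            apply_action(a, entitlements, workflow, actor="system")

def approve(workflow, approver, entitlements):
    """The delegated approver releases their own queue; other items stay pending."""
    mine = [a for a in workflow.pending if a.approver == approver]
    workflow.pending = [a for a in workflow.pending if a.approver != approver]
    for a in mine:
        apply_action(a, entitlements, workflow, actor=approver)

def demo():
    stores = {  # constructed sample data; e103 holds entitlements but has no HR record
        "hr": {"e100": {"name": "Ann Lee", "dept": "sales", "status": "active"},
               "e101": {"name": "Bob Ray", "dept": "finance", "status": "left"},
               "e102": {"name": "Cy Oh", "dept": "eng", "status": "active"}},
        "maildir": {"e100": {"name": "Ann Li", "mail": "ann@example.com"},
                    "e101": {"name": "Bob Ray", "mail": "bob@example.com"}},
        "phonebook": {"e100": {"name": "Ann Lee", "dept": "marketing"},
                      "e101": {"name": "Bob Ray", "dept": "finance"}}}
    entitlements = {"e100": {"mail", "badge", "laptop"},
                    "e101": {"mail", "badge", "laptop", "ledger", "car-space"},
                    "e103": {"mail"}}
    changes = reconcile(stores)
    wf = Workflow()
    for uid, rec in stores["hr"].items():
        execute(plan(uid, rec, entitlements.get(uid, set())), entitlements, wf)
    for uid in sorted(set(entitlements) - set(stores["hr"])):  # orphaned accounts
        execute(plan(uid, {"status": "orphan"}, entitlements[uid]), entitlements, wf)
    return changes, entitlements, wf

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Running it, the phone book's stale department and the mail directory's misspelt name are corrected from HR, the leaver loses the ledger access and the car space in the same pass as the mail account, the orphaned account with no HR record is stripped, and the new sales hire's CRM access sits in the sales owner's queue until approve() is called by that owner, with every step written to the audit list the compliance item above asks for.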
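The end-to-end requirement under Identities That Follow Transactions, as an added Python example that is not from the article or from any product it mentions. It assumes a design in which an identity service issues the user one token per downstream service, each authenticated with a secret known only to that service and the identity service, in the spirit of Kerberos service tickets; the service names, secrets, subjects and the fixed clock are all constructed.

```python
"""Identity that follows a transaction across service hops (constructed example).
An identity service issues the end user one token per downstream audience, each
authenticated with a key shared only between the identity service and that
audience (assumed design). A service in the middle can relay the user's token for
the next hop, but it cannot mint one that claims the user's identity, because it
never holds the next hop's key."""
import hashlib
import hmac
import json
import time

class IdentityService:
    def __init__(self, audience_keys):
        self._keys = dict(audience_keys)  # audience name -> that audience's secret

    def issue(self, subject, audience, ttl=300, now=None):
        body = {"sub": subject, "aud": audience, "exp": int((now or time.time()) + ttl)}
        payload = json.dumps(body, sort_keys=True)
        tag = hmac.new(self._keys[audience], payload.encode(), hashlib.sha256).hexdigest()
        return payload + "." + tag

class Service:
    def __init__(self, name, key):
        self.name, self._key = name, key

    def verify(self, token, now=None):
        """The subject the token names if it was issued for this service, is intact
        and unexpired; otherwise None. Checked on every hop, never inherited."""
        payload, _, tag = token.rpartition(".")
        expected = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return None
        body = json.loads(payload)
        if body["aud"] != self.name or body["exp"] < (now or time.time()):
            return None
        return body["sub"]

def order_flow(tokens, orders, billing, now=None):
    """User -> orders -> billing. The billing service re-authenticates the end
    user from the token issued for it rather than taking the order service's word.
    Returns (hop, subject) on success or (hop, "rejected") at the failing hop."""
    caller = orders.verify(tokens.get("orders", ""), now)
    if caller is None:
        return ("orders", "rejected")
    # orders forwards the user's billing token unchanged; it cannot alter or mint one
    payer = billing.verify(tokens.get("billing", ""), now)
    if payer is None or payer != caller:
        return ("billing", "rejected")
    return ("billing", payer)

T = 1_700_000_000  # fixed clock so the example is deterministic
KEYS = {"orders": b"orders-secret", "billing": b"billing-secret"}  # constructed secrets
idp = IdentityService(KEYS)
orders = Service("orders", KEYS["orders"])
billing = Service("billing", KEYS["billing"])

def legitimate():
    tokens = {a: idp.issue("alice", a, now=T) for a in ("orders", "billing")}
    return order_flow(tokens, orders, billing, now=T)

def rogue_orders_service():
    """A compromised orders service tries to bill bob. It only holds the orders
    key, so the token it mints for the billing audience fails billing's MAC check."""
    forged = IdentityService({"billing": KEYS["orders"]}).issue("bob", "billing", now=T)
    return billing.verify(forged, now=T)

def wrong_audience():
    """Relaying the token meant for orders on to billing is refused."""
    return billing.verify(idp.issue("alice", "orders", now=T), now=T)

def expired():
    return billing.verify(idp.issue("alice", "billing", ttl=60, now=T), now=T + 61)

def tampered():
    """Changing the subject in transit breaks the tag."""
    tok = idp.issue("alice", "billing", now=T)
    return billing.verify(tok.replace('"alice"', '"mallory"'), now=T)

if __name__ == "__main__":
    print(legitimate(), rogue_orders_service(), wrong_audience(), expired(), tampered())
```

Because billing checks the user's own token, a compromised orders service cannot assert a different user to it, and a token meant for orders is useless at billing. What the example does not do is bind the token to the path it travelled: billing learns who the user is, not that orders was an authorised intermediary for this request, which is the delegation part of the problem the article calls tough.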
If you are considering identity management technology then we suggest you dig in to find out what vendors are offering in all these areas. The customers we have talked to who have implemented ID Mgt quickly discovered that it is an ongoing project. Relatively simple capabilities, such as password management, can be implemented quickly, but a more comprehensive capability takes time to build. We are not currently aware of any 100 percent implementations or 100 percent solutions for Identity Management.