Like any other information security sector, the identity and access management market always has its eye on the horizon for new technologies. Unified digital identity is years away but major industry players already are laying the groundwork, said Sally Hudson, an analyst with IDC.
"Between access management and authentication products and different form factors you'll see more choice and a lot of smart cards and combinations of biometrics and smart cards," Hudson Said. "You'll also see more development in Web services and federation that will allow more companies to work securely together."
But it begins with the basics, says Ray Wagner, managing vice president at Stamford, Conn.-based research firm Gartner Inc. "We just sent out a note for 2007 that basically says, 'You need to get back to the basics and build that platform,'" he said. "Then you can build federation and identity."
Wagner suggests that companies document their current processes before throwing new identity and access management technology at the problem. It's all well and good to automate user provisioning, but creating roles in the enterprise takes a great deal of thought, he said.
"If you try to define every IT role you end up with more roles than you have employees," Wagner said. "Thirty to 100 roles is enough. If you have 800 roles then you're focusing too much on defining roles."
Parts of the identity and access management field, like Web access and platform access control, are mature, said Wagner. "If you were to look at heavy Microsoft-based enterprises or Oracle-based enterprises, this stuff is not a problem at all," he said.
The maturing market is driving vendors to seek new customers in the high-end, mid-market.
"What we've seen is a huge tightening of the market, a lot of acquisitions, a lot of platform vendors like IBM, Novell, HP and Sun, snapping up best-of-breed vendors who did Web access management," said Wagner. "Now they're starting on vendors who do federation and role management. You have large companies acquiring and deploying identity management suites that are integrated and should get better integrated over time."
Wagner estimates that 20% of the market has an access management infrastructure in place and another 30-40% are thinking about, ensuring plenty of growth in the years ahead.
Hudson believes the identity and access management will grow from $3 billion in 2005 to $5.1 billion in 2010. "There's going to be more full-fledged implementation," she said. "Larger enterprises will play more with full-fledged suite sellers like CA and IBM. A company like MasterCard uses products from CA and IBM."
Regulatory compliance is driving much of the growth, according to industry analysts.
"It's not the IT group that has the budget; people are trying to deal with SOX and HIPAA," Wagner said. "You wonder how long this compliance interest will last."
Even if HR, legal and accounting departments lose their zeal for identity access management, companies likely will need to upgrade anyway. That's because the quick-fix products they bought to comply with new industry standards won't meet new security threats.
"Many Band-Aids have been put into place that will be augmented or replaced over time," said Hudson. "That doesn't mean they're bad solutions; they're just not capable enough to meet new challenges. But that's the way IT is always run."
Ira Apfel is a freelance writer in Washington DC.