Identity management is currently a buzzword in the security industry, but it's actually a misnomer. The technology oversees a user's access to applications and networks within an enterprise, rather than who the user is.
Despite the marketing spin on the term, it's difficult to deny its growing prominence on the radar screens of administrators within the enterprise, according to Gartner Research Director, Information Security Strategies, Roberta Witty. IDC agrees, noting that identity management will grow from $2.8 billion to $9.5 billion in 2005, 28% annual compound growth.
"With the growth of e-commerce applications, enterprises are starting to realize that there is a sea of users they have to manage," Witty said. "Companies are consolidating their entry points into the enterprise through portals. User management is central to delivering services to the enterprise and companies are looking at consolidating their entry points and how to manage them."
Economic factors, however, are forcing enterprises to trim their security budgets while the demand for heightened IT protection does not wane. Couple that harsh reality with the aftermath of the Sept. 11 terrorist attacks on America and security officers are feeling more heat than ever to control who has access to what inside the enterprise.
"It's definitely catching on now," said Chris King, program director of Global Networking Strategies at Meta Group, of identity management. "The thing I've seen since Sept. 11 is an interest in defensive technologies. One thing organizations get beat up over is poor user management process."
Cost reduction and meeting your SLAs
Witty points out that as more enterprises jump onto the Web to do business or open their virtual doors to remote workers or business partners via virtual private networks, each user's role-based access needs to be managed either automatically or by a warm body.
"The business driver is cost reduction and cost avoidance. Companies, as they grow, need to add people to manage all those users or they need to look for an automated solution," Witty said.
Tasks like password management have already been turned over to the user via automated means in many enterprises.
"Companies want to reduce the volume of calls to achieve a direct return-on-investment (ROI) on the help desk," she said. "Those calls are often outsourced or passed on to a different user. Companies need to automate the process to achieve their internal or external service level agreements (SLAs)."
Legislation has also indirectly helped identity management get off the ground. Financial sector regulations like the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (HIPAA) in the health care industry have mandated that companies in both spaces get a handle on data and keep it safe. Witty also notes that companies can use identity management to reduce costs by effectively managing employees who have been terminated, ensuring that their access to sensitive systems and/or data has likewise been terminated.
"It's all about meeting your internal and external SLAs and cost reduction," Witty said.
Vendors stepping up
Some vendors are stepping up, especially those in the systems management space, like BMC and Tivoli as well as security firms like Access 360, Courion and Waveset. Netegrity, RSA Security and Tivoli have also made strides in Web single sign-on technology, King said.
"There's been slow, steady growth in this space; It used to be called single-point user administration," King said. "Companies are getting a leverageable infrastructure for storing identification. You need to manage that stuff."
Tivoli is the latest to dip its toes into the identity management waters. Last week it released Tivoli Identity Director, provisioning software that manages user information and allows access to different entry points, like applications, the network or the system as deemed necessary by their pre-defined role within an organization. Identity Director interoperates with Tivoli Policy Director, released six weeks ago. This integration marries the front-end workflow and e-provisioning management.
"The traditional way this technology is deployed is that a company ships a console, agents and a database," King explained. "The new idea is to couple this infrastructure with front end workflow and make it easier to manage, like e-mail and Peoplesoft."
King believes, however, that the Tivoli product is just a signal that the IBM subsidiary is readying a future identity management splash.
"Tivoli realized their admin product was way behind. They decided that rather than trying to revamp its image, they changed it. The problem is, it's still based on the same core functionality and the same old problems. It still has issues concerning the weight of implementation, the time of implementation and the flexibility of implementation. It's got a better front end, but still needs some work," King said. "This is an indication that Tivoli is getting back in. I'm not ready to say to users, buy it now that it's the next best thing to sliced bread."