Companies worldwide no longer consider bringing their business to the Internet a luxury or a novelty. Tacking an "e" onto their business model is a necessity, and that means granting system access to users -- like customers, business partners and the supply chain -- who ordinarily would not have it.
That places greater importance than ever on identity and access management, said Roberta Witty, Gartner research director for information security strategies.
"The big change is the migration to an e-business model, moving from inward-facing to global applications," Witty said last week during a Webinar sponsored by Gartner, RSA Security and Business Layers.
Witty, however, points out that managing user access and provisioning is a tall order as enterprises become more heterogeneous and the number of users who need access grows.
"As enterprises create virtual enterprises and create more collaboration with trading partners, this reinforces the need for an automated process to manage these resources," Witty said. "Spending on technology is moving out of the enterprise and toward using more managed services. Security is a prerequisite to deliver transactions on the Internet. Companies are looking for ways to automate that process and achieve ROI (return on investment)."
Witty points out five business drivers companies are facing when it comes to taking the leap into identity management:
- Business facilitators -- Enterprises will need to have customers, business partners and the supply chain self-register in order to get to interactive sites and solutions and have access to what they need, Witty said;
- Cost reduction -- Automated identity management products cut costs because fewer people are needed to run them and help desk calls are reduced;
- Improved service levels -- Witty points out that internal service level agreements are shrinking, and before long, the only way to support them is through automation;
- Security risk management -- Keeping tabs on who has access to what is vital to securing enterprise data, networks and applications;
- Regulatory compliance -- Legislation like the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLB) is forcing enterprises to standardize their management of users in many cases.
Witty explained that enterprises need to consider provisioning products: security administration tools for IT resources that allow companies to manage user accounts, user groups and the privileges associated with those groups. Also, enterprises need to look at extranet access management, Witty said. These products are real-time authorization engines that manage user access to Web-based resources.
Password synchronization and reset software is also a must, Witty said. These products focus on the end-user experience and Witty said they can reduce help desk calls. She added that 30% of help desk calls are related to password management.
"Companies that implement a solution here see ROI in anywhere from three to six months," Witty said.
Single sign-on is the final product piece of the puzzle, Witty said. Such products have to be enterprise-wide and grant access to applications, both Web-based and internal, as well as extranet access.
Witty said that several factors guarantee success. First, enterprises must focus on bringing identity management across an organization and be aware that identity management forces internal political, as well as technological, business changes.
"Understand your enterprise's strategy for Web-based applications, directory services and portal usage," Witty said. "Know all these strategies and this will help you focus on what particular markets you need to focus on first."
Witty also said that identity management projects must be phased in over time.
"Don't underestimate the time required to integrate home-grown applications with access management solutions," Witty said.