Because the importance of enterprise IAM is only increasing, the technology is evolving to offer administrators more functionality. Compliance pressures have pushed enterprises to adopt IAM "suites" with features ranging from user provisioning to user access and user activity auditing. (Regulations like SOX, HIPAA and GLBA, and industry guidelines like PCI DSS require auditing, so it's a standard feature of most IAM products.)
But compliance is only part of the story. An untethered workforce, less office bound than ever, is demanding remote access from a host of devices. And with those demands come requirements to secure those devices, as well as the networks to which they connect. Today, there are laptops, BlackBerrys, PDAs and even iPhones, so products that secure and authenticate such devices will continue to drive the market.
Closely related to providing authentication for remote devices is endpoint security and network access control (NAC). Since each device could have only one user, it might seem the two are different sides of the same coin, but traditional IAM authenticates people, while one of NAC's functions is to authenticate endpoints, or hardware.
NAC products aren't as mature or clearly defined as IAM products. NAC is not only about access management, but also securing remote device configurations and interfaces. As NAC products evolve and become better at role-based authentication, they will become part of the IAM scene. Expect this segment to grow in the coming years. Oracle Corp.'s IAM suite has already been cited by Gartner Inc. as a leader in this area.
SSL VPNs, which basically just secure websites for logging in remotely to a network, will also continue to grow in popularity because they're easier to use and deploy than traditional IPSec VPNs. Leaders in this space are products from SonicWall Inc. and Citrix Systems Inc.
SSL VPNs are only following the trend toward Web-based (rather than network-based) applications. Over the long term, Web authentication will continue to be a growing section of IAM. Again, compliance is playing a key role. Requirements like those of the Federal Financial Institutions Examinations Council (FFIEC) demand multifactor authentication for Web banking, so besides traditional two-factor authentication devices, like one-time password (OTP) tokens and biometrics, companies are looking at back-end systems that authenticate transactions rather than users.
This is an area to watch as companies get creative with Web authentication. The market for two-factor devices for Web logins may stabilize, unless users demand to see stronger authentication on the front end of fraud detection systems rather than behind the scenes.
Single sign-on (SSO) is an old-time favorite expected to remain popular. Federated identity management, which is SSO between companies, holds promise for growth once it has mutually agreed upon standards in place. Major vendors like Novell Inc., Imprivata Inc., ActivIdentity Inc. and Citrix will continue to thrive in this market.
If the picture for IAM is so rosy, what are the pitfalls? What should enterprises look out for when shopping for products?
IAM deployments always require a lot of planning. Rolling out a new IAM system to every user in the organization can be expensive in terms of time, money and staff resources, so rollouts should happen in stages with selected groups of users, rather than with the entire company at once. A successful deployment for a large company can take anywhere from six months to two years.
Check to make sure the IAM suite or products are compatible with the company's architecture -- and with each other. Many suites grew through acquisitions, combining disparate pieces that might not necessarily be designed to work well together. Does the user provisioning piece, for example, work with the management GUI? Do the IAM products mesh with directory services, such as Active Directory or LDAP? Some products work well with existing systems, but some don't. Check before making that purchase decision. An inventory of the current network architecture and directory services should be the first order of business.
Enterprise role management is a growing part of IAM, since it transcends traditional business units within a company, and is flexible to adapt as the company grows, either internally or through acquisition. Roles and user groups familiar to the old organization may become obsolete, so make sure any IAM product or suite can handle role-based access management.
Lastly, make sure the IAM system is centralized. Not only is a single IAM system a best security practice, it provides centralized control of user access, which auditors and regulators require to provide full accounting of users and their activities. Users on different access control systems are only an invitation to chaos. And that's not what access management is all about.
About the author:
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP, specializing in web and application security, and the author of the recently released Second Edition of The Little Black Book of Computer Security. He hosts a regular radio show on computer security on WIIT and runs The IT Security Guy blog at http://www.theitsecurityguy.com.
This was first published in July 2008