
'ID management' could cut bureaucracy--and costs
By Robert Lemos
Staff Writer, CNET News.com
October 28, 2003, 4:00AM PT
A glass-replacement services contractor for insurance companies, Safelite used Siebel Systems products to manage customer relations, Cognos technology to organize its data warehouse, Oracle systems to arrange its financial records and a half dozen other applications to run the business.
So Safelite turned to "identity management"--technology that allowed it to centralize and simplify security operations, giving the technical support staff access to a single system that could change any resource.
"There was quite a bit of administration and overhead cost to maintain multiple people in disparate systems," said Dean Riviera, director of enterprise architecture and security at the company. "What people wanted was to not have to remember all the passwords. Not only passwords, but the roles and responsibilities."
Identity management is the latest security technology to gain popularity in the corporate world--mostly for its efficiencies. The technology allows new employees to be set up with network resources in minutes, rather than days, while requiring them to have only one password for access to servers, printers and other proprietary equipment. Because of significant savings in time and money, manufacturers say, identity management systems can pay for themselves in a year.
"Identity management has one simple goal: one identity per individual, at least in the corporate setting," said Chris Christiansen, a security analyst at market researcher IDC.
Simplicity, however, can come at a price. Centralized operations could become an alluring target because, if compromised, they could allow an intruder to create valid accounts for numerous resources by way of a single security breach.
Nevertheless, judging from industry projections, it seems that cost-conscious companies are willing to take the chance. IDC predicts that sales of identity management systems will grow to $4.6 billion in 2007, nearly doubling the $2.4 billion in revenue they generated in 2002.
"What people are dealing with now is trying to keep costs down," said Deepak Taneja, chief technology officer at identity management software seller Netegrity. "All the administrative issues around managing identity cost a ton of money, and people want to find efficiencies."
Another factor that's driving demand is new legislation that's punishing companies that fail to adequately protect customer information. Laws such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA) and California's Security Breach Information Act require companies to track how restricted information has been accessed.
Among the early adopters of the technology are the major accounting firms, said Joe Duffy, lead partner of PricewaterhouseCoopers' Security & Privacy Solutions practice, which counsels companies on how to handle security and identity management systems.
"It's the single fastest-growing thing I have, doubling every year," Duffy said. "The ability of having a single view of a user across the enterprise is dramatic."
Putting the pieces together
In essence, identity management brings together various software packages that were separate systems just a few years ago. Companies no longer need piecemeal identity technologies such as single sign-on applications, directory management software and auditing or accounting packages. Not surprisingly, many manufacturers of these technologies are now rebranding themselves as identity management businesses.
By connecting human resources systems directly to the servers that control access to corporate network resources, companies can significantly reduce the time it takes to get new employees set up to access all necessary systems. A study Stanford University conducted with Hong Kong University of Science & Technology and software company Novell found that almost half of all businesses take more than two days to set up a new user. Ten percent of companies take more than two weeks.
"How unproductive are people going to be when they have to wait for authorization to get on the network?" said Joe Anthony, program director of IBM's integrated identity management group. IBM, which sells its own identity management system, estimates that a single employee costs $400 a year on average to support, most of which goes toward simply resetting passwords that are lost, forgotten or need to be changed. The Stanford study found that 86 percent of workers are required to remember two or more passwords and that a quarter must remember four or more.
ID management has important uses beyond a company's rank and file as well. General Motors uses the technology to help track the employee credentials of some 17,000 suppliers who log on to the company's system to bid on contracts.
"A company with 100 different stores of data means that an administrator has to enter the data 100 different times," said Wendy Steinle, director of solutions marketing for Novell's Nsure and exteNd product lines, which include identity management software. "Moreover, how often does he get them all right, without making a mistake?"
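To make the HR-driven setup and single-point administration described above concrete, here is an added example in Python (not code from the article or from any vendor it names): one change in an HR feed creates, modifies or removes accounts across several target systems and writes an audit record for each change. The role-to-entitlement map, the system names and the HR records are all constructed for illustration.

```python
# Added example (not code from the CNET article or any vendor it names):
# an HR-feed-driven provisioning loop. Role map and target systems are constructed.
from dataclasses import dataclass, field

# Constructed role-to-entitlement map: which access each job role gets on each system.
ROLE_ENTITLEMENTS = {
    "sales": {"crm": "user", "email": "user"},
    "finance": {"finance": "user", "email": "user"},
    "admin": {"crm": "admin", "finance": "admin", "email": "user"},
}

@dataclass
class HrRecord:
    employee_id: str
    role: str
    active: bool          # False once HR marks the person as departed

@dataclass
class IdentityStore:
    """Central store: (system, employee_id) -> access level, plus an audit trail."""
    accounts: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)   # (action, employee, system, level)

    def reconcile(self, records):
        """Make every target system match the HR feed; return the audit entries written."""
        desired = {}
        for rec in records:
            if rec.active:
                for system, level in ROLE_ENTITLEMENTS.get(rec.role, {}).items():
                    desired[(system, rec.employee_id)] = level
        written = []
        # Create missing accounts and correct access levels that drifted from the role.
        for key, level in desired.items():
            if self.accounts.get(key) != level:
                action = "modify" if key in self.accounts else "create"
                self.accounts[key] = level
                written.append((action, key[1], key[0], level))
        # Remove every account the HR feed no longer justifies (departures, role changes).
        for key in list(self.accounts):
            if key not in desired:
                del self.accounts[key]
                written.append(("delete", key[1], key[0], None))
        self.audit.extend(written)
        return written

if __name__ == "__main__":
    store = IdentityStore()
    # Constructed HR feed: a new hire and an administrator, then the admin departs.
    store.reconcile([HrRecord("e100", "sales", True), HrRecord("e200", "admin", True)])
    store.reconcile([HrRecord("e100", "sales", True), HrRecord("e200", "admin", False)])
    for entry in store.audit:
        print(entry)
```

The audit list is what the access-tracking regulations mentioned in the article would be checked against; a departed employee's accounts disappear from every system in the same run that processes the HR change.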
The adoption of identity management within companies will likely lead to consumer uses as well. Microsoft's .Net Passport service, for example, lets consumers store personal information with the software giant and reap the advantages of single sign-on at Passport-affiliated sites. In turn, a group of companies collectively known as the Liberty Alliance has developed a competing "federated" identity system that gives consumers a choice as to where they can store their ID data.
"Customers don't want to have to log on to each service differently," said Michael Stephenson, lead product manager for Microsoft's identity management group. "It really reduces the number of customers that will use the service."
Still, persuading companies to buy identity management software can be a challenge. Much of the time, installing a new system entails ripping out custom-made software for handling business processes.
"Usually, you are talking to someone who owns the existing process, and they are too wedded to it," IBM's Anthony said. "It's a little frustrating."
But as the technology's advantages become known, Anthony and others say, such obstacles will likely subside.
When salespeople from Oblix touted the company's identity management products to potential clients in the late 1990s, they'd spend the first 45 minutes talking up the need for the technology, said Prakash Ramamurthy, vice president of products and technology at Oblix. That's no longer the case.
"We don't need to evangelize it anymore," Ramamurthy said. "People get it. It is becoming more and more mainstream."


Blockade's ManageID software provides self-service password registration and resets and synchronizes passwords across multiple systems, updating user access rights.
The company's Password Management software performs the same functions as those handled by Blockade's product.
Netegrity's software is designed to streamline account management by letting a company oversee the identities of employees and others who access its resources via the Web. Its IdentityMinder product helps administrators add, modify and delete the user information that Web applications and internal networks use. SiteMinder communicates with Web applications to regulate access to corporate data.
The company's NetPoint software manages the identities of employees and customers. NetPoint is designed to enable easy record modification, single sign-on and group-based access. The software can be used for both Web sites and internal networks.
Phaos makes software and tools for companies that want to create their own custom identity management systems or to open existing ones for partners and customers to use.

CA has separated identity management and access control into two pieces of its eTrust family of software. The identity management application adds, deletes and modifies user information, while the access-control application supports policy-based user restrictions.
Big Blue divides its products into four categories. The directory software holds identity data. Tivoli Identity Manager lets administrators manage that data, and Tivoli Access Manager enforces user identity-based security. Finally, Tivoli Privacy Manager enables a company to determine if its employees are following data protection regulations by checking on who has accessed what.
The software giant's Active Directory data server holds identity and access information. Its Metadirectory Services application is designed to let a company use other, non-Active Directory data in its identity management system, and its Identity Integration Server is designed to help companies bring together disparate data.
Novell's Nsure software consists of individual components that can be linked together as needed, including directory software, secure log-in, account management and auditing.
RSA is basing its identity management software around the secure-access technologies for which the company is known. Its RSA ClearTrust technology enables companies to automate and easily manage how customers and business partners access their Web sites, and it has several technologies for internal users.
Sun Microsystems offers a standards-based identity management product, Sun ONE Identity Server 6.0, which allows companies to manage access to Web and internal corporate applications. The product enables a customer to use a single identity (username and password) across many sites, also known as a federated identity framework.

Copy editor: Zoë Barton
Design: Ellen Ng
Production: Meghan McDowell
