A key to security

By Robert Lemos
Staff Writer, CNET News.com
October 28, 2003, 4:00AM PT

A glass-replacement services contractor for insurance companies, Safelite used Siebel Systems products to manage customer relations, Cognos technology to organize its data warehouse, Oracle systems to arrange its financial records and a half dozen other applications to run the business.

So Safelite turned to "identity management"--technology that allowed it to centralize and simplify security operations, giving the technical support staff access to a single system that could change any resource. The result: fewer administrators, fewer expenses and fewer headaches.

"There was quite a bit of administration and overhead cost to maintain multiple people in disparate systems," said Dean Riviera, director of enterprise architecture and security at the company. "What people wanted was to not have to remember all the passwords. Not only passwords, but the roles and responsibilities."

Identity management is the latest security technology to gain popularity in the corporate world--mostly for its efficiencies. The technology allows new employees to be set up with network resources in minutes, rather than days, while requiring them to have only one password for access to servers, printers and other proprietary equipment. Because of significant savings in time and money, manufacturers say, identity management systems can pay for themselves in a year.

The current generation of identity management systems brings together four major components: directories that hold the personal data that's used to grant access; a management system to add, modify and delete the data; a security system that regulates access; and an auditing system that's designed to ensure company compliance with privacy regulations.

"Identity management has one simple goal: one identity per individual, at least in the corporate setting," said Chris Christiansen, a security analyst at market researcher IDC.

Simplicity, however, can come at a price. Centralized operations could become an alluring target because, if compromised, they could allow an intruder to create valid accounts for numerous resources by way of a single security breach.

Companies adopt identity management systems to trim costs from a variety of business processes and to reduce potential liabilities.

Access privileges can be set up fast. Companies don't have to pay for worker downtime, saving days' to weeks' worth of salary expenses.

On the other side of the same coin, automated setup of systems means that administrators spend less time maintaining resources. The size of a company's dedicated information technology staff can thus be smaller.

Users that have a single password for all resources are less likely to need to reset their access codes, thus saving support call costs.

The accounts of workers who leave the company can be shut down immediately, plugging potential security holes and decreasing liability.

Auditing software can automatically ascertain whether a company is complying with data-handling and privacy regulations.

Source: CNET News.com interviews

Nevertheless, judging from industry projections, it seems that cost-conscious companies are willing to take the chance. IDC predicts that sales of identity management systems will grow to $4.6 billion in 2007, nearly doubling the $2.4 billion in revenue they generated in 2002.

"What people are dealing with now is trying to keep costs down," said Deepak Taneja, chief technology officer at identity management software seller Netegrity. "All the administrative issues around managing identity cost a ton of money, and people want to find efficiencies."

Another factor that's driving demand is new legislation that's punishing companies that fail to adequately protect customer information. Laws such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA) and California's Security Breach Information Act require companies to track how restricted information has been accessed.

Among the early adopters of the technology are the major accounting firms, said Joe Duffy, lead partner of PricewaterhouseCoopers' Security & Privacy Solutions practice, which counsels companies on how to handle security and identity management systems.

"It's the single fastest-growing thing I have, doubling every year," Duffy said. "The ability of having a single view of a user across the enterprise is dramatic."

Putting the pieces together
In essence, identity management brings together various software packages that were separate systems just a few years ago. Companies no longer need piecemeal identity technologies such as single sign-on applications, directory management software and auditing or accounting packages. Not surprisingly, many manufacturers of these technologies are now rebranding themselves as identity management businesses.

Several companies, such as Oblix, Netegrity, Phaos Technology and Blockade Systems, specialize in identity management software. Other large tech outfits, including Computer Associates International, IBM, Microsoft, Novell and RSA Security, are entering the market with their own offerings. IBM has bought several businesses, such as Access360 and Tivoli, that specialized in one or more of the components, while Microsoft has partnered with Oblix to augment the software giant's own Active Directory, Metadirectory Services and Identity Integration Server products.

By connecting human resources systems directly to the servers that control access to corporate network resources, companies can significantly reduce the time it takes to get new employees set up to access all necessary systems. A study Stanford University conducted with Hong Kong University of Science & Technology and software company Novell found that almost half of all businesses take more than two days to set up a new user. Ten percent of companies take more than two weeks.

"How unproductive are people going to be when they have to wait for authorization to get on the network?" said Joe Anthony, program director of IBM's integrated identity management group. IBM, which sells its own identity management system, estimates that a single employee costs $400 a year on average to support, most of which goes toward simply resetting passwords that are lost, forgotten or need to be changed. The Stanford study found that 86 percent of workers are required to remember two or more passwords and that a quarter must remember four or more.

Given those kinds of numbers, large companies that have thousands of employees have taken a keen interest in ID management. Fast food chain Burger King, for example, which has an employee turnover rate that can reach 250 percent annually, uses the technology to manage its far-flung work force.

ID management has important uses beyond a company's rank and file as well. General Motors uses the technology to help track the employee credentials of some 17,000 suppliers who log on to the company's system to bid on contracts.

"A company with 100 different stores of data means that an administrator has to enter the data 100 different times," said Wendy Steinle, director of solutions marketing for Novell's Nsure and exteNd product lines, which include identity management software. "Moreover, how often does he get them all right, without making a mistake?"

The adoption of identity management within companies will likely lead to consumer uses as well. Microsoft's .Net Passport service, for example, lets consumers store personal information with the software giant and reap the advantages of single sign-on at Passport-affiliated sites. In turn, a group of companies collectively known as the Liberty Alliance has developed a competing "federated" identity system that gives consumers a choice as to where they can store their ID data. The key idea is to create a single identity for a consumer that can be used for hassle-free interactions on a variety of Web sites.

"Customers don't want to have to log on to each service differently," said Michael Stephenson, lead product manager for Microsoft's identity management group. "It really reduces the number of customers that will use the service."

Still, persuading companies to buy identity management software can be a challenge. Much of the time, installing a new system entails ripping out custom-made software for handling business processes.

"Usually, you are talking to someone who owns the existing process, and they are too wedded to it," IBM's Anthony said. "It's a little frustrating."

But as the technology's advantages become known, Anthony and others say, such obstacles will likely subside.

When salespeople from Oblix touted the company's identity management products to potential clients in the late 1990s, they'd spend the first 45 minutes talking up the need for the technology, said Prakash Ramamurthy, vice president of products and technology at Oblix. That's no longer the case.

"We don't need to evangelize it anymore," Ramamurthy said. "People get it. It is becoming more and more mainstream."