
A key to security

ID management is the latest security technology to gain popularity in the corporate world. The technology allows workers to be set up with network resources in minutes, not days.

CNET staff

'ID management' could cut bureaucracy--and costs

By Robert Lemos
Staff Writer, CNET News.com
October 28, 2003, 4:00AM PT

Safelite Glass had a common business problem: Its information systems were a morass of products from different manufacturers, requiring the company to employ nearly a dozen administrators for security alone.

A glass-replacement services contractor for insurance companies, Safelite used Siebel Systems products to manage customer relations, Cognos technology to organize its data warehouse, Oracle systems to arrange its financial records and a half dozen other applications to run the business.

So Safelite turned to "identity management"--technology that allowed it to centralize and simplify security operations, giving the technical support staff access to a single system that could change any resource. The result: fewer administrators, fewer expenses and fewer headaches.

"There was quite a bit of administration and overhead cost to maintain multiple people in disparate systems," said Dean Riviera, director of enterprise architecture and security at the company. "What people wanted was to not have to remember all the passwords. Not only passwords, but the roles and responsibilities."

Identity management is the latest security technology to gain popularity in the corporate world--mostly for its efficiencies. The technology allows new employees to be set up with network resources in minutes, rather than days, while requiring them to have only one password for access to servers, printers and other proprietary equipment. Because of significant savings in time and money, manufacturers say, identity management systems can pay for themselves in a year.

The current generation of identity management systems brings together four major components: directories that hold the personal data that's used to grant access; a management system to add, modify and delete the data; a security system that regulates access; and an auditing system that's designed to ensure company compliance with privacy regulations.

"Identity management has one simple goal: one identity per individual, at least in the corporate setting," said Chris Christiansen, a security analyst at market researcher IDC.

Simplicity, however, can come at a price. Centralized operations could become an alluring target because, if compromised, they could allow an intruder to create valid accounts for numerous resources by way of a single security breach.

Companies adopt identity management systems to trim costs from a variety of business processes and to reduce potential liabilities.

Access privileges can be set up fast. Companies don't have to pay for worker downtime, saving days' to weeks' worth of salary expenses.

On the other side of the same coin, automated setup of systems means that administrators spend less time maintaining resources. The size of a company's dedicated information technology staff can thus be smaller.

Users that have a single password for all resources are less likely to need to reset their access codes, thus saving support call costs.

The accounts of workers who leave the company can be shut down immediately, plugging potential security holes and decreasing liability.

Auditing software can automatically ascertain whether a company is complying with data-handling and privacy regulations.

Source: CNET News.com interviews

"It's the same thing if you put your car, home and office all on the same key. It is easier, yes, but it can be dangerous," said Bruce Schneier, chief technology officer for network protection company Counterpane Internet Security. "If you never lose your key, it is a great idea."

Nevertheless, judging from industry projections, it seems that cost-conscious companies are willing to take the chance. IDC predicts that sales of identity management systems will grow to $4.6 billion in 2007, nearly doubling the $2.4 billion in revenue they generated in 2002.

"What people are dealing with now is trying to keep costs down," said Deepak Taneja, chief technology officer at identity management software seller Netegrity. "All the administrative issues around managing identity cost a ton of money, and people want to find efficiencies."

Another factor that's driving demand is new legislation that's punishing companies that fail to adequately protect customer information. Laws such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA) and California's Security Breach Information Act require companies to track how restricted information has been accessed.

Among the early adopters of the technology are the major accounting firms, said Joe Duffy, lead partner of PricewaterhouseCoopers' Security & Privacy Solutions practice, which counsels companies on how to handle security and identity management systems.

"It's the single fastest-growing thing I have, doubling every year," Duffy said. "The ability of having a single view of a user across the enterprise is dramatic."

Putting the pieces together
In essence, identity management brings together various software packages that were separate systems just a few years ago. Companies no longer need piecemeal identity technologies such as single sign-on applications, directory management software and auditing or accounting packages. Not surprisingly, many manufacturers of these technologies are now rebranding themselves as identity management businesses.

Several companies, such as Oblix, Netegrity, Phaos Technology and Blockade Systems, specialize in identity management software. Other large tech outfits, including Computer Associates International, IBM, Microsoft, Novell and RSA Security, are entering the market with their own offerings. IBM has bought several businesses, such as Access360 and Tivoli, that specialized in one or more of the components, while Microsoft has partnered with Oblix to augment the software giant's own Active Directory, Metadirectory Services and Identity Integration Server products.

By connecting human resources systems directly to the servers that control access to corporate network resources, companies can significantly reduce the time it takes to get new employees set up to access all necessary systems. A study Stanford University conducted with Hong Kong University of Science & Technology and software company Novell found that almost half of all businesses take more than two days to set up a new user. Ten percent of companies take more than two weeks.

"How unproductive are people going to be when they have to wait for authorization to get on the network?" said Joe Anthony, program director of IBM's integrated identity management group. IBM, which sells its own identity management system, estimates that a single employee costs $400 a year on average to support, most of which goes toward simply resetting passwords that are lost, forgotten or need to be changed. The Stanford study found that 86 percent of workers are required to remember two or more passwords and that a quarter must remember four or more.

Given those kinds of numbers, large companies that have thousands of employees have taken a keen interest in ID management. Fast food chain Burger King, for example, which has an employee turnover rate that can reach 250 percent annually, uses the technology to manage its far-flung work force.

ID management has important uses beyond a company's rank and file as well. General Motors uses the technology to help track the employee credentials of some 17,000 suppliers who log on to the company's system to bid on contracts.

"A company with 100 different stores of data means that an administrator has to enter the data 100 different times," said Wendy Steinle, director of solutions marketing for Novell's Nsure and exteNd product lines, which include identity management software. "Moreover, how often does he get them all right, without making a mistake?"

The adoption of identity management within companies will likely lead to consumer uses as well. Microsoft's .Net Passport service, for example, lets consumers store personal information with the software giant and reap the advantages of single sign-on at Passport-affiliated sites. In turn, a group of companies collectively known as the Liberty Alliance has developed a competing "federated" identity system that gives consumers a choice as to where they can store their ID data. The key idea is to create a single identity for a consumer that can be used for hassle-free interactions on a variety of Web sites.

"Customers don't want to have to log on to each service differently," said Michael Stephenson, lead product manager for Microsoft's identity management group. "It really reduces the number of customers that will use the service."

Still, persuading companies to buy identity management software can be a challenge. Much of the time, installing a new system entails ripping out custom-made software for handling business processes.

"Usually, you are talking to someone who owns the existing process, and they are too wedded to it," IBM's Anthony said. "It's a little frustrating."

But as the technology's advantages become known, Anthony and others say, such obstacles will likely subside.

When salespeople from Oblix touted the company's identity management products to potential clients in the late 1990s, they'd spend the first 45 minutes talking up the need for the technology, said Prakash Ramamurthy, vice president of products and technology at Oblix. That's no longer the case.

"We don't need to evangelize it anymore," Ramamurthy said. "People get it. It is becoming more and more mainstream." 

Large corporations and smaller boutique security companies have targeted the identity management market. Here are a few hopefuls:

Blockade Systems
Blockade's ManageID software provides self-service password registration and resets and synchronizes passwords across multiple systems, updating user access rights.

Critical Path
The company's Password Management software performs the same functions as those handled by Blockade's product.

Netegrity
Netegrity's software is designed to streamline account management by letting a company oversee the identities of employees and others who access its resources via the Web. Its IdentityMinder product helps administrators add, modify and delete the user information that Web applications and internal networks use. SiteMinder communicates with Web applications to regulate access to corporate data.

Oblix
The company's NetPoint software manages the identities of employees and customers. NetPoint is designed to enable easy record modification, single sign-on and group-based access. The software can be used for both Web sites and internal networks.

Phaos Technology
Phaos makes software and tools for companies that want to create their own custom identity management systems or to open existing ones for partners and customers to use.

Computer Associates International
CA has separated identity management and access control into two pieces of its eTrust family of software. The identity management application adds, deletes and modifies user information, while the access-control application supports policy-based user restrictions.

IBM
Big Blue divides its products into four categories. The directory software holds identity data. Tivoli Identity Manager lets administrators manage that data, and Tivoli Access Manager enforces user identity-based security. Finally, Tivoli Privacy Manager enables a company to determine if its employees are following data protection regulations by checking on who has accessed what.

Microsoft
The software giant's Active Directory data server holds identity and access information. Its Metadirectory Services application is designed to let a company use other, non-Active Directory data in its identity management system, and its Identity Integration Server is designed to help companies bring together disparate data.

Novell
Novell's Nsure software consists of individual components that can be linked together as needed, including directory software, secure log-in, account management and auditing.

RSA Security
RSA is basing its identity management software around the secure-access technologies for which the company is known. Its RSA ClearTrust technology enables companies to automate and easily manage how customers and business partners access their Web sites, and it has several technologies for internal users.

Sun Microsystems
Sun Microsystems offers a standards-based identity management product, Sun ONE Identity Server 6.0, which allows companies to manage access to Web and internal corporate applications. The product enables a customer to use a single identity (username and password) across many sites, also known as a federated identity framework.


Editors:

Mike Yamamoto, Edward Moyer
Copy editor: Zoë Barton
Design: Ellen Ng
Production: Meghan McDowell
 
