
The hottest business you never heard of

Security watcher Jon Oltsik explains why the long-moribund access and identity management business has suddenly got everyone's attention.

Jon Oltsik
Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET.
After years of being advertised as the next big thing, the identity and access management market is finally living up to the hype.

Just before Christmas, Computer Associates bolstered its portfolio by grabbing Netegrity. BMC doubled the ante by buying Calendra and OpenNetwork, and even Oracle decided to take a break from acquiring application vendors when it snatched up Oblix.

What's behind the renewed interest?

First, there are those bothersome Sarbanes-Oxley Act regulations, which mandate that executives certify their financial results, lest they wind up in the pokey. But that's not all. A recent ESG Research report found that 55 percent of users surveyed believe that access control is their organization's highest security priority in relation to Sarbanes-Oxley compliance.

Then there's the security angle. Some 46 percent of users in the same ESG Research survey said they had found active accounts belonging to ex-employees after auditing their networks. This is the equivalent of leaving your front door wide open while you sleep.

So it's not surprising to find renewed interest in tools that provide the ability to quickly provision accounts for new hires and deprovision accounts for problem employees. That's the point of identity and access management technology, which can restrict what a user can actually do after they log on, and audit each action.
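The audit finding above (active accounts still belonging to ex-employees) is the kind of check a deprovisioning tool automates. The following is an added example written for this page, not code from the column or from any vendor it names: it reconciles a constructed HR roster with a constructed directory export, flags enabled accounts whose owner is terminated or unknown to HR, separates out accounts that were used after their owner's termination date, and reports an orphan-account rate that a review committee could track as a metric. The `Employee` and `Account` records and all sample values are assumptions made for the example.

```python
"""Reconcile an HR roster with an account directory to find orphaned accounts.

Added example, not from the column. The HR records and account entries below
are constructed sample data; a real deployment would pull them from the HR
system and from a directory export instead.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Employee:
    employee_id: str
    status: str                      # "active" or "terminated"
    term_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]       # None when no owner is recorded
    enabled: bool
    last_login: Optional[date]


# Constructed sample HR roster.
HR_ROSTER = [
    Employee("E100", "active"),
    Employee("E101", "terminated", date(2005, 1, 15)),
    Employee("E102", "active"),
]

# Constructed sample directory export.
ACCOUNTS = [
    Account("alice", "E100", True, date(2005, 3, 1)),
    Account("bob", "E101", True, date(2005, 2, 20)),    # ex-employee, still enabled
    Account("carol", "E102", True, date(2005, 3, 2)),
    Account("svc_backup", None, True, None),            # no recorded owner
    Account("dave", "E199", False, date(2004, 11, 3)),  # unknown owner, already disabled
]

# Date the audit is run, fixed for the sample.
AS_OF = date(2005, 3, 15)


def find_orphaned_accounts(roster, accounts):
    """Return (account, reason) for enabled accounts with a terminated or unknown owner.

    Disabled accounts are skipped: deprovisioning already happened there, and
    the point of the audit is to catch the accounts that were left open.
    """
    by_id = {e.employee_id: e for e in roster}
    orphans = []
    for acct in accounts:
        if not acct.enabled:
            continue
        owner = by_id.get(acct.employee_id) if acct.employee_id else None
        if owner is None:
            orphans.append((acct, "no matching HR record"))
        elif owner.status == "terminated":
            when = owner.term_date.isoformat() if owner.term_date else "unknown date"
            orphans.append((acct, f"owner terminated {when}"))
    return orphans


def deprovisioning_plan(roster, accounts, as_of):
    """Turn the orphan list into an action list plus one metric for the committee.

    An account that logged in after its owner's termination date is marked for
    investigation, since that points to misuse rather than a missed cleanup.
    """
    by_id = {e.employee_id: e for e in roster}
    actions = []
    for acct, reason in find_orphaned_accounts(roster, accounts):
        owner = by_id.get(acct.employee_id) if acct.employee_id else None
        used_after_term = (
            owner is not None and owner.term_date is not None
            and acct.last_login is not None and acct.last_login > owner.term_date
        )
        actions.append({
            "username": acct.username,
            "action": "disable",
            "reason": reason,
            "investigate": used_after_term,
        })
    enabled = sum(1 for a in accounts if a.enabled)
    orphan_rate = len(actions) / enabled if enabled else 0.0
    return {"as_of": as_of.isoformat(), "actions": actions, "orphan_rate": orphan_rate}


if __name__ == "__main__":
    plan = deprovisioning_plan(HR_ROSTER, ACCOUNTS, AS_OF)
    for a in plan["actions"]:
        flag = " (used after termination, investigate)" if a["investigate"] else ""
        print(f'{a["action"]} {a["username"]}: {a["reason"]}{flag}')
    print(f'orphan rate: {plan["orphan_rate"]:.0%} of enabled accounts')
```

On the sample data the plan lists `bob` (owner terminated, and a login after the termination date, so flagged for investigation) and `svc_backup` (enabled with no HR owner), giving an orphan rate of 50 percent of enabled accounts; `dave` is ignored because the account is already disabled. Running this reconciliation on a schedule, rather than once during an audit, is what turns the finding into routine deprovisioning.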

Effective? Yes. Big Brother? No, just good security.


One other thing: If you want to let outsiders--that is, customers, offshore developers, suppliers and so on--use applications to boost productivity, you had better know who they are, define what they can do and watch every move they make.

That's the dirty secret about industry "blue sky" concepts like dynamic Web services and "extended enterprise" applications. Great promise, but dead on arrival without access management.

Fly in the ointment
Users need these tools, so vendors are bulking up their portfolios. Supply meets demand, economic nirvana and an industry match made in heaven?

Not quite. There are still several problems. First, who "owns" user identity and access management? No one and everyone. Business executives, compliance officers, human resource managers, IT and legal counsel--all have a vested interest, but no one group can claim ownership. Second, where there's no ownership, there's no money, and no organization I know of has anything resembling an access management budget.

With no ownership and no dough, each group scrapes together enough funding to solve its tactical problems, but few companies ever move on to business needs and implementation strategy. This is sort of like addressing a broken leg by taking four Advil. With so much at stake, this pitiful situation has to change.

On the demand side of the equation, someone has to take a strategic view and build a solution that meets business, security and compliance needs. I'm not going to take the typical analyst cop-out and suggest that companies create a "Chief Identity Officer" post (Note: This is the type of unrealistic hyperbole that makes people hate analysts). Rather, organizations should establish an access management committee with representatives from business units, HR, IT, security and legal for a collective needs assessment and architectural solution.


There are certainly a lot of questions to address: Are there business processes or initiatives where outsiders need network and application access? Who needs which systems? Which managers need to approve user provisioning and deprovisioning, and who needs to be alerted? What type of monitoring should be done? Who should be alerted to possible abuses? Are there legal issues here? (The answer to that one is yes.)

This committee should drive for two things: first, a strategic access management project, broken into defined phases based on business priorities; and second, a series of metrics to gauge success.

Supply-side companies can't sit back and wait for this to happen. Access management vendors should provide services and blueprints to help their customers achieve goals in a manageable and mutually beneficial way. IBM, Novell, RSA Security and Unisys are already providing some of these services, but where are the big brainy consulting shops like Accenture, Ernst & Young and KPMG International? These guys tend to let the technology vendors dig the initial ditches and establish a market before they come in with gold-plated backhoes and smooth talk. The time has come.

Let me net this out. In three to five years, every large organization will have an access management middleware layer that knows the identity of every user and device, and manages who can talk to what, when and how. We can either recognize this absolute fact and intelligently plan accordingly, or wait two years and act like a bunch of idiots in a house fire. I suggest the former, but won't be surprised by the latter.