Trust is a risky proposition in the business world. If a valued partner tells you John Smith is a trusted employee and authorized to do business with you, how much will you trust Mr. Smith? Can he look at confidential customer lists? Check inventory levels in your warehouse? Order millions of dollars of products? Change the technical specs of an engine design or a drug under development?
Those are issues confronted every day by business-technology managers in charge of developing identity-management and access-control systems. Those systems, if implemented properly, promise to improve security, boost worker productivity, cut costs, and reduce the "integration friction" usually connected with giving employees, business partners, customers, and suppliers access to internal systems. However, businesses without strict identity-management procedures risk having attackers use old employee passwords to gain illegal access to applications and information, or they could run afoul of government data-privacy regulations.
ID-management vendors such as BMC Software, Computer Associates, IBM Tivoli, Netegrity, Novell, Oblix, and RSA Security have promised for years that their software would deliver those benefits. However, there are few industrywide standards and most applications are proprietary. This forces companies to install a hodgepodge of software and devote a great deal of time to getting the apps to work together--even before making them work among businesses.
Photo caption: Simplified access can improve employee productivity, American Express VP Barrett says.
But an increasing number of companies have more ambitious goals: tightly integrating their ID-management systems with those of partners and suppliers. Those ambitions will help fuel a growing market for identity-management products. Worldwide sales of identity-management software are expected to grow from around $2 billion in 2002 to more than $3 billion in 2007, the Yankee Group research firm predicts.
Costs for identity- and access-management systems range from $5 to more than $25 per user, depending on features, research firm Gartner says. A company with 10,000 employees that automates provisioning for 12 applications can save about $3.5 million over three years and see a 295% return on investment. The savings largely come from slashing time spent managing user access by 14,000 hours annually and cutting help-desk hours by 6,600 annually, according to Gartner.
The management of electronic identities includes the software and procedures needed to know with certainty the identity of a user, company, device, or application seeking access to systems, networks, and applications, and to manage their access rights. In addition to the basic user name and password required by most systems, some require a smart card, token, or other device to help users prove they are who they claim to be.
The long-term objective is clear: Build a series of interconnected systems so an employee logged on to his company's intranet can access a business partner's systems and have those systems automatically trust the employee's digital credentials. The way to do this is through standards.
But at the moment, there may be too many security specifications and standards. There's the Security Assertion Markup Language (SAML), an XML-based framework for exchanging security information. The Liberty Alliance, a consortium of more than 150 companies developing an open ID-management standard, is developing a security spec that extends SAML. IBM, Microsoft, and VeriSign also are pushing their own security specifications. Unfortunately, most of those standards don't speak directly to each other.
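The trust decision the article opens with (a partner vouches for John Smith; how much may he do here?) is, in SAML terms, made by the relying party after it checks the partner's assertion. The following is an added example, not code from the article or any vendor named in it: a policy layer that accepts an assertion only from an allow-listed partner issuer, only inside its validity window, only if addressed to this company, and then maps partner-asserted roles to local permissions, ignoring any role not explicitly listed. The issuer URL, audience URL, role names and the assertion itself are constructed for illustration, and the XML signature is assumed to have been verified beforehand by an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical local policy: which partner issuers are trusted, which audience
# value names this company, and which partner roles map to which local rights.
TRUSTED_ISSUERS = {"https://idp.partner.example"}
OUR_AUDIENCE = "https://apps.ourcompany.example"
ROLE_TO_PERMISSIONS = {
    "partner-buyer": {"view-inventory", "place-order"},
    "partner-engineer": {"view-specs"},
}

# Constructed sample assertion. It carries one mapped role and one unknown one.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.partner.example</saml:Issuer>
  <saml:Subject><saml:NameID>john.smith@partner.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00+00:00" NotOnOrAfter="2024-01-01T00:05:00+00:00">
    <saml:AudienceRestriction><saml:Audience>https://apps.ourcompany.example</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>partner-buyer</saml:AttributeValue>
      <saml:AttributeValue>partner-admin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def evaluate_assertion(xml_text: str, now: datetime) -> tuple[bool, set[str], str]:
    """Return (accepted, granted local permissions, reason).
    Assumes the XML signature was already verified; this is only the policy check."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer not in TRUSTED_ISSUERS:
        return False, set(), f"untrusted issuer {issuer!r}"
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, set(), "missing Conditions"
    not_before = datetime.fromisoformat(cond.get("NotBefore"))
    not_on_or_after = datetime.fromisoformat(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        return False, set(), "assertion outside validity window"
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if OUR_AUDIENCE not in audiences:
        return False, set(), "assertion not addressed to us"
    roles = [v.text for v in root.iterfind(
        "saml:AttributeStatement/saml:Attribute[@Name='role']/saml:AttributeValue", NS)]
    # Unknown roles (e.g. partner-admin) grant nothing: the partner vouches for
    # the person, but this company decides what that identity may do locally.
    granted = set().union(*(ROLE_TO_PERMISSIONS.get(r, set()) for r in roles))
    return True, granted, "ok"
```

Replaying the same assertion after its five-minute window, or with an issuer outside the allow-list, is rejected with a reason that can be logged for audit.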