Businesses are building systems to manage access to applications and data.
Just how much risk is there?
Trust is a risky proposition in the business world. If a valued partner tells you John Smith is a trusted employee and authorized to do business with you, how much will you trust Mr. Smith? Can he look at confidential customer lists? Check inventory levels in your warehouse? Order millions of dollars of products? Change the technical specs of an engine design or a drug under development?
Those are issues confronted every day by business-technology managers in charge of developing identity-management and access-control systems. Those systems, if implemented properly, promise to improve security, boost worker productivity, cut costs, and reduce the "integration friction" usually connected with giving employees, business partners, customers, and suppliers access to internal systems. However, businesses without strict identity-management procedures risk having attackers use old employee passwords to gain illegal access to applications and information, or they could run afoul of government data-privacy regulations.
ID-management vendors such as BMC Software, Computer Associates, IBM Tivoli, Netegrity, Novell, Oblix, and RSA Security have promised for years that their software would deliver those benefits. However, there are few industrywide standards and most applications are proprietary. This forces companies to install a hodgepodge of software and devote a great deal of time to getting the apps to work together--even before making them work among businesses.
It can take as long as nine months for two companies to integrate separate ID-management apps well enough to allow employee authentication and authorization across company borders, says Michael Barrett, VP of Internet systems at American Express Co. That's why most businesses are focused on improving their internal ID-management controls to make it easier to identify and authenticate employees and customers seeking to access internal information.
But an increasing number have more ambitious goals: tightly integrating ID-management systems with those of partners and suppliers. Those ambitions will help fuel a growing market for identity-management products. Worldwide sales of identity-management software are expected to grow from around $2 billion in 2002 to more than $3 billion in 2007, the Yankee Group research firm predicts.
Costs for identity- and access-management systems range from $5 to more than $25 per user, depending on features, research firm Gartner says. A company with 10,000 employees that automates provisioning for 12 applications can save about $3.5 million over three years and see a 295% return on investment. The savings largely come from slashing time spent managing user access by 14,000 hours annually and cutting help-desk hours by 6,600 annually, according to Gartner.
The management of electronic identities includes the software and procedures needed to know with certainty the identity of a user, company, device, or application seeking access to systems, networks, and applications, and to manage their access rights. In addition to the basic user name and password required by most systems, some require a smart card, token, or other device to help users prove they are who they claim to be.
The long-term objective is clear: Build a series of interconnected systems so an employee logged on to his company's intranet can access a business partner's systems and have those systems automatically trust the employee's digital credentials. The way to do this is through standards.
But at the moment, there may be too many security specifications and standards. There's the Security Assertion Markup Language, an XML-based framework for exchanging security information. The Liberty Alliance, a consortium of more than 150 companies developing an open ID-management standard, is developing a security spec that extends SAML. IBM, Microsoft, and VeriSign also are pushing their own security specifications. Unfortunately, most of those standards don't speak directly to each other.
Until there's a single ID-management standard, businesses are making do with the tools available today. "There are a lot of companies doing what we're doing," says American Express' Barrett. "They're kicking the tires and deploying it in an internal way." American Express is working on an ID-management initiative designed to deliver its business credit-card and travel services directly to the customers' intranets. "We're getting pressure from our corporate clients to be able to use our services in such a way that they can link [them] into their identity-management systems without having to create and manage a separate user name and password for each service," Barrett says.