By Stephen J. Bigelow, Senior Technology Writer
Identity management (IdM) is an integral part of business planning and policy, usually involving matters of regulatory compliance and business governance that must be weighed individually for every client. IdM is not an ideal fit for the client in every case today, but it may become more suitable as new trends develop. The first part of this Hot Spot Tutorial presents an
Identity management compliance and standards
Although there are no identity management compliance regulations or corporate governance policies, IdM helps define and enforce compliance regulation policies. For example, regulations may address activity monitoring/logging, rights assignment (and the control of rights assignment), least privilege principles, remote access and so on. None of these concerns require IdM, but all can be addressed with IdM technologies.
"Compliance is definitely driving identity management, the need for identity management and the way that people implement identity management," said Jim Gerken, senior practice manager in charge of identity management at Novacoast, an IT professional services company headquartered in Santa Barbara, Calif. "But no identity management tool is going to make you compliant; they're tools you can use to become compliant." This poses both a challenge and an opportunity for solution providers. Providers with expertise in identity management products and deployment should consider expanding their knowledge of compliance in order to help clients develop and map compliant business rules into the IdM deployment. This adds value regardless of whether you perform the deployment or offer consulting after the fact.
There is little standardization in the development of IdM rules and underlying technologies. Compliance regulations are starting to drive the development of some common rules and best practices for IdM, but it's too early for standards. Each client is largely independent in their adoption of the technology and application of business rules. "At this point, it's the wild west," Gerken said. "There are not a lot of rules and standards for identity management because there's not a lot of rules and standards for business."
In fact, standard business rules for identity management may never fully develop, because clients question the value of standardized rules. From a practical standpoint, it doesn't really matter how a client conducts their business as long as they document their policies and adhere to them. "If that business does everything upside-down and backward, but they document it and always comply with the documented procedures … who's to argue?" Gerken said.
One of the few standards to really emerge in identity management is the Security Assertion Markup Language (SAML). SAML uses an XML framework to provide a standard means of exchanging authentication and authorization data between systems. "It's how multiple systems can talk together for exchanging authentication information," said Andrew Plato, president of Anitian Enterprise Security, a security solution provider located in Beaverton, Ore. The standardized authentication capabilities found in wireless LAN technology (802.11x) are also noteworthy in the IdM realm, but there are no other significant technical standards at this time.
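To make the SAML exchange concrete, here is an added example (not from the article or any vendor product) showing the checks a receiving system performs on a SAML 2.0 assertion before trusting the identity it carries. The assertion, issuer, audience and user name below are constructed for illustration, and signature verification is assumed to have already happened before these checks run.

```python
"""Minimal SAML 2.0 assertion checks a relying party (service provider) performs.

Added example, not code from the article or any vendor product. The assertion
below is constructed for illustration; XML signature verification is out of
scope here and is assumed to have been completed before these checks run.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed sample assertion (hypothetical issuer, audience and user).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_example" Version="2.0"
    IssueInstant="2008-10-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2008-10-01T12:00:00Z" NotOnOrAfter="2008-10-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2008-10-01T11:59:30Z"/>
</saml:Assertion>"""

def _ts(value):
    """Parse the UTC timestamp format SAML uses into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, expected_issuer, expected_audience, now):
    """Return (ok, detail): ok only if issuer, validity window, audience and
    authentication statement all check out; detail is the NameID on success."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion" or root.get("Version") != "2.0":
        return False, "not a SAML 2.0 Assertion"
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        return False, f"unexpected issuer {issuer!r}"
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions"
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb is None or na is None or now < _ts(nb) or now >= _ts(na):
        return False, "assertion outside its validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "assertion not addressed to this service provider"
    if root.find("saml:AuthnStatement", NS) is None:
        return False, "no AuthnStatement: assertion does not attest an authentication"
    return True, root.findtext("saml:Subject/saml:NameID", namespaces=NS)
```

Each rejected case (wrong issuer, expired window, wrong audience) corresponds to a way an assertion meant for one system could otherwise be replayed against another, which is why the audience and time checks are part of the standard rather than optional.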
Identity management tools, alternatives and trends
Identity management is evolving and spawning supplemental tools to offer solution providers more versatility and features. "The major tools come with different levels of automation," Gerken said, noting that the identity management software from Oracle and Novell are configured to work in many environments right out of the box. Oracle focuses more on database environments; Novell's IdM product is preconfigured for common networking environments.
Additional identity management tools are appearing to help solution providers define roles and better understand business processes within the client's organization. While most ancillary tools only meet the needs of niche situations, some tools are suited for general use. For example, Analyzer for Novell Identity Manager can be used to ensure data quality and adherence to business policies. "It attaches to all your data sources and lets you map out what all that data means," Gerken said.
Major IdM vendors like Sun Microsystems, CA, IBM, Oracle and Novell are not expected to release any significant new features or capabilities in the near future, but solution providers should expect to see the tools become more refined and polished. This reflects the ongoing evolution of identity management from a new concept to an increasingly accepted technology -- the push for vendors now is to make the various elements of their tools work seamlessly together across more diverse client environments.
There are few practical alternatives to identity management. A single-vendor environment with one Active Directory account simplifies identity issues, but it's not a feasible approach for most organizations that are large enough to justify IdM in the first place. The other common alternative is to do nothing. "Every application that's used has some way to add users to it and give them passwords and restrain access to what they're supposed to do," said Mike Rothman, president and principal analyst at Security Incite, an independent analyst firm near Atlanta. "So the alternative to identity management is to still do things in a one-off way for each specific system or application that you have to deal with." Smaller organizations can maintain control of a few applications and a limited number of users, but it's ultimately a matter of scale.
Plato advises that clients not yet ready to invest in IdM should at least develop the processes and internal procedures to establish and manage identities -- even if just on paper. This exercise can form the foundation for IdM rules and will save time when the customer decides to go ahead with an IdM deployment sometime in the future.
While IdM is primarily concerned with creating and controlling access, it doesn't keep the users' desktops from being cluttered with applications. Looking to the future, solution providers should expect to see identity management adopt single sign-on (SSO) capabilities as a means of improving the user experience. Instead of a user having to log onto every application individually, a single sign-on scheme provides the user with access to all of their applications through one login. Imprivata's OneSign product is just one example of SSO implemented as an appliance.
Another identity management trend to watch for is the integration of IdM and Software as a Service (SaaS). Software services offered externally (such as Salesforce.com) also require authentication. Solution providers must ensure that SaaS offerings also support identity management so that only authorized users can access the external service from within the local network. Plato points to TriCipher's Authentication Gateway as one emerging means of handling such integration. But internal integration is also an emerging area, and solution providers will need to consider integration of IdM with CRM, ERP and other internal systems within the client's business.
Finally, expect identity management to eventually extend beyond the classical IT environment, where user identity is tied to physical access and control. Consider IdM integrating with an employee badging system that will allow access to relevant offices or buildings and set their environmental preferences accordingly. Other examples include allowing only authorized employees to operate forklifts, make travel arrangements, issue print jobs at Kinko's and so on. This represents the ultimate expression of identity creation and management with real relevance to the client's business.
This was first published in October 2008