The Need for Identity Management


Information Week has a good article on identity management. The article talks about the benefits and barriers to achieving those benefits. Identity management promises to "improve security, boost worker productivity, cut costs, and reduce the integration friction usually connected with giving employees, business partners, customers, and suppliers access to internal systems."

ID-management vendors such as BMC Software, Computer Associates, IBM Tivoli, Netegrity, Novell, Oblix, and RSA Security have promised for years that their software would deliver those benefits. However, there are few industry-wide standards and most applications are proprietary. This forces companies to install a hodgepodge of software and devote a great deal of time to getting the apps to work together--even before making them work among businesses.

It can take as long as nine months for two companies to integrate separate ID-management apps well enough to allow employee authentication and authorization across company borders, says Michael Barrett, VP of Internet systems at American Express Co. That's why most businesses are focused on improving their internal ID-management controls to make it easier to identify and authenticate employees and customers seeking to access internal information.

From The Need For Identity Management
Referenced Tue Mar 23 2004 08:21:20 GMT-0700

The article makes the case that having too many competing standards (SAML, Liberty, and WS-Federation) is one of the barriers, but doesn't mention that there are systems that can seamlessly handle all three. One such system is even open source: SourceID.

Michael Barrett talks about some of the things AMEX is doing internally.

Until there's a single ID-management standard, businesses are making do with the tools available today. "There are a lot of companies doing what we're doing," says American Express' Barrett. "They're kicking the tires and deploying it in an internal way." American Express is working on an ID-management initiative designed to deliver its business credit-card and travel services directly to the customers' intranets. "We're getting pressure from our corporate clients to be able to use our services in such a way that they can link [them] into their identity-management systems without having to create and manage a separate user name and password for each service," Barrett says. And while only a few companies have deployed the technology, there will be a significant number of deployments by the end of the year, Barrett predicts. "This stuff is real," he says.
From The Need For Identity Management
Referenced Tue Mar 23 2004 08:24:57 GMT-0700

This is a pretty interesting project that I've heard about in other venues. AMEX is making this stuff real, right now. From what I've heard, I think they're going to be way out in front on this front in comparison to their competition. There is considerable detail in the article concerning AMEX's plans and approach:

The potential cost savings and productivity gains are so large that it's important to move forward, even if standards are still being developed, Barrett says. American Express' internal ID-management architecture includes a homegrown Internet-authentication system, a mainframe-based access-control system known as RACF, Active Directory and LDAP databases, and Netegrity and Oblix tools. Almost all the applications are deployed as part of small departmental apps. Some are compatible with the Liberty Alliance identity-management specs.

It would be too expensive for American Express to implement a proprietary single-sign-on application that covers every network, system, and application company-wide, Barrett says. "It just isn't cost justifiable, and the effort would be enormous," he says. So American Express will move gradually, consolidating some identity databases and making other apps compliant with Liberty Alliance specifications to reduce departmental "islands of identity," Barrett says.

About 30% of employee calls to the financial-services company's help desk are because of forgotten passwords. So one of the first implementations of new standards is to reduce the number of user names and passwords employees must create, he says.

Implementing Liberty Alliance standards will "allow seamless flow of identity among our internal systems," he says. But good ID management does more than cut down on calls to the help desk and save money, Barrett says. Simplified access can improve employee productivity and reduce aggravation. "Multiple logons just drive employees crazy," he says. It's quite common for employees to be working on more than one application or in more than one system and have to switch between them. If they've been off one system too long, they have to log back on. "That's an employee irritant and a major productivity sink," Barrett says.

From The Need For Identity Management
Referenced Tue Mar 23 2004 08:29:06 GMT-0700

This approach reflects some tried and true principles. First, a single benefit, reduced internal help desk calls about passwords and identity issues, can offer enough value to justify many of the identity management system changes that lead to increased efficiency and new opportunities elsewhere. Since these latter benefits can be hard to quantify, it's nice to have the upfront ROI. According to the Information Week article, research firm Gartner says a company with 10,000 employees that automates provisioning for 12 applications can save about $3.5 million over three years and see a 295% return on investment.

Second, identifying and then consolidating "islands of identity" is important. Equally important is not feeling that it has to be done all at once or separately. Metadirectories and federation are two solutions that allow identity islands to be consolidated without divisions giving up autonomy over their identities, at least at first.

Third, reduce the number of identity credentials that a single employee must maintain (in most cases a username and password) and automate, as much as practicable, the provisioning of access information for existing identity credentials.

Basically, this strategy comes down to:

  1. Justify the expense. Plan and sell the ID management project.
  2. Enable future ID initiatives. Federate identities across organizational boundaries.
  3. Offer increased benefit and value. Make it easy for legacy and new applications to use the consolidated identity credentials.