Identity management (IDM) is no longer what it used to be. From being the most basic form of access management, IDM has become a way to ensure data integrity within any organisation.
“IDM has evolved the simple concept of access to control how trust is established between applications, data, systems and users. IDM is increasingly being used outside the enterprise to manage specific employee, contractor, partner and customer usage of systems. Federated identities allow a trusted organisation to specify users and processes that share login and role information between systems, allowing for a more seamless usage experience,” says Kurt Roemer, chief security strategist, CTO office at Citrix Systems.
Every enterprise – small or large – uses IDM to a certain extent, and most often this is linked to simple access procedures. However, the full spectrum of IDM involves much more.
“IDM includes several components including user provisioning, enterprise single sign-on, authentication, access management, reporting, auditing and compliance, directory services, web single sign-on, federated IDM and identity lifecycle management. In all of these components, enterprise single sign-on remains the most popular choice for regional enterprises,” says Premchand Kurup, CEO of Paramount Computer Systems.
“One of the biggest misconceptions is that IDM is a fancy term for access control. In reality, IDM specifies the properties of a user, their role, their rights and constraints, and information that allows a level of trust for the user to be determined. This same concept can be expanded beyond user management to indicate the trust of applications, data, processes and systems. In this way, the user can be positively identified at all times and through all actions, entitlements can be verified, and any attempted policy violations can be properly logged and managed. Having the full context of Identity available for entitlement decisions and exception management allows for fine-grained control and extraordinary visibility,” says Roemer.
While most IDM technologies are being used for internal employee and data control, they can also be used for external partners and customers. Among the biggest users of external IDM are banks and financial institutions.
“The concepts of IDM are identical whether used internally or externally, but the assignment of trust and administration can require more due care and coordination when multiple organizations are involved. When identity information is shared between organizations, one of the biggest issues is Transitive Trust. Transitive Trust is the concept where if A trusts B and B trusts C, then A trusts C. Obviously, the implications of another organization having an assumed level of trust and access to applications and data must be carefully considered. Policy must clearly show where an assignment of implicit trust is required and where transitive trust cannot be extended. Likewise, the administrators of both organisations must coordinate to ensure that policy is enforced, moves/adds/changes are timely, and that logging and auditing regularly seek out exceptions and policy violations,” says Citrix’s Roemer.
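The transitive-trust rule Roemer describes (A trusts B, B trusts C, so A ends up trusting C) is easy to state but hard to see in a real federation policy. The following is an added illustration, not code from the article or from Citrix: it models organisations as a directed trust graph in which each trust grant is flagged as either transitive or non-transitive, computes which organisations a given organisation effectively trusts, and lists those it only trusts implicitly, through a chain, so a policy reviewer can decide where transitive trust must be cut. All organisation names and the sample policy are constructed for the example.

```python
"""Evaluate transitive trust in a federated-identity policy (added example)."""
from collections import deque

# Constructed sample policy with hypothetical organisation names.
# (truster, trusted, transitive): truster accepts identity assertions from
# trusted; transitive=True means truster also accepts the parties that
# trusted vouches for further down the chain.
TRUST_EDGES = [
    ("BankA", "PartnerB", True),
    ("PartnerB", "ContractorC", True),
    ("ContractorC", "VendorD", True),
    ("BankA", "CustomerPortal", False),   # explicitly non-transitive
    ("CustomerPortal", "SocialLogin", True),
]


def build_graph(edges):
    """Adjacency list: org -> [(trusted_org, transitive_flag), ...]."""
    graph = {}
    for truster, trusted, transitive in edges:
        graph.setdefault(truster, []).append((trusted, transitive))
        graph.setdefault(trusted, [])
    return graph


def effective_trust(graph, origin):
    """Return {org: path} for every org that `origin` effectively trusts.

    A direct grant is always honoured. The chain continues past an org only
    while every grant on the path so far permits transitive extension, so a
    single non-transitive grant stops propagation at that point.
    """
    reached = {}  # org -> (path, still_extendable)
    queue = deque([(origin, [origin], True)])
    while queue:
        node, path, extendable = queue.popleft()
        if node != origin and not extendable:
            continue  # trust in `node` was granted non-transitively: stop here
        for nxt, transitive in graph.get(node, []):
            if nxt == origin:
                continue
            nxt_extendable = extendable and transitive
            prev = reached.get(nxt)
            if prev is not None and (prev[1] or not nxt_extendable):
                continue  # already reached at least as strongly; avoids cycles
            reached[nxt] = (path + [nxt], nxt_extendable)
            queue.append((nxt, path + [nxt], nxt_extendable))
    return {org: path for org, (path, _) in reached.items()}


def implicit_trust(graph, origin, explicitly_approved):
    """Orgs that `origin` trusts only via a chain, never in its own policy.

    These are the assignments of implicit trust that, per the quoted advice,
    policy must either state deliberately or cut by marking a grant
    non-transitive.
    """
    return {
        org: path
        for org, path in effective_trust(graph, origin).items()
        if org not in explicitly_approved
    }


if __name__ == "__main__":
    g = build_graph(TRUST_EDGES)
    approved_by_bank = {"PartnerB", "CustomerPortal"}
    for org, path in implicit_trust(g, "BankA", approved_by_bank).items():
        print(f"BankA implicitly trusts {org} via {' -> '.join(path)}")
```

In the sample policy, BankA explicitly approves only PartnerB and CustomerPortal, yet the evaluator shows it implicitly trusts ContractorC and VendorD through PartnerB, while the non-transitive grant to CustomerPortal correctly stops SocialLogin from being trusted. Running this over a real federation configuration gives administrators on both sides the list of chains that need a deliberate policy decision.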
Parts of IDM
Not all enterprises need all elements of IDM to function effectively. In fact, confusion over what constitutes IDM, over which elements are really necessary within a specific organisation, and over the complexity of deploying some of the technologies associated with IDM has kept most regional organisations from investing in them.
“Enterprises in the region still require a lot of education and guidance and not many vendors out there have the competencies to provide them. To really address enterprise issues with identity, vendors should be ready to have detailed discussions with all the right stakeholders in an organisation, understand the situation and then recommend the components of IDM that will address the problem,” says Kurup.
According to him, vendors should also veer away from making IDM deployments too tech-centric. A fair understanding of change, and a consideration of all the things that need to be done once the tool has been established, has to be part of the conversation with the end-user.
At the organisation end, other issues such as disputes over who owns the IDM project and the inability to achieve RoI from the project can cause many projects to fail. And in fact, many IDM projects do fail miserably in the region.
The shocking failure statistic and the other complexities associated with IDM have kept many enterprises coming out of the recession from taking to the technologies, despite the benefits and often critical nature of IDM. The result is that over the last year many vendors have pulled solutions off the market, and others are trying hard to deny they ever had any products available.
Meanwhile, IDM delivery mechanisms are becoming easier every day.
“The emerging trends include more seamless ways for identity information to be shared and managed between sites, along with greater automation of the management aspects. OpenID allows a single ID to be used for Facebook, Flickr, Myspace, Google and Yahoo, and is extensible into small businesses and enterprises. OAuth defines interfaces for authenticating to applications and data. Workflow is increasingly being used to manage the complex interdependencies of identity and trust management – especially the exception and escalation processes inherent in multifaceted and dynamic systems,” says Roemer.
Providers like Paramount wish for more vendors to enter the IDM market in the region as they believe increased competition will pave the way to an increase in awareness about IDM and its benefits among end-users in the region.
However, all indications point to the fact that IDM is going to remain a rather limp market in the region across 2010. The market will have to wait for the new year to dawn to see any rising interest – if it does rise among enterprises.