Identity management is predicted to be a major growth area: according to research from IDC, the anticipated worldwide sales for identity and access management systems will have approached US$550 million in 2005 and will rise to more than US$950 million by 2009.
This predicted level of growth is not that surprising: as organisations, supply chains and customers have become welded together in the digital networked economy, IDM has become one of the cornerstones of security. People need to prove they are who they say they are, and their claimed identity must be consistent with organisations’ previous knowledge of them.
On average, large companies have more than 75 applications, databases and systems that require authentication. The indirect cost of time spent repeatedly logging on has been estimated to be around US$670 a year for each member of staff. Furthermore it’s said that the average worker has to remember at least 15 user names and passwords, all with different expiry dates. Naturally, they tend to get forgotten, with the result that nearly half of all help desk calls are for password resets, costing upwards of US$22 a time.
The bigger the company, the bigger the problem. Fortune 1000 companies typically depend on around 200 databases, or directories, of user information to control access to their systems. Traditionally, a human administrator managed each system through a paper-based trail to decide access to each application.
This is both expensive and prone to error. Information about individuals, their changing roles and the organisation’s structure needs to be kept up to date. Links are also required between people, so that applications can work out who works for whom, for example. Mistakes are the inevitable result of manually replicating these changes.
These errors rarely become public knowledge, but when they do the results are both comical and disquieting. For example, months after a CFO left, one major company’s system administrators found that a cleaner with the same name had been given access rights to all its financial systems.
However, in the current regulatory climate such errors are no longer acceptable. Under recent corporate governance legislation, organisations need to be able to prove the required steps have been taken to prove an individual’s identity, and that proper controls are exercised over access to applications and services. Along with data protection laws, this type of legislation addresses the rights of individuals when they interact with organisations, and requires organisations to make data available to their employees only on a need-to-know basis.
However, organisations may find the costs of administering IT systems and ensuring compliance go through the roof unless a reliable IDM infrastructure is in place and the data quality is good enough. Furthermore, to be truly successful, IDM needs to be integrated with an organisation’s networks, applications, security precautions and ways of working.
This is where up-to-date directories come in. Dozens of applications hang off these internal databases and tend to fall into two categories – those that put information into an organisation’s identity infrastructure and those that depend on it. The former typically includes HR solutions and systems that register partners and third party sub-contractors. The latter can embrace any application within the business including document management, finance and accounting, and e-mail.
An obvious problem with distributed systems and databases is that information is entered in different ways – corrupted spellings and abbreviations are just two examples. Data cleaning and normalisation are therefore required before a directory can be used to drive automated processes, while a decent directory enables an organisation to create a single view of its activities to all approved users.
In larger organisations, ‘meta-directories’ aggregate all directories and other sources of information, which enables a workflow engine to monitor data and business events across an organisation. They can generate massive economies of scale in comparison to more disjointed methods.
IDM also offers a number of associated benefits, and its introduction can be viewed as an excellent opportunity, particularly when a business is facing different regulatory controls, or is merging, restructuring or embarking on a new outsourcing project. IDM can cut administrative costs, speed the provisioning of access and pave the way for regulatory compliance. Consistent and reliable records that can be accessed quickly cut the cost of collecting data and managing the audit trails demanded in a tighter regulatory framework.
In addition, there is an instant benefit when it comes to launching new enterprise applications. Traditionally, 20 per cent of the development costs involved go towards data collection, administration and access control. IDM can ‘point’ a new application towards a rich seam of accurate data and strip out a whole layer of unnecessary effort.
Furthermore, because it requires organisations to acquire a deep understanding of their operations, IDM helps overcome duplication, drive down costs, optimise supply chains and achieve other efficiencies. As a result it is a major contributing factor in the shift of enterprise security from overhead to direct benefit.
IDM also changes things for an organisation’s customers, shoppers and citizens. No-one likes to be challenged for their personal details too often, but this is the experience many customers face, particularly when organisations merge and attempt to integrate customer bases and IT systems. Instead of dealing with a single organisation, customers are negotiating a maze of separate systems and web sites, all of which require them to prove their identity in different ways.
This then exacerbates the need for people to have a myriad of user names and passwords. Inevitably, people resort to using the same details to access different services, often based on easily remembered and obvious combinations. This puts their security at risk, making life easier for fraudsters.
Action is clearly needed. Hollywood has pushed the idea of biometrics in films like National Treasure where someone stole fingerprints from a computer keyboard to gain access to a vault, or Minority Report where Tom Cruise’s character had an eye transplant to foil an iris recognition system.
In real life, laptop manufacturers are promoting fingerprint recognition as a method of logging in. A similar system has been introduced on the door locks of Mercedes limousines, which can now detect living flesh to prevent owners having fingers amputated by determined thieves.
Some larger companies have also started to experiment with signature recognition to control access to buildings, and are evaluating speaker recognition systems that can detect the almost unique characteristics of people’s vocal systems. These new systems take about a minute to create and store a voiceprint, and only a few seconds to check a speaker’s identity against a database.
Such solutions are still in their infancy, but the market is maturing rapidly and provides a clear indication of how identity management issues will be handled in the future.
In the meantime, organisations need to look beyond the immediate need for an IDM solution and ensure that identity management is properly integrated with the organisation’s wider security needs and practices. Unless this is done, there is a risk that improvements to identity management may simply shift the security threat to a less protected area or create an unexpected new risk.