First a Definition
Identity and access management represents a convergence of technical and business procedures designed to enable workers to have access to all the information—but only the appropriate information—they need to do their job at a certain point in time. It is composed of two primary functions: identity management (IM), which refers to the administrative and intelligence aspects of managing identities, and identity access management (IAM), which refers to the ways in which users access information.
According to Gartner analyst Earl Perkins, each of the two halves of identity and access management can be further subdivided into two sections under Gartner’s preferred taxonomy: Identity administration, such as user provisioning and credential management, and identity intelligence, such as compliance reporting and auditing, are parts of identity management. On the IAM side, Perkins continues, "It really consists of verification and authorization. Verification would be the SmartCards and passwords that confirm you’re who you say you are, and authorization is the management tools that say, ‘Now that we know who you are, what information do you get to access and what are you allowed to do with it?’"
Done properly, an enterprise’s identity and access management system should automate, accelerate, and simplify account access and management while keeping data protected. The reality is that as the number of business systems within an enterprise expands over time, each system may have strata and substrata of IM tools that are vendor-specific, though they seek to accomplish the same function for the same set of people. Symplified, Inc., a company that provides unified access management systems designed for cloud architectures, found in a December 2008 survey of its customers that 37% of enterprises counted 7–12 passwords per employee, while 12% had 12 or more passwords per employee.
More Important Than Ever
There are a number of reasons why enterprises are taking a fresh look at their identity and access management solutions. First and foremost is the economic pressure that is causing firms to reduce staffing, do more with less, and focus on core competencies. Eric Olden, CEO of Symplified, says, "With the recession, companies are looking at anything that can be outsourced or done at a lower cost. It makes sense to revisit identity management because while every company has identity management problems, it’s just overhead, not a core competency."
Perkins agrees, saying that the "efficiency play" is the oldest driver for identity management. "Companies want to run things with less time, effort, and money. The classic example is calls to the help desk for password resets; if that process can be automated, you streamline and simplify the process." As an indicator of the hidden costs of identity management, a 2004 Gartner report estimated the cost of resolving password problems at between $10 and $31 per phone call to the help desk.
Another factor is increased attention to compliance, as regulations such as HIPAA and SOX place pressure on enterprises to have verifiable audit trails for information and physical access. Perkins believes that enterprises will come under even more scrutiny for transparency in the months and years to come. "Just think of the $700 billion financial bailout, and the fact that no one really knows where that money went," Perkins says. "A good identity management system could have helped track that."
Guy Vancollie, director of marketing for CoreStreet, Ltd., which offers infrastructure and application solutions for credential validation in IT and physical security environments, says that increased attention to compliance is also driving the demand for "strong identity credentials" as defined by Homeland Security Presidential Directive 12 (HSPD 12). The directive, issued in 2007, calls for a mandatory, governmentwide standard for secure and reliable forms of ID issued by the federal government to its employees and employees of federal contractors for access to federally controlled facilities and networks.
The standard, Federal Information Processing Standards Publication 201 (FIPS 201), calls for logical credentialing that takes both identity and transaction-specific details into account. "Say you log in to a specific computer at your workplace," says Vancollie. "A FIPS 201 compliant system will check to see whether you’ve entered that physical location using your SmartCard before allowing you to log in. If it sees you haven’t entered the building, strong identity credentials would recognize that and block access." These days access isn’t limited to a handful of building locations, either. Among CoreStreet’s product offerings is the FIPS 201 compliant PIVMAN system, which provides mobile identity verification for use in securing perimeters for homeland security incidents or natural disasters.
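The building-entry check Vancollie describes, sketched as an added example that is not from the article or from any CoreStreet product. The event fields, workstation names, building names and the 16-hour freshness window are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class BadgeEvent:
    user: str
    building: str
    direction: str  # "in" or "out" (assumed door-controller event format)
    at: datetime

# Constructed sample mapping: which building each workstation sits in.
WORKSTATION_BUILDING = {"ws-101": "HQ", "ws-202": "LAB"}

def current_building(user, events, now, max_age=timedelta(hours=16)):
    """Return the building the user is badged into at `now`, or None."""
    latest = None
    for e in events:
        if e.user == user and e.at <= now and (latest is None or e.at > latest.at):
            latest = e
    if latest is None or latest.direction != "in":
        return None  # never entered, or last event was an exit
    if now - latest.at > max_age:
        return None  # stale entry: treat the user as not present
    return latest.building

def allow_logon(user, workstation, events, now):
    """Allow logon only if the user is badged into the workstation's building."""
    building = WORKSTATION_BUILDING.get(workstation)
    if building is None:
        return False, "unknown workstation"  # fail closed
    present = current_building(user, events, now)
    if present is None:
        return False, "no current badge entry"
    if present != building:
        return False, f"badged into {present}, workstation is in {building}"
    return True, "ok"

# Constructed sample badge events.
T0 = datetime(2009, 3, 2, 8, 0)
EVENTS = [
    BadgeEvent("alice", "HQ", "in", T0),
    BadgeEvent("bob", "HQ", "in", T0),
    BadgeEvent("bob", "HQ", "out", T0 + timedelta(hours=4)),
    BadgeEvent("carol", "LAB", "in", T0),
]
```

The check fails closed: an unmapped workstation, a missing badge record, or an entry older than the freshness window all deny the logon and return a reason that can be written to the audit trail.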
A third trend influencing the accelerated uptake of identity management solutions is what Perkins terms "business transformation," and it too is very much an effect of the recession. As enterprises are transformed by mergers, layoffs, or acquisitions, it is crucial to ensure that the right people—and only the right people—have access to enterprise applications. "Especially during times of rapid downsizing," Perkins says, "it’s important to know who is able to see what and to be able to shut access on and off instantaneously."