Standards Development Helps
Another obstacle to faster adoption is the lack of unified standards governing the many moving parts of a comprehensive identity management solution, HSPD 12 notwithstanding. Hietala says that pinning down standards continues to be a big challenge. "The adoption of cloud-based services will run out in front of security standards. Functionality and business considerations always work faster than security concerns."
Hietala points to Security Assertion Markup Language (SAML), a protocol standard for authentication, as one identity management standard that is achieving broader acceptance, especially now that Microsoft has adopted it. Perkins expects SAML to be the de facto standard for authenticating federation within the next 2 or 3 years.
Similarly, eXtensible Access Control Markup Language (XACML) is being backed by OASIS, a consortium that drives the development, convergence, and adoption of open standards for the global information society, as a schema for representing authorization and entitlement policies. The Liberty Alliance is another industry group tackling the standards problem, using a business-centric approach to open identity standards, business and deployment guidelines, and best practices for managing privacy.
However, until clearer and more comprehensive standards are agreed upon, look for companies to continue to offer their own proprietary solutions. Perkins says, "the lack of standards holds back ubiquity, but allows companies to make money for as long as they can with their proprietary systems. They’re in no great hurry for standardization."
Complexity a Continued Problem
"If necessity is the mother of invention, then the recession is the mother of SaaS," quips Olden, as companies around the globe face financial pressure to adopt service and outsourcing models for business functions traditionally kept in-house. Companies that may have tried a single SaaS implementation a few years ago may be considering deployment of a dozen more by the end of 2010, and they will need the identity management solutions in place to make that viable.
In turn, this will put pressure on vendors of identity management solutions to reduce the complexity associated with implementing managed identity services. "IaaS is definitely a play in 2009," says Vancollie. "But what makes it complex is that there are a lot of moving parts."
Perkins agrees: "Right now the service models are a pain to implement." Also, because of the relatively higher value of the identity data, he adds, "If you think of all the front-end prep work you do for an ERP implementation, plan to double it." Perkins believes it is this complexity, in part, that makes it difficult for enterprises to quantify the value of IaaS against their existing identity management services.
For the foreseeable future, enterprises may find themselves running two identity management systems, one for applications inside the firewall and one for their SaaS applications. Symplified is one company trying to address this by offering a hybrid solution that complements in-house identity management systems and helps clients adapt and migrate to SaaS.
So security concerns, lack of comprehensive standards, and complexity still stand in the way of smooth growth in identity management market. Undoubtedly, though, the ongoing threat against enterprise data security and the reduced costs and greater flexibility inherent in IaaS means that vendors and customers alike have every incentive to get those problems solved.
Companies Features in this Article
Arcot Systems, Inc.
Covisint, a subsidiary of Compuware Corp.
The Open Group Security Forum
Oracle Corp./Wipro, Ltd.