Understanding a user's identity - their role and relationship to a company - is daunting. But it is a necessary evil that allows businesses to ensure only authorised users have access to the right resources at the right time.
Welcome to the world of identity theft and identity management (IM), the medicine that aims to heal a company's wound when it has fallen victim to a security breach.
Indeed, the growing threat of fraud and identity theft (the most common form is insider attack) is causing a fundamental shift in the identity management market, according to Forrester Research.
Today, simple passwords provide inadequate protection as a reliable means of authentication.
Given the increased threat levels, the goal is to arm an organisation with identity lifecycle management technology, which helps a firm manage a user's identity and access across all of its myriad incarnations, HP Software Global Business Unit marketing manager, Paul Muller, said.
"It is not just about bringing identities onboard, but managing them through the whole process," Muller said.
"About 40 to 60 per cent of identity data is left floating around once someone leaves an organisation, and that presents a significant security threat."
And it is no longer just about managing the people, NetIQ's regional director A/NZ, David Taylor, said, but about managing the devices, applications and physical assets that all comprise additional identities.
"We have to manage an increasingly networked, interconnected and always-on society," he said.
Enterasys Networks' managing director, Gary Mitchell, agreed. While the industry had a fixation with the identity of people, he said the real growth area was on the non-human devices that were being attached to a corporation's infrastructure.
With this, a firm needed to consider how a device can be identified and managed in such a way that a set of rules is enforced.
IM in the house
"There are examples of IP-enabled cameras, phones and printers that have been hijacked or compromised and allowed to do things that are outside the realm of acceptable behaviour," he said.
"This happens because an organisation's compliance policy is not enforceable in the real world."
With businesses putting more of their resources online - dealing with increased complexity and a growing number of internal and external users - identity management will become more of a priority.
This year, regulatory compliance (in light of Sarbanes-Oxley legislation in the US) will be the primary driver for enterprise investment in identity management.
In addition to regulatory compliance, saving a buck or two is another primary market driver, Gartner managing vice-president, Victor Wheatman, said.
"Cost savings [cutting helpdesk and security administration costs]; gaining higher levels of trust for remote users; and granting trading partners access to systems and data are the main drivers," he said.
Reducing the total cost of ownership [TCO] through efficiency and consolidation; security improvements that reduce the risk of internal and external attacks; greater access to information by partners, employees and customers; along with greater business agility during events such as mergers and acquisitions are the other top market drivers, Wheatman said.
The identity management umbrella
According to Wheatman, the kitbag includes Web-based access management products, single sign-on (SSO), password management, user provisioning, federated identity management, role management and authentication software and hardware.
Directories, meta-directories, and virtual directories are also core underlying components of an identity and access management (IAM) architecture, he said.
Meanwhile, the use of USB tokens, smart cards and biometric technology was another extension of identity management and a further means of strengthening security, HP's Muller said.
How does it all work? IAM software, appliances and services are used to create and manage user identities, provide authentication and to permit users access to system resources based on pre-defined criteria.
Essentially, the technology combines processes, technologies and policies to manage digital identities and to ascertain how they are used to access resources.
The recent blend of the identity and access management markets had changed the landscape, Wheatman said. Improved technology and savvier, integrated offerings were giving resellers more to play with.
And the global IAM shopping spree was continuing, he said.
"Sun acquired Waveset, Computer Associates acquired Netegrity," Wheatman said. "Other surviving players have formed partnerships and alliances.
One component is not enough to gain the full benefits; integration and linkages between the various pieces is necessary."
What's on tap for 2005
Analysts predict a host of technology trends will come to fruition this year. Expect to see provisioning take centre stage in identity-enabled architectures; enterprise single sign-on (SSO) to come of age; and identity-based computing to become a reality.
On the provisioning front, the technology has shifted from the ROI around self-service password reset and IT efficiency improvements to the policy enforcement and auditability around role-based access controls and centralised process management, according to Forrester.
Federated identity management, meanwhile, is a big buzz word this year, Express Data's pre-sales manager, Eileen Espiritu, said. Moving beyond the firewall, the technology helped companies securely engage with business partners and customers.
In a nutshell, federated identity (formerly known as Internet single sign-on) lets organisations share trusted identities across the boundaries of the corporate network - with business partners, separate business units and remote offices.
The technology got a boost recently with the Liberty Alliance Project, a consortium of 150 companies, non-profit and government organisations, releasing the second version of its framework for identity-based Web services.
The group is working towards an open, federated, single sign-on identity model, which will simplify and secure the process of conducting business on the Internet.
According to the group, the new release, dubbed ID-WSF 2.0, provides support for SAML 2.0 and marks a significant step forward in the convergence of identity specifications. The standard helps organisations communicate identity information among identity-based Web services.
What does a federated identity world look like? For starters, it helps businesses or consumers manage their own data, and ensure that the use of critical personal information is managed and distributed by the appropriate parties, rather than a central authority.
Federated identity is one of a number of areas where HP was setting its sights in the IM world, Muller said.
"We're not planning on getting into the directory space," he said. "We started with Web-based single sign-on and access control. We are focusing on provisioning of identities and synchronisation of passwords, and a third play is on federated identity."
Calling it an important trend playing out in the industry, Muller said the technology let users establish a circle of trust between different businesses.
Expect to hear a lot more about federated identity, Computer Associates' senior consultant for technology services, Chris Thomas, said.
And while the top end of town would be first to take a shine to the technology, Thomas said the concept would trickle down into the SMB space.
Other plausible areas included employee benefit portals and healthcare.
The company had released a fully integrated suite (combining administration and single sign-on) and offers a phased-in approach that was ideal for resellers, he said.
In the wake of the Netegrity buyout, CA has released its IAM roadmap. As part of the plan, the company saw opportunity in federation, compliance and policy management, Thomas said. Key products, including eTrust IAM Suite r8 and eTrust SiteMinder support for SAML 2.0, addressed the trend towards integration, he said. Integrated offerings simplify administration, monitoring and audit processes.
Indeed, the investment in identity management would increase alongside the growing need to prove a user's identity in the computing system, Juniper Networks channel director, Brian Allsopp, said.
The need to manage identities (and adequately secure the network) is even more pressing given the feverish push for enterprises to adopt a mobile computing platform.
"The notion of a trusted network is now a reality," he said.
As such, identity-based computing was already a reality for remote access (VPN) users, Allsopp said.
This year, he said the security industry would work towards extending these types of capabilities to all network access including LAN and wireless.
"New developments in IM no longer focus on how to establish identity; instead they concentrate on defining a role for an identified user/device, and what capabilities should be granted," Allsopp said.
Juniper has rolled out the Juniper Endpoint Defence Initiative (JEDI), which integrates provisioning, auditing and policy definition. The technology gives role and resource permission based on multiple criteria.
Partners in crime prevention
So where do partners fit into the picture? Gartner's Wheatman said an IAM project could be very complex, requiring several inter-relationships.
And while it shouldn't stop dealers from jumping into the game, partners should start small, he said.
"Traditional resellers may not be able to deliver a full-blown vision of what IAM plus user provisioning and audit capabilities can provide," Wheatman said. "But a reseller can play in the individual component markets quite successfully - identity management, Web access management [or extranet access management], password management and single sign-on."
While tricky, partners could get their feet wet by looking for opportunities with auditing [determining access control, policies and procedures] along with consulting services, HP's Muller said.
"With auditing, an important point is access control and provisioning and tracking changes," he said.
Look for opportunities in the government, telco and financial services sectors, Muller said.
Enterprise manager for VeriSign Australia, Ed Elliff, agreed that these three sectors were attracted to a host of solutions and services including corporate access, secure remote access, secure Web access, simplified sign-on and trusted messaging.
"The key is to provide access to users, devices and applications without compromising their security posture," Elliff said.
Indeed, over the last 12 to 24 months, partners started seeing real business opportunity in these markets thanks to a spate of technology developments, along with the integrated offerings in the wake of vendor consolidation, Muller said.
For starters, the move from a single directory-centric model to a multi-directory approach was opening doors for resellers, he said.
"The issue today is managing and synchronising the credentials and access rights between different directories," Muller said.
"There are multiple levels of identities in business today, which all need to be managed."
And while the technology development towards multiple directories meant increased opportunity, it also represented some challenges, Juniper's Allsopp said.
"The challenges of IM are moving away from a single user ID towards centralised management and provisioning which, along with a move towards interoperability, is the sign of a maturing market," he said.
Other top challenges included the increasing consumer demand for privacy and protections, analysts claim.
So as the market finds its footing and determines the opportunities and challenges, partners can start down the IM path by offering business consulting, Muller said.
The top consideration should be "What corporate assets do we have and how can we get better access to resources?" he said.
Specifically, he said resellers need to get savvy about provisioning (how do I provision a new identity into the environment and add a new user), synchronisation (ensuring passwords and user names are synchronised across different departments, including HR and payroll), and access management (how to gain access to services). System integrators with directory technology expertise were better positioned to design and map the business processes into an IM environment, Muller said.
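As an added illustration of the provisioning, synchronisation and access-management pieces just described (example code written for this article, not from HP, CA, Juniper or any other vendor named on the page): it reconciles a constructed HR feed against two constructed directories to flag the leftover accounts Muller warns about once someone leaves, lists who still needs provisioning, and answers access requests from an HR-derived role combined with a device-trust criterion of the kind Allsopp describes. The HR-as-authoritative-source rule and the department-to-entitlement mapping are assumptions made for the example.

```python
# Added example: identity lifecycle reconciliation and role-based access checks.
# All data is constructed; HR is assumed to be the authoritative source.
HR_RECORDS = {
    "alice": {"dept": "finance", "status": "active"},
    "bob": {"dept": "sales", "status": "active"},
    "carol": {"dept": "finance", "status": "terminated"},
}

# Constructed account lists from two directories that should stay in sync
# with HR (e.g. the network directory and the payroll system).
DIRECTORIES = {
    "ldap": {"alice", "bob", "carol", "dave"},
    "payroll": {"alice", "carol"},
}

# Constructed role model: department -> entitlements granted by that role.
ROLE_BY_DEPT = {
    "finance": {"ledger_read", "ledger_write"},
    "sales": {"crm_read"},
}


def expected_accounts(hr):
    """Identities that should exist anywhere: active HR records only."""
    return {uid for uid, rec in hr.items() if rec["status"] == "active"}


def find_orphans(hr, directories):
    """Per directory, accounts with no active HR record behind them;
    these are the leftover identities that should be deprovisioned."""
    expected = expected_accounts(hr)
    return {name: sorted(accts - expected) for name, accts in directories.items()}


def find_missing(hr, directories):
    """Per directory, active users not yet provisioned into it."""
    expected = expected_accounts(hr)
    return {name: sorted(expected - accts) for name, accts in directories.items()}


def entitlements(hr, uid):
    """Entitlements derived from the user's HR role; none once terminated."""
    rec = hr.get(uid)
    if rec is None or rec["status"] != "active":
        return set()
    return set(ROLE_BY_DEPT.get(rec["dept"], ()))


def authorise(hr, uid, permission, device_trusted):
    """Grant only if the identified user holds the entitlement AND the
    device the request arrives from is trusted (two criteria, not one)."""
    return device_trusted and permission in entitlements(hr, uid)
```

Running the reconciliation on the constructed data reports carol and dave as orphans in the directory and bob as still missing from payroll; carol's terminated status also strips every entitlement regardless of the directory entry that lingers.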
Security as a managed service as it relates to IM is a hot area of opportunity for resellers, Firewall Systems marketing director, Nick Verykios, said.
"Security as a product is a non-existent thing," he said. "If there are no managed services, it's useless."
Partners can help put the pieces together, Verykios said.
The challenge was turning the technology into something useful and linking it back into systems and applications including ERP and CRM, he said.
"Partners should think in terms of business continuity and risk mitigation," Verykios said.
"Resellers can help customers install policy-based procedures - checking for anomalies, movement and behaviour," he said. "Everything has to do with behaviour. Resellers can't simply think in terms of IT, but need to think about a policy-based approach and consulting. They can put in a system that constantly monitors and updates for change."
But the industry needed to move beyond the known threats and prepare for what lies ahead in order to provide proactive protection against emerging threats, Verykios said. This was particularly difficult for resellers given that vendors haven't always covered all of the bases.
"Products need to include more than threat management and virus detection, but also take into account heuristic technologies," he said.
A focus on heuristic and neural technology - networks learning to detect anomalies and protect themselves against them - was needed, Verykios said.
"The big problem is users unknowingly giving away their identities for others to borrow," he said. "Worse still, users unwillingly exposing their identity to spies and other such threats. But that's what we know about now. What about what we don't know? How could users protect themselves from phishing attacks when vendors weren't even aware so they could create technology to suit?"
Given the rising threat levels and growing uncertainty, resellers could help allay some of the fears by offering ongoing management and support (thereby creating a co-dependence with the customer in terms of recurring management), Verykios said. This fitted nicely into the managed services model and went beyond a pure product play.
Beyond product selling, partners needed to provide process engineering, CA's Thomas said.
"IM is more than a technology sell, it is about the processes and the people," he said.
Part of the challenge is identifying and stopping bad behaviour.
"It's not the data that's the problem, it's the people," Verykios said. "So we can't solve user identity threat issues with a data management approach, but rather translating inappropriate human behaviour into an IT scenario and going from there."