Identity Management

Identity and Access Management

25.09.2003
As networking between companies also takes hold, software for managing users' identities and access is gaining importance. The solutions should fit flexibly into existing portals, the Butler Group demands, and it provides an overview of the still-young market.

Identity and Access Management lays the foundations for the building of an extended trusted environment, along with providing flexible, policy-based, user lifecycle management. It is essential that companies move to an identity-centric approach where the focus is on authentication to reduce risk, rather than relying on the current mechanisms of perimeter control and detection. The move to Internet-based business processes and collaboration, and the Web services framework, means that it is not a question of if, but when, enterprises must implement an integrated security management solution, based on the principle of identity and trust.

Many organisations consider that they are sufficiently protected by the piecemeal security technology they have implemented around the IT infrastructure. Butler Group believes these enterprises are in for a rude awakening when, for example, either their personal information assets are compromised and litigious users seek recompense, or the costs of managing many users start to eat into precious IT resources. At the top of the IT Manager's wish list must be the phased deployment of a security framework aligned with company objectives and driven by the company security policy, including Identity and Access Management technology.

Business Issues

In the pursuit of cost efficiencies many enterprises are engaged in a strategy of evolving to an Internet-based business model that will, in turn, require the organisation to adopt a security framework to allow safe collaboration and the sharing of services with other organisations. Without a mechanism for efficiently processing identities the Web services paradigm will never gain widespread adoption in the market place. It is important that an enterprise is able to simply and inexpensively establish an organisational stakeholder's identity, and that there are processes and technology in place to manage the user identity by the organisation itself, a trusted partner, or an identity service.

Governments have started, and continue, to focus on an individual's personal privacy. The European Union has already put privacy legislation in place. In the future, organisations will have to be able to demonstrate that personal information is secure and has not been shared with any other organisation without the individual's express approval. This potential risk of litigation will undoubtedly raise the profile of Identity and Access Management capabilities within the boardrooms of many enterprises.

In addition to regulating in this area, governments have a role in providing a lead in the deployment of the security technology and infrastructure capable of bringing common identity mechanisms to the mass market. After all, there will be no e-Government without superior e-security. It is in the public sector's own interest to provide leadership, and to seed the market with the required strong authentication technology.

The ability to reduce costs remains an important requirement for all organisations. There is a danger that, without an integrated security infrastructure, standalone security solutions will proliferate in each application silo. Whilst Identity Management provides the required security, it is the Access Management functionality that can supply the necessary Return On Investment (ROI) and enable the justification of the project. Just as the employees provide the value to the organisation, it is identity capability that can add value to the security infrastructure.

Technology Issues

A personalised portal interface, taking into account the current context and device type, is seen as the most likely way for the majority of users to interact with an organisation. In this environment any Identity and Access Management solution should be able to interact with portal technology. Flexibility is another important attribute, with the capacity to interoperate with many different platforms and applications of particular significance.

The automation, workflow, self-service, and delegation features of Identity and Access Management solutions enable the organisation to keep up with the ever-changing business environment and the growing number of users that need access to enterprise services - no matter how quickly the organisation is required to adapt to new conditions.

Many vendors claim to offer an end-to-end Identity and Access Management solution, when in reality, they can only offer part of this. IBM Tivoli, Oblix, and RSA Security were vendors found by Butler Group to offer products that most closely meet the requirements of a total solution, including a full feature set, and strong capability in the areas of flexibility, management, standards, deployment, and future vision.

A security framework, containing this Identity and Access Management functionality, is capable of bringing together the disparate security services into one shared platform for user identity and access control, allowing one infrastructure to be developed to meet all the security requirements of the organisation. Competitive advantage can be gained from the lower cost of operation, and the ability to deploy new services without adding to the security overhead.

Market Issues

The main protagonists in the IT market, such as Microsoft, IBM, Computer Associates (CA), and Hewlett-Packard (HP), are continuing to develop an integrated Identity and Access Management solution to fit within their platform offerings, by either organic growth, acquisition, or partnership. Last year IBM acquired all the assets of Access360 to integrate into the Tivoli software portfolio, expanding the user lifecycle management, access control, privacy management, provisioning, and meta directories functionality. More recently, HP announced the proposed purchase of Baltimore's SelectAccess Web-based SSO software. HP is planning to incorporate the SelectAccess product within its OpenView adaptive management platform.

Microsoft recently announced the availability of Microsoft Identity Integration Server 2003 (MIIS). Within many organisations the use of directories has mushroomed. In order for a security framework to operate successfully there is a need to link different directories to provide a unified view of information. Microsoft is able to supply additional functionality outside the current scope of its offerings through product partners such as Oblix and OpenNetwork.

It is becoming increasingly unacceptable for Identity and Access Management software vendors to say they are only focused on enterprise system security and access. Butler Group believes the business of the future will be enmeshed with the Internet, and even internal users will use the Web as a communication channel. An Identity and Access Management solution must be able to cater for multiple access channels.

The overall market size for Identity and Access Management solutions remains relatively small, probably due to the early adopter phase in the market lifecycle, and the immature standards in this area, along with the perceived difficulty in implementing this technology in an already complex IT environment. Industry standards are now emerging which will enable a much less painful deployment experience. Butler Group believes that over the next two years everyone will need to have a strategy in place to evolve to a security architecture including federated identity and better access management.

The full report can be ordered from the Butler Group.