An identity management strategy is vital
to allow businesses to collaborate with business partners and
support regulatory compliance, but the technology poses challenges
for IT directors, analyst firm Burton Group said last
month.
In his keynote presentation at the Burton Catalyst conference in
Barcelona last month, Burton Group chief executive Jamie Lewis
said, "Identity management is fundamental to enable business."
However, there are several barriers that limit how companies
deploy identity management, including the inability of products to
work across company boundaries, lack of common standards, and
unclear contractual obligations.
Identity management comprises multiple systems that allow
businesses to grant users access to networks and data, including
federated services, single sign-on, authentication and directory
services.
Although most large IT suppliers offer identity management
suites, research from Burton Group found that 75% of users purchase
individual identity management components from multiple
suppliers.
Burton Group splits identity management into three core areas.
The first area is application-centric identity management from
companies such as Oracle, SAP, and Microsoft. These companies offer
application and platform integration of identity management
features and offer identity management tools for software
developers, such as authorisation services.
The second area is management and compliance identity management
software from companies such as IBM, CA, Hewlett-Packard, Sun
Microsystems, Novell and BMC.
The third area is information-centric security, which EMC
specialises in through its RSA products.
However, no single product can provide all the functions
businesses require for identity management, according to Burton
Group.
Markus Salo, concept owner for identity and access management at
mobile phone maker Nokia, discovered this when he began a project
to provide identity management for several thousand users in a
partnership between Nokia and Siemens.
"We needed to establish an identity exchange to allow user
identities to be shared between the two companies," he said. But
Salo could find no product to support identity exchange. Instead,
he had to adapt existing technology.
Lack of liability is another limitation of existing identity
management providers. Anne Terwilliger, director of security
projects at credit card firm Visa International, said suppliers
working on identity management need to take on greater
responsibility, using something similar to the authorisation system
employed by credit card networks. "There is a legal liability to
protect user data and privacy," she said.
Another area of concern is the lack of compatible products. June
Leung, senior manager of security and business recovery at
FundServ, a company specialising in applications for the financial
services industry, said, "Businesses are paying a lot of money for
different products." Leung believes this cost could be reduced if
there was a single standard.
Eve Maler, technology director at Sun Microsystems, said, "There
is a lot of opportunity to bring standards such as PKI and SAML
together to enable users to build applications faster and avoid
security and quality issues."
Government data sharing: concerns over privacy
Most implementations of government data sharing lack adequate
privacy protection for citizens, a member of the data privacy and
advisory council at the US Department of Homeland Security has
warned.
Speaking at the Oasis ID Trust Workshop running at last month's
Burton Group Catalyst conference, John Sabo, who is also president
of the International Security Trust and director of government
relations at software firm CA, said, "Chief security officers are
not looking at data privacy. Policies on security and privacy are
unclear."
Addressing delegates at the workshop, he said governments had no
desire to support privacy. "Everyone wants to collect information.
Most countries have data laws that enable people to see what data
is stored about them but do not have sufficient identity management
to support this requirement."
Without sufficient identity management to protect citizens'
privacy, data could be misused. Sabo warned that the problem not
only affected government systems. "Flows of information in business
are being caught up by government policy," he said.
Sabo said that even though businesses would normally be able to
provide a level of "privacy protection" implemented through strong
authentication and identity management within enterprise systems,
this trust model is damaged when the data is shared with
governments.