Lack of interoperability and liability hold back identity management IT

An identity management strategy is vital to allow businesses to collaborate with business partners and support regulatory compliance, but the technology poses challenges for IT directors, analyst firm Burton Group said last month.

In his keynote presentation at the Burton Catalyst conference in Barcelona last month, Burton Group chief executive Jamie Lewis said, "Identity management is fundamental to enable business."

However, there are several barriers that limit how companies deploy identity management, including the inability of products to work across company boundaries, lack of common standards, and unclear contractual obligations.

Identity management comprises multiple systems that allow businesses to grant users access to networks and data, including federated services, single sign-on, authentication and directory services.

Although most large IT suppliers offer identity management suites, research from Burton Group found that 75% of users purchase individual identity management components from multiple suppliers.

Burton Group splits identity management into three core areas. The first area is application-centric identity management from companies such as Oracle, SAP, and Microsoft. These companies offer application and platform integration of identity management features and offer identity management tools for software developers, such as authorisation services.

The second area is management and compliance identity management software from companies such as IBM, CA, Hewlett-Packard, Sun Microsystems, Novell and BMC.

The third area is information-centric security, which EMC specialises in through its RSA products.

However, no single product can provide all the functions businesses require for identity management, according to Burton Group.

Markus Salo, concept owner for identity and access management at mobile phone maker Nokia, discovered this when he began a project to provide identity management for several thousand users in a partnership between Nokia and Siemens.

"We needed to establish an identity exchange to allow user identities to be shared between the two companies," he said. But Salo could find no product to support identity exchange. Instead, he had to adapt existing technology.

Lack of liability is another limitation of existing identity management providers. Anne Terwilliger, director of security projects at credit card firm Visa International, said suppliers working on identity management need to take on greater responsibility, using something similar to the authorisation system employed by credit card networks. "There is a legal liability to protect user data and privacy," she said.

Another area of concern is the lack of compatible products. June Leung, senior manager of security and business recovery at FundServ, a company specialising in applications for the financial services industry, said, "Businesses are paying a lot of money for different products." Leung believes this cost could be reduced if there was a single standard.

Eve Maler, technology director at Sun Microsystems, said, "There is a lot of opportunity to bring standards such as PKI and SAML together to enable users to build applications faster and avoid security and quality issues."

Government data sharing: concerns over privacy

Most implementations of government data sharing lack adequate privacy protection for citizens, a member of the data privacy and advisory council at the US Department of Homeland Security has warned.

Speaking at the Oasis ID Trust Workshop running at last month's Burton Group Catalyst conference, John Sabo, who is also president of the International Security Trust and director of government relations at software firm CA, said, "Chief security officers are not looking at data privacy. Policies on security and privacy are unclear."

Addressing delegates at the workshop, he said governments had no desire to support privacy. "Everyone wants to collect information. Most countries have data laws that enable people to see what data is stored about them but do not have sufficient identity management to support this requirement."

Without sufficient identity management to protect citizens' privacy, data could be misused. Sabo warned that the problem affected not only government systems. "Flows of information in business are being caught up by government policy," he said.

Sabo said that even though businesses would normally be able to provide a level of "privacy protection" implemented through strong authentication and identity management within enterprise systems, this trust model is damaged when the data is shared with governments.
