Identity management market at crossroads

Queenie Ng

The identity management market is approaching a crossroad: The awareness of the need for identity management is increasing but the options for such solutions are shrinking as the market goes through consolidation.

Identity management has begun to appear in more enterprises, primarily as a operation-support element but increasingly as a move to support information security policy and streamline application support services.

Many IT organisations today either have already implemented comprehensive identity management solutions or are at least in the midst of defining identity as an asset and the pain points that such management services can address.

Research firm, The Yankee Group, predicts that sales of identity management products and services will hit $3.3 billion in 2008, up from $2.3 billion last year.

Steve Ng, director, emerging business software sales director, Software Global Business Unit, HP Asia Pacific, attributed the growing awareness of the need for identity management to regulatory compliance requirements.

“It is often regulatory requirements which can drive the need for implementing an identity management solution, to allow proof of compliance to government regulators or industry bodies on managing data according to privacy acts,” he noted.

In January 2004, the Bank of Scotland was fined about $2.5 million for failing to keep proper records of customer identifications as stipulated by the UK’s Financial Services Authority’s money laundering regulations.

“Ineffective control of identity can lead to serious security breaches such as loss of confidential information and fraud that will negatively impact customer trust, staff productivity, business opportunities, and possible violation of legal and regulatory requirements.”

Improving efficiency

Another key driver in identity management is operational efficiency. Kang Meng Chow, chief security & privacy advisor at Microsoft Asia Pacific and Greater China, said identity management—which includes better security management and enforcement of security policies—can help in saving operational costs.

“For example, having a self-serviced password reset function would reduce the number of calls to help desk services significantly,” he suggested.

According to research firm Gartner, costs for identity-and access-management systems range from $5 to over $25 per user, depending on the features installed. A company with 10,000 employees that automates provisioning for 12 applications can save about $3.5 million over three years and see a 295 percent return on investment. The savings come largely from slashing time spent managing user access by 14,000 hours annually and cutting help desk hours by 6,600 hours annually.

Overlapping features

The benefits are easy to see, but selecting the right products is tough.

Sometimes, companies may even get confused when shopping for software to manage access rights to applications for employees, customers, and business partners—not only because of the number of vendors to choose from but also because of overlapping features across products.

Many databases and directories have their own access-control features. And some of the same capabilities can be found in employee-provisioning software and applications to manage access to Web-based applications. In the past few months, the wave of mergers and acquisitions have made things easier for business-technology managers by cutting down the number of vendors they will need to work with.

Firstly, Sun Microsystems bought Waveset Technologies, which offers provisioning software, to bolster its identity-management platform. Then Web-access identity-management vendor Netegrity acquired Business Layers for $42.5 million. Netegrity customers can use its provisioning software SiteMinder and IdentityMinder applications to manage workflow and provisioning of internal apps as well as Web access.

Complete solutions ahead

Peter Skoufis, director of Security Solutions, BMC Asia Pacific, noted how the identity management space is experiencing phenomenal growth, and how vendors are striving to provide a one-stop shop.

While consolidation has limited the selection of products, it ties together authentication, directory services, provisioning, and user- and access-management technology.

Skoufis said customers today want to reduce the complexity of integrating various technologies.

Microsoft’s Kang agrees. From the technology standpoint, consolidation shows that there is now a better understanding of what an identity management solution should entail. “The growing maturity in the solutions space means that customers or enterprises would in the near term be able to have a more complete solution,” he said. This wave of acquisitions also shows a convergence of provisioning and access management technology.

Today, identity management tasks are typically under the purview of several departments in an enterprise. Access management tasks are also typically handled manually and can take staff over several departments many man-hours to manage.

With the convergence of provisioning and access management technology, HP’s Ng suggested that companies can achieve an automated, consolidated structure for identity management.

TruLogica is the result of HP’s latest buying spree to give itself technology for federated identity management, which essentially means being able to provide network users with access to multiple applications with one user ID and password.

This way, Ng said, enterprises can now automate the full range of IT user-lifecycle management and access control tasks.

This article first appeared in Asia Computer Weekly