30 minute interview
Identity Management solutions offer dramatic cost savings
Mark Bower on the challenge of managing secure access
to information and applications scattered across internal and external computing
systems
What's fuelling the growth of identity management?
Mark Bower
Worldwide Sales Manager
HP OpenView ID Management Solutions
Progressive organisations have started implementing comprehensive
identity management (IM) solutions or are in the process of evaluating these
tools from a strategic standpoint. A key driver for IM is the savings it brings
in terms of operational costs from greater efficiency in data management.
The market factor that determines this is compliance. Enforcing
and auditing authentication practices and access control policies are critical
elements of compliance projects. The Yankee Group has predicted that sales of
IM products and services will hit the $3.3 billion mark in 2008.
Companies evaluate solutions across various parameters, especially when there
are overlapping features among products. For instance, many databases and directories
have their own access-control features. Since IM tools can be used to provide
access to applications, they save considerably on IT management. IM tasks are
typically under the purview of several departments. Because an IM solution enables
access to many applications across the network, it reduces time spent on managing
user access and answering queries put to the technical help-desk.
Take the case of an employee who has left the company; his e-mail access is
removed. However, this isn't always enough. He may have been given access
to other IT systems. Unless access is denied, ex-employees could penetrate internal
networks. The Meta Group (now taken over by Gartner) estimates that on an average,
only 62 percent of a user's access is removed when the concerned employee
leaves the organisation. Put this into perspective and you realise how important
IM is.
We feel that it is not an issue of complexity or cost. Organisations should
understand that IM is an issue that needs to be dealt with sooner rather than
later. Recent findings reveal that most threats come from within an organisation.
Do you think security vendors will be able to address this
need better than others?
The drive for IM is coming from all directions. Security vendors have also jumped
onto the bandwagon. However, we do not think that it is an exclusive domain.
IM is about running different programmes across operating systems, directories,
application servers and applications from different vendors.
Let's take the example of companies that have multiple
IT systems. An IM solution is necessary as managing a log-in for each and every
application and computing system can turn out to be a difficult proposition.
Implementing features of a solution gives an enterprise the ability to manage
user rights more effectively as it is easier for users to log on to all applications
using a single log-in. It is expected that most organisations will have identity-based
IT infrastructure where all applications are aware of identities.
But this is only one aspect of IM. It has gone beyond single sign-on. Our solutions
include features such as user security management, which deals with how to provision
and consolidate users into a single directory to enable access to diverse applications.
IM solutions support features such as self-service password, IM where passwords
are reset, and personal identity updates.
When these tools are in place on a network, each user only has to keep track
of a single password rather than a handful. That simplification, as well as
automation for password recovery, reduces the costs of help desk calls for forgotten
passwords.
Companies are storing such identifiable data and digital IDs in more transparent
directories and LDAP-accessible systems rather than stowing them in the back-end.
Much of the information being stored, in an HR or customer-order database,
for example, is being pulled any time it is needed. For HP, IM is an integral
part of OpenView.
The OpenView Select Identity will be integrated with HP OpenView Select Access
to form an IM solution that automates access control along with security aspects.
Would an assessment that IM is evolving be a fair one?
Yes. In the nineties, the Lightweight Directory Access Protocol (LDAP) was used
in IM solutions. LDAP is a protocol for accessing information directories such
as those of organisations, individuals, phone numbers and addresses that support
TCP/IP for Internet usage. Because LDAP did not fully meet the demands of identity
management, new technologies were considered and adopted. SAML (Security Access
Markup Language) is intended to provide a session-based security solution for
authentication and authorisation across different systems and organisations
through the use of XML.
Security Provisioning Markup Language has been proposed as a standard for managing
the process of provisioning accounts across different systems. Then there is
XACML, an XML specification for defining the rules that specify which, when
and how users can access information. There are other industry initiatives such
as the Liberty Alliance Project that allows cross-system interaction through
single sign-on.
Today, identity information can be synchronised across a range of directory
and non-directory identity stores using technologies such as Active Directory,
LDAP Interchange Format (LDIF) and Directory Services Markup Language.
Where does IM fit into HP's Adaptive Enterprise strategy?
It adds yet another piece to it. We achieved this by acquiring TruLogica. Their
automated user provisioning, combined with the breadth and depth of the HP OpenView
management software portfolio, will help customers drive down costs and time
associated with managing changes in user IT privileges.
Is there a particular sector in India that is likely to
benefit more from IM?
Compliance is driving the market for IM solutions. Enforcing and auditing authentication
practices and access control policies is a critical element of compliance projects.
Multiple regulations such as Sarbanes-Oxley and HIPAA mandate different aspects
of privacy or accountability. This requires organisations to have IT systems
to ensure that employees get access only to resources they have been granted
permissions for.
Consider an industry such as BPO, where companies are subject
to multiple regulations that mandate privacy and accountability. Privacy
regulations such as the EU directive or American sector-specific legislation
such as the Gramm-Leach-Bliley Act of 1999 create controls on how personal identity
information can be processed in IT systems. These regulations establish requirements
for the privacy policy control component of an IM system and impose constraints
on how businesses can use identity information. With advanced auditing features,
it is possible to provide a log of users with the time that they log in. This
can be used to detect patterns and single out exceptions.
How does the TruLogica acquisition help HP compete in the
security space?
The release of IM solutions represents our entry into one of three security
markets. In addition to IM, we have groups working on computing infrastructure,
creating computers that use encryption to better secure data and improve defences
against online intruders.
Further, we have invested in proactive security management
such as a digital immune system that tests computers connected to the network
for susceptibility to the latest online threats.
IM software can bring dramatic cost savings for large companies relying on multiple
operating systems. Additionally, for companies with a variety of systems and
network resources, these tools simplify the job of security management because
they give the administrator a single view of each user. For instance, in a network
that uses IM, it's easier for an administrator to disable the accounts
of an employee who is fired or leaves. The software also makes it easier to
establish new employees' access to network resources such as printers,
thus reducing the amount of time they need to get it up and running.
Venkatesh Ganesh