IAM terminology and vendors
Identity and access management (IAM) offerings fall into the following broad categories:
Strong, or multifactor, authentication beefs up password protection by adding layers of identification to access a given system. For example, with two-factor authentication, users identify themselves in two ways: (1) typically by means of something they know, such as a PIN or password, and (2) by means of something they possess, such as a smart card or USB token that provides single-use, time-specific passwords. Biometric systems authenticate by means of the end user's fingerprint or retinal scan.
Vendors: Imprivata Inc., RSA Security Inc., Cryptocard Inc., Secure Computing Corp., VeriSign Inc.
Single sign-on (SSO) gives end users access to all applications and services for which they are authorized via a single procedure. It is often combined with multi-tier authentication, says Jonathan Penn of Forrester Research.
Vendors: RSA Security, Imprivata, Passlogix Inc., ActivIdentity Inc., IAM suite vendors.
IAM suites provide a combination of IAM applications integrated at least at the user interface level. While they rarely include strong authentication, they typically support a range of third-party authentication products. Suites typically include SSO, plus the following:
Vendors: CA, Hewlett-Packard Co., IBM Corp.-Tivoli, M-Tech Information Technology Inc., Courion Corp., Oracle Corp., Novell Inc., Siemens AG, RSA Security.
Still, Blue Cross and Blue Shield of Kansas City (BCBSKC) got the job done. The platform went live this fall, and Sparks has high hopes of achieving all his goals. He has already seen some payback: RSA Security Inc.'s Access Manager has eliminated many help desk calls by reducing the number of passwords end users have to remember from about 10 to one. As a result, the staffers dedicated to dealing with password-related problems -- the equivalent of two full-time positions -- have been redeployed to "high-value tasks," he says.
When it began its deployment, BCBSKC was something of a midmarket pioneer. But today, more and more midsized firms are adopting IAM if not whole hog, then one step at a time. Some are starting out with one comparatively simple IAM application. Others are taking advantage of a growing body of midmarket-oriented IAM suites. These products enable midmarket firms' IT staffs to meet progressively more stringent security and regulatory requirements for an increasingly diverse user base without overburdening IT administrators or end users.
How? IAM automates basic security tasks such as managing passwords and controlling user access rights. As applications and systems proliferate, performing such tasks manually becomes complicated and arduous; each directory or user database requires a manual login and a different set of tools for managing user accounts. As a result, "access controls build up over time like barnacles on a boat," notes Jamie Lewis, CEO of Burton Group, a Midvale, Utah-based consultancy. Furthermore, system access now often extends to business partners and contractors, widening the pool of users for administrators already struggling to keep up with growing or shrinking corporate rolls.
This was first published in November 2006