The Compliance Card and Other Benefits
While midmarket figures are hard to come by, the total IAM market is growing at a quick clip of about 20% a year, according to research firm Gartner Inc.
And IT executives at midsized firms are dealing with the same internal security concerns and regulatory pressures that are driving enterprise adoption, notes Burton Group's Lewis.
Take Unicco Service Co., the Newton, Mass.-based $700-million firm that provides janitorial and landscaping services. It doesn't come directly under the Health Insurance Portability and Accountability Act or Sarbanes-Oxley (SOX), "but our customers do," says Bill Jenkins, the firm's senior director of IT. "They're always asking us questions about what controls we have in place, how we're managing user accounts, how people get access. If we are not [complying with security regulations], we become a liability for them. It's not a big issue yet, but our CFO wants us to move in the right direction." Jenkins recently deployed a limited, prepackaged version of IBM Tivoli Identity Manager.
At Financial Engines Inc., a financial consulting firm based in Palo Alto, Calif., "We're subject to Gramm-Leach-Bliley, but we also are increasingly coming under SOX, because while we're not public, we provide services for public financial firms," says Matthew Todd, CISO and vice president of risk and technical operations. The company has set up formal processes for terminating departing employees' access rights and automated workflow procedures for hiring and firing using Serena Software Inc.'s TeamTrack. It also uses two-tiered authentication for critical applications: To gain access to important financial applications, end users must key in a password and a one-time code supplied by an RSA SecurID fob.
But regulatory compliance is just one benefit of IAM; another is quick payback from fewer help desk calls. "We've seen real instances where a company eliminates about 80% of [password-related] help desk calls by putting in password management," says Lewis. "It can be as simple as a self-service password reset console." Given Burton Group's estimate that 30% to 40% of help desk calls are password related, self-service password management can save a lot of IT man-hours, even at a midmarket company. "Seven-hundred-million-dollar companies have lots of people and a lot of help desk calls," Lewis notes.
Single sign-on (SSO) can also minimize help desk calls as well as boost security and end-user satisfaction. In mid-2005, an RSA Security survey of approximately 1,700 end users found that 25% of respondents keep their passwords on a spreadsheet or other document stored on a PC; 22% on a PDA or handheld device; and 15% on a piece of paper. By enabling employees to access all applicable systems with one password, SSO not only makes life simpler for employees but also makes these insecure practices unnecessary. And it strengthens security by enabling IT staffs to enforce strong password policies -- frequent changes or complex character strings, for example -- without overburdening end users, says Jonathan Penn, a principal analyst at research firm Forrester Research Inc.
This was first published in November 2006.