Larry Whiteside's IT security budget is determined by which projects he can sell to his business and IT peers, based on the risks they mitigate. And for 2010, topping the risk agenda is identity and access management.
"This is something we really want to knock out next year," said Whiteside, chief information security officer at Visiting Nurse Service of New York, a not-for-profit home health care organization with some 12,000 health service employees.
Whiteside is in health care, where employee access and customer privacy are regulated by ever tougher breach notification mandates. But he and his IT director are not alone in seeing identity and access management (IAM) as a pressing concern.
Economic, demographic and technology forces are not only reshaping how businesses must deal with identity and access management but also ushering in a new crop of identity service providers, according to Bob Blakley, director of research of the privacy and security group at Midvale, Utah-based Burton Group Inc. Indeed, Burton predicts 2009 and 2010 will prove to be "watershed years" in the identity and privacy market, as companies look beyond traditional IAM software to a network of service providers that can address their changing needs.
Not your daddy's identity management
Why is identity management changing? First, an economic recession continues to drive major structural business change through acquisitions, mergers, bankruptcies and layoffs, generating a need for identity management systems that can handle sudden change. The financial crisis is also ushering in tougher privacy regulations. In addition, a new generation of employees continues to move work out of the enterprise, with Web-based business apps and smartphones in tow, while business partners, contractors and even customers agitate to move in.
The employee identity, once thought of as a corporate "asset" of the human resources and IT departments, is morphing into a "composite artifact" that is "always in motion, frequently changing," and shared piece by insecure piece with the many organizations an employee interacts with, Blakley stated. Making matters even more hair-raising, the current identity management solutions are not up to the task of this new reality.
"Businesses no longer have the luxury of leaving the CIO to manage a simplified, cartoon version of identity. Businesses at all levels must start managing real identities in all their messy complexity," he cautions in his recent 2010 identity and privacy strategies planning guide.
His advice: Organizations should consider using identity service providers to meet these increasingly complex and dynamic identity management needs, especially if they have large, shifting populations of nonemployee stakeholders who need corporate systems access.
Forrester Research Inc. analyst Andras Cser agreed that organizations are struggling with the cost and complexity of existing identity and access management solutions. Tight budgets make it difficult to justify the up-front investment in IAM, which Forrester pegs at easily $500,000 for the first phase. But the emergence of hosted identity and access management providers promises to reduce the operational and staffing costs of IAM. Forrester expects these services to grow by as much as 90% during the next year, driven by expansion into the health care and financial services industries.
The identity management vendor landscape
Blakley said that many types of identity service providers have emerged over the past two years, with offerings ranging from identity vetting and risk assessment to authentication. The services are delivered using name-branded, cloud-hosted models and "white-labeled" on-premise models, he said. But with either model, customers tend to contract with a variety of providers, or with providers who subcontract some tasks to other providers. "Consumers of identity services don't go to vertically integrated, one-stop-shop identity providers," he said.
That hasn't stopped companies like Facebook Inc. and Google Inc. from stating their intentions to become the provider of choice of identity on the Web, Blakley noted, citing Google's recent deal with Ping Identity Corp. to extend the reach of Google Apps login credentials to Software as a Service (SaaS) applications from vendors including Salesforce.com Inc. and WebEx Communications Inc. Other providers, like Covisint and Exostar LLC, are expanding beyond their traditional expertise (automotive and aerospace, respectively) to offer similar sets of services for other industries.
But Blakley said he's skeptical that these efforts to establish one-stop identity shops will pan out, "because no one organization can support all the relationships necessary to gather all the information" required to become a sole provider for a company's diverse user population.
In fact, the main reasons companies are moving away from in-house identity management suites to service providers are the ability to react quickly when services need to change and the need to verify identities of people who are not employees of the organization. Then there is also the issue of getting value out of the investment.
According to Gartner Inc., few other IT security technologies can match identity and access management's track record of failure. One perennial reason is that these projects require an enormous amount of time and participation by business -- not IT -- to define work roles and the access needed to perform that work.
The major vendors in the enterprise identity management suite market have failed to keep pace with these splintered identities, or the expanded pools of users that companies need to manage, Blakley said. Identity service providers have relationships for verifying identities that enterprises don't, allowing them to manage populations like outside partners more cheaply than the company can. In addition, some vendors of identity management suites, like Hewlett-Packard Co., have gotten out of the market altogether, while others have been acquired (Sun Microsystems Inc.), raising concerns about vendor and product viability.
Yet Blakley and others caution that serious concerns remain about identity service providers, including a lack of audit standards for assessing a provider's business continuity standards and regulatory compliance. Service-level agreements are not yet standardized. Liability for security, privacy and compliance failures is not well understood. And many identity service providers are still small, raising questions about their longevity.
Indeed, Whiteside said he will likely tap his organization's development team before looking to external providers. "This is something we will tackle over the next 12 to 18 months," he said.
Let us know what you think about the story; email Linda Tucci, Senior News Writer.
This was first published in October 2009