Closing the ID loophole

Systems integrators have partnered with technology companies to provide identity management software to agencies

In the current atmosphere of heightened security, technologies that give agencies tighter control over who can access computer networks and online information are getting some well-deserved attention.

In the past few months, several systems integrators have partnered with technology companies to provide identity management software to federal agencies.

Identity management software helps organizations consolidate user profile data and use customizable policies to automate the management of employee, contractor, business partner and customer access rights to software applications and network resources.

"Identity management systems have been out for a while — the last two-and-a-half years — but only recently do you see large enterprise customers understand why they need these solutions," said Brenda Toonder, vice president of marketing at Atreus Systems Inc., a Cupertino, Calif.-based developer of user provisioning software.

But the identity management market can be confusing, encompassing a wide range of products with "slightly different and overlapping value propositions," according to a report by Pete Lindstrom, research director at Spire Security, a Malvern, Pa.-based consulting firm.

Product categories include: consolidated user administration, directory management, password management, single sign-on, strong authentication, user provisioning and Web access control (see box). More integration among the categories will be a theme this year and beyond.

Customers "want an end-to-end solution for identity management, not just Web single sign-on," which lets users log on once and have access to multiple applications, said Kevin Cunningham, vice president of marketing at Waveset Technologies Inc., a provider of secure identity management products.

Waveset's Lighthouse product consists of provisioning software that automates many aspects of managing security controls, including password management.

An important new feature in the software is called Identity Broker. It automatically detects when a change is made to a profile in one application — a customer relationship management program, for example — then takes that revised information and synchronizes it across other enterprise applications.

Others say the industry must go beyond "basic-level" user provisioning, which focuses on setting up user accounts and IDs, to advanced provisioning, in which security settings take network performance and configuration factors into account.

In this scenario, based on bandwidth and security settings, high-priority traffic can take the quickest route to the intended person, Atreus' Toonder said. "That's where we're focused."

Identity management no doubt will be a focus of the new Homeland Security Department as federal officials seek to weave together 22 agencies under one umbrella, noted Lou Casal, director of product marketing at Computer Associates International Inc. The department will need an "integrated comprehensive approach" to deploying identity management, he said. The Islandia, N.Y.-based CA has a suite of software that includes user provisioning, password management and directory management.

The challenges facing managers who want to deploy identity management software across departments or agencies are political, not technical, experts say.

When managers try "to synchronize personal information across agencies, each agency believes it is the data source" and should be the one to approve the exchange of information, Waveset's Cunningham said. It is because of these political barriers to deployment that Waveset is "looking to marry technology with [an organization's] business processes," he added.

***

Gaining control

Identity management solutions span several product areas that may overlap but still have unique roles. Here are the key features:

* Consolidated user administration — Provides a single platform to manage user accounts and profiles.

* Directory management — Manages user accounts in a central Lightweight Directory Access Protocol (LDAP) directory.

* Password management — Allows users to update their own profiles and passwords and synchronizes passwords across multiple applications.

* Single sign-on — Authenticates the user for multiple applications so that the user needs to log on only once.

* Strong authentication — Validates the owner of a user account with several forms of protection such as a personal identification number, password and digital token.

* User provisioning — Creates and deletes user accounts from systems throughout the user life cycle.

* Web access control — Provides user account authorization for use by Web applications.
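The user provisioning and profile synchronization ideas in the box above, together with the Identity Broker behaviour described earlier (a change made to a profile in one application propagated to the others), as an added Python example that is not from the article or from any vendor it names. The role-to-application access policy, the application names, the user records and the "legacy" account planted to show orphan detection are all constructed for the example.

```python
"""Toy identity management core (added example, not vendor code).

Models three things the article describes:
  * policy-driven provisioning: a user's role entitles a set of
    application accounts, which are created or deleted to match;
  * broker-style synchronization: a profile attribute changed once is
    pushed into every application account the user holds;
  * life-cycle deprovisioning and detection of orphaned accounts
    (accounts with no active owner), a common audit finding.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Profile:
    user_id: str
    role: str
    department: str
    status: str = "active"      # "active" or "terminated"
    email: str = ""


# Hypothetical access policy: role -> applications the role is entitled to.
ACCESS_POLICY = {
    "analyst": {"crm", "email", "vpn"},
    "contractor": {"email"},
    "admin": {"crm", "email", "vpn", "directory_admin"},
}


class IdentityManager:
    def __init__(self) -> None:
        self.profiles: dict[str, Profile] = {}
        # application name -> {user_id: account attributes}
        self.app_accounts: dict[str, dict[str, dict]] = {}

    def provision(self, profile: Profile) -> list[tuple[str, str]]:
        """Register a profile and create the accounts its role entitles."""
        self.profiles[profile.user_id] = profile
        return self.reconcile(profile.user_id)

    def reconcile(self, user_id: str) -> list[tuple[str, str]]:
        """Create or delete accounts until they match what policy entitles.

        A terminated profile is entitled to nothing, so reconciling it
        removes every account: deprovisioning is the same operation.
        """
        p = self.profiles[user_id]
        entitled = ACCESS_POLICY.get(p.role, set()) if p.status == "active" else set()
        changes: list[tuple[str, str]] = []
        for app in entitled:
            accounts = self.app_accounts.setdefault(app, {})
            if user_id not in accounts:
                accounts[user_id] = {"email": p.email, "department": p.department}
                changes.append(("create", app))
        for app, accounts in self.app_accounts.items():
            if user_id in accounts and app not in entitled:
                del accounts[user_id]
                changes.append(("delete", app))
        return changes

    def update_profile(self, user_id: str, **fields) -> list[tuple[str, str]]:
        """Broker-style sync: one change to the profile reaches every app."""
        p = self.profiles[user_id]
        for name, value in fields.items():
            setattr(p, name, value)
        for accounts in self.app_accounts.values():
            if user_id in accounts:
                accounts[user_id].update({"email": p.email, "department": p.department})
        # A role or status change may alter entitlements, so reconcile too.
        return self.reconcile(user_id)

    def terminate(self, user_id: str) -> list[tuple[str, str]]:
        """End of the life cycle: mark terminated and strip all access."""
        return self.update_profile(user_id, status="terminated")

    def orphaned_accounts(self) -> list[tuple[str, str]]:
        """Accounts whose owner has no active profile (e.g. created locally)."""
        orphans = []
        for app, accounts in self.app_accounts.items():
            for uid in accounts:
                p = self.profiles.get(uid)
                if p is None or p.status != "active":
                    orphans.append((app, uid))
        return sorted(orphans)


if __name__ == "__main__":
    idm = IdentityManager()
    print(sorted(idm.provision(Profile("alice", "analyst", "finance", email="alice@example.gov"))))
    print(idm.update_profile("alice", department="audit"))          # attributes synced, no account changes
    print(sorted(idm.update_profile("alice", role="contractor")))   # crm and vpn removed
    idm.app_accounts["crm"]["bob"] = {"email": "", "department": ""}  # constructed legacy account
    print(idm.orphaned_accounts())
    print(idm.terminate("alice"))
```

The point of `reconcile` is that deprovisioning is not a separate code path: whatever the profile entitles is computed fresh, and the application accounts are moved toward that, so a role change and a termination both cause excess accounts to be deleted. `orphaned_accounts` shows the gap a central system can only detect, not prevent: an account created directly in an application, outside the provisioning flow, has no owner the policy knows about.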
