Wednesday | 3 December, 2008
Identity management in action
Dan Tynan 26/10/2005 15:28:31

Comply or die

The network management benefits of IDM are attractive to any organization, but the biggest single driver for adoption may be lawmakers. IDC analyst Sally Hudson estimates that compliance is behind 70 percent of the revenue in the identity and access management market.

"There's a big rush to be compliant, especially around Sarbanes-Oxley," says Wynn White, senior director of technology marketing and security and identity products at Oracle. "Companies have put together these manual processes with chewing gum, baling wire, and glue. It's very expensive and not all that secure." White says IDM systems can standardize how enterprises segment users and control access, driving down the overall cost of compliance.

Rich Casselberry, CIO for networking security firm Enterasys, says its identity management system makes dealing with compliance issues a more pleasant experience. The company uses MIIS (Microsoft Identity Integration Server) 2003 to manage accounts for more than 800 full-time employees and up to 150 contractors.

Because Enterasys is a longtime Windows shop, integrating MIIS 2003 into its network was relatively straightforward, Casselberry says. It took the company less than three months to implement the IDM system, at a cost of $US125,000.

Using MIIS, Enterasys creates different types of accounts for contractors who need access to network resources -- help desk employees, for example -- and those who don't, such as building contractors. Casselberry says that comes in handy when it's time for the company's annual Sarb-Ox audit.

The MIIS system "takes what used to be a two- or three-day conversation and reduces it to 30 to 45 minutes," Casselberry explains. "The challenge is convincing the auditors that our system really works. They say, 'It can't be that easy; we need to see the logs.' So we show them the logs."

Results like these are often enough to convince even the most budget-conscious executives, says Oracle's White. "One of the bigger pain points around identity management has been getting buy-in across the entire organization. In the early days you saw islands of deployment, but you ultimately hit a wall. Compliance concerns are helping push IDM out onto everyone."

Confronting complexity

Although a simple SSO scheme can be rolled out in a matter of months, implementing a full IDM suite within a large enterprise can literally take years, due to the technical complexity of managing access across multiple platforms and applications.

"When you have proprietary apps that maintain their own database of users and access restrictions, it becomes more difficult and expensive," notes Toby Weir-Jones, director of product management at Counterpane Internet Security. "Traditional infrastructure companies are populated with huge numbers of these applications. You can't just rip them all out and do something simple."

For example, Regions Financial began implementing Sun Microsystems' access management scheme for its 25,000 employees in January 2005, but only completed phase one of the project -- password management -- in August. Part of the challenge was making sure that Sun Java System Identity Manager could communicate with the many diverse applications Regions uses in its day-to-day operations, says Bruce Paterson, a senior project manager at the company's technology department.

To do this, Regions uses software "adapters" that log in to each application and sync user names and passwords with those in Identity Manager. Sun's IDM suite came bundled with adapters for such well-known systems as Lotus Notes and Microsoft Active Directory, but Regions had to build custom adapters for many of its other apps. The password management system had to be tested across Regions' individual PC and network environments, then incrementally rolled out across the company.

"We did a lot of testing to make sure Identity Manager would work with all the different environments in the company," Paterson says. "We tested it in our retail branches, back offices, and call centres over a two-month period before we started the rollout, then we took another six weeks to implement it across our different geographical regions. We did this so if a problem was detected, it wouldn't impact the entire company."

At press time, Regions was beginning to roll out Sun's account provisioning functionality. Instead of tackling the organization as a whole, the bank is only defining job roles as employees are hired or change jobs. Provisioning will initially be limited to the network, Lotus Notes, and the mainframe. In the next phase, slated to be completed in February, Regions plans to automate provisioning for its bank tellers.

Paterson says the project has cost around $US500,000 so far, including the cost of all internal labour, outside contractors, and consultants. "We believe in developing some functionality, then deploying it; developing a little more functionality, deploying that, and so on," Paterson says. "If you keep doing this type of spiral development, your customers can see your progress."
