Wednesday | 3 December, 2008
Identity management in action
Dan Tynan 26/10/2005 15:28:31

The identity challenge

For many enterprises, the hardest part of rolling out an IDM suite isn't testing and deploying the software. The bigger challenges are documenting business practices and defining who gets access to what.

"Having clear processes documented from the start was a huge help," says Cindy Sellers, chief information security officer at Principal Financial, which uses Thor Technologies' Xellerate to automate and track access for its 15,000 employees. "If we had to start from scratch by documenting our processes, it would have slowed us down tremendously."

No one understands that better than SunTrust's Callahan. "The hardest part for us has been defining the roles," he says. He estimates that the company has defined about 150 roles or levels of access based on business unit and job title.

SunTrust began the process of defining access control roles in February 2003. By the end of the first year it had assigned roles for 60 percent of its 35,000 employees. Callahan says he hopes to reach 80 percent by the end of this year.

There is no doubt that implementing an identity management scheme can be expensive, complex, and time-consuming, but it can also lead to greater efficiencies and cost savings over the long haul. More importantly, the alternatives aren't pretty.

Like insurance, the true value of an IDM infrastructure is often measured against the bad things that could happen if you don't have one -- from running afoul of federal regulations to inadvertently exposing sensitive data to unauthorized parties.

"What would you pay to avoid being featured in a negative article on the front page of the Wall Street Journal? You'd pay a lot," says Counterpane's Weir-Jones. "In the end, it's a lot cheaper to be well prepared than to recover from being ill prepared."

Ogilvy & Mather links its identity systems to those of its clients

When clients of advertising giant Ogilvy & Mather want to collaborate on budgets or watch rough cuts of commercials, they're likely to log on to the company's network and do it online. The process speeds delivery and saves on travel costs, but it can also add a big security and regulatory burden. Before deploying IDM (identity management), Ogilvy found itself managing user names and passwords for more than 23,000 external users, in addition to the company's 13,000 employees, says Andres Andreu, technical director of Web engineering and applications for the firm. The solution Ogilvy turned to was identity federation.

In September 2004, Ogilvy rolled out IBM TFIM (Tivoli Federated Identity Manager) to manage both internal and external access to its network. TFIM helped to relieve the management burden from Ogilvy's IT staff by allowing clients to maintain their own user directories. Using federation, client networks seamlessly exchange identity data with Ogilvy's, based on one of three major identity federation standards. Andreu says Ogilvy is currently federated with three big clients, representing roughly half of the agency's external users. He expects nearly all of its clients to join the federated network eventually.

Using a federated access system also reduces Ogilvy's burden under Sarbanes-Oxley. "If we were still storing data for those three clients, we'd have to become part of their compliance process," Andreu says. "Now we only have to make sure the transfer mechanism for credentials is secure." Still, if implementing identity management internally is not a trivial task, taking the next step to a federated system is even more challenging. Any enterprise hoping to bring more than one or two partners into federation would have to embrace all three major standards -- Liberty Alliance, Microsoft and IBM's Web Services (WS-*) architecture, and SAML (Security Assertion Markup Language), formulated by OASIS.

"Companies are accepting that they will have to deal with a mix of standards," says IDC analyst Sally Hudson. "Most major vendors can accommodate all three of the standards at some level."

Mike Neuenschwander, research director for the Burton Group, says most IDM vendors appear to be converging on SAML 2.0 for single sign-on, but provisioning and Web services standards remain less well defined. He's quick to point out, however, that when making the leap to identity federation, the biggest challenges lie in a different kind of interoperability.

"The real barriers aren't technological," Neuenschwander says. "They're working out the agreements and legal contracts to set up trust relationships across the organization. That tends to take more time than deploying the technology."
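Once the contracts are signed, the technical core of the federation Ogilvy describes is the service provider deciding whether to accept an assertion a partner's directory has issued, and that decision is where "the transfer mechanism for credentials" has to be secure. The following is an added example, not code from the article, Ogilvy & Mather or IBM TFIM: a relying party validating a SAML 2.0 assertion, checking in order that the issuer is a configured partner, that the signature covers the assertion it received, that the validity window (with clock-skew tolerance) and audience restriction hold, and that the assertion ID has not been seen before. The partner entity IDs, key, timestamps and subject are constructed sample data, and an HMAC over the serialized assertion stands in for the XML-DSig RSA signature a real IdP produces; the point is the sequence of checks, not the signature primitive.

```python
"""Relying-party checks on a SAML 2.0 assertion from a federated partner.

Added example; not code from the article, Ogilvy & Mather or IBM TFIM.
Assumption: an HMAC over the assertion bytes stands in for XML-DSig.
All identifiers, keys, times and subjects below are constructed sample data.
"""
import copy
import hashlib
import hmac
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("saml", SAML)
ET.register_namespace("ds", DS)

# Per-partner trust configuration held by the service provider (constructed).
# A real SP keeps the partner's signing certificate here, not a shared key.
TRUSTED_ISSUERS = {"https://idp.client-a.example/saml": b"client-a-demo-key"}
OUR_ENTITY_ID = "https://sp.agency.example/saml"   # the only audience we accept
CLOCK_SKEW = 120                                   # seconds of tolerated drift


def _ts(s):
    """SAML timestamps are UTC ISO-8601 with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def _signed_bytes(assertion):
    """Serialize the assertion with its Signature element removed (enveloped rule)."""
    c = copy.deepcopy(assertion)
    for sig in c.findall(f"{{{DS}}}Signature"):
        c.remove(sig)
    return ET.tostring(c, encoding="utf-8")


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_assertion(issuer, subject, audience, not_before, not_on_or_after, assertion_id, key):
    """What the partner's IdP emits; a stand-in for a real identity provider."""
    a = ET.Element(f"{{{SAML}}}Assertion", {"ID": assertion_id, "Version": "2.0"})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(ET.SubElement(a, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameID").text = subject
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions",
                         {"NotBefore": not_before, "NotOnOrAfter": not_on_or_after})
    ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction"),
                  f"{{{SAML}}}Audience").text = audience
    value = _mac(key, _signed_bytes(a))          # sign before the Signature element exists
    sig = ET.SubElement(a, f"{{{DS}}}Signature")
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = value
    return ET.tostring(a, encoding="utf-8")


def validate_assertion(xml_bytes, now, trusted_issuers=TRUSTED_ISSUERS,
                       audience=OUR_ENTITY_ID, seen=None):
    """Service-provider side. Returns (True, subject) or (False, reason).

    Order matters: pick the key from the issuer, verify the signature before trusting
    any other field, enforce the conditions, then record the ID to block replay.
    """
    seen = set() if seen is None else seen     # production: shared store with expiry
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAML}}}Assertion":
        return False, "not a SAML assertion"
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    key = trusted_issuers.get(issuer)
    if key is None:
        return False, f"untrusted issuer {issuer!r}"
    presented = root.findtext(f"{{{DS}}}Signature/{{{DS}}}SignatureValue") or ""
    if not hmac.compare_digest(presented, _mac(key, _signed_bytes(root))):
        return False, "signature invalid"
    cond = root.find(f"{{{SAML}}}Conditions")
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return False, "missing validity window"
    if now + CLOCK_SKEW < _ts(cond.get("NotBefore")):
        return False, "not yet valid"
    if now - CLOCK_SKEW >= _ts(cond.get("NotOnOrAfter")):
        return False, "expired"
    audiences = [e.text for e in cond.iterfind(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience")]
    if audience not in audiences:
        return False, "audience restriction does not name this service provider"
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen:
        return False, "missing or replayed assertion ID"
    seen.add(assertion_id)
    return True, root.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")


def tamper(xml_bytes, new_subject):
    """Attacker's view: rewrite the subject of a signed assertion without re-signing."""
    root = ET.fromstring(xml_bytes)
    root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID").text = new_subject
    return ET.tostring(root, encoding="utf-8")


# Constructed sample: a five-minute assertion for alice, issued by partner client A.
NOW = _ts("2005-10-26T15:30:00Z")
SIGNED = build_assertion(
    issuer="https://idp.client-a.example/saml", subject="alice@client-a.example",
    audience=OUR_ENTITY_ID, not_before="2005-10-26T15:25:00Z",
    not_on_or_after="2005-10-26T15:35:00Z", assertion_id="_demo-0001",
    key=TRUSTED_ISSUERS["https://idp.client-a.example/saml"])

if __name__ == "__main__":
    cache = set()
    print(validate_assertion(SIGNED, NOW, seen=cache))       # accepted
    print(validate_assertion(SIGNED, NOW, seen=cache))       # same ID again: replay rejected
    print(validate_assertion(tamper(SIGNED, "ceo@client-a.example"), NOW))  # signature invalid
```

Two of these checks are the ones most often skipped in home-grown federation code and are worth calling out. The audience check is what stops an assertion a partner legitimately issued for some other service provider from being presented to this one, and the replay cache is what stops a captured assertion from being reused inside its validity window. In a real deployment the signature step is XML-DSig verification against the partner's published certificate, which a maintained SAML library should perform; the surrounding checks still have to be configured and enforced by the relying party.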
