In what appears to be a boon for Sun Microsystems' fledgling software business, financial services giant AMP will this year migrate 45 of its core applications from an in-house proprietary system based on Lotus Notes to the open standards Sun Java System Identity Manager.
The move is a significant step in a three-year identity management journey that began without going near identity management technology, according to AMP risk management IT manager Mark Pigot.
"Before we did anything we identified what the context is and where it fits into our business," Pigot said, adding that a third-party vendor saying you have to have identity management "doesn't wash within AMP".
The company spent 18 months developing a policy framework for identity management with the anticipation of achieving same sign-on and password synchronization for some 4500 employees who access the core applications.
Pigot said the new standards-based system will go live at the end of April and was chosen for its technology fit because it had to support multiple systems and have the flexibility to support AMP's business processes.
"It will be a complete replacement of proprietary technology [and] phase by phase, we will progressively introduce password synchronization," he said, adding that AMP still has quite a few legacy systems.
"AMP has lots of pigs and lots of lipstick. Some systems are 25 years old. Linux is emerging in terms of open source, but we have mainframes, mid-range, and every combination of Wintel systems."
In addition to the 45 applications "that we care about", AMP has more than 100 other applications that are not integrated. Whether these are brought into a unified identity management infrastructure will depend on their risk profile.
"You need to ask what you need for ID management but also per application 'what am I controlling to mitigate operational risk'," Pigot said. "Two-factor authentication is a rather blunt ID management instrument to apply to the whole organization. It may be acceptable for your organization, but for AMP many apps don't justify it. Again, map it to the organization's risk profile. How you implement ID management to control access will depend on what [the profiles] look like."
Other factors driving AMP's identity management push are "straight compliance", because the company needs to know who authorizes what and why for Sarbanes-Oxley, and a key IT risk management initiative, as "that tends to legitimize compliance".
"IDM is a journey not a destination [so] know your business, know your technology, and know what you want from identity management," he said.
Pigot said he has seen identity management failures where a team seeks to enforce a new way of operating without understanding the context in which to embed the practices.
"There has to be a balance struck between working practices and ID management purity," he said.
Sun Microsystems' identity management practice manager for Australia and New Zealand Gary O'Brien said this is the third deal in the local market where its product was chosen over an incumbent.