Qmunity: Your Colleagues. Your Connections. Your Content.

Identity Management and the Unified Fabric of Security

The main force driving the evolution of the identity management (IDM) market is, in my opinion, the growing need for organizations to have a unified view of identity in the enterprise.

I emphasize “unified” because for a while now the enterprise has seen a steady rise in the number of IDs that people have to manage in order to access the systems they need to do their work. This trend has spread to the cloud and added a whole new layer of complexity, not only for end-users, but also for those whose job it is to manage access, monitor activity, and enforce compliance in IT systems.

Here’s a kind of simplified example to illustrate what I’m talking about. Let’s say Bob, an accountant, is “Bob” in the accounting system. At the same time, Bob is “Robert” in the HR system, and he’s “Acct_Bob” in the messaging system. Keeping track of these IDs and their relevant passwords may be a hassle for Bob, but thinking that “Bob” and “Robert” are two different people can cause real problems when it comes to enforcing “separation of duties” standards to stay on the right side of Sarbanes-Oxley.

So, at a very basic level, IDM is being called on to solve this problem by mapping IDs across the enterprise and ensuring that we know exactly who everyone is. However, knowing who someone is is just the beginning. In terms of compliance, with Sarbanes-Oxley or PCI or HIPAA or whatever, you also have to know what they are allowed to do.
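The mapping problem described above, as an added example that is not part of the original post: a separation-of-duties check run first per account and then per correlated person. Only the three account names come from the post; the entitlements, the `emp-1001` person key, the `svc_old` account and the SoD rule are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: the first three account names are from the post;
# entitlements, the person key and the SoD rule are assumptions for this example.
ACCOUNTS = [
    {"system": "accounting", "account": "Bob", "entitlements": {"submit_payroll_change"}},
    {"system": "hr", "account": "Robert", "entitlements": {"approve_payroll_change"}},
    {"system": "messaging", "account": "Acct_Bob", "entitlements": {"send_mail"}},
    {"system": "accounting", "account": "svc_old", "entitlements": {"approve_payroll_change"}},
]
# Correlation map an IDM system would maintain: (system, account) -> person.
IDENTITY_MAP = {
    ("accounting", "Bob"): "emp-1001",
    ("hr", "Robert"): "emp-1001",
    ("messaging", "Acct_Bob"): "emp-1001",
}
# Sets of entitlements that one person must not hold together.
SOD_RULES = [frozenset({"submit_payroll_change", "approve_payroll_change"})]

def conflicts(entitlements):
    """Return every SoD rule fully contained in the given entitlement set."""
    return [sorted(rule) for rule in SOD_RULES if rule <= entitlements]

def check_per_account(accounts):
    """Naive view: every account is treated as a separate person."""
    return {(a["system"], a["account"]): c
            for a in accounts if (c := conflicts(a["entitlements"]))}

def check_per_person(accounts, identity_map):
    """Unified view: merge entitlements by correlated person, then check."""
    merged, orphans = defaultdict(set), []
    for a in accounts:
        key = (a["system"], a["account"])
        person = identity_map.get(key)
        if person is None:
            orphans.append(key)  # unmapped account: cannot be attributed to anyone
            continue
        merged[person] |= a["entitlements"]
    violations = {p: c for p, e in merged.items() if (c := conflicts(e))}
    return violations, orphans

if __name__ == "__main__":
    print("per account:", check_per_account(ACCOUNTS))
    print("per person: ", check_per_person(ACCOUNTS, IDENTITY_MAP))
```

The per-account check reports nothing, while the per-person check flags the conflict and lists the unmapped account separately so it can be reviewed rather than silently ignored.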

Of course, there is another layer to compliance that involves event monitoring and logging so that you can demonstrate compliance in case of an audit. While there are separate systems available that can provide this sort of monitoring and reporting, in the interest of creating and sustaining a unified vision of identity, it’s making more and more sense to ensure that you can integrate this capability with your IDM system.

Compliance and monitoring become even more difficult when some of the “events” you need to track are actually happening in the cloud. The question becomes, “Where is the ‘Book of Record’ on who did what when?” Does the SaaS provider hold it? Does the hoster? Do you?

Thanks to some of the recent legislation, consequences for security breaches or non-compliant behaviors can be severe. Everybody wants to know just how much they need to control themselves and who is responsible if something goes wrong. Let’s face it – nobody looks good in a striped jumpsuit.

Long story short, IDM is being asked to do a lot more than simply save the company money by automating the set-up of user accounts. Instead, it is becoming the fabric for putting in place an entire security and compliance infrastructure that reaches beyond the vanishing walls of the datacenter.

The good news is that IDM today can help enterprises create the unified view of identity they need. It’s also good news, from a cost perspective, that people are talking about “identity as a service,” meaning that access to these capabilities does not require the same intense investment it did five years ago.

What’s more interesting news to me is that no one knows exactly what this will look like five more years down the road. Any thoughts on that?


Posted Jun 02 2010, 09:29 PM by Jay

NetIQ, an Attachmate Business