Users make headway in identity management
Burton Group conference attendees share steps taken on identity management.
By Neal Weinberg, NetworkWorld.com, 06/19/2006
SAN FRANCISCO -- Rolling out a complete identity management system is virtually impossible today, given the immature state
of the tools, frameworks and standards available. That doesn’t mean you can’t tackle discrete pieces of the identity management
puzzle, however, with projects that target single sign-on, two-factor authentication, automated provisioning or role-based
access control.
That was the central theme of this year’s Burton Group Catalyst Conference, where the research group’s CEO Jamie Lewis noted
that progress has been made since last year’s event, primarily in the area of application frameworks and tools. He added,
however, that these frameworks haven’t reached even 1.0 status and probably won’t be ready for prime time for quite a while.
Still, Lewis said, “cautious optimism is warranted.”
Major vendors such as CA, HP, IBM, Juniper, Microsoft, Novell and Oracle have made a commitment to identity management. Regulations
like Sarbanes-Oxley are driving companies to beef up their internal controls. And online customer authentication has become
a hot topic in light of new banking regulations and the security problems associated with identity theft and online fraud.
Given that there is no all-in-one identity management product today, companies are forging ahead and trying to solve specific
problems with point products.
For example, TransCanada Pipeline has 3,000 end users who used to average 13 passwords each. Password problems represented
20% of help desk calls. The company set out to implement single sign-on and two-factor authentication to boost security, make
life easier for end users and reduce help desk calls, according to technical architect Martin Vant Erve. TransCanada chose
a single sign-on product called V-Go from Passlogix and went with RSA SecurID — which was already in use by about 20% of
the company — for two-factor authentication.
Vant Erve approached the rollout gingerly, creating multiple pilot groups and even making signup voluntary in the beginning.
Eventually the whole company bought into the program, which accomplished two goals: improved security and easier end-user
navigation among the company’s 3,000 applications and Web sites. But Vant Erve found help desk calls increased. “I forgot
my token” is now one of the top three reasons people call the help desk, he said. Still, the company views the project as
a success, and a bonus is that TransCanada has one building block in place as it moves forward toward full-blown identity
management.
Compliance was the driving factor behind Toro Co.’s move to role-based access control, according to Michael Drazan, vice president
of corporate information services at the $1.8 billion company. He had a variety of issues to address. First, if he had graded
his access control system relative to Sarbanes-Oxley compliance, it would have scored between a C- and a D. Another problem
was that his security team spent most of its time dealing with password problems. And Drazan had a financial constraint: He
did not want to spend additional money on security, because his overriding strategic goal was to use IT resources, not on
operations, but to help drive the business forward.