Compliance pushing identity management in new directions
Trend has given rise to identity-based risk management, auditing and policy enforcement tools from vendors such as Aveksa, Sailpoint and Vaau
By John Fontana, Network World, 09/27/2007
SAN FRANCISCO – Compliance issues are shifting the focus of identity management away from administration of users and
more toward access control and authorization to meet regulatory mandates.
The recognition of that shift was one of the highlights of this week’s Digital ID World conference, which is put on by Network World parent company IDG.
Identity management has not finished cutting its teeth on password synchronization, single sign-on, provisioning and privileges,
but it is now more aligned with supporting access control, management, verification and authorization, according to Jamie
Lewis, CEO of the Burton Group, who delivered a keynote presentation on the second day of the conference.
“Compliance has changed the landscape; it has changed enterprise identity management,” says Lewis. He says the foundation
of identity management remains business processes and a supporting infrastructure but that the current trends suggest that
users are focused on using those foundational elements for identity-based access control to systems and resources in accordance
with company policies. In other words, to lock down access and log and audit such things as who is using their systems, when
and what data they are accessing.
The trend has given rise to identity-based risk management, auditing and policy enforcement tools from vendors such as Aveksa, Sailpoint and Vaau.
Some users say the changes are contributing to a slowdown in the evolution of identity technology, which they say is not living
up to original expectations, especially around federation.
Compliance is part of the slowdown, users say, but it is also caused by new user-centric identity models, which are fostering
questions around where the true value lies in identity projects.
“We’re still at the beginning four or five years after we started,” said one IT architect for a Fortune 500 company who requested
anonymity. “Progress is slower than anticipated and there is a lot of uncertainty. By this time we thought federation would
be commonplace.”
The IT architect says there is no question identity is a required infrastructure technology but that evolving past his company’s
first major project has been frustrating.
He says developments around foundation elements like the Liberty Alliance, Security Assertion Markup Language, WS-Federation
and open identity technologies have created a lot of churn.
He says Microsoft’s push around its new claims-based authorization model is making the picture cloudier, not more clear.
Experts add that the evolutionary slowdown also is a byproduct of the difficulty in executing identity management projects,
especially federation, which requires coordination and trust models that can be complex when they cross corporate security
boundaries and multiple countries.