
What customers are pushing for in identity management

Apr 26, 2006 | 3 mins
Access Control, Networking

* Sharing some thoughts on identity management with HP's identity director

At this year’s RSA conference in February, HP announced OpenView Select Audit. The product features a visual control modeling framework that provides a dashboard mapping compliance guidelines to IT audit controls, and a centralized audit system that helps prevent tampering with records by keeping a digitally signed aggregation of every administrative action, user change, access request and authorization decision.

This was a major addition to HP’s identity management product line, so Sai Allavarpu, director, product management and marketing of HP identity and security management, set out immediately after the show to visit with HP customers to introduce the product while gathering information about the customers’ identity needs.

I had the chance to sit down with Allavarpu last week, while he was “visiting” home for a while, and he shared with me the customers’ concerns and desires.

Regulatory compliance is still the No. 1 driver of identity management projects, he told me. But users are moving beyond simply auditing activity. They want secure audits, audits that are tamper-proof. Most audit logs, after all, are simply text files. They’re easily modified by anyone with access to them who knows what to look for. Customers are looking for encrypted, digitally signed, or read-only audit logs but will accept, at a minimum, audit logs that are themselves audited.

Additionally, there’s a strong push for separation of duties – moving some activities and monitoring outside IT and outside the office of the chief security officer. Independent, third-party security audits are becoming more commonplace.

Allavarpu did note that it’s not all about separating and breaking up functionality, though. The most widespread issue he heard about was what could be termed “enterprise change management.” Identity people have been involved in user change management for some time. Software engineers work on versioning and change management constantly. Manufacturing has long dealt with change management when it comes to processes and hardware. But what organizations want now, according to Allavarpu, is a wrapping together of management of all the changes that touch the various parts of the enterprise – people, things and processes. That is: users (people), IT and telecommunications hardware (things), and the entire business lifecycle (processes).

We know about the identity of people, we’ve talked about the identity of things, but processes? I’m sure we can do something with the identity of processes – but before I spout off on that let’s hear what you have to say. Is there a grand unified theory of identity in the enterprise? Tell me about it.