SAN FRANCISCO — Software and standards for building interoperable identity-management systems are evolving rapidly, but streamlining business processes and cleaning up personnel data remain major stumbling blocks to corporate adoption of the technology.

At this week’s annual Burton Group Catalyst Conference, IT executives said standards and the support for those standards in products are moving along rapidly, including adoption of Security Assertion Markup Language (SAML), which provides a common way to share end-user credentials.

Boeing helped to validate that technology by detailing the deployment of a SAML-based integration project with Southwest Airlines that gives the airline’s mechanics single sign-on access to repair manuals stored on Boeing’s corporate networks.

Also, Service Provisioning Markup Language (SPML), which is nearing ratification, is generating interest based on its promise to integrate systems for user-account provisioning. And IT executives are watching advancements related to the use of roles and rules in access-management software to control users’ network privileges.

Those same IT executives say aligning internal and external business processes with automated network functions — and cleaning up multiple repositories of user information — are issues the technology can’t solve but that must get addressed before identity management can succeed.

“It’s clear identity has become a strategic business issue, not just a technology issue,” says Jamie Lewis, president of consultancy Burton Group.

The drivers are regulatory issues and legislation that require companies to protect user privacy, ensure the accuracy of corporate financial data, and audit and log their efforts to ensure compliance.
Those pieces of legislation include the Sarbanes-Oxley Act, Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act, and USA PATRIOT Act.

“We are at the point where we have executive visibility,” says Steve Linstead, directory services architect for Johnson Controls, a Milwaukee, Wis., supplier of automotive parts and building controls, including those for heating/cooling. But he says he can’t satisfy demands overnight, and it won’t be the technology that holds him up.

“It doesn’t matter how slick the technology is, it’s the data. We have data-integrity issues we are trying to solve. The common theme for identity management is that the data you start with has to be reliable.” Linstead says the company has standard identities for e-mail, network access and voice, and is working on other applications.

Data dilemma

Others agree that user data is a pressing issue.

“My executives are finally waking up to the fact that identity management is a data strategy,” says an executive security analyst for a major insurance company. “We have master records for policy holders and processes for managing those records. We need a similar strategy for managing identity. It’s a data-strategy issue and you have to know what you’re doing. A fool with a tool is still a fool.”

End users are optimistic that work to clean up data and align business processes with identity-management goals will bear fruit. That thinking is due, in part, to the fact that standards such as SAML are starting to show their promise.

Boeing has integrated thousands of Southwest Airlines user accounts into a federated identity environment using a Web-based authentication system supported by SAML.
Similar integration projects are in the works with Boeing subsidiaries and partners.

“If we can deliver services to our customers that they can integrate into their environments then we become indispensable,” says Mike Beach, associate technical fellow for security and directory services at Boeing. “We think SAML is huge.”

In fact, users say standards are the spark to ignite identity-management systems that can be integrated, or federated, across corporate boundaries.

Fred Wettling, infrastructure architect for Bechtel in San Francisco, says standards compliance is climbing from No. 2 to No. 1 on the company’s criteria list for product evaluation.

“Interoperability has to be built in, based on standards,” he says.

“I’m betting on standards,” says George Dobbs, assistant vice president for infrastructure architecture at a major insurance company. “We need federated identity management. We have partners with employees that we need to bring onto our systems.” Dobbs is looking at SAML to help support a single-sign-on environment to serve the army of agents that need data from the company’s systems on a daily basis.

But experts say the standards aren’t the complete answer.

“The thought is that standards will make things work easier out of the box, but there is still a lot of work to do to get identity management working right,” says David Rusting, senior solutions architect for ePresence, a consulting firm in Westboro, Mass. “That leads to a lot of disillusionment. Folks who have been involved with directory projects have been through this.”

Rusting says he finds users have lots of legacy systems, which he defines as anything that is currently deployed in production.
“They have a lot of identities, access-management systems, and authentication and authorization systems, which means they don’t know who has access to what.

“That is the bottom line — companies don’t know who has access to what, and that has to change,” he says.

Building toward identity management

With business issues fueling the need for identity management, network and IT architects are putting together the necessary infrastructure.

Challenges

• Regulatory issues and government legislation are forcing companies to accelerate identity management efforts to achieve compliance.
• Business processes, such as steps to add or delete users, have to be automated.
• Tight budgets still are forcing companies to make tactical strikes instead of implementing detailed, long-term plans.
• Ongoing vendor consolidation can make it hard to choose products, set direction.

Strategies

• Prioritize efforts and evaluate best places to make investments of time and money in building identity infrastructure.
• Require vendors to deliver products that adhere to standards, and pressure those vendors to participate in the development of them.
• Adopt Web services and a loosely coupled architecture to ease integration, reduce complexity and support identity management scalability.