Policy key to

Spending in the identity management market is set to rise significantly within the next four years, according to a recent report – but security experts differ on whether enterprises will put the money into IT, policy creation or education.

A study, titled Worldwide Security 3A Software Forecast Update and Competitive Vendor Shares, 2002-2007: Identity Management Takes Shape, released earlier this month by Framingham, Mass.-based analyst firm IDC, predicts that the identity management market will reach nearly US$4 billion by 2007 – up from US$593 million in 2002. That represents a 46 per cent compound annual growth rate, wrote author Brian Burke, research manager of IDC’s security products program.

Robert Garigue, chief information security officer at Bank of Montreal (BMO) in Toronto, said the findings of the report are a “sign of the times.” BMO started doing identity management proof-of-concepts two years ago but decided that the technologies available at the time – such as the software from Irvine, Calif.-based Access360, which was acquired by IBM in 2002 – weren’t mature enough. Now the bank is revisiting the idea. “We’ve been working on this, and now we think we’re converging to where we want to be,” he said.

Garigue pointed out that corporate policy formation is only one piece of the puzzle. By now, “most corporate policies are mature. But they only specify ‘what we would like you to do’ – they don’t tell you how to do it…. The expectancies need to be addressed, but then you need the resources to carry them out, and you need to know when is the right time to do it.”

Integration activity and licensing will probably be the biggest spending areas, Garigue predicted. “Integration…(is) all about aligning your processes (including employees, HR and operational support)…to the same level of maturity as your identity management framework. You need a very mature view of your organization.”

Andreas Faruki, a partner with Deloitte & Touche’s security services practice in Toronto, runs the consulting firm’s identity management group for Canada. He said he definitely foresees a rise in spending in the identity management space. “Organizations are revising their forecasts for the end of this fiscal to allow for large capital expenditures” for such identity management solution implementations, which could cost $250,000 or more.

Faruki said that at the moment, his firm is starting to see a spending uptake on the policy side, “because of changes in the regulatory environment,” such as the privacy laws which come into effect on Jan. 1, 2004. Sarbanes-Oxley, and its Ontario Securities Commission counterpart, Bill 198, are also drivers, he said.

Clients need solid policies before investing in the technology, he added. “You can’t figure out the solutions implementation until you know how to run it in your shop…. It doesn’t matter how much you spend on technology; if you don’t have good policy and processes to support that, your technology will generally be wasted.”

Alan McLaren, president of WhiteHat Inc., a security solutions provider in Burlington, Ont., agreed that policy creation and education would be the ideal place to start – but he thinks the biggest spending spike will be around front-end technology. The “critical components” IDC listed in its report include single sign-on, provisioning, authentication, legacy authorization, PKI, security management, automated self-service/delegation, and directory services. These components will require integration to knit them together into one solution, he said.

Garigue suggested the best way to implement an identity management solution is as a part of a company’s overall architectural renewal investment strategy. “[Do this] as part of an enterprise directory refreshment or a new HR support infrastructure – there are opportunities to integrate while doing other projects.”