Software and standards for building interoperable identity-management systems are evolving rapidly, but streamlining business processes and cleaning up personnel data remain major stumbling blocks to corporate adoption of the technology.
At The Burton Group Corp.'s annual Catalyst Conference this week, IT executives said standards, and product support for those standards, are moving along rapidly, including adoption of Security Assertion Markup Language (SAML), which provides a common way to share end-user credentials.
The Boeing Co. helped to validate that technology by detailing the deployment of a SAML-based integration project with Southwest Airlines Co. that gives the airline's mechanics single sign-on access to repair manuals stored on Boeing's corporate networks.
Also, Service Provisioning Markup Language (SPML), which is nearing ratification, is generating interest based on its promise to integrate systems for user-account provisioning. And IT executives are watching advancements related to the use of roles and rules in access-management software to control users' network privileges.
Those same IT executives say that aligning internal and external business processes with automated network functions, and cleaning up multiple repositories of user information, are issues the technology can't solve but that must be addressed before identity management can succeed.
"It's clear identity has become a strategic business issue, not just a technology issue," says Jamie Lewis, president of consultancy Burton Group.
The drivers are regulatory issues and legislation that require companies to protect user privacy, ensure the accuracy of corporate financial data, and audit and log their efforts to ensure compliance.
"We are at the point where we have executive visibility," says Steve Linstead, directory services architect for Johnson Controls, a Milwaukee, Wis., supplier of automotive parts and building controls, including those for heating/cooling. But he says he can't satisfy demands overnight, and it won't be the technology that holds him up.
"It doesn't matter how slick the technology is, it's the data. We have data-integrity issues we are trying to solve. The common theme for identity management is that the data you start with has to be reliable." Linstead says the company has standard identities for e-mail, network access and voice, and is working on other applications.
Others agree that user data is a pressing issue.
"My executives are finally waking up to the fact that identity management is a data strategy," says an executive security analyst for a major insurance company. "We have master records for policy holders and processes for managing those records. We need a similar strategy for managing identity. It's a data-strategy issue and you have to know what you're doing. A fool with a tool is still a fool."