Software and standards for building interoperable identity-management systems are evolving rapidly, but streamlining business processes and cleaning up personnel data remain major stumbling blocks to corporate adoption of the technology.
At this week's annual The Burton Group Corp. Catalyst Conference, IT executives said standards and the support for those standards in products is moving along rapidly, including adoption of Security Assertion Markup Language (SAML), which provides a common way to share end-user credentials.
The Boeing Co. helped to validate that technology by detailing the deployment of a SAML-based integration project with Southwest Airlines Co. that gives the airline's mechanics single sign-on access to repair manuals stored on Boeing's corporate networks.
Also, Service Provisioning Markup Language (SPML), which is nearing ratification, is generating interest based on its promise to integrate systems for user-account provisioning. And IT executives are watching advancements related to the use of roles and rules in access-management software to control users' network privileges.
Those same IT executives say aligning internal and external business processes with automated network functions - and cleaning up multiple repositories of user information - are issues the technology can't solve but that must get addressed before identity management can succeed.
"It's clear identity has become a strategic business issue, not just a technology issue," says Jamie Lewis, president of consultancy Burton Group.
The drivers are regulatory issues and legislation that require companies to protect user privacy, ensure the accuracy of corporate financial data, and audit and log their efforts to ensure compliance.
"We are at the point where we have executive visibility," says Steve Linstead, directory services architect for Johnson Controls, a Milwaukee, Wis., supplier of automotive parts and building controls, including those for heating/cooling. But he says he can't satisfy demands overnight, and it won't be the technology that holds him up.
"It doesn't matter how slick the technology is, it's the data. We have data-integrity issues we are trying to solve. The common theme for identity management is that the data you start with has to be reliable." Linstead says the company has standard identities for e-mail, network access and voice, and is working on other applications.
Others agree that user data is a pressing issue.
"My executives are finally waking up to the fact that identity management is a data strategy," says an executive security analyst for a major insurance company. "We have master records for policy holders and processes for managing those records. We need a similar strategy for managing identity. It's a data-strategy issue and you have to know what you're doing. A fool with a tool is still a fool."
End users are optimistic that work to clean up data and align business processes with identity-management goals will bear fruit. That thinking is due, in part, to the fact that standards such as SAML are starting to show their promise.
Boeing has integrated thousands of Southwest Airlines user accounts into a federated identity environment using a Web-based authentication system supported by SAML. Similar integration projects are in the works with Boeing subsidiaries and partners.
"If we can deliver services to our customers that they can integrate into their environments then we become indispensable," says Mike Beach, associate technical fellow for security and directory services at Boeing. "We think SAML is huge."
In fact, users say standards are the spark to ignite identity-management systems that can be integrated, or federated, across corporate boundaries.
Fred Wettling, infrastructure architect for Bechtel in San Francisco, says standards compliance is climbing from No. 2 to No. 1 on the company's criteria list for product evaluation.
"Interoperability has to be built in, based on standards," he says.
"I'm betting on standards," says George Dobbs, assistant vice-president for infrastructure architecture at a major insurance company. "We need federated identity management. We have partners with employees that we need to bring onto our systems." Dobbs is looking at SAML to help support a single-sign-on environment to serve the army of agents that need data from the company's systems on a daily basis.
But experts say the standards aren't the complete answer.
"The thought is that standards will make things work easier out of the box, but there is still a lot of work to do to get identity management working right," says David Rusting, senior solutions architect for ePresence, a consulting firm in Westboro, Mass. "That leads to a lot of disillusionment. Folks who have been involved with directory projects have been through this."
Rusting says he finds users have lots of legacy systems, which he defines as anything that is currently deployed in production. "They have a lot of identities, access-management systems, and authentication and authorization systems, which means they don't know who has access to what.
"That is the bottom line - companies don't know who has access to what, and that has to change," he says.