Many businesses embrace the notion that the Internet can be a source of real competitive advantage, but it is the rare business indeed that can effectively handle the complexities the Internet has introduced. While the most forward-looking companies are able to manage these opportunities and threats in order to create flexible, scalable Web-enabled architectures, other companies are not. In particular, the complexity of the issues surrounding identity management — the management of user access to applications and information based on proof of identity — is exploding as a direct result of the connectivity that underlies the Internet. So what factors are causing us to grapple with identity to the point that it is a problem to be managed?
First and foremost, there has been a marked increase in the “opening up” of the enterprise to partners, customers, and suppliers, as well as to an increasingly mobile workforce, all of whom expect to have the appropriate network resources available to them on demand, regardless of physical location or the access device being used. The demand for the “always on” enterprise leaves little or no time to slow down and catch a breath in the forced march toward the virtual enterprise.
As might be imagined, opening up the enterprise to partners, customers, and suppliers creates enormous demands on overworked IT departments, leaving aside the baseline issues of managing the IDs of the workforce. Something as seemingly simple as proper maintenance and oversight of user IDs can be problematic. According to some estimates, within a typical enterprise, one-quarter of user IDs are invalid or expired. The costs of maintaining these IDs on a real-time basis are often prohibitive, leading to the unpleasant prospect that an employee who was terminated last month may still have access to mission-critical IT assets. Of course, letting identities remain in force that should no longer provide valid access to critical enterprise information and applications is a serious security loophole. In addition to these security liabilities, there are problems associated with customer satisfaction: what happens when customers cannot access the information that they need on a timely and relevant basis?
Today’s IT environment has undergone an explosion in the number of policies, platforms, systems, and controls. With the introduction of each new policy or platform, the complexity of the IT environment increases significantly. Companies are already grappling with the compartmentalization of IT resources into different autonomous domains. We seem to be drowning in metaphors, with the media describing the situation in terms such as “islands of information,” “patchwork quilts,” “silos,” “stovepipes,” and so on. The net result is a tremendous increase in the number of user IDs and passwords as well as a corresponding exponential increase in the number of potential security loopholes. Imagine what happens after a merger or acquisition, when two companies must work to consolidate layers and layers of technology infrastructure.
It is difficult to overstate the complexity of the situation. By some estimates, a typical enterprise has 250 applications — a full order of magnitude greater than just a few years ago. Large enterprises may have upward of 50 distinct information stores, while internal user information may be distributed across several dozen data stores and external user information spread across five or more databases. Given this proliferation of data across different domains, it has been estimated that the average IT department devotes nearly one-third of its time to managing the dynamic profile information of users. Not surprisingly, each month approximately one in 10 employees will experience an access rights issue, and almost the same number will experience a personal profile problem.
A Growing Regulatory Environment
Companies are dealing with a vastly more complex regulatory environment created by the corporate governance scandals of the 1990s and the “know-your-customer” concerns resulting from the terrorist attacks of 9/11. In addition to Sarbanes-Oxley in the US, a raft of new laws, regulations, and compliance orders (such as the Turnbull law in the UK) require companies in industries ranging from healthcare to financial services to consider a comprehensive overhaul of the way they monitor and track customers and partners. Suddenly, digital identity is no longer just a way to keep track of users; it is a fundamental requirement that could raise serious corporate governance questions for ill-informed boards of directors.
Companies are under constant pressure from stakeholders to improve their overall competitive positions. Shareholders, of course, want a more efficient, streamlined enterprise and year-over-year growth in revenues. That translates into a constant call for ROI from IT investments — senior-level managers must be able to deliver ROI on any IT investment. They can no longer experiment with the next big thing; they must be able to implement technologies that can cut costs, boost revenues, or result in increased efficiency. Likewise, business partners are demanding a more comprehensive look at network resources; suppliers want greater visibility into the supply chain, while other partners want access to real-time information on portal sites. End users want personalized solutions that are seamless throughout geographies and time zones and are responsive to privacy concerns. And not to be ignored, employees want solutions that empower them to leverage enterprise IT resources on an as-needed basis.
By failing to take the time to address the pressing concerns of digital identity management, companies face the following list of consequences, which — individually or in tandem — can significantly erode competitive advantage:
- Lower end-user satisfaction rates
- Lower ROI for IT assets
- Higher administrative and development costs for IT solutions
- Exposure to financial penalties for regulatory noncompliance
- Weaker security
- Inability to react quickly to new customer, employee, and partner requirements
Because nearly all companies in all industries are moving onto the Internet, the bottom line is that identity management has become a critical requirement for the enterprise.
Thus, digital identity can be the key to unlocking value within the corporation, but only if senior-level decision makers learn to embrace identity as a central organizing principle. Digital identity management is not simply a way to reduce costs, reduce complexity, and address regulatory concerns; it is a way to catalyze the transformation of the enterprise into an identity-enabled virtual enterprise.
Vendors in the digital identity management market believe that with the right network identity technology, content and services can be personalized, access to resources can be effectively controlled, a consistent user experience across applications and Web sites can be provided, and trust relationships with intermediaries and providers can be established. Without such technologies, these goals may be impossible to achieve.
— Stowe Boyd, Senior Consultant, Cutter Consortium
This article was originally published by Cutter Consortium.