There are a lot of moving parts involved in identity management, and it's going to get worse.
Even though many companies are already juggling access by so many different users to so many different applications, we may all look back on this period as a time when life was simple.
CIOs today benefit from a number of advantages, say experts. Though many of the public key infrastructure, or PKI, initiatives of the past decade were nonstarters, certain standards are more widely accepted today than they were even a few years ago. For example, there is no more argument about the standard protocol for querying directory services: LDAP, the Lightweight Directory Access Protocol, has won. That means organizations are free to standardize their methods for sharing data between directories.
But many standards are not yet solidified. "There is such a standards free-for-all going on, with different standards bodies grabbing different pieces of the elephant," says ISTPA's O'Neil. "As long as that Tower of Babel continues to go on, there will be confusion."
Internally, corporations struggle with the complexity of their own custom and legacy applications when they try to simplify the business rules that control access. Say, for example, a particular user is authorized to purchase no more than $50,000 of goods a day. Right now, analysts say, enterprise access management systems can't effectively manage that: the rule depends on a running total of the day's transactions, which lives inside the purchasing application, not on a static permission a central system can grant or revoke. So even straightforward but critical user access controls can't be completely centralized.
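To make concrete why a rule like the $50,000-a-day limit is harder to centralize than an ordinary permission, here is an added example in Python. It is not code from the article or from any product mentioned in it; the users, entitlements, amounts and the choice of a UTC calendar day as the "day" are all constructed assumptions. The point it shows is that the entitlement check is stateless, while the cap needs a running total that must be updated on every permitted purchase, and that a denied request must not consume any of the budget.

```python
"""Added example (not from the article): a purchase authorizer that combines a
static entitlement check with a stateful per-user daily spending cap.
All users, entitlements and amounts below are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date, datetime, timezone
from decimal import Decimal
from typing import Dict, List, Set, Tuple

# Constructed sample policy. The entitlement sets are the kind of static grant a
# central access manager holds; the cap is the transaction-bound rule that needs
# per-day state the application normally keeps to itself.
ENTITLEMENTS: Dict[str, Set[str]] = {
    "alice": {"purchasing:create_order"},
    "bob": {"reporting:view"},
}
DAILY_CAPS: Dict[str, Decimal] = {"alice": Decimal("50000.00")}


@dataclass(frozen=True)
class Decision:
    permitted: bool
    reason: str


@dataclass
class PurchaseAuthorizer:
    entitlements: Dict[str, Set[str]]
    daily_caps: Dict[str, Decimal]
    # Running totals keyed by (user, UTC date). This is the state a pure
    # permission model lacks; without it the cap cannot be evaluated at all.
    spent: Dict[Tuple[str, date], Decimal] = field(default_factory=dict)

    def authorize(self, user: str, action: str, amount: Decimal, when: datetime) -> Decision:
        """Decide one purchase request and, if permitted, record its amount."""
        if when.tzinfo is None:
            raise ValueError("'when' must be timezone-aware so the day boundary is unambiguous")
        # Stateless part: does the user hold the entitlement at all?
        if action not in self.entitlements.get(user, set()):
            return Decision(False, f"{user} lacks entitlement {action}")
        if amount <= 0:
            return Decision(False, "amount must be positive")
        cap = self.daily_caps.get(user)
        if cap is None:
            return Decision(True, "entitled; no daily cap configured")
        # Assumption: a 'day' is a UTC calendar day. A real deployment would use
        # whatever business calendar the finance team closes its books on.
        key = (user, when.astimezone(timezone.utc).date())
        spent_today = self.spent.get(key, Decimal("0"))
        if spent_today + amount > cap:
            return Decision(False, f"would bring today's total to {spent_today + amount}, cap is {cap}")
        # Commit the running total only on a permit, so denied requests do not consume budget.
        self.spent[key] = spent_today + amount
        return Decision(True, f"permitted; {cap - self.spent[key]} of daily cap remaining")


def run_demo() -> List[Tuple[bool, str]]:
    """Replay a constructed sequence of requests and return (permitted, reason) pairs."""
    pdp = PurchaseAuthorizer(ENTITLEMENTS, DAILY_CAPS)
    day1 = datetime(2003, 3, 3, 14, 0, tzinfo=timezone.utc)
    day2 = datetime(2003, 3, 4, 9, 0, tzinfo=timezone.utc)
    requests = [
        ("alice", "purchasing:create_order", Decimal("30000.00"), day1),
        ("alice", "purchasing:create_order", Decimal("20000.00"), day1),  # exactly reaches the cap
        ("alice", "purchasing:create_order", Decimal("0.01"), day1),      # one cent over: denied
        ("alice", "purchasing:create_order", Decimal("40000.00"), day2),  # new day, counter reset
        ("bob", "purchasing:create_order", Decimal("10.00"), day1),       # no entitlement at all
    ]
    return [(d.permitted, d.reason) for d in (pdp.authorize(*r) for r in requests)]


if __name__ == "__main__":
    for permitted, reason in run_demo():
        print("PERMIT" if permitted else "DENY  ", reason)
```

Run as a script, it prints the five decisions in order. Two design choices matter for this kind of rule: amounts are `Decimal`, not floats, so the comparison against the cap is exact at the cent, and the running total is written only after the permit decision, so a burst of denied requests cannot lock a user out of spending they were still entitled to.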
Meanwhile, the regulatory landscape continues to shift. The Sarbanes-Oxley Act, which mandates stricter financial reporting, will have a seismic effect on identity management in public companies. As CIO Insight pointed out in the December 2002 issue, IT departments are coming to realize they'll need to increase spending to respond to the law's stricter financial reporting rules and faster deadlines. But companies must also guarantee that sensitive information that might affect a company's stock price can be viewed only by people authorized to see it, which significantly raises the bar for both internal and external digital identity management.
How can IT departments manage all of this complexity? Analysts say it comes down to good planning. The corporation's overall risk-management plan must cover every major aspect of employee and customer identity. The security model built from that plan has to anticipate a broad range of both users and applications attempting to access critical corporate data. And because the major identity management problems can only be solved over time, IT departments need to work from an identity management roadmap that sets out which problems must be solved, and when.
Ask your CTO:
What critical technical standards are affecting our identity management efforts?
Ask your CFO:
How much legal risk do we run by providing internal access to our financial systems?
Tell your IT architect:
We need a roadmap for identity management.