Identity Management is complicated for even the simplest of enterprises. But the ROI can be compelling.

In the classic Marx Brothers movie Horse Feathers, Harpo is asked for a password, which the audience knows is "swordfish." If an identity management system had been in place, the silent comedian would first have had to display a smart ID card and give a thumbprint to authenticate who he was, then define what he wanted access to—rather than simply pulling a fish from his pocket.

Long considered a mundane and esoteric aspect of IT security, identity management is rapidly gaining visibility as the linchpin around which companies are organizing their risk-management efforts. But for most organizations, identity management isn't a simple set of problems with easy solutions. Instead, it's a host of ongoing challenges that must be dealt with over time.

What is identity management? It's "managing all the aspects of a user's online identity in a coherent method," says John Pescatore, research director for Internet security at Gartner Inc. Burton Group, a Midvale, Utah-based consulting firm, defines it as "a set of processes, and a supporting infrastructure, for the creation, maintenance and use of digital identities." Says Burton President Jamie Lewis: "It's about making the right things available to the right people at the right time, and then having audit and logging capabilities that show what happened."

For most companies, the downside of ad hoc identity management is obvious. Giving new employees access to every application they need can take weeks, slowing productivity dramatically. Support costs to provide access to applications can be huge, with analysts claiming that up to 40 percent of help-desk calls concern employee passwords. Managing security changes when someone's promoted or transferred tends to be a complex process that may never be the same twice. And many companies have little or no idea whether employees they fire or lay off can still gain access to the system, creating serious risks until security audit time rolls around.

Substantial costs and looming liability should send a wake-up call to every CIO making clear the need to improve their identity management. Companies need to know who's accessing what data and what it's costing to maintain that access—and provide a bulletproof audit trail detailing how it's all being managed.

Ask Your IT Staff:

What is it costing us to try to keep track of who's who?

Ask Your Vendors:

What is the range of costs for an identity management initiative?

Ask Your Security Auditors:

Which critical identity management issues do you care about the most?

This article was originally published on 03-01-2003
eWeek eWeek

Have the latest technology news and resources emailed to you everyday.