"When you look at the nature of the problems, they've actually changed," says Amit Jasuja, vice president, development for security and identity management at Oracle. "In the past if I look back pre-Sarbanes-Oxley, there were two main drivers for identity management. One was user experience. The other was cost. But what has happened is that over the last few years the nature of the problem has changed in that it has become much more of a business process. And that is driven by compliance."

This fundamental shift in needs has transformed the identity management landscape, he says. "It changes the needs from a product. Now the product needs to be a lot more process-driven. In the old days, the products that you saw had a data-driven architecture. So, you have stuff in a directory and then you administer the directory. And if the data needed to be another place, you did a synchronization. People put a little bit of front end on the top and that was it."

IT security revolution

This shift is part of a revolution in IT security, according to Deepak Taneja, founder, president and CEO of Aveksa, an access governance firm with its U.S. base in Waltham, Mass.

"Security is moving from this era of technical details — a whole slew of silos of security and a lot of jargon and nitty-gritty details — to this era where the business issues are beginning to dominate," says Taneja. "And with regard to identity and access, the business issues are all around compliance, risk management and enabling IT security to work with business managers within the line of business, risk and compliance."

To comply with the regulations facing the enterprise, organizations must satisfy both finance and IT auditors, each of whom has concerns that go beyond the typical identity management problems of authentication, provisioning and the like.

"The financial audit folks have some sorts of concerns, the IT audit folks have other issues," Jasuja says. "Every company is starting to think, ‘What is my strategy for defining my risks?' They're thinking about defining controls and testing controls and who authorized what."

Don't boil the ocean

Unfortunately, this has made the implementation of identity management more complex. Not only is the task of changing from data-driven to process-driven technology difficult, but vendors also cloud the problem with a flood of marketing for products that are only peripherally related to identity management.

"One of the things that a lot of enterprises struggle with is that this is a big umbrella under which many vendors are trying to jam a lot of stuff," says Toffer Winslow, vice president of product management for RSA, the security division of EMC. "Anything that even touches a digital identity somewhere, people will claim they're an identity management vendor."

So how does an organization cut through the fog of marketing while still meeting security and business-process objectives?

Jasuja of Oracle says the best way to do this is to take a systematic approach. He suggests that even the most comprehensive end-to-end identity management programs should pick the key systems to work on first. Once the organization has developed an architecture and an approach to ID management within those systems, it can use that process as a template for future rollouts.

One organization that has taken just such an approach is Volkswagen AG. Under the management of CISO Ottmar Beckman, Volkswagen is in its final year of a six-year push to consolidate and update its identity management architecture and workflow. By the end of the year, Beckman estimates that the firm will have more than 1.5 million identities working through a centralized system that uses BMC's Identity Management Suite as its anchoring technology.

According to Beckman, the organization saw the need for consolidation back when he joined in 2001.

"The problem was to consolidate and to really make an approach about identity management and how we handled identities," Beckman says. "We made a layered architecture and in the middle of that we put BMC as the central piece."

Beckman says that not only has the consolidation improved the overall security of the organization, but it has improved identity administration efficiency by about 30 percent.

Because identity management requires extensive planning of processes, it is often a costly and lengthy project to revamp. This can make it a difficult sell if the main driver is security alone. Beckman says that it was the business efficiency aspect of his project that really got the controller's attention.


Effective ID management

According to Amit Jasuja, vice president, development for security and identity management at Oracle, there are several steps to creating a successful identity management strategy:

Agree on universal identity. Jasuja says that there can be mapping between a single identity and different systems, but there must be a universal framework to be effective.

Start thinking about granular enforcement policies. This means deciding who can do what in your systems and then determining entitlement.

Start to automate. One of the biggest mistakes an organization can make is to begin the automation process before developing policies. Mixing up steps like this can make automation a money pit, he says.

Put an audit framework in place. This will define auditing and approval workflow, as well as attestation and entitlement review; basically everything needed on a quarterly basis for compliance.

Use the previous steps as a template. Jasuja suggests taking all that you've done for key systems and using the same process for broader deployment.
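The steps above describe a process, not code, but the quarterly entitlement review in the audit step is mechanical enough to show in working form. The following is an added example written for this page; it is not code from the article, from Oracle, BMC or any other vendor named here. It assumes three constructed inputs: a list of universal identities (the HR record, with a role and an active flag), per-system accounts that are each mapped to an identity or left unmapped, and a role policy stating which entitlements a role may hold in each system. The review flags orphaned accounts (no universal identity), leavers (identity inactive but account still present), entitlements beyond what the role allows, and separation-of-duties conflicts aggregated across systems. All names, identifiers and rules in the sample data are invented for illustration.

```python
"""Quarterly entitlement review against a universal identity map (added example).

Assumed inputs, all constructed for illustration:
  identities  - one record per person, keyed by a universal uid (e.g. an HR id)
  accounts    - per-system accounts, each mapped to a uid or to None
  role_policy - (role, system) -> entitlements that role may hold there
  sod_rules   - entitlement combinations one person must never hold together
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Identity:
    uid: str          # key in the universal identity framework
    role: str
    active: bool      # False once HR records the person as having left


@dataclass
class Account:
    system: str
    name: str
    entitlements: Set[str]
    identity_uid: Optional[str]   # None: not mapped to any universal identity


@dataclass
class Finding:
    kind: str         # orphan | leaver | excess | sod
    system: str       # "*" for findings that span systems
    subject: str      # account name, or identity uid for cross-system findings
    detail: str


RolePolicy = Dict[Tuple[str, str], Set[str]]
SodRule = Tuple[Set[str], str]


def review(identities: List[Identity], accounts: List[Account],
           role_policy: RolePolicy, sod_rules: List[SodRule]) -> List[Finding]:
    """Return the findings a reviewer must attest to this quarter."""
    by_uid = {i.uid: i for i in identities}
    findings: List[Finding] = []
    held: Dict[str, Set[str]] = {}   # uid -> entitlements across every system

    for acct in accounts:
        ident = by_uid.get(acct.identity_uid) if acct.identity_uid else None
        if ident is None:
            findings.append(Finding("orphan", acct.system, acct.name,
                                    "no universal identity; disable or map the account"))
            continue
        if not ident.active:
            findings.append(Finding("leaver", acct.system, acct.name,
                                    f"identity {ident.uid} is inactive but the account remains"))
            continue
        allowed = role_policy.get((ident.role, acct.system), set())
        excess = acct.entitlements - allowed
        if excess:
            findings.append(Finding("excess", acct.system, acct.name,
                                    f"{sorted(excess)} not permitted for role {ident.role}"))
        held.setdefault(ident.uid, set()).update(acct.entitlements)

    # Toxic combinations are checked per person, not per account, so that a
    # split across two systems does not hide the conflict.
    for uid, ents in held.items():
        for toxic, why in sod_rules:
            if toxic <= ents:
                findings.append(Finding("sod", "*", uid, f"holds {sorted(toxic)}: {why}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by kind, the figure that goes in the attestation report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def sample_review() -> List[Finding]:
    """Run the review over constructed sample data (not real people or systems)."""
    identities = [
        Identity("e1001", "finance", True),
        Identity("e1002", "engineer", True),
        Identity("e1003", "finance", False),   # left the company last month
    ]
    accounts = [
        Account("erp", "alice", {"ap.view", "ap.create", "ap.approve"}, "e1001"),
        Account("erp", "bob", {"ap.view", "ap.approve"}, "e1002"),
        Account("ad", "carol", {"domain-user"}, "e1003"),
        Account("ad", "svc_backup", {"backup-operator"}, None),
    ]
    role_policy = {
        ("finance", "erp"): {"ap.view", "ap.create", "ap.approve"},
        ("engineer", "erp"): {"ap.view"},
        ("finance", "ad"): {"domain-user"},
        ("engineer", "ad"): {"domain-user"},
    }
    sod_rules = [({"ap.create", "ap.approve"}, "may both create and approve a payable")]
    return review(identities, accounts, role_policy, sod_rules)


if __name__ == "__main__":
    for f in sample_review():
        print(f"{f.kind:7} {f.system:4} {f.subject:12} {f.detail}")
```

The point of the ordering in Jasuja's list shows up here: the review is only meaningful once the identity map and the role policy exist, because every finding is a difference between what an account holds and what those two inputs say it should hold. Automating provisioning before that policy is written would simply reproduce the excess entitlements faster.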

— Ericka Chickowski