Identity and access management (IAM) refers to enterprise security software's increasingly important ability to manage user access to crucial business systems using more sophistication than simple user ID and password combinations. For example, a call centre employee might need to access the customer relationship management (CRM) features of the company's enterprise resource planning system, but would not need access to detailed marketing information stored in the same system.
In current practice, it's hard to restrict access with such high granularity, since each application manages its own user accounts and may not allow fine-tuning of each user's access. IAM, however, allows different applications to share and respect records of access limits based on common business policies -- for example, limiting all call centre users to accessing information specifically related to customer support.
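The arrangement described above, one business policy that several applications consult and respect, is easier to see in code. The following is an added example, not code from the article or from any vendor's product: the roles, permissions, users and the two toy "applications" (a CRM module and a marketing module of the same ERP system) are constructed for illustration. The policy decision point grants nothing to roles it does not know and records every decision, which is what lets a business manager audit who could reach what.

```python
"""Role-based access control with one policy shared by two applications.

Added example, not from the article and not any vendor's product. The roles,
permissions, users and the two toy 'applications' (a CRM module and a marketing
module of the same ERP system) are constructed for illustration.
"""
from dataclasses import dataclass, field

# A single business policy: role -> permissions. Every application consults
# this table instead of keeping its own user table, so changing a role here
# changes what that role may do everywhere.
ROLE_PERMISSIONS = {
    "call_centre_agent": {"crm:read_customer", "crm:update_ticket"},
    "marketing_analyst": {"crm:read_customer", "marketing:read_campaign"},
    "erp_admin": {"crm:read_customer", "crm:update_ticket",
                  "marketing:read_campaign", "marketing:edit_campaign"},
}


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset  # roles come from the identity store, not from the app


@dataclass
class PolicyDecisionPoint:
    """Answers 'may this user do X?' and records every decision for audit."""
    role_permissions: dict
    audit_log: list = field(default_factory=list)

    def is_allowed(self, user: User, permission: str) -> bool:
        # Unknown roles grant nothing (deny by default).
        granted = any(permission in self.role_permissions.get(role, set())
                      for role in user.roles)
        self.audit_log.append((user.user_id, permission, "ALLOW" if granted else "DENY"))
        return granted


class CrmModule:
    """Customer-support part of the ERP system (a policy enforcement point)."""
    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp

    def read_customer(self, user: User, customer_id: str) -> dict:
        if not self.pdp.is_allowed(user, "crm:read_customer"):
            raise PermissionError(f"{user.user_id} may not read customer records")
        return {"customer_id": customer_id, "name": "Example Customer"}  # constructed record


class MarketingModule:
    """Marketing part of the same ERP system; same policy, different permissions."""
    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp

    def read_campaign(self, user: User, campaign_id: str) -> dict:
        if not self.pdp.is_allowed(user, "marketing:read_campaign"):
            raise PermissionError(f"{user.user_id} may not read campaign data")
        return {"campaign_id": campaign_id, "budget": 25000}  # constructed record


def attempt(action, user: User, object_id: str) -> bool:
    """True if the action succeeded, False if the policy denied it."""
    try:
        action(user, object_id)
        return True
    except PermissionError:
        return False


def run_demo() -> dict:
    """Exercise both modules with three constructed users and return the outcomes."""
    pdp = PolicyDecisionPoint(ROLE_PERMISSIONS)
    crm, marketing = CrmModule(pdp), MarketingModule(pdp)
    agent = User("agent-07", frozenset({"call_centre_agent"}))
    analyst = User("analyst-02", frozenset({"marketing_analyst"}))
    contractor = User("temp-99", frozenset({"visitor"}))  # role absent from the policy
    results = {
        "agent_crm": attempt(crm.read_customer, agent, "C-100"),
        "agent_marketing": attempt(marketing.read_campaign, agent, "Q3-launch"),
        "analyst_marketing": attempt(marketing.read_campaign, analyst, "Q3-launch"),
        "contractor_crm": attempt(crm.read_customer, contractor, "C-100"),
    }
    results["denials"] = [entry for entry in pdp.audit_log if entry[2] == "DENY"]
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

The call centre agent reaches customer records but is refused campaign data, and the contractor with an unrecognised role is refused everywhere; both refusals appear in the audit log, which is the record a manager would review.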
"The issue is controlled access," said Tim Blake, technology solutions manager with Oracle, one of several vendor partners that joined Gartner and more than 200 attendees at Gartner's first-ever Asia-Pacific security conference, where IAM was a major theme.
"We want to allow different people, perhaps sharing desks with one another, different levels of access based on their roles so that the roles and privileges of those people really drive the way we give them access to that information. But scale is an issue: the number of resources is growing over time, and the way we want to manage those resources is getting finer and finer grained".
This presents a challenge, Blake explained, in that access to business applications has usually been managed by IT departments that might, for example, create a dozen user ID and password combinations for the different systems needed by a new employee. In most companies, IT-managed user identities are rarely subject to any controls by business managers -- who are nonetheless responsible for the employees' behaviour and access to often confidential information.
Proper governance, which requires detailed control over information access by individuals, is therefore hard to enforce without effective IAM. Although the audience at the conference was arguably self-selecting, a survey during a panel discussion on Wednesday revealed that fully 54 percent of those attending expect to implement IAM within the next 12 months, and an additional 24 percent saw it on the radar in the 12 months-plus timeframe.
Pressed to name their highest priority in user authentication, 30 percent said they were aiming to improve user account management; 25 percent wanted to better control access to information systems; 17 percent were focusing on single sign-on to many systems; and 15 percent wanted stronger user authentication.
Fully 13 percent of attendees were interested in 'federated' IAM, in which applications within and outside of a company develop a common language for exchanging user access information. Federated capabilities will be essential as companies work to maintain governance controls while allowing access to their systems by outside firms such as distribution partners or key suppliers. But actually implementing such technology is extremely difficult and likely to remain so for some time, Gartner analysts said.
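The federation described above, a partner's identity provider asserting who a user is and what role they hold, and the company's own system deciding what that role may do locally, can be sketched as follows. This is an added example, not code from the article or from any product; it uses an HMAC-signed JSON message as a stand-in for a real federation token such as a SAML assertion, and the issuer names, shared secret and role mapping are constructed. The relying party only honours issuers it has a key for, checks the signature and expiry, and maps the partner's role vocabulary onto its own; partner roles with no mapping are dropped, so a partner cannot acquire local privileges by inventing role names.

```python
"""Verifying a federated identity assertion from a partner organisation.

Added example, not from the article. An HMAC-signed JSON message stands in for
a real federation token (e.g. a SAML assertion); issuer names, the shared
secret and the role mapping are constructed values.
"""
import hashlib
import hmac
import json
import time

# Keys shared out of band with each trusted partner (constructed values).
TRUSTED_ISSUERS = {
    "idp.distributor.example": b"partner-shared-secret-1",
}

# Each partner's role names are translated into ours; anything unmapped is ignored.
PARTNER_ROLE_MAP = {
    "idp.distributor.example": {"order_desk": "call_centre_agent"},
}

# Local business policy applied after mapping (kept minimal here).
LOCAL_ROLE_PERMISSIONS = {
    "call_centre_agent": {"crm:read_customer"},
}


def _sign(payload: bytes, secret: bytes) -> str:
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def issue_assertion(issuer: str, subject: str, roles, secret: bytes,
                    lifetime: int = 300, now=None) -> dict:
    """Partner IdP side: build a short-lived assertion and sign it."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "sub": subject, "roles": sorted(roles), "exp": now + lifetime}
    payload = json.dumps(claims, sort_keys=True).encode()
    return {"payload": payload.decode(), "sig": _sign(payload, secret)}


def verify_assertion(token: dict, now=None) -> set:
    """Relying-party side: return the local roles the assertion earns, or raise."""
    now = time.time() if now is None else now
    payload = token["payload"].encode()
    # The issuer claim is read only to select the key; nothing is trusted
    # until the signature over the whole payload has been checked.
    claims = json.loads(payload)
    issuer = claims.get("iss")
    secret = TRUSTED_ISSUERS.get(issuer)
    if secret is None:
        raise PermissionError("untrusted issuer")
    if not hmac.compare_digest(_sign(payload, secret), token["sig"]):
        raise PermissionError("bad signature")
    if claims["exp"] <= now:
        raise PermissionError("expired")
    role_map = PARTNER_ROLE_MAP.get(issuer, {})
    return {role_map[r] for r in claims["roles"] if r in role_map}


def rejection_reason(token: dict, now=None):
    """None if the assertion is accepted, otherwise the reason it was refused."""
    try:
        verify_assertion(token, now)
        return None
    except PermissionError as exc:
        return str(exc)


def can_access(local_roles: set, permission: str) -> bool:
    """Apply the local policy to the mapped roles."""
    return any(permission in LOCAL_ROLE_PERMISSIONS.get(r, set()) for r in local_roles)


if __name__ == "__main__":
    secret = TRUSTED_ISSUERS["idp.distributor.example"]
    token = issue_assertion("idp.distributor.example", "alice@distributor.example",
                            ["order_desk", "admin"], secret)
    roles = verify_assertion(token)
    print("local roles:", roles, "crm read:", can_access(roles, "crm:read_customer"))
```

Note that the partner-side "admin" role never reaches the local policy, and that a tampered payload, an expired assertion and an unknown issuer are each refused with a distinct reason, which is what an incident responder wants to see in the relying party's logs.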
With fundamental enterprise risk management issues at stake, many companies risk botching the whole situation by listening to vendor hype and rushing into IAM rollouts before they fully understand their business requirements, warned Gartner research director Roberta Witty, who argued that properly planning and rolling out IAM in a company of 5,000 users can -- and should -- take up to a year. Most of that time, she added, should be spent not in choosing technology but in weighing up business requirements and developing a detailed rollout plan.
"Do not try for a single sign-on, and don't worry about federated IAM [FI] unless you want to become a FI poster child," Witty advised. "More and more we're finding companies want to do very fine-grained role management. But if you want to develop centralised authentication, driving it deep into the application, that's going to require a very different level of integration. Don't let the vendor hype tell you that these projects are quick; you need to understand the complexity of your roles, and develop your strategy and requirements first".