Day 2 of Incite: Who are you?
Identity Management (IDM) breaks out in 2006, as ROI-driven password management and single sign-on (SSO) initiatives are deployed en masse. Smart users increasingly figure out that strong and centralized IDM provides “good enough” authentication and authorization for compliance purposes, accelerating market growth in 2H 2006. Yet, identity federation continues to lag in a cloud of useless vendor bickering and standards immaturity until mid-2007. Token-based authentication finally hits the wall, as passwords remain good enough and no compelling alternative appears.
In all my conversations with people all across the industry, the most consistent message I hear is about Identity Management (IDM). IDM is finally poised to become mainstream in 2006. Being the cynical type of guy, I’ve never really bought into IDM, since it was just too hard to implement, required lots of integration, and the true value was suspect since customers never really bought it en masse.
So I started asking questions. Why now? What has happened over the past 12-18 months that changed things? I guess I was trying to figure out why it’s going to be different this time.
The answers were kind of surprising on one hand, and not so much on the other. Firstly, IDM has moved from the purview of the start-up to the mature systems management (and application) vendors. With the acquisitions of companies like Netegrity (by CA), WaveSet (by Sun), Access360 (by IBM), Oblix and Thor (by Oracle), and Trustgenix (by HP), the systems/integration giants now have the core software foundation to implement large scale IDM projects, which previously were out of reach of the start-ups. IDM is now a logical extension of the system management platform, and controlled by the giants of the management space.
Additionally, with a couple of years of implementations under the belt, integrating IDM with key applications and data stores no longer requires hocus-pocus. IDM functions like single sign-on or provisioning provided clear ROI, given that you could implement for a reasonable price in a reasonable timeframe. With the integration issues largely in the rear view, and large integrators “baking” IDM into management platforms, the ROI of IDM is poised to be unleashed this year.
IDM will also see increased momentum this year driven by compliance. I’ll have a lot more to say on compliance tomorrow, but suffice it to say that a couple of years later, it’s still not clear what is “good enough” for compliance. You need to be able to prove that you are protecting private information and have a strong information security process in place.
Implementing IDM to make sure that the right people get access to the right resources would seem to meet the spirit of most of the regulations. Of course, it’s not the total answer because a process of auditing and reporting is also required, but it’s a big piece.
Yet, it’s not all blue sky. Is it ever? Standards have been and will remain challenging. The whole objective is to be able to share identity information across networks, streamlining the authentication and authorization process. BUT, as always, everyone needs to play ball in order for that to happen.
But that’s the funny thing about standards. They rarely work when it’s just a bunch of vendors rubbing their antennas to try to get something defined. Ultimately, customers will drive the definition and adoption of standards. They haven’t thus far, so it must not be a big enough problem.
There is also the move to make Identity Management more user-centric and leverage more “open” Web standards (the so-called Identity 2.0 initiative). Like all good “2.0” initiatives, they’ll throw some open source stuff in there for good measure. On paper, this is interesting, and plays into the Incite that new Web-based application architectures with better security models will gain in importance. Clearly, the standardization and secure portability of identity will play a huge role in making Web 2.0 actually work. But, it’s still very early for Identity 2.0.
Finally, no discussion of IDM is complete without at least addressing the future of token-based authentication. I am a fan of two-factor, from the days when a company called Security Dynamics put those tokens in the hands of everyone, or so it seemed. The tokens served a very important need in the early days of remote access and web applications. BUT, tokens have never really gained traction outside of the select few high profile applications on sensitive networks open to external access.
Growth is slowing in the token business, and it’s going to hit the wall this year because for the bulk of applications, passwords are good enough. Having that additional layer of security is not important enough for users to spend the money and impact the user experience by rolling out tokens. That being said, there is a market for a legitimate alternative, providing the ease of passwords with the security of two-factor. I know a lot have tried and all have failed thus far. But the market is there.
That’s Day 2. The next Day of Incite focuses on compliance.

