Look who's watching

TECHNOLOGY: Identity management is an effective way to keep a check over critical information - but is it a breach of faith?

Effective identity management "" tracking when employees start and stop work in an organisation, allowing them access to relevant business processes and monitoring their daily technology consumption "" is a complex but important IT function for any reasonable-sized business.

In fact, IDC research shows that the identity and access management (IAM) market, estimated at $3.4 billion in 2006, will reach over $5 billion in revenue by 2010.

"For us, identity management is about establishing and managing the roles and access privileges of individual network users. ID management systems provide IT managers with tools and technologies for controlling user access to critical information within an organisation," explains S P S Grover, vice president (sales), Oracle.

In enterprise-speak, it's all about "provisioning" access to various IT applications for new staff and "de-provisioning" those services when people leave. ID management systems also give organisations a way to control the swarm of untethered endpoints "" laptops, PDAs and mobile phones "" buzzing around the enterprise.

Many of these devices are neither owned nor provisioned by the companies whose networks they need to access. The ability to enforce a set of policies on the devices that connect with the network through the management of the identities of the users of those devices is fast becoming a must-have security capability, especially with the outsourcing and multinational research centres in India.

Security breaches by disgruntled former staff who find their way back into the system are a nightmare for businesses. Ever since three former employees of Mphasis BPO were arrested on charges of using their old access privileges to plunder the company's databases, stealing bank account information from clients and transferring $350,000 into new accounts, corporates have become wary of such scams and are more willing to invest in effective "de-provisioning" systems.

"Global 1000 organisations are budgeting now for complex enterprise-wide ID management solutions," says Robert Dyson (CISSP), partner, Accenture.

The outsourcing major has deployed solutions that provide a means for segregation of duties, "which means that people cannot get blamed for inappropriately accessing information if they didn't have access to begin with".

Also, knowing exactly who is (and isn't) working for the company at any point in time can mean a huge saving in software licencing fees and prevent costly security breaches.

Dyson justifies the hefty investment in IAM solutions (estimated to be almost 1-2 per cent of a company's revenues), "It only takes a few audit findings to justify the expense. The improvement in security facilitates trust among all system users to include customers, partners and employees."

More cost saving, as claimed by vendors and analysts, comes from what might seem at first a trivial consideration "" automation of password resets.

Yet, depending on whose numbers you believe, somewhere around half of all help-desk calls are for password resets. ID management systems allow administrators to automate these and other time-consuming and costly tasks.

Compliance also accounts for 70 per cent of the growth in this market space. Oracle is eyeing multinational outsourcing outfits that still manage their employee on-boarding and off-boarding manually.

"A lot of help-desk tickets are generated by human resources, done at different times and signed by different personnel," says Grover.

Result, there is no single source data repository to manage information. Sarbanes-Oxley, Gramm-Leach-Bliley and HIPAA hold the company responsible for controlling access to customer and employee information.