By Ryan B. Patrick
ComputerWorld Canada
To the average organization, the concept of identity management (IM)
seems simple enough — it’s the implementation that’s tricky.
Almost every large IT vendor has some sort of IM offering. And it’s
easy to become overwhelmed by directory servers, automated password
reset, access control tools, user account provisioning and
administration, and Web and enterprise single sign-on, all of which fall
under the identity management rubric.
Tom Keenan, dean and professor at the University of Calgary,
noted that to combat a proliferation of identities and passwords, the U
of C recently put in place a solution that allows staff to retrieve lost
and forgotten passwords by accessing a Web site.
“But the catch is,” Keenan said, “I have to somehow remember exactly how
my name and e-mail address were entered and, since I didn’t do it myself,
I have no idea what it wants.”
Therein lies a large issue with secure IM: it
has to be simple enough for the user to gain access to information and
applications, yet still retain the security and privacy aspects across
the IT architecture. This is one reason relatively few organizations have
yet adopted such an IM system, and those that have not incur the security
vulnerabilities and operational inefficiencies that come with the decision.
Nonetheless, secure IM should be a priority in all organizations,
according to Stephen Ibaraki. It’s particularly critical in an e-business
environment where there is cross enterprise application integration and
management of multiple user identities, said the chairman and chief
architect for New Westminster, B.C.-based
e-business solutions provider iGEN Knowledge
Solutions Inc.
“As a user, I want to login once using one ID and password then
automatically have controlled or managed access to all the information
resources and applications across many different systems both inside and
outside of my organization, from anyplace and at any time,” Ibaraki said.
“I want to do this from my standard Windows computer, from any other
computer using a standard Internet browser, or from a wireless smartphone or PDA.”
According to a recent study, 48 per cent of companies reported that it
typically took them more than two days for employees to get access to all
the systems needed, reducing productivity time by about 25 per cent; on
the flip side, it also takes an organization more than two days to revoke
access rights. Conducted by Novell World Wide Services, Stanford
University and Hong Kong University, the report — Exploring Secure
Identity Management in Global Enterprises — also cites scenarios of poor
ID management such as an ex-employee at a financial institution still
able to access things like voice mail months after the fact or careless
employees writing passwords on sticky notes or business cards.
Ross Chevalier, director of technology and solutions architecture at
Toronto-based Novell Canada Ltd., noted that tools such as single sign-on
can effectively quell lapses in identity management across multi-platform
networks by authenticating users automatically to any applications and
data to which they are authorized. The vendor has enhanced and repackaged
existing technology under the Nsure brand, a
software suite of identity management tools.
According to Islandia, N.Y.-based Ron Moritz,
senior vice-president and chief security strategist for eTrust security solutions at Computer Associates (CA)
International Inc., there is a competitive advantage to being able to virtualize information securely.
“Whether they’re consumers, business partners, suppliers, consultants or
contractors…moving information out of the corporation is actually a
business enabler,” Moritz said.
For the near future at least, both Chevalier and Moritz noted that
cost-cutting and ROI considerations will be the main drivers for identity
management adoption in the enterprise. The benefits of a sound IM
strategy include enhanced data and transaction security, improved IT
staff efficiencies (fewer calls to the help desk) and easier user access.