Corralling Identities

IT should hold vendors accountable for identity applications.

It's been 50 years since General Electric became the first corporation to use computers to process its payroll. Since then, many enterprise applications have sprung up. Resource planning applications appeared more than 30 years ago, and HR and CRM software have become prevalent more recently. The result is that data, often rich in personal identity information, is fragmented in silos across many organizations.

Many CIOs and CTOs seek a way to manage this data in a unified way. One answer is identity management technology. Identity management provides a horizontal view of data linked to personal identities, thus increasing IT professionals' ability to manage the data and users' access to it. How should you implement an identity management solution? Here are some tips.

First, know what information the enterprise has about a person. Typically, this is permission information, such as rights and rules about accessing data, and profile information, such as a user's home address and health records. Then you can determine the appropriate permissions to assign to that person for access to appropriate systems and applications in the enterprise.

Second, know the data flow. Enterprises must consider all the possible ways that data about individuals enters the company, how it is used, where it might go—internally and externally—and who can change that information. Once those processes are documented, they can be automated using identity management. Identity management gives the enterprise control over documented workflow and the granting of access rights, which is critical to meeting laws such as the Sarbanes-Oxley Act.

Third, information security is essential. To deploy and use identity management effectively, an enterprise must have solid security to protect all types of information from loss, alteration or inadvertent disclosure. Without such security, it's impossible to deploy an effective identity management solution successfully.

Fourth, select solutions that support or endorse relevant standards. Service Provisioning Markup Language, Liberty and Security Assertion Markup Language will help save your investment across vendors' technologies. Pure custom code is expensive; crisp, portable solutions will provide excellent ROI and interoperability.

Fifth, make vendors prove claims. They should be able to describe what the tool does and how it fits into the organization employing it. Ask them for a business architecture—a description of the set of business processes—that explains how their identity management solution works. Ask vendors how their identity management solution will use your information security program to ensure identity data safety. Ask them to explain why identity management is needed for a valid privacy program. Then compare their answers with your enterprise's needs.

Bill Malik is chief technology officer of Identity Management at Sun Microsystems Inc. Free Spectrum is a forum for the IT community. Send submissions to

