Identity Management Is Good Business

eWEEK Labs believes identity management, from account provisioning to authentication and directory integration, is the road most enterprises should be traveling.

Managing passwords is a good first step in taking control of end-user maintenance costs because it shifts some of the work from IT to the end user.

The beauty of a product such as Passlogix Inc.'s V-Go SSO is that with a modicum of fuss, IT managers can have users up and running on a tough, no-nonsense single-sign-on utility that cuts costs by limiting help desk calls. Products such as V-Go also increase security by ensuring that users adhere to tough password policies.

We had V-Go up and running in a day on a small test network. Obviously, that timeline won't be matched by companies rolling out the product to thousands of users, but the real benefits of a well-thought-out identity management policy will show up in a matter of weeks or months, not quarters or years.

Managing identity in the enterprise for maximum cost reduction means putting the technology (directories, certificate authorities and authentication methods) in place, along with policies (business plans, human resources procedures and delegated authority).

Tracking and maintaining user identities on the Web for binding agreements, including purchases and contracts, is outside the scope of this article.

Products such as Courion Corp.'s AccountCourier, which is designed to handle password and user ID accounts throughout their life cycle, or customized applications of technologies, such as Novell Inc.'s DirXML information-sharing technology, both take a stab at solving identity management in the enterprise. Using these products, employees are represented by an identity that is given access rights and privileges, as well as constraints that keep the users and the data under their control inside predetermined boundaries.

When using account management products to manage user identities, it is useful to consider three factors: how intrusive is the process in gathering information that is to be used for user authentication, how accurate is the information that is being supplied, and what is the real cost of gathering and maintaining the information.

We've looked at several products that use a variety of methods to authenticate users, from biometric devices to new software tools that use multiple factors, including computer-usage habits, to determine who is trying to use the system. It's a fair question for employees to ask, "What happens to this data when I leave the company?"

The more intrusive the information (fingerprint, retina scan, country of birth, salary of first "real" job), the more valuable it is—both to the actual person who is attached to the data and to identity thieves. Proliferation of our most private data diminishes the usefulness of that data for identification purposes.

Put another way, information accuracy has more to do with the attributes that IT assigns to user identities than with the actual information supplied by the end user. As identity management applications are put in place, it is essential to also implement policies that mandate a review of the technical procedures.

For example, it should be the responsibility of an organization's IT department to review as frequently as every quarter the scripts used to generate new users. This is because, for all the efficiency and speed that automated systems bring to account creation and deletion, it is imperative to make sure that the correct rights are being assigned to new users. It is all too easy to set up a test account with wide-ranging authority, only to assign that account to new users by mistake. This is also a classic opportunity to work with line-of-business managers to ensure that the accounts that are created actually match the job functions of the people who are receiving the accounts.
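The quarterly review described above can be partly automated. The following is an added example, not part of the original article or of any product it mentions: it compares the rights on newly provisioned accounts against a per-job-function baseline. The job names, entitlement strings and account records are constructed for illustration.

```python
# Constructed sample data: baselines agreed with line-of-business managers.
ROLE_BASELINES = {
    "accounts-payable": {"erp:invoice.read", "erp:invoice.approve", "mail"},
    "help-desk": {"dir:password.reset", "ticketing", "mail"},
}

# Constructed export of accounts the provisioning scripts created this quarter.
PROVISIONED = [
    {"user": "jdoe", "job": "accounts-payable",
     "rights": {"erp:invoice.read", "erp:invoice.approve", "mail"}},
    {"user": "asmith", "job": "help-desk",  # built from a wide-ranging test account
     "rights": {"dir:password.reset", "dir:admin", "erp:invoice.approve",
                "ticketing", "mail"}},
    {"user": "bnguyen", "job": "help-desk", "rights": {"mail"}},
    {"user": "tmp01", "job": "contractor", "rights": {"mail"}},
]


def audit_accounts(accounts, baselines):
    """Return one finding per account whose rights differ from its job baseline."""
    findings = []
    for acct in accounts:
        baseline = baselines.get(acct["job"])
        if baseline is None:
            # No approved baseline: needs a business-owner decision, not a guess.
            findings.append({"user": acct["user"], "issue": "no-baseline",
                             "excess": sorted(acct["rights"]), "missing": []})
            continue
        excess = sorted(acct["rights"] - baseline)   # rights the job does not need
        missing = sorted(baseline - acct["rights"])  # rights the job needs but lacks
        if excess or missing:
            issue = "excess-rights" if excess else "missing-rights"
            findings.append({"user": acct["user"], "issue": issue,
                             "excess": excess, "missing": missing})
    return findings


if __name__ == "__main__":
    for f in audit_accounts(PROVISIONED, ROLE_BASELINES):
        print(f"{f['user']:8} {f['issue']:15} "
              f"excess={f['excess']} missing={f['missing']}")
```

Accounts reported as excess-rights are the ones to walk through with the relevant line-of-business manager, since they are where a test template's authority has leaked into production.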

Finally, nearly every account management tool on the market has a return-on-investment calculator that shows how much an organization can "save" by implementing the product. Before using one of these calculators, IT managers should run some rough numbers to get an idea of the actual costs that go into an identity management system.

Then run the calculator.