Forces external to enterprises combined to renew focus on identity management this year. These included an increase in phishing e-mail scams and government regulation, along with maturing identity management products and refinement of industry technology standards.
Many companies—including RSA, VeriSign, Oracle, Microsoft, Sun and Hewlett-Packard—either released new identity products or acquired identity technologies to bolster current products. The result sets the stage for identity management initiatives to take on more importance in the year ahead.
Indeed, IT managers should put identity management at the top of their planning lists. In particular, they should develop an airtight understanding of how mission-critical applications consume identity data. From this understanding should come a schematic of how directory information is being used by applications; how the directory data is being maintained; and how it can be most efficiently provided, protected and updated to meet business needs while also complying with audit and privacy regulations.
As identity management became a more pressing concern, organizations this year worked harder to define where identity information is currently stored, what applications need the data and who in the organization controls the data—laying the foundation for an effective technology deployment, whatever the technology might be.
And there is no doubt in my mind there will be an even greater insistence on effective identity management next year, to control the costs of conforming to now-entrenched federal legislation such as Sarbanes-Oxley and Gramm-Leach-Bliley.
But the story of identity management would be a sad one if it were limited to complying with regulations. This year we saw important milestones, such as the Liberty Alliance Project announcement in August that several companies had participated successfully in the first SAML (Security Assertion Markup Language) 2.0 interoperability tests. The SAML tests showed that it is possible to extend trust-based identity outside the company.
This initial success is important to developing federated identity solutions, through which organizations can lower the cost of creating and maintaining a trusted relationship with other businesses. The IEEE is working hard to ensure vendor interoperability, in part because the technologies included in SAML 2.0 are fundamental to providing Web services by asserting attributes and authorization information.
In addition to the technology developments we saw this year, industry consolidation and new technology announcements point to significant progress that is likely to be made next year. Oracle this year went on a veritable identity shopping spree, gobbling up identity management, virtual directory and enterprise-class user provisioning tools. The integration of these technologies speaks to the industry trend toward considering identity management a basic application feature.
Finally, work on WS-Security and a range of other OASIS specs will continue in the coming year, making it much more likely that Web services will play a role in the ongoing implementation of single-sign-on solutions. Ultimately, WS-Security should let applications secure SOAP message exchanges with encryption and authentication support.
Technical Director Cameron Sturdevant can be reached at [email protected].