


by Jonathan Penn

What’s Ahead For Identity Management in 2005

Dec 15, 2004
7 mins
CSO and CISO, Data and Information Security

In 2005, as in 2004, compliance will be the primary driver for enterprise investment in identity management. But new challenges are emerging: the rise in fraud and identity theft, the increasing consumer demand for privacy protections, and the drive by companies to partner with other businesses to interconnect their online services. The pressures behind these new market forces are welling, and attention to them will start to fundamentally shift the direction of the identity management market in 2005.

Regulatory And Customer Pressures Continue To Steer Investment And Evolution

In 2005, we’ll see new drivers shape the adoption of identity management solutions and the evolution of the market.

  • Compliance demands continue to drive security priorities. Compliance initiatives occupy center stage in IT and security projects. A multitude of government and industry regulations are behind the majority of today’s identity management projects. From Sarbanes-Oxley and the USA PATRIOT Act to HIPAA and Visa Account Information Security Standards, a common aspect of these regulations’ security and privacy components is the establishment of proper authentication practices and the appropriate assignment of privileges. Developing, enforcing, and auditing authentication and access control policies is a core element of compliance projects.
  • Consumers have serious concerns about fraud and identity theft. Identity theft is the fastest-growing type of crime in the US. While businesses are still able to absorb the direct losses, consumers are altering their behavior, curbing their online purchasing and use of online banking services.
  • Simple passwords provide inadequate protection. Whoever is accessing your systems, be it employees on your LAN or Wi-Fi network, partners on your extranet, or customers on your commerce sites, simple passwords no longer suffice as a reliable means of authentication. Stronger forms, such as USB tokens or smart cards, may be required to assure the identity of users.
  • Businesses continue to build out and interconnect Internet-based services. Companies are putting more of their services online and are also continuing to connect these services together in novel ways. As a result, there are more identities, coming from more places, and using more varied devices – further justifying identity management.

2005 Trends To Watch In Identity Management

Because of these key drivers, six significant trends to watch in 2005 include:

  • Provisioning takes center stage in identity-enabled architectures. Provisioning directly addresses key compliance concerns around documentation, enforcement, and auditing of security controls. The primary value of provisioning has shifted from the ROI around self-service password reset and IT efficiency improvements to the policy enforcement and auditability around role-based access controls and centralized process management. Provisioning has eclipsed Web single sign-on in terms of both visibility and import.
  • Enterprise single sign-on (E-SSO) comes of age. Auditors are telling companies that they need greater assurance as to who is accessing their computer systems. HIPAA and Sarbanes-Oxley are driving organizations to adopt strong authentication technologies like smart cards and biometrics, or simply to strengthen their password policies.

    E-SSO solutions have matured greatly and are deservedly getting a new look after a long period of neglect. Organizations are beginning to adopt them in recognition that E-SSO is both a prerequisite and an enabler for successful implementation of strong authentication. It is one of the fastest-growing segments of the identity management market.

    Federation in a B2B environment isn’t just about single sign-on: it has an important compliance component that reduces user administration efforts, thereby ensuring that only authorized external users access Internet-facing services.

  • Identity-based computing starts to become real. The concept of “identity” is not restricted to people. Devices, applications, and physical assets comprise additional identities to manage in an increasingly networked, interconnected, and always-on world. During the next year, we’ll start to see identity management tools and practices applied to a broad range of challenges that are not people-centric. This spans technologies as broad as Web services security, Trusted Computing, RFID deployments, and smart homes.

How Identity Management Will Adapt To Natural Shifts In Security Priorities

Most companies wrestle with similar security challenges at about the same time, meaning that larger security market trends follow a natural order. This order manifests as a continuing cycle of authentication, authorization, administration, and then audit. Thus, the adoption of security technologies follows this pattern.

Identity management has successfully adapted to these shifting priorities. It has retained high interest as attention has moved from the build-out of eBusiness, to efficiency and cost-cutting, and now to compliance. In 2005, we’ll start to see market interest shift once again to focus on the issues of fraud, theft, and privacy. This will manifest first in the realm of authentication and account protection, then in the realm of authorization and data protection (see Figure 1).

[Figure 1]

  • Identity federation moves out of the test lab. Today, federated identity (a.k.a. Internet single sign-on) is still a bleeding-edge technology adopted mostly by mobile carriers and manufacturing supply chains. In 2005, it will firmly enter an early adopter phase with deployments targeted at financial services firms, government services, employee benefit portals, and healthcare.
  • Strong authentication goes consumer. The best defense against identity theft and account fraud comes in the form of strong authentication for consumers. AOL recently offered its customers better security over their ISP accounts through a partnership with RSA Security.
  • Content security evolves into identity information protection. Account hijacking isn’t the only way to steal someone’s identity. In fact, most identity theft is due to insider attack. The most customer-responsive organizations will implement security technologies that protect customer data. These are the next-generation content security products and include the perimeter scanning of Reconnex, Vericept, and Vidius, the desktop monitoring of Orchestria and Verdasys, and the server-level protection of IBM, Tizor Systems, and Vormetric.

What It Means

  • Continued market demand fuels further consolidation. Despite two successive years of acquisition activity, 2005 promises further consolidation. Identity management will evolve towards a well-recognized layer of the computing stack, and vendors will develop broad portfolios of integrated components.
    • Big vendors battle for market supremacy. The major application platform and systems management vendors will start to dominate the landscape, pushing aside or absorbing many of the little guys. Expect Hewlett-Packard, Microsoft, Oracle, and SAP to make big investments in this area during 2005. Meanwhile, BMC Software, Entrust, IBM, RSA Security, and Sun Microsystems will be solidifying and expanding their positions.
    • Identity management vendors rediscover E-SSO. Long the forgotten stepchild of identity management, E-SSO is getting a lot more attention. Not only is it being rediscovered by end user organizations, but also big vendors will step up and acquire independent solutions after a long period of loose partnership activity.
  • Federation is the killer app for strong authentication. The value of account protection is bolstered by a network of trust. Isolated instances of strong authentication aren’t enough to protect consumers. That greater level of identity assurance must be leveraged, and identity federation presents itself as the key to enabling strong consumer authentication. For example, even a retail powerhouse like Amazon won’t be giving its customers tokens to log in, but it can protect their accounts by offering to lock out access except through federation from another site offering strong authentication, such as their bank or ISP.


  • When it comes to vendor selection, think big. Give vendor factors consideration equal to product features. The pace of acquisitions will persist, large vendors will integrate their portfolios, and products are maturing. Thus, organizations mapping out their identity management strategies will have to be more considerate of vendor viability and product stability factors rather than just performing feature comparisons.