by Andrew Braunberg

Identity Management: A Market Assessment

Jan 13, 2005 | 7 mins
CSO and CISO | Data and Information Security

The identity management (IdM) market segment encompasses the technical and service infrastructure that allows companies to create, manage, and authenticate user identities and broker services based on the identities for use within an enterprise or in an Internet-based context. The primary foundation for most identity management platforms is a directory or directory service, which lists and organizes users (as well as applications) in a hierarchical structure and serves as a storehouse for identity attributes, including security rights and authentication information. From a functional point of view, identity management involves four major tasks: authentication, authorization, access control, and audit. Identity management thus includes established market segments such as directory servers, certificate authorities, certificate management servers, password management, and single sign-on solutions. Companies build on identity management solutions and tap into larger platforms such as application servers, development tools, and/or integration platforms, although separate market segments cover these areas.

Identity management vendors are currently expanding the footprint of their offerings through internal development, partnership, or acquisition. Vendors expect end-to-end suites to support sophisticated provisioning capability on top of more traditional functionality. Solutions built on Web services will play an increasingly important role in the next few years, as will the advent of “federated” identity management standards that aim to trade identity information among companies and authentication providers to ease application access. Traditional managed PKI vendors, such as Entrust and RSA, are aggressively moving to secure Web services and better reorient themselves as identity management providers.

Professional services play an important role in the rollout of identity management projects. While enterprise IT departments have established and understand much of the underlying technology, specialist providers of corporate planning, market strategy, and security are required to promote and support the business vision enabled by identity management solutions.

Market Review:

  • More for Less: Fear of commoditization of identity infrastructure products (that is, directories and metadirectories) is a factor in product consolidation. The merging of metadirectory and provisioning functionality is most indicative of this trend.
  • Follow the Money: Compliance management is a major growth segment of the identity management market. While the external drivers are new regulatory regimes, such as HIPAA, GLBA, and SOX, the more pragmatic driver is that organizations are setting aside earmarked funds for compliance management. Numerous IdM vendors have made recent compliance announcements, including Courion, IBM Tivoli, and Thor Technologies.
  • Homegrown Provisioning Enters Market: Not every IdM vendor moved into provisioning through acquisition. Interestingly, vendors that took a “build, not buy” route to provisioning (such as Oblix) are beginning to introduce provisioning functionality to their suites. By leveraging Microsoft’s MIIS metadirectory, these vendors are entering the market only slightly behind vendors that acquired provisioning vendors.
  • Would You Like Federation with That?: Support for federated identity management has moved quickly from an interesting feature to a core requirement for IdM engagements. Several vendors report that federation is a leading requirement in the majority of their new business.
  • Web Access Meets Web Services Management: Access control vendors are paying increasingly close attention to Web services management vendors. There is a wide range of relationships, spanning acquisitions (for example, Oblix buying Confluent Software) and best-of-breed partnerships.
  • Endpoint Integrity: Network access and endpoint integrity programs such as Cisco Network Admission Control (NAC) and Microsoft Network Access Program (NAP) are beginning to garner significant industry attention. IdM vendors need to be prepared to expand authentication, authorization and access considerations to devices as well as users.

Near-Term Market Drivers:

  • Continued Commoditization at the Low End: Identity infrastructure components (that is, directories and metadirectories) will continue to feel downward price pressure, particularly at the low end of the market. Vendors will continue to have success, however, in differentiating their products at the high end and charging commensurate premiums.
  • Integrated Suites: Suite vendors will begin to collapse their product sets into a more manageable set of offerings. This will be driven by the commoditization trend noted above, by the more general need to ease deployment and maintenance burdens, and by the need to offer more tangible benefits over best-of-breed vendors than simply providing “one throat to choke.”
  • Market Consolidation: The market will continue to consolidate even as new entrants appear. Computer Associates’ acquisition of Netegrity is the most dramatic recent example. Interestingly, this consolidation will be driven by the need to expand both technological and professional services capabilities.
  • Federated Identity Standards/Secure Web Services: One key way to ensure trusted communities is through federated identities, whereby organizations pass or share user identity information. With this goal, federated identity is a “solution” to developing extra-organizational trust in the spirit of EDI or PKI. There is room for optimism that federation will be more successful than these previous attempts. Competing federated standards will begin to merge in 2005 and federated deployments will accelerate.
  • Virtual Directories: The idea of virtual directories has been around for a while but until recently has not seemed to garner much attention or respect. This is beginning to change drastically, with even mainstream directory vendors (Novell, for example) and access management vendors (such as Oblix) pushing the technology as a solution to the inherent difficulties in physically consolidating directory data.
  • Regulatory Compliance: In the United States, businesses deal with a host of new access control and audit requirements that derive from newly enacted or newly implemented laws and regulations. These include GLBA, HIPAA, Sarbanes-Oxley, and the USA PATRIOT Act. The regulations affect companies across the economy, but are especially important to the financial services and health care industries. Although each piece of legislation was drafted with different objectives, they have similar implications for information security and particularly identity management.

Long-Term Market Drivers:

  • Identity-enabling Security Infrastructures: Identity management solutions will increasingly support broader security infrastructure initiatives. External factors such as compliance management and the expediency of leveraging IdM investments (such as directory services) in vulnerability management and threat protection products will drive this increase. In particular, this will drive additional sales of identity infrastructure products.
  • Enterprise IT Focus on ROI: Coming out of the spending slowdowns that began the decade, companies are no longer writing off IT activities simply as “the cost of doing business.” Rather, companies apply return on investment calculations to infrastructure and operations as part of product and services rollouts. Increasingly, companies will weigh infrastructure investments in identity management against gains in efficiency, productivity, and cost savings made through newly-enabled communications and transaction processes and services. IdM suites will leverage the ROI calculations of numerous point products and further drive considerations of TCO.
  • Data Control Concerns: The flip side of the benefits of highly integrated services is the lost control of proprietary data. The authentication, access control, and audit aspects of identity management infrastructures will continue to be a hot-button topic for businesses. Enterprise wariness about linking too closely with supply-chain partners and erstwhile competitors chilled the growth of B2B trading networks and likewise will play an important role in the adoption cycle of federated identity management systems. Early indications are that in many cases the benefits outweigh the costs when implementing these solutions. Interestingly, organizations use many of the early federated deployments internally.
  • Privacy Concerns: Consumer awareness of privacy issues and concerns about control of personal information continue to grow, particularly with regard to the sharing of health and financial information among affiliated businesses. Some proponents of Web services proffer the same service arguments made by supermarkets and credit card companies – that knowing more about an individual enables providers to offer more tailored services. The same emerging regulations will govern the sharing of consumer information within and among businesses. Identity management systems need the flexibility to ensure varying levels of information control and meet prevailing standards and regulations. Emerging regulations governing access control are in fact driving a completely new class of compliance management products that build on the identity infrastructure.