Identity management is hot! Compliance with industry regulations, such as the US’s Sarbanes-Oxley and the UK’s Companies (Audit, Investigations and Community Enterprise) Bill, has undoubtedly raised the temperature; meanwhile the seemingly daily occurrence of identity data loss has fuelled the flames, whether through theft or negligence, exemplified by the recent troubles at the UK’s Department of Work and Pensions. These are, however, just a high-profile subset of a broad range of business requirements where identity management has a critical role to play. The processes and technologies which manage the lifecycle of digital identities and policies and their application in the establishment of trust between parties are essential for a variety of enterprise initiatives. SOA-based approaches; increasing the operational efficiency of IT and business personnel; making information accessible beyond corporate boundaries; inter-enterprise collaboration; online service provision… identity is at the heart of all of them.
This opportunity has not been lost on the major vendors who are aggressively moving in. The last couple of years have seen significant acquisition activity from the likes of BMC, CA, HP, Oracle, Sun and Microsoft. At the same time, start-ups continue to emerge looking to exploit new opportunities in areas such as strong authentication and compliance.
One could be mistaken for thinking that all of this activity is indicative of a raft of shiny new technology. The reality is somewhat different. Many of the elements of identity management are well understood: authentication and credential management, authorisation and access control, directory, lifecycle management, and logging and audit. The problem is that current identity management technologies and the way they are applied just do not stand the test of the fast-changing business environment. The reality for many organisations is that they have multiple, siloed identity management solutions, alongside a set of fragmented identity management capabilities locked away in a wide variety of business applications and data repositories. This must change.
Meanwhile, technology adopters are being subjected to significant amounts of hype. The big vendors are all now claiming to offer integrated “identity management suites” (in part to paper over the acquisition cracks). These claims must be treated with some healthy scepticism. Adopters need to be asking some tough questions. Does the suite have a common management console? Is there a unified policy-based control framework? How is it secured? I could go on. At the same time, there is much discussion of standards—SPML, SAML, XACML, WS-*, Liberty Alliance… The reality is that it is still early days and it's premature to make hard and fast choices for the long-term.
To resolve these issues, there is a growing requirement for identity management to be treated architecturally. Such an architecture needs to be identity- rather than resource-centric; it must be service-oriented with capabilities delivered as part of the infrastructure, and controlled through business-meaningful policies. It must recognise the reality of distributed environments, in IT and business terms, with a federated approach. Finally, it must be based on open standards, given that no one vendor can satisfy all of the requirements and because solutions must span a heterogeneous environment, potentially across organisational boundaries.
It’s not just a technology problem though. There are numerous stakeholders, from both business and IT, including third parties. They all need to be involved, to enable a clear understanding of the business objectives, benefits and risks as input to any business case. Without these, the investment and commitment required for success will not be forthcoming.
At the same time, enterprise customers must avoid the temptation to “boil the ocean”. Scope initial projects carefully and look for quick wins. Get the stakeholders engaged early. Consider identity management in the context of risk management and as part of broader enterprise architecture and SOA initiatives. Finally, recognise that technology and standards are immature and factor that into technology choices, using the framework as a guide.
For a more in-depth analysis of these issues download our free report Identity management: an architectural foundation for business value.