
Identity and Access Management

Date: Jun, 2006
Pages: 360
Price / format: £995 / PDF; £1045 / PRINT





Abstract:

The first principle of IT should be that if you collect and hold information about anyone or anything, you are responsible for the upkeep and protection of that information. For all public and private sector organisations that have become very adept at capturing large volumes of data relating to their business activities and the customers that they serve, accepting responsibility for that data is the easy part. However, maintaining its integrity and ensuring that it is not allowed to fall into the wrong hands is an entirely more complex matter.

Business success and the efficiency with which successful organisations drive the delivery of their operational services is empowered by the availability of information - providing the right information to the right people at the right time - but the most significant challenge that all organisations face today is one of maintaining control. There is a need to build trusted environments where the identity of each user can be proved before access rights are granted. These must be trusted environments where customers and citizens can gain on-request access to personal and account information, without running the risk of falling prey to identity theft; where employees are able to gain unencumbered access to corporate networks, systems, and applications, irrespective of where their chosen place of work happens to be; and where business partners and suppliers can be provided with certified access channels to collaborative information sources.

This is the scope of the information control and identity management challenges that face all public and private sector organisations today. Business organisations must be capable of setting and achieving an acceptable balance between information availability to support day-to-day operational activities and the information protection requirements of the business itself, its customers, and regulatory bodies that dictate how it should perform its duties. In support of all of these high-profile issues, I&AM technology represents the one constant element that has been, and is being, used to deal with the 'WHO GETS ACCESS TO WHAT INFORMATION' factors.

Whoever we are, whatever our role within an organisation, we all make use of our identities to authenticate ourselves to public and private information services. We make requests, pay for goods, and add to the information silos that commercial organisations maintain. Through the use of 24x7 real-time access systems, our information access expectations, from both business and private perspectives, have grown to such a high level that the identity management, authentication, and access control systems that organisations have put in place must continue to grow and evolve simply to keep pace.

The scope and the requirement to manage user identity has evolved so much over the last three years that integrated I&AM solutions are needed in every business sector in order to support normal operational activities. Organisations used to be able to get away with using simple authentication tools - passwords provided the keys to the kingdom - but today, due to the security and compliance risks involved, this can no longer be the case. There is now an urgent need to integrate the solutions that link together identity management, user authentication, and access controls. Users demand single-source access to an ever widening range of systems and applications, and they do it in the knowledge that any perceived service restrictions can be firmly laid at the door of their service provider or business partner. The response from both the public and private sectors has to be to provide authentication and access control solutions that match the expectations of their users, but at the same time ensure that all elements of the business remain properly protected.

Business Issues

If you are a bank or an insurance company the communications revolution that arrived when the Internet era began, and was further enhanced through the use of broadband services, opened up a range of new, cost-efficient, self-service business channels. This also proved to be the case for a wide range of other business verticals including retail and eGovernment. Furthermore, as the Internet business model is both open and ubiquitous in its value as a communications channel to business, it enables information users of all types to make systems access requests from pretty much any location they choose.

However, as the business community has found to its cost, the systems access channels that it chooses to use must be secure enough to support the requirements of its users. Open access to authorised systems can only be made available if the correct levels of interrogating security exist. Every open door that provides an invitation to corporate information systems also brings with it new access and information control responsibilities that cannot be ignored.

In addition, internal and external business collaboration factors have also combined to create an environment of broader integration across systems and networks. This effect is compelling organisations to look at making better use of I&AM solutions in order to deal with valid employee and partner requests and at the same time to repulse the unwanted access demands that can now so easily be made against their systems. Not only does the required response demand the use of joined-up technology systems, it also brings together the need to draw in the use of authentication-related policies, corporate procedures, risk management factors, and regulatory compliance requirements.

The real value-to-business proposition that the integrated use of I&AM can deliver comes from the technology's ability to deal with all the key identity, sign-on, authentication, provisioning, access control, and administration issues, and to deliver these as a service that can be tailored to meet the needs of all user groups. The components that each organisation will select as being appropriate to its business needs can vary quite significantly. What is seen as a key authentication tool in one area of the business may be seen as overkill in another. Achieving an environment where all remote users are provided with secure and seamless access may be important to some business operations, whereas to others, where all users are office-based, the overall I&AM control requirements would be quite different.

The facilities that I&AM is capable of delivering, and the protection and operability services that it is able to provide, need to be focused towards the requirements of the business: its day-to-day operational processes, its policy on risk, the individual and collective requirements of all its users, and the protection needs of the information that it holds. This Report provides detailed evaluations and comparisons on many of the industry's leading technology solutions. From a business perspective these evaluations highlight what is good and what is bad about the way that the I&AM sector delivers its services, and how it deals with important Return On Investment (ROI) issues, such as reducing administration and management costs through the automated use of provisioning and password management systems.

Technology Issues

The role that I&AM is being asked to fulfil is that of a technology policeman - individual organisations determine which users should be allowed to gain access to each of their systems and applications, and then they utilise the core elements of the technology to ensure that the required controls and access services are delivered. There are areas within the I&AM model where standard services that deliver an industry focus are relevant, but each deployment needs to be delivered based upon its own requirements specification. This approach is the correct one for I&AM, but also causes a number of problems.

The I&AM industry as a whole has gained a not unfair reputation for being over complex in its approach to product delivery, and over burdensome in its cost overheads and project timescales. Part of the problem relates to how such solutions are being packaged for delivery, but there is also a need to accept that another part of the problem lies with the complex nature of the enterprise systems and networks that need to be supported - gaining stricture and control over user identities and how they are controlled and managed is not a straightforward task.

Today we are left with an I&AM industry that still looks over complex in its delivery style and continues to send out mixed messages about the way forward. For example, Microsoft and RSA persist in telling the world that the continued use of passwords represents an inherently insecure approach to user and systems protection, and yet even after all this time, and all the problems that the use of passwords as a first-line authentication tool has caused, password management and password synchronisation remain core components of most I&AM justification and ROI models.

Single Sign-On (SSO) is seen as a core component that delivers I&AM security and business efficiency, yet where are the minimum standards that are required to deliver SSO as a service? In Butler Group's opinion SSO that is delivered with a lax supporting security model - inappropriately factored authentication or as a password-centric offering - represents an open door to corporate malcontents.

Two-factor authentication is often referred to as the holy grail of I&AM; certainly it is seen as providing strong access controls, yet little seems to have been done to ensure that each factor of the authentication model adds real value in terms of the extra layer of security that it is supposed to provide.

In Butler Group's opinion, the way forward for I&AM is for it to be supported by a clearer, more focused technology delivery model, one that can be fully understood by the organisations that need to use it, and one that is supportable from a business standpoint through its ability to deliver tangible end-user benefits.

Market Analysis

It is now almost three years since Butler Group last produced an in-depth Report on I&AM (September 2003), and within that timeframe the shape of the I&AM industry has altered out of all recognition. This is true both in terms of the vendor landscape and the scope of the technology solutions on offer. Key vendors have disappeared from the scene. For many - including Baltimore, Netegrity, Oblix, and Thor - their best-of-breed technology lives on under different covers. For others, such as BMC, CA, HP, and Novell, that three years ago provided somewhat disconnected, point-based solutions, the time has been well spent in developing or acquiring and integrating additional I&AM components.

What we are now left with is an I&AM industry that overall is stronger because of the consolidation that has taken place; sturdier because of the continued presence of established players including IBM Tivoli, CA, RSA, and Sun; functionally richer because of the entrance of newer players such as Oracle, and the growing presence of Avatier and Entrust; and more well-rounded because vendors such as Bull Evidian, Encentuate, and Passlogix continue to compete within their own areas of expertise. In terms of the I&AM vendor community, those vendors that have been included in this Report for Technology Audit comparisons represent a strong and significant percentage of the I&AM sector's leading players.

There are many compelling factors that are driving the I&AM sector forward; some are positive, such as the technology's ability to improve business continuity by facilitating controlled access from a SSO foundation to a wide variety of otherwise unconnected systems. However, some elements are less positive, including the fear factor issues such as identity and information theft being at an all time high and threatening the very future of e-business trading, and the compliance and regulatory drivers that almost dictate that organisations cannot operate securely without having some form of proven I&AM controls in place.

Summary

To date, business has struggled to get to grips with the proper use that should be made of I&AM. It is still seen as a protection commodity, deployed to deal with specific security issues, rather than as the enabler of business services that it must become.

The efficient management of identity and associated access control issues is of pressing concern for all security-conscious organisations, irrespective of their size or business focus. They all struggle to identify and control who gets what access to their IT systems. The onus of regulatory compliance has added further pressure, to ensure that identity can be managed effectively, not just in terms of getting the job done but also by being able to prove that adequate levels of protection are being applied.

Overall, the I&AM market has seen significant consolidation over the three years since Butler Group's last Report on the subject was published. Niche players have given way to the acquisitive overtures of the systems heavyweights who continue to dominate the sector. Over the next twelve months we expect to see further acquisitions taking place as the big players ramp up their I&AM investments, but as I&AM remains as the security sector to be in, we would not rule out further incursions from external sources.

Key Findings

  • Identity and Access Management (I&AM) lays the foundations for the building of a trusted environment. Butler Group believes that it is essential that companies move to an identity-centric approach, where the focus is on authentication to reduce risk, rather than relying on the current mechanisms of perimeter control and detection.
  • The move to Internet-based business processes and a collaboration framework means that it is not a question of if, but when, enterprises must implement integrated security solutions that are based on the principles of identity and trust.
  • I&AM solutions must relate clearly to business requirements, and avoid the nightmare scenario where users are hindered rather than empowered by the technology.
  • The goal for I&AM is to deliver that balance between the needs of authorised users for open information access and enterprise information privacy.
  • The most significant challenge that all organisations face today is one of maintaining control. There is a need to build trusted environments where the identity of each user can be proved before access rights are granted.
  • Good quality I&AM acts as a corporate policeman - it determines rights of passage, directs the traffic flow by enabling authorised users to have access to business information, but above all it provides the locks and the keys to corporate systems and networks.
  • Identity theft is at an all time high; companies must use secure authentication techniques to ensure that customers that transact business on-line are not exposed to additional risk.
  • Business has struggled to get real value from I&AM because it is still seen as a protection commodity, deployed to deal with specific security issues, rather than as an enabler of business services.
  • Organisations dealing with sensitive information can no longer get away with insecure, password-based authentication. Compliance obliges organisations to prove that adequate levels of protection are being applied.



Table of contents:
  • Section 1: Management Summary
    • 1.1. Management Summary
  • Section 2: Business Issues
    • 2.1. Report Objectives and Structure
    • 2.2. Safeguarding and Enabling Business Systems
    • 2.3. Dealing with the Management of Identity
    • 2.4. Examining Vertical Business Issues - I&AM Business Requirements
    • 2.5. Operational Case Studies
  • Section 3: Technology Issues
    • 3.1. Identity Management Technology
    • 3.2. Authentication Technologies
    • 3.3. Password Management and Systems Synchronisation
    • 3.4. Single Sign-On
    • 3.5. Access Control
    • 3.6. Provisioning and De-provisioning
    • 3.7. Administration and Policy Management
    • 3.8. Standards Bodies and Standards in Practice
  • Section 4: Architectures and Models
    • 4.1. Building an Effective I&AM Strategy
    • 4.2. Architecture - The Butler Group Model for I&AM
    • 4.3. Deployment - Delivering a Successful I&AM Strategy
  • Section 5: Market Issues
    • 5.1. Market Analysis
    • 5.2. Market Drivers
    • 5.3. Market Direction
  • Section 6: Tables
    • 6.1. Butler Group Identity and Access Management Features Matrix
    • 6.2. Butler Group Identity and Access Management Product Capability Diagrams
    • 6.3. Butler Group Identity and Access Management Market Lifecycle Ratings
  • Section 7: Vendor Comparisons
    • 7.1. Product Comparisons
    • 7.2. Comparison of Vendor Strategies
  • Section 8: Technology Audits
    • Avatier Corporation - Avatier Identity Management Suite 7.0
    • BMC - BMC Identity Management
    • Bull Evidian - AccessMaster version 7.0.1
    • CA - Identity and Access Management Suite
    • Encentuate - Encentuate TCI version 3.0
    • Entrust - Entrust IdentityGuard and GetAccess
    • Hewlett-Packard - OpenView Identity Management Suite
    • IBM - Identity Management
    • Microsoft - Identity and Access Architecture
    • Novell - Novell solutions for Security & Identity
    • Oracle - Identity and Access Management Suite Release 10gR3
    • Passlogix - v-GO Single Sign-On Platform Version 5.04
    • RSA Security - Identity and Access Management Suite
    • Sun Microsystems - Identity and Access Management
  • Section 9: Vendor Profiles
    • ActivIdentity
    • Aladdin Knowledge Systems
    • Cisco Systems, Inc.
    • Citrix Systems, Inc.
    • Courion
    • CRYPTOMAThIC Ltd.
    • Cyber-Ark
    • Cybertrust
    • Entegrity
    • GeoTrust
    • Imprivata
    • Juniper Networks
    • LogicaCMG
    • M-Tech
    • Nexus
    • Open Systems Management (OSM)
    • Ping Identity
    • Pointsec
    • PortWise
    • SafeNet
    • Secure Computing
    • Siemens
    • VeriSign
  • Section 10: Glossary




