By Colin Soutar, CSC
In 2009, we see two main market trends that will continue to drive the deployment of identity and access management solutions (IAM). First, the broad array of technology offerings in this space will be focused very much on the business-rules and compliance requirements of customers. Second, the policies around privacy and personally identifiable information (PII) will continue to mature and be clarified, thereby instilling greater user acceptance.
Business-Rules and Compliance
In the last few years, technology evolution in identity and access management has made great progress through companies’ internal product development and through acquisitions and industry consolidation. In 2009, we expect to see the broad range of offerings produced by this technology evolution being complemented by further clarity of the business rules that govern the deployment of the solutions.
An example of business-rules as a driving force in the IAM industry is compliance to government and industry standards. In fact, IDC reported that 75% of IAM worldwide revenue for 2007 was generated as a consequence of compliance to regulations such as Sarbanes-Oxley (SOX) in the financial sector and Health Insurance Portability and Accountability (HIPAA) in the health sector. For 2009, we expect to see the continued growth of IAM solutions in the health care sector, as governed by the HIPAA regulations.
As the business rules continue to mature, the separate components of identity and access management technology solutions that have been developed to perform operations such as: provision/de-provision users; manage physical and logical access; and support authorization rights and privileges, are being deployed as enterprise business rules. As evidence of this, we look to the many emerging security councils that are addressing cross-departmental management of an employee or citizen’s “identity” within an enterprise – of course, a large-scale example of this is FIPS 201 in support of Homeland Security Presidential Directive 12.
It will be key that corporations and governments take a holistic view on identity and access management solutions. This approach provides not only security benefits – in terms of more robust vetting procedures and harmonized roles across physical and logical boundaries – but also offers savings in terms of sharing user provisioning costs. We will continue to see the employees’ roles and consequent authority being defined across the enterprise in this holistic manner.
A further step in the development of the business rules for identity and access management solutions is the federation of identities – where “like-minded” enterprises can leverage their respective vetting and provisioning efforts. This trend has been evident throughout 2007-2008 and will only be accelerated by a combination of the maturing of the business practices and the economic pressures that will be brought to bear on deployment decisions – which will encourage disparate enterprises to look at sharing costs of vetting and provisioning.
Users and Personally Identifiable Information
As IAM solutions are deployed, there will also be continuing dialogue regarding the interaction of a user and their personally identifiable information. As technologies such as biometrics are used within identity and access management solutions, users become even more aware of the data that they are sharing with an enterprise. In a sense, these technologies make users more aware of the data that they were already sharing – such as credit card numbers, employee numbers and other identifiers. In light of the public’s increased awareness and wariness, it is critical that biometrics be used to offer solutions to protect a user’s personal data.
As the dialogue regarding the user and their personal data continues, this will lead to further clarity on the uses and function of such data and the transparency with which solutions should be deployed. In fact, there may even be a trend whereby the user is empowered to regulate the flow of information in a much more transparent way – receiving notice and being required to give explicit consent when data are used for “extraordinary” transactions.
In particular, the role of biometrics within identity and access management will be clarified as a vetting tool and as a secure authentication mechanism that can be used to authorize and assure transactions. The user’s controlled interaction with their personally identifiable information will enhance the deployment of IAM solutions in health and financial environments and will catalyze further deployments in other sectors.
At CSC, we believe the heart of business value is the creation of trusted identities. The underlying enrollment technology is not the point. Trusted identities are only achieved through the seamless integration of systems, policies and procedures across mission and functional areas.
Achieving that business value requires:
- A robust transformational change program that guarantees stakeholder buy-in and acceptance
- Keen awareness of identity targeted and related technology standards that assure solution flexibility, efficiency, recovery and refresh
- Renewed and integrated business processes for all identity-based transactions designed to keep pace with the evolving privacy and regulatory environment
- Production of auditable artifacts and metrics that demonstrate visible success
The deployment of a successful and lasting identity and access management solution is also dependent on close collaboration with the customer. In particular, it is critical that the current vision and strategy of the customer is mapped directly with the available technology solutions to address access rights, data management tools and authentication mechanisms to create a solution that is forward-looking, robust, consistent with users’ expectations and within budget. The industry is continuing to mature and we look forward to the many interesting opportunities and developments that 2009 will bring.
About the AVISIAN Publishing Expert Panel
At the close of each year, AVISIAN Publishing’s editorial team selects a group of key leaders from various sectors of the ID technology market to serve as Expert Panelists. Each individual is asked to share their unique insight into what lies ahead. During the month of December, these panelist’s predictions are published daily at the appropriate title within the AVISIAN suite of ID technology publications: SecureIDNews.com, ContactlessNews.com, CR80News.com, RFIDNews.org, FIPS201.com, NFCNews.com, ThirdFactor.com, and DigitalIDNews.com.