Management becomes more difficult when organizations keep identity information in two different stores with contradictory data. For instance, an address may be updated in HR but not in the corporate online listing. And as the industry focuses on federated identity, which allows for the secure sharing of identities across domains, organizations that once managed only employees will have to address external identities, including those of vendors, resellers and partners. Because federated identity is in its infancy, chances are that systems implemented today will change greatly in the coming months and years.
Web access control deals with authenticating and authorizing individuals by providing controlled access to Web resources. Web access-management systems generally offer an SSO (single sign-on) component for one-time authentication. The system maintains a user's credentials as he or she attempts to access resources inside and outside the organization. Implementing SSO is often a long-term goal rather than a short-term reality because of the complexity of integrating diverse and possibly legacy applications. The best most organizations can expect is reduced sign-on--fewer logins.
Because of provisioning difficulties, it's common for new hires to wait longer than 24 hours for their digital identities to be created and for appropriate access to resources to be granted. Provisioning is usually trickier from a business perspective than from a technology perspective because companies often have no idea who is in charge of managing resources and who is responsible for the audits and assumed risks. Provisioning systems can simplify and centrally manage the process of granting or denying access to resources. The provisioning components we tested let users self-register and support the creation of an approval workflow for granting access to new accounts.
Delegated administration lets organizations entrust business units or even partners with managing a subset of users or tasks. By decentralizing control, organizations can alleviate identity-management bottlenecks. There are at least two roles in this process: the person who signs off from the business perspective and the person/mechanism that physically grants access.
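The provisioning and delegated-administration flow described in the two paragraphs above, as an added example that is not code from the article or from any product it reviews: a self-registered request must be signed off by a delegated approver of the owning business unit (never by the requester), and only an approved request can be physically granted. The business units, resource names and approver identities are constructed assumptions.

```python
"""Provisioning workflow: self-registration -> business sign-off by a
delegated administrator -> access grant. Constructed example; the business
units, resources and approver names are assumptions, not real data."""
from dataclasses import dataclass, field

# Delegated administration: each business unit entrusts named approvers
# with signing off requests for its own resources only (assumption).
DELEGATED_APPROVERS = {"finance": {"fin-mgr"}, "sales": {"sales-mgr"}}
RESOURCE_OWNER_UNIT = {"ledger-app": "finance", "crm": "sales"}

@dataclass
class AccessRequest:
    requester: str
    resource: str
    state: str = "pending"
    history: list = field(default_factory=list)  # audit trail of who did what

def submit(requester, resource):
    """Self-registration: a user asks for access to a known resource."""
    if resource not in RESOURCE_OWNER_UNIT:
        raise ValueError(f"unknown resource {resource}")
    req = AccessRequest(requester, resource)
    req.history.append(("submitted", requester))
    return req

def approve(req, approver):
    """Business sign-off role: only a delegated approver of the owning unit,
    and never the requester (keeps the two roles separate)."""
    unit = RESOURCE_OWNER_UNIT[req.resource]
    if req.state != "pending":
        raise PermissionError(f"request is {req.state}, not pending")
    if approver == req.requester:
        raise PermissionError("requester cannot approve own request")
    if approver not in DELEGATED_APPROVERS[unit]:
        raise PermissionError(f"{approver} is not a delegated approver for {unit}")
    req.state = "approved"
    req.history.append(("approved", approver))
    return req

def grant(req, entitlements):
    """Granting mechanism role: refuses to act without business sign-off."""
    if req.state != "approved":
        raise PermissionError("grant without business sign-off")
    entitlements.setdefault(req.requester, set()).add(req.resource)
    req.state = "granted"
    req.history.append(("granted", "provisioning-engine"))
    return entitlements
```

The audit trail in `history` is what answers the "who is responsible" question the article raises: every grant can be traced back to a named business approver.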
Federated identity is the infrastructure wave most vendors hope to ride for the next several years. FIM (federated identity management) lets companies share identities securely, giving employees, customers and partners access to systems and resources throughout the supply chain. FIM is more than a technology--to reap its benefits, organizations must have the appropriate policies, procedures and trust agreements in place.