Identity Management Comes to Forefront as Data Losses Mount
by Alex Woodie
Software vendors are responding to the rash of high profile data losses by large corporations and the exploding problem of identity theft with new products designed to lock down access to business applications. IBM, BMC Software, and M-Tech introduced new single sign-on (SSO) and user administration products last month as companies look for ways to control access to data and applications.
In the recent past, the gory details of major security lapses at American corporations were rarely reported. Security software vendors occasionally would describe how clients had lost data or been hacked, but it was taboo for the vendors to name names, and the lack of crucial details (specifically, the names) made the stories vague and limited the ability of journalists and others to confirm the data loss.
Today, we're inundated with a new case of corporate data loss on seemingly a weekly basis. The details of the losses of major corporations--like Bank of America, CitiGroup, and a MasterCard affiliate--are splashed across the front pages of newspapers, and millions of consumers are left wondering whether their private data has been lost, too.
It's not just the loss of a few rows or tables in a database, or a missing backup tape or two. The private information of tens of millions of Americans has been compromised, as organized crime has made its way into cyberspace, led by Russian and other Eastern European groups, government and industry authorities have said.
According to the Federal Trade Commission, 9.3 million people in the United States were victims of identity theft last year, while a recent survey indicates the dollar impact of this form of crime was $52.6 billion in 2004, according to IBM. Identity theft has become the fastest growing crime in the country, according to Newsweek. B2C commerce is down. People are not as comfortable banking online.
Now, politicians are talking about what needs to be done about this. Just what we need, you say, after the billion-dollar frauds perpetrated by Enron, WorldCom, and the like sullied the reputations of thousands of otherwise upstanding corporate citizens and subjected all public companies to what some have said is needless oversight and wasted effort in the form of the Sarbanes-Oxley Act. Legislators are talking about new regulations to ensure the security of consumer's data, or to require corporations to pay for the cost of data loss. Almost guaranteed at this point is a national law that mimics California's SB 1386, which requires organizations to inform California citizens if their private data has been compromised.
While politicians discuss such moves, IT shops can protect themselves in the meantime by restricting access to applications, and basically becoming best-practices bastions. One way organizations can ease the administration of maintaining strict access to multiple applications and data sources is through a federated identity management suite, which in most cases incorporates a form of single sign-on (SSO) technology. Here's a run down-down on the latest news of three SSO products that support the iSeries.
Tivoli Identity Manager
IBM is making the case for protecting important assets from hackers and loss of data by using Tivoli Identity Manager Version 4.6, which is slated to become available this quarter. "The protection of a firm's reputation and brand is directly linked to the secure management of data, the applications that use that data, its people and assets," says Cal Slemp, vice president, security and privacy services, IBM Global Services. "Companies should embrace a holistic approach to evaluating and ensuring their business is secure."
Tivoli Identity Manager, which supports OS/400 and other major operating systems through optional adapters, is designed to automate the manual process IT shops must go through to set up new accounts and passwords for employees and customers, including the capability for users to reset and synchronize their own passwords. The software also makes it easier for users to demonstrate who has access to what, and how those policies are handled, IBM says. With version 4.6, IBM has added a preview function that shows administrators how making changes will affect systems, as well as new predefined reports.
BMC Identity Management Suite
In late June, BMC unveiled its three-part identity management blueprint to bring forward all its identity-related products, including products from two recent acquisitions. The Identity Management Suite plans call for helping administrators link what BMC calls "user populations," which include employees, partners, suppliers and customers, to the various processes, systems, and business services they need access to. As a result, Identity Management Suite users can comply with regulatory mandates and protect sensitive information.
The first phase, the delivery of the Identity Management Suite, unites the acquired technologies, including OpenNetworks' browser-based authentication and authorization products, and Calendra's workflow and directory components of identity management, with BMC's existing products, including CONTROL-SA, and delivers a common interface for the five components, which include directory management and visualization; access management; password management; user administration and provisioning; and audit and compliance management. BMC acquired Florida-based OpenNetworks for $18 million in March, while it completed the $33 million acquisition of Paris-based Calendra in January. The Identity Management Suite is available now, and supports OS/400, a BMC spokeswoman says.
Phase two will see even deeper integration of the Identity Management Suite products, a Web-based interface, and new products, including BMC Compliance Manager, which will provide a common view of user profiles across systems; BMC Federated Identity Manager, which will extend identity management capabilities outside the user's organization; and BMC Identity Discovery, which will help track users' identities, user profiles, and what they can access. Phase two products are due this fall.
Phase three, which is planned for 2006, finishes the integration across the five areas, and delivers an API for extending the products' capabilities outside the user's organization.
BMC made its identity blueprint announcement a day before announcing financial results for its fourth quarter and fiscal year 2005, which ended March 31. For the quarter the company had $395.1 million in revenues, a decrease of 1 percent, on net earnings of $15.5 million, a 58 percent drop from the fourth quarter last year. For the year, the company had almost $1.5 billion in revenues, an increase of about 3 percent from the previous year, on net earnings of about $75 million, a strong turnaround from the nearly $27 million loss the previous year. Its stock subsequently raised about $1, or more than 5 percent, in value to more than $18.
M-Tech ID-Org and P-Synch/SSO
Another vendor of identity management software that supports OS/400 is M-Tech. The Calgary, Alberta, company is currently developing two new products that can address the problem of access to information. The first new product, called ID-Org, will help with user provisioning and access certification by making it easier for users to build and maintain accurate and complete information on employee reporting lines within the organization. The second new product in development, called P-Synch/SSO, will unify the company's password synchronization and single sign-on capabilities. P-Synch/SSO is currently entering beta tests and should be available in the fourth quarter.
M-Tech had record sales during the first half of 2005 as companies look to streamline access to their applications. Some of the organizations licensing M-Tech's software include Blue Shield of South Carolina, Embry Riddle Aeronautical University, JetBlue, Northrop Grumman, and Merrill Lynch.