Don't Sacrifice Growth for Security
Historically, companies have implemented identity management programs out of fear of what would happen if they didn't. And while the ability to manage who accesses your system is paramount to mitigating risk and complying with regulations, there's a brighter side.
An effective identity management program will cover your security bases while also providing the freedom to grow as quickly as your business will allow. Sun Vice President of Identity Management, Sara Gates, shares her perspective with Boardroom Minutes readers.
Q: What does identity management encompass?
A: Identity management covers people and things. It encompasses managing and knowing about the people you have a relationship with so you can run your business effectively, securely, and automatically.
From an employee perspective, it is about managing the employee life cycle, turning on access for new employees so that they are productive very quickly and turning that access off when the relationship ends.
Many folks think that identity management is fundamentally about security, but it is a business solution as well. The question I pose is, "Why do cars have brakes? It's not so they can stop. It's so they can go fast."
There is a shifting view of security in the business world. Today it's driven by fear and the need for compliance. It's about locking things down and keeping them secure. We are turning a corner in the corporate world, however, where security is becoming the brakes on the car. You put it in place not only to keep things secure but to go as fast as you need to, to drive your online business and partnerships.
We are moving toward no fear. Ten years from now, security in the corporate world won't be driven by fear. It will be driven by a need to accelerate the business at new speeds.
Q: What benefits does an effective identity management program offer and what risks does the lack of one pose?
A: Let me first give you a taste of the market. This is one of the fastest growing enterprise software markets in the world. According to a recent CIO survey, it's one of the next killer apps and is expected to be a $10 billion market in the next five years. It involves the perfect storm of business drivers, combining elements that often contradict each other.
The first pressure is the need to secure your business: lock it down. The second conflicting pressure is the need to open up your business and drive new online business models. You can see the conflict. One of the reasons identity management is so hot right now is because it lets you do both.
From a security perspective, an identity management program provides an essential point of control. It provides reporting and auditing, and you have immediate revocation of an identity problem.
On the openness front, it enables new business models. For companies that are moving into the next generation of online business, identity is an essential component. The next generation of Internet technology is going to be about large, accelerated, trusted networks of businesses that are providing service to every consumer and citizen online.
Identity is essential; you've got to know who is coming in to do business with you. You need to know something about them and their service level. You've got to trust them. Identity management helps you do all of those things. We used to do business on Main Street with a handshake. Identity management lets you do that trusted handshake on Main Street, but in the millions.
From a risk perspective, one of the most significant values that identity management provides is in-depth and immediate knowledge of who has access to what in your company. When a person gets laid off or is under investigation, or they go to a competitor, or a partnership collapses, you can immediately revoke access to accounts across the enterprise.
As an example, a huge telecommunications company had a layoff. There was a systems administrator who had the deepest level root access to a number of the critical systems, including e-mail. The company didn't shut down his account. After he was laid off, he got into the system and deleted every e-mail account, from the CEO to the janitor. Talk about business continuity!
So the risk of not having an identity management program is significant in terms of unauthorized access to business-critical data. Going back to the car/brakes example, the risk of not having effective identity management is that you won't have a good security infrastructure; therefore you won't be able to move as fast as your competition.
Q: In business terms, does that translate to more revenue potential?
A: Absolutely. Two years ago the focus on identity management was on cost reduction. Now we are moving from an ROI focus to a revenue focus. We see more and more companies with a disappearing perimeter: they are outsourcing HR and IT, and they are developing new partnerships, all so that they can go to market more competitively, bring more services to their consumers, bring more partners online, and drive down the cost of the supply chain.
In real business terms it's not just about cutting head count and helping on the efficiency front, it is also about enabling new business models.
Identity management gives you a lot of automation, whether you are automating work flows, business processes, whatever. Another interesting story: one F50 company has hundreds of thousands of employees worldwide. For 40,000 of these employees, the company was writing a check every month to pay for long-distance calling cards, conference-calling, and cell phone accounts.
Every year that equated to $50 million. To add to that, they had no way of knowing when someone left the company, so they didn't know when to turn off those telco assets. By implementing identity management, they were able to tie those telco assets to real hard dollars and were able to cut that telco spend in half, money that can now be reinvested back into the business to drive growth.
Now they can turn on accounts when someone joins the company and turn them off the same business day of their departure.
Here's a revenue-driving example. A large, multi-service financial organization is trying to drive more people to do online banking. The bank is aggregating a number of financial services (e.g., online bill payments, student loans, credit cards) under a single customer portal. It is using Sun's Identity Management Solution to provide Web single sign-on for behind-the-scenes security.
This equates to the brakes for the car, which in this case verifies who the customers are, what they are allowed to do, how much they can be trusted, and how much business they can transact. The company is using this as a revenue driver because they charge for the various services they provide and are in a very competitive environment. In this case, more services drive customer loyalty, which leads to increased revenue and less customer turnover.
Q: What are some of the business drivers for an identity management program?
A: Business drivers include the need for increased security to open up your business, service level agreements with partners and customers, and reduction in costs. And then, lately, compliance. Compliance is like a 100 mph wind behind the perfect storm.
Sarbanes-Oxley is obviously on everyone's mind right now, but there is quite a bit of other legislation (Basel II in Europe and HIPAA, for example), and identity management gets to the root of what all of those have in common.
They're all about data integrity, privacy of personal data, and controlling who has access to what. This legislation is driving companies to change business processes and get better control of their environment.
My personal belief as an investor is that, within five years, all of this legislation will be seen as very positive because it will increase investor confidence. This is good for our economy, even if it's a pain for businesses right now.
This legislation is trying to protect private data and ensure the accuracy and integrity of financial data, and you do that by controlling who has access to what. Identity management tells a company what everyone in the system is doing, and this is why it is being recognized as an essential technology for achieving sustainable compliance.
Q: How can identity management be used as a competitive advantage?
A: It can be used as a competitive advantage in two primary ways. First, by allowing you to offer a new level of service to revenue-driving constituents like partners and customers and, second, by allowing you to open up your enterprise securely, to do business with new partners and customers online.
Each of the big wireless providers is competing for customers by aggregating services on the device. All of the various services they are trying to aggregate in the phone (ring tone, e-mail, etc.) require identity management.
They are competing in terms of who can do what more easily, quickly, and securely in the phone or device. Telco is one area where we're seeing a drive to manage identities as a key to driving new business, though it will soon move to all consumer online experiences.
Q: What risks does identity theft pose, both to consumers and enterprises?
A: One of the greatest risks from an identity theft perspective is from an insider who has unauthorized access to private data that they are going to use and possibly sell.
Identity management constantly checks your environment to see who has access to what. With large enterprises having thousands of independent systems and millions of identities that need to be managed, there has to be an automatic process. It minimizes the risk from the greatest threat population: that of the insider.
An employee is more likely to gain access to financial data than an outsider trying to hack in from their garage. Sun identity management does a great job of controlling and operating access from the inside.
One interesting phenomenon right now is this see-saw tradeoff between privacy and convenience. Which one do you care more about? I think right now, with the rise in identity theft, homeland security, and terrorism threats, as a culture we're shifting to the privacy side and letting this outweigh convenience. And that will ultimately help reduce the identity theft epidemic because we are willing to sacrifice some convenience for privacy and security.
Q: Does the importance of identity management increase as enterprises grow?
A: Yes. I came to Sun via an acquisition. My previous company was very small, only 150 people, but even we had an identity management problem. We couldn't get people set up and turned off as quickly as we needed to.
I think every company has this problem. But the need for automation, security, and the amount of revenue you are going to drive online, all grow as your population grows. It's not quite a linear problem, but it's definitely bigger in the bigger environment.
It's typically the companies with 5000+ users that we see making the investment. But I think we will start seeing an increase in managed service providers like EDS providing out-of-the-box solutions using Sun technology and targeting the small/medium business market.
Q: What is the virtual enterprise, and what role does identity management play in it?
A: I talked earlier about the disappearing perimeter around companies. The way we did business 50 or even five years ago wasn't noticeably different. Today, we are outsourcing HR; we want direct connection to our 401K companies; we are outsourcing IT; we are bringing partners into our daily business.
The perimeter is disappearing. So the virtual enterprise is the notion of the disappearing perimeter and the need to do normal, everyday business in a new way. And the next generation of Internet technology is enabling this.
Q: What is Sun's solution for identity management?
A: Sun has the market-leading identity management technology according to Meta Group, in terms of the life-cycle management of people and things, automating that process, secure turn-off, as well as the world's leading directory server, which is often the key repository of identity data in the enterprise.
We are market and industry leading in terms of standard products in the Web services, Web single sign-on, and federations market. Our Identity Auditor product is specifically targeted at the compliance problem and automating the ongoing compliance processes that companies are now faced with.
Identity management needs often vary depending on what industry you're in. Take a look at Sun's recommendations for improving identity operations in a broad range of markets.
Q: Looking down the road 10-20 years, what will the identity landscape look like, both for businesses and consumers?
A: My prediction is that identity management will be such a major part of our infrastructure that we won't even talk about it anymore. Like the ATM network. When it first came out, it shifted the paradigm of how we managed money, got cash, and traveled.
Identity management is much bigger than this, but it's somewhat analogous. I believe that in 10-20 years there will be a completely secure identity network where we understand customer identities, we know how to do business online securely, and we don't have the eruptions of identity theft. Identity management becomes pervasive, re-usable, consistent. It's just there.
We as citizens will be doing a lot more business online with the government and will reach a point where we're comfortable with the amount of data we're sharing and the amount of services we're receiving.
For companies, identity will enable the next generation of Internet technologies and will look very unlike what we're used to today. If you think about the kids yet to be born, they'll never know an alternative. For them, I think that the privacy/convenience trade-off will be very different. They will be "plugged-in" 24x7. And because of them, unless something really big happens, we are going to shift from the need for privacy to the need for convenience. But that's okay, because we'll have the brakes on the car.
About Sara Gates:
Sara Gates is Vice President of Identity Management at Sun Microsystems and has overall responsibility for driving the Sun identity management vision, strategy, and product line. She joined Sun in December 2003 through the acquisition of Waveset Technologies, bringing more than 15 years of industry experience.
Previously, Gates was the director of product management and product marketing at Waveset Technologies, a leading provider of identity management solutions. Prior to Waveset, Gates acquired diverse experience in market strategy positions at Deloitte Consulting and Microsoft. Gates holds a BBA from the University of Texas at Austin and an MBA from Vanderbilt University, where she is currently President of the Board of Directors.