Like most of us, you"re accustomed to being recognized. The folks at your local char tan teng know what you prefer for breakfast, and your dog instantly recognizes your voice when you discover the mutt nose-deep in the rubbish bin.
But electronic identities are different. Proving your identity across a network is a critical component of electronic security. And in cyberspace there"s no friendly canines to sniff out your packets and authenticate them.
Identity and access management (IAM) is a subset of an enterprise"s overall security strategy. All security schemes require a holistic approach -- installing a complex biometric-operated lock on your top-secret laboratory door isn"t much use if the technicians are sneaking out the back every time they want a double-espresso.
Growth area
"Identity management is a hot growth area within the security software market in Hong Kong," said Ethan Pike, senior analyst of software research for IDC Asia-Pacific. "A number of vendors see IAM as a good market opportunity, being driven -- in part -- by the increasing importance being placed on enterprise requirements, corporate governance, and compliance issues (Basel II and Sarbanes-Oxley) around managing content and data.
"As a result," said Pike, "vendors are looking to push further into the space."
According to Pike, the high concentration of multinational companies in Hong Kong means that there"s a higher awareness of IAM"s importance at the top echelons of Hong Kong business. He added, "IAM vendors, at this point, are largely targeting the enterprise-level customer, or those customers with large numbers of system users and more complex user validation and user provisioning environments."
"The more developed IT markets in the region, such as Hong Kong, Singapore, and Australia, are more aware of the need for effective IAM solutions to counter various problems that arise in relation to user identification and system access, like former employees with active access codes and accounts," said Pike.
"However, vendors are turning more and more towards the markets of China and India," he said, "given the importance countries are placing on developing their corporate governance and compliance environments, as well as the relatively low level of product penetration."
IAM through acquisition
One vendor"s approach: Oracle"s recent purchase of U.S.-based Oblix is part of a movement among major IT vendors to address growing user demand for identity and access management software, according to IT analysts.
The acquisition gives Oracle a range of software supporting capabilities, such as single sign-on and federated identity management. Oblix has about 100 employees and claims more than 150 customers, including Boeing, Burger King and Coca-Cola.
The Oblix software complements a set of tools that Oracle already sells and will allow it to offer users identity management functionality for non-Oracle applications, middleware and databases, said Thomas Kurian, a senior vice president at the software vendor. That includes the PeopleSoft and JD Edwards applications that Oracle acquired earlier this year, Kurian said.
Oracle"s acquisition plays into a growing corporate interest in tools that combine access control for Web applications with functions for administering the separate identity credentials associated with legacy applications running on mainframes and other systems, said Gartner analyst Roberta Witty. "The need to comply with regulations is forcing identity and access management to the forefront at every organization," said Witty.
"Companies in Hong Kong are acutely aware of the problems with poor identity management," said Lionel Louie, director of sales consulting for Oracle application server, Oracle Greater China. "The increase of identity theft whether from phishing or hacking have heightened awareness and demand for better safeguards on private and restricted data."
Acquisition frenzy
Oracle is the latest in a line of large vendors that have recently augmented their identity management capabilities through acquisitions. In March, BMC announced that it had bought OpenNetwork Technologies, a vendor of Web access-control and single sign-on tools. This followed a January deal in which BMC acquired Calendra, a Paris-based developer of federated identity management software.
Last November, Computer Associates purchased identity management vendor Netegrity and last month, CA said it had bought software for identifying and deleting obsolete or rogue user IDs on mainframes from InfoSec. In addition, IBM, Sun and HP have all made identity-related purchases over the past two years.
"Clearly, ID management is becoming a big-company market," said Phil Schacter, an analyst at Burton Group in the U.S.. He added that small vendors "have difficulty growing fast and investing in the marketing infrastructure to be able to compete with the likes of CA and IBM."
Louie said that his firm"s identity management technology would help provide the adequate internal controls around financial reporting required for regulatory standards compliance.
Compliance, SMBs, privacy issues
"For the first time, Europe is exceeding identity management growth over other regions," Sara Gates, VP of identity management marketing for Sun Microsystems.
Sun"s Java Identity Auditor, rolled out in the U.S. in late January, allows companies to audit individuals" system-access activities.
Many European organizations face complex issues, such as requirements for complying with cross-border regulations and the need to manage geographically dispersed staff, and these areas present new opportunities for Sun, Gates said. So too do European government and private-sector organizations that are seeking to address issues like migration, health care and e-government using identity management.
That said, small and medium-size businesses, which make up over two-thirds of the European market, require packaged identity management offerings that can automate a variety of business processes across borders, Gates noted. Sun is likely to target them with products like Auditor, which offers features such as automated certification reviews and compliance reports.
"Oracle and the other big application providers are used to seeing themselves as the center of a universe. Our strategy is to offer identity management for everyone," Gates said.
"Today"s enterprises face unprecedented challenges in protecting sensitive data (data privacy), and keeping the cost of identity management under control," said Wilson Ho, practice director, identity management client solutions organization, Sun Greater China. "These challenges are exacerbated by an enterprise environment in which information security is critical and the pressure to comply with legislative mandates such as Sarbanes-Oxley is on the rise."
"In greater China, I see a very high demand for end-to-end lifecycle IAM," said Ho. "This is particularly prominent among enterprises [such as] service providers and financial institutions. There is demand from the government too, but they are more or less targeting citizen level [services]?from driving licenses to taxation."
Ho noted that "vendors such as Oracle and BMC have acquired IM tools to help their customers build a more integrated identity management system," but added that he views IAM as the evolution of EAI (enterprise applications integration).
"Watch out for Sun"s Identity Grid," declared Ho. "It will be the next killer app [after] EAI."
Security and RFID
Security is also a hot topic when it comes to identity management, given the recent worldwide growth in identity theft. However, Sun already counts on Symantec to provide security capabilities for Auditor, such as the ability to report unauthorized system access.
"We"re seeing a collision between the worlds of security and identity management because ID brings intelligence to security," said Don Bowen, director of Sun"s Directory Server Enterprise Edition.
Radio frequency identification (RFID) also combines security and identity capability and Gates predicted that the next year will bring offerings that can, for instance, allow clients to secure a system by tracking its location and recording who has access to that system through identity management technology.
RFID has real security benefits because it links who somebody is to where they are located and identity management can also be used to deliver location-based services to mobile devices, Gates said. She added she expects Deutsche Telekom and other European operators to start rolling out location-based services in the near future, allowing them to send users text messages telling them where the closest coffeehouse or theater is, for example.
Sun and Microsoft: bedfellows
But while Gates emphasized that Sun wants to help companies address broad identity management needs, closer cooperation with Microsoft to provide joint customers with seamless identity management is not in the cards. Although the former rivals entered a surprise cooperation accord last year, saying they will allow information to be more easily shared between Microsoft"s Active Directory and Sun"s Java System Identity Server identity management products, there has been no word about further collaboration in the identity area.
"We are of two minds," Gates said. "We stand together on standards and interoperability -- we are working behind the scenes and it"s taking time -- but we are competitors."
"Sun is, however, working closely with Microsoft on identity interoperability but we compete on implementation," concluded Ho.
(IDG staff contributed to this story)