Recent high-profile data breach incidents, such as those at The TJX Cos. and the U.S. Department of Veterans Affairs, have brought the need for effective identity and access management (IAM) into sharp focus for many IT departments and executive boardrooms. Still, with adoption rates at no higher than 30%, comprehensive IAM products are only in the "early mainstream" phase, according to Jonathan Penn of Cambridge, Mass.-based Forrester...
Research Inc. "I've yet to meet anyone who has it all," Penn said.
But that may be changing, as the Sarbanes-Oxley Act and other compliance regulations have ignited a new push in the IAM space. Framingham, Mass.-based IDC estimates that revenues in the IAM market will increase nearly two-thirds between 2005 and 2010 to an estimated $5.1 billion. Even for companies not grappling with compliance issues, IAM has become increasingly important for protecting data both internally and externally.
Small and medium-sized businesses (SMBs), however, should proceed with caution when selecting and implementing an IAM product. "Many SMBs don't have the expertise to execute a project like this because of the intricate levels of integration involved," noted Sally Hudson, research director for identity and access management at IDC. "A company has to understand the skill sets required to monitor and maintain the system."
In the SMB space then, the key features to look for in an IAM product include low cost, ease of use and ease of implementation, Hudson says. But it's obvious that companies of all sizes recognize the importance of protecting data, managing user passwords and improving workflow through other IAM features.
There are a number of things SMBs must pay attention to when implementing an identity and access management solution:
- Allow plenty of time for discovery to get a clear understanding of what your company is trying to accomplish, then focus laserlike on those findings. Products can range far beyond simple security to improving business processes, so be sure to shop around for a product that fits company objectives.
- Recognize that IAM is not a purely IT project but can affect business processes, human resources, audit and compliance and more. Get the appropriate stakeholders involved early in the process and address up-front issues surrounding the ownership of processes and data.
- Evaluate the skill sets of IT workers who will implement the project. If deficiencies are found, consider hiring new employees or contracting with a consultant to help with implementation.
- Start slowly. Conduct a pilot project or implement the product in phases.
- Recognize that identity and access management will remain a work in progress. Review coverage, protocols and opportunities at least once a quarter, making tweaks as necessary to keep data secure and work processes up to date.
Keeping pace with growth
GotVMail Communications LLC, a telecom provider that specializes in virtual phone service for small businesses, is testing two systems with multifactor authentication and integrated single sign-in, CTO David Hauser said. The company, which has two dozen employees at its Weston, Mass., headquarters and another dozen at a Florida satellite location, is evaluating IAM products from Imprivata Inc. and RSA Security Inc.
GotVMail has been expanding rapidly, doubling its head count in the past six months, so the company is looking for a product that can keep pace with its growth.
"With our current system, each individual has to manage multiple passwords, and the operations team has to manage multiple passwords," Hauser said. "We're looking for multifactor authentication because a single password isn't enough."
So far, Imprivata has the overall edge, Hauser said, although he does like RSA from a functional standpoint.
Better business efficiency
IAM can also improve efficiency and link IT and physical security systems, such as building access, said Ed MacBeth, senior vice president of marketing and business development at ActivIdentity Inc., a Freemont, Calif.-based provider of identity assurance products.
An IAM product linked to a smart device can manage multiple applications such as personal information, digital certificates, remote access, time-and-attendance functions and building access -- it can even charge lunch in the company cafeteria, MacBeth said.
"There are real business efficiencies that IAM can provide," MacBeth said. The technology can enable digital signatures that speed up workflow processes for purchase requisitions, travel approvals and memo routing in addition to security.
But despite these and other features that may be attractive to certain SMBs, the security aspects are still driving the IAM market. "A company never is as secure as it needs to be," IDC's Hudson said. "The security space evolves rapidly, and business needs change. This isn't a case where you can wipe your hands and forget about it for three years."
Matt Bolch is a freelance writer based out of Atlanta. To comment on this story, email firstname.lastname@example.org.