RealTime IT News

Make Way for ID Management as Web Service

The snail-like pace of integrating identity management software into one complete suite will be a major topic of discussion at the Burton Group's annual Catalyst Conference next week, according to an analyst with the research firm.

But when companies do get around to shoring up their ID management portfolios, identity services may be delivered as Web services, highly popular distributed computing software.

Burton's Jamie Lewis said the ID management niche is entering a new "iteration," in the wake of massive industry consolidation that saw Computer Associates buy Netegrity and Oracle scoop up Oblix, among other acquisitions.

This next stage is being challenged by the difficulty of integrating components such as authorization, authentication and single sign-on.

While vendors such as CA, Oracle, BMC, IBM, HP, and Sun Microsystems talk a great deal about offering one full suite to meet customers needs for and the like, the fruit borne from these endeavors is on the light side.

Integrated ID management generally means services that share components tethered by one workflow engine and one set of administrative interfaces and event systems. After digging under the hoods of these companies, Lewis said most of the products have different workflow engines and don't share a common set of administrative interfaces.

"I don't think anybody has what I consider anywhere the level of integration that the word 'suite' would connote. The big question facing the vendors is how long will it really take to deliver and integrated set of products that truly shares a common set of components rather than overlapping.

Lewis said he expects vendors to redouble their efforts going forward to yield more than just an exercise in branding. This is driven by customer demand.

"The customer doesn't want to bear the integration burden," Lewis said. "They want one throat to choke."

Going forward, Lewis said he expects ID management tools to evolve to become a set of services accessible by multiple applications.

This includes and so-called identity services, which began as directory services and are evolving to become a larger superset of discreet services that live on the network. To be fully useful, these services must become encapsulated, exposed and used as Web services .

"You'll hear more about the collapse of directory, virtual directory, metadirectory and federation into the larger superset of identity services and then we'll be looking at how those get exposed as Web services and used in a Web services framework," Lewis said.

The analyst said work to deliver ID management as Web services is being seen in tooling efforts. This includes Microsoft's Indigo integration software project and an identity abstraction layer proposed within the Eclipse Foundation open source group.

Microsoft is also doing some solid work in identity federation with its InfoCard plan to make portable and interoperable identity a reality. InfoCards help trading partners and Web services providers know just who it is they're dealing with on the Web, no matter what platform the services are using.

"I'd expect more detail to emerge at Catalyst about InfoCards and I expect there to be some debate about whether what they're proposing is going to work or not and some debate about specifications, particularly WS-Trust, the backbone protocol that InfoCards would plug into.

Lewis continued: "There is going to be a lot of debate about whether or not WS-Trust is a standard or not because it is not in a standards organization and Microsoft and IBM have been working on it. Some people see it as a well controlled process that Microsoft and IBM pretty much govern. That's where some of the controversy lies at this point."

Why is ID management such a hot topic?

Organizations and public sector agencies are looking to ID management software to prevent security breaches and meet stringent regulatory requirements specifying tighter controls over user access to information, applications and systems.

One thing that all the vendors and their customers seem to agree on is that government regulations are fueling the need for comprehensive identity management suites in a number of key vertical industries such as finance and healthcare.

Sarbanes-Oxley and HIPAA pretty much control the financial services and healthcare services industries, respectively, ordering organizations to corral their data and retrieve it at a moment's notice.

As far as the major ID management vendors go, Oracle, Sun Microsystems are all expected to make some news announcements. Thor Technologies is already talking about its new Xellerate Identity Manager 8.5, which the New York-based startup is already detailing.

Thor's new suite makes ID management easier to implement through a Web-based deployment management tool and boosts exception-handling processes and compliance through graphical workflows.