Passwords and Identity: Seeking Synergy

Do password management software and identity synchronization software naturally go together? One thing's for sure: the ROI for both categories is attractive.

As more companies implement identity management software, a question arises: does it pay to get that software from the supplier of your password management software?

In other words, do password management software and identity synchronization software naturally go together?

Yes and no, says Jim Hurley, vice president of security and privacy with Aberdeen Group. While password resetting and identity synchronization tend to rely upon the same authentication database, “password provisioning tends to be used by the user that knows the password, whereas identity synchronization tends to be used by IT administrators,” says Hurley.

A number of vendors compete in the identity management space, including Courion, M-Tech, Computer Associates, Blockade, Waveset, Thor Technologies, Sun Microsystems, Oblix, IBM/Tivoli, Entrust (which has some Waveset technology under the covers), plus about 50 more, says Hurley. So is there a natural synergy in the market for companies that do both?

Take identity management software provider M-Technology, which released ID-Synch 2.0 Access Management. The company also makes P-Synch software. It counts 3.5 million worldwide users, from companies such as Ford Motor Company, Sears Roebuck, Pfizer Inc., and Bristol-Myers Squibb.

Bruce MacDonald, senior product manager for M-Tech, says that password-reset software users naturally gravitate towards identity synchronization tools. “We find that P-Synch is almost always the first one that goes in, because it's always the simpler technology. You start taking out the millions of calls to the help desk, help users reset their own passwords—it's a quick win. That's generally the path that people will take. Then that's when people will typically move into ID-Synch,” he says.

Hurley notes that indeed, organizations typically adopt password management first, since it’s a more high-profile problem (read: it affects executives). Then they move into identity synchronization.

Both are relatively quick-hit ways to reduce costs. In addition, “there are some side benefits to the identity synchronization and delegation that M-Tech delivers, along with a bunch of other competitors, that are unrelated to obvious cost reductions,” says Hurley. One example is eliminating old accounts. Another is delegation, such as allowing an HR manager to shut down a contractor’s access as that contractor walks off a project and out the door, instead of having to wait for an IT administrator to do it.

Overall, identity synchronization tools can help lock down security, eliminate user downtime by automatically provisioning accounts, and lower the cost of IT administration.

“United Technology Corp., they're our largest client for ID-Synch right now—about 50,000 users—and they're using it to clean up their accounts,” notes MacDonald. Companies could, of course, attempt to do that sort of thing manually; however, “it’s almost impossible unless you have a lot of time.”

Hurley says companies typically see automated password-reset software pay for itself in less than a year, and identity synchronization in about a year. However, he cautions customers to investigate potential identity synchronization suppliers very carefully, since “there are some suppliers with relatively bad track records.”

In the end, because password management and identity synchronization tools don’t form a suite per se, experts recommend customers evaluate each product on its own merits.

There are also some pitfalls to avoid. “Suppliers whose solution requires 10 times more money spent on professional services than the license requirements are definitely the ones to stay away from,” says Hurley, since “the financial return is going to take that longer to recover. And in some cases we've seen the project dropped because they just couldn't get it done.”

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies columnist, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.