Too often, identity management projects become too large or cumbersome to finish on schedule. After all, there will always be more applications to integrate into the system. King has reached that point at Lehman Brothers.

"We're at a crossroads," he says. "We have to decide how far we are going to go with it."

Who Has Access to What

Part of the problem is confusion about what defines identity management. Vendors use the phrase to mean any number of things, from single sign-on applications to certificate authentication. Yet such technologies are really just add-ons to identity management.

Essentially, identity management is a system that serves as the authoritative identity record for an entire company. Each entry in the system should contain all the identity information associated with one individual - an employee, customer or partner - from name to Social SecuritySecurity number to employee identification number. This identity data can then connect to a company's existing systems, ultimately granting new users automatic access to applications (a process called automatic provisioning), allowing for password consolidation or "single sign-on" to multiple, linked applications, as well as providing the company with a detailed audit trail. Alles zu Security auf CIO.de

For most companies, however, that vision is far from a reality. "If you don't have identity management, there are all sorts of ways that people will get [access]," says King. Most often a user calls the application administrator demanding access; if the user is belligerent enough he gets it. In such an ad hoc environment, there is no way for a CIO to guarantee that employees gain access to only the applications they require. Furthermore, access levels can vary within applications. For instance, one of the first applications King linked to the identity management system was a Web-based intranet application that helps employees monitor their benefits. If employees want to view general benefit data on the intranet, their basic log-on credentials are sufficient. But if they want to browse confidential data related to their own benefits, the system requires an additional factor, like a secure ID token.