Beyond mere provisioning, identity management can also track who used what application when, providing CIOs with an application audit trail. That can be instrumental in helping companies comply with government regulations such as the Sarbanes-Oxley Act. Pete Sattler, chief e-business officer and CIO of manufacturing company SPX, says Sarbanes-Oxley is the top driver behind his company's identity management project. (Sarbanes-Oxley requires that companies certify that no one has tampered with quarterly and annual financial reports, and having audit ability is the only way to guarantee that.) Sattler has other reasons, however. Fifty percent of his company's help desk calls come from managers and users who have either forgotten their passwords or need their IDs changed - calls that experts say can cost a company up to $25 a pop. "Those go away when this goes live," he says. In the new system, each employee will have one user name, password and PIN. If an employee forgets his password, he can simply log on to the company intranet, enter his PIN and a key phrase, and automatically reset his password. That alone will pay for the project over time, says Sattler. (Employees may be less likely to forget their PIN because, unlike the password, it doesn't have to be changed as frequently.)

What Integrates with What

Of course, identity management has more than its share of challenges. The first and most time consuming is integration. Currently, no standards exist for identity records and authentication processes. Security assertion markup language (SAML), an XML framework, is gaining momentum in standards organizations such as Oasis and the Liberty Alliance, but it is awaiting formal standardization. As a result, not only do old applications not have a single format for identity information, but neither do new ones. "I may be psattler in one system, Pete Sattler in another and [something else] in a third," says Sattler. Identity management vendors have created tools that let CIOs synchronize most Web-enabled applications to an existing identity directory in a matter of hours. Older applications, however, require more time and oversight. In some cases, it may be a simple matter of building an application program interface, or API, that links the application to the identity database so that it can tell the application that psattler is Pete Sattler. But even those cases may require initial (not to mention expensive and slow) human oversight to make sure that one system's psattler isn't actually Paul Sattler instead of Pete.

Furthermore, older applications that don't have APIs, as well as mainframe applications lacking Web front ends, will require manual integration. This fact has driven many CIOs to phase in identity integration, starting with the most important applications. Sattler, who has so far linked only his company's identity directory to the company's white pages application, says that his plan is to go after "the applications with the biggest influence up front and then slowly start chipping away." That means tackling Lotus Notes and the virtual private network first. He then expects to add the company's three ERPERP systems and the HR system to the list. Alles zu ERP auf CIO.de

"I don't envision ever having all of my systems [integrated]," he says. In some cases, the cost of integration is prohibitively expensive. In such cases, he'll just let the applications run the way they've always run.

Who Owns the Data

Terry Howell, enterprise portal program manager for the U.S. Navy, which is currently undertaking its own massive identity management project, agrees with Sattler. "The problem is that [integrating the legacy system with identity management] is pretty much a manual process," he says. "It is going to be hard. But that's not the scary part. The scary part is the politics that are on top of that." In fact, the biggest obstacle to identity management is the battle over who owns identity data and who controls access to it.