For example, the Navy's identity management effort has been hamstrung by the process by which IT projects get funding: Each project has to be approved by Congress, have a dedicated administrator, and until now, it usually has had its own infrastructure. The fragmented framework gives individual administrators carte blanche to choose their own identity standards, as well as the power to grant and deny user access.

Howell says that so far, Naval administrators have been reluctant to let his team take away that control. The Navy has "tried everything under the sun" to get them to migrate to the new identity system. It has even slowed the project so that the estimated finishing date has been pushed back from 2004 to 2009. Moving forward, however, often requires a heavy hand. "We beat them up until they do it," Howell says, only half-joking. He has, in fact, had to "publicly guilt" someone, openly naming him to higher-ups as impeding Naval modernization.

Most private-sector CIOs haven't had to take such drastic steps, but they do acknowledge that getting people to commit to new identity systems requires a lot of convincing. And in some cases, it's simply not worth the effort. Such is the case at Nucor, a $4.8 billion, highly decentralized steel producer. CIO Scott Messenger says he didn't even try to wrest control of divisional HR applications away from their long-time owners - he knew that would be a losing battle. Instead, corporate made its own identity database, which contains all the employee information from the divisions, but the database interacts with divisional applications only in a few places, such as the financial reporting function. "We need centralized reporting," says Messenger, who simply added a layer on top of the existing divisional software. The divisions still control the applications, but corporate can tell who is using what and when, while simultaneously controlling access. The integration was still reasonably complex, says Messenger, but it wasn't anywhere near as complex as running all the divisional applications off of the identity management system - and it didn't require a lot of politicking.

What's the Password?

Even after the problems of integration and politics have been licked, a larger issue looms: security. Whenever you have one system responsible for authentication - regardless of whether you have a single sign-on - you create a single point of failure. With an identity management system in place, a hacker would potentially need only one user name and one password to access multiple applications.

Identity management can increase security (by automatically deprovisioning former employees and keeping users from needing to do dumb things such as writing passwords on sticky notes), but only if you demonstrate the proper diligence. "You can think of [identity management] as the ultimate Trojan horse," says Lehman's King. "This has got to be the most secure system on your network."