Having a single database responsible for identity and authentication information - and a single sign-on for access - requires that you enforce use of complex passwords and password updates. Sattler recently tested his new system, which requires employees to use complex passwords containing numbers and letters, against the old approach. "I ran a hacker tool I downloaded, and it guessed my old password in two minutes," says Sattler. But it would be impossible to enforce the new system if people had to remember 12 such passwords, he says.

Thus, while the single sign-on system is a risk, CIOs agree that the opportunities it presents for cost savings, increased efficiency and better usage-tracking outweigh the potential of an attack. "You are always balancing convenience and access to business applications with risk," says King.

Who's Selling

There's one last hurdle that CIOs pursuing identity management need to consider: finding a single vendor that can provide you with a full identity management suite. That will be difficult, if not impossible. It's getting better, says Earl Perkins, vice president of security and risk strategies for Meta Group. There has been substantial consolidation during the past year, but right now the muddled vendor landscape just adds to the confusion. Many CIOs are forced to create patchwork solutions with software that handles the identity database from one company, while another company deals with provisioning and a third implements security. Gartner lists only four vendors - IBMIBM, Netegrity, Novell and Oblix - that can deliver anything like a full range of products, with IBM, which went on an identity vendor shopping spree last year, on top of the list. Niche players, however, remain the largest category in the identity industry. Alles zu IBM auf CIO.de

"We don't expect there to be just one vendor," says King. "A lot of this will have to be homegrown."

Still, it hasn't prevented King from doing identity management. It may require piecing together, but all the pieces fit. "There is huge ROI," he says. "It's silly not to do it."