Vendors agree on business value of IAM

By Warwick Ashford, ITWeb London correspondent

Johannesburg, 29 Nov 2006

Identity and access management (IAM) is a controversial topic with little consensus on how best to achieve it. However, most local solutions vendors agree on IAM's business value.

This emerged at the Identity 2006 conference hosted by the Institute for International Research, in Midrand yesterday.

Vendors were clearly in different and often opposing camps about how to achieve IAM and whether or not role-based access control was the ultimate goal. However, the business value of successful implementations was a common theme that ran through the presentations.

Effective IAM saved US-based CNN millions of dollars. It consolidated its multiple call centres and billing systems into single, common systems across the organisation, said Stafford Masie, country manager for Novell SA.

He said a single view of each subscriber had enabled CNN to cut call centre costs even further by introducing a self-service facility to enable users to update billing and other details online.

In SA, Absa Bank is one of the leaders in terms of IAM, according to David Lello, director of Global Security Solutions. "Absa's IAM implementation has been successful in ensuring the right people have the right access at the right time," he said.

Drivers

Lello said although compliance was one of the main drivers of IAM, Absa had not approached it only as a means of risk mitigation. Absa realised that effective access control and a single view of the customer were vital to achieving the bank's business goals.

"Identity synchronisation across all systems drives business value across the enterprise," said Andrew Ochse, senior product manager at SecureData. He said IAM could reduce the risk of ghost users, increase the efficiency of rights provisioning, reduce password management, and enable a greater degree of self-service.

There was also broad agreement that IAM should be implemented at a business process level. The benefit of this would be to relieve IT of the burden of managing users, and bring the process under the control of business and give it a business focus.

Key components

All vendors agreed that clean data was an essential component of IAM. Lodewyk de Beer, a system architect at Sun Microsystems, identified eliminating data inconsistencies as one of the biggest challenges to implementing IAM for MTN in Nigeria.

A phased approach to IAM was another common theme. "Tackle the biggest risk applications first," advised Ochse, while Lello and De Beer emphasised the importance of demonstrating quick and regular returns on investment. This is the only way to ensure executive buy-in, said Ugan Naidoo, managing consultant at Fujitsu.

Philosophy, not technology

However, not all IAM solutions were complete, warned Lello. He said for an IAM solution to be effective, it should manage the full user lifecycle from joining an organisation to leaving it.

Several presenters saw IAM as a business philosophy rather than a technology implementation. They argued that any IAM implementation would touch every user and business process in an organisation. But Masie disagreed. He said Novell advocated a non-intrusive approach.

"By creating a common user repository, it is possible to deliver service-oriented enterprise IAM using existing processes and infrastructures that are independent of applications," he explained.

Illustrating the importance of IAM, Cape Town's CIO Nirvesh Sooful said the need to manage users and control their access to systems became immediately clear as soon as his department realised that ICT was critical to running the unicity, created over the past 10 years.