Thomas Board can give a perfect example of why higher-education CIOs listed security and identity (ID) management as their No. 1 strategic concern in a 2006 Educause survey.

As director of information system architecture at Northwestern University in Evanston, Ill., Board worries about granting data access and issuing IDs to as many as 1,000 researchers from around the country working on grant-funded projects with Northwestern faculty.

"They are difficult to issue with a high level of trust," he said.

Northwestern is about one-third of the way through replacing its internally developed campuswide ID management infrastructure with Sun Microsystems' Identity Manager, Board said, and the number of applications that required IDs and passwords grew faster than the university's IT department could keep up with them. "We started out a long time ago providing access to modem pools and e-mail," he said. "Since then, the ID system we created has become the basis for access to all sorts of applications with varying levels of sensitivity, which forced us to look for a better service than we could create. We had to buy our way out of the problem."

To cope with outside researchers accessing its network, the university is now considering joining a higher-education "identity federation" called InCommon, in which institutions vouch for each other's users. Identity federation is broadly defined as agreements, standards and technologies that make identity portable across organizational boundaries. "With identity federation, a school like UC Berkeley would handle the vetting process of their researchers for us," Board said, "and eliminate that bureaucratic overhead and some degree of risk."


Sticky Situation
The evolution of distributed computing and the Internet have forced both public- and private-sector CIOs to focus more attention on ID management infrastructure issues. IT organizations are finding that partners, customers, employees and contractors all need access to their Web-enabled services, and CIOs are starting to recognize that they must be active participants in setting standards and working on interoperability issues.

The ID management software market is expected to grow to more than $8.5 billion by 2008, according to a 2005 study by the Radicati Group. In the private sector, regulatory requirements such as the Sarbanes-Oxley Act and Health Insurance Portability and Accountability Act (HIPAA) in health care are driving forces behind tighter controls and access to audit trails. Public-sector CIOs are grappling with disparate silos of identities across applications and agencies. The poster child for this problem is the employee's computer keyboard covered with four or five yellow sticky notes with passwords scribbled on them.

Governments must cross these boundaries both for internal government functions and provide more services to constituents. Most agencies have taken the first steps toward unifying and strengthening their identity infrastructure. "CIOs everywhere are concerned about the cost and hassle of maintaining multiple identities," said Nalneesh Gaur, a principal with Diamond Management and Technology Consultants. In addition, a well implemented ID management platform is a deterrent against identity theft, a concern for IT executives at all levels of government.

But beyond improving security, CIOs are starting to see potential efficiency gains. For instance, many organizations are moving to "single-sign-on" capability, so that once employees or constituents have logged into one application, they can move through other applications on the network without having to remember additional passwords or log on again. Applications can also be linked so that as a person's government ID is created, it is immediately added to other databases the user should have access to.

"It really is cheaper, better [and] faster to do authentication at an enterprise level rather than for each application," said Dan Combs, president of Global Identity Solutions in Falls Church, Va. "Just at the level of password changes, your costs could be spread across 10 applications, and you'd see a dramatic cost reduction." Call center costs related to ID authentication