Identity and Access Management
Identity and access management is a comprehensive set of solutions used to identify users in a system (employees, customers, contractors, and so on) and control their access to resources within that system by associating user rights and restrictions with the established identity. Web SSO, Host SSO, user provisioning, advanced authentication, legacy authorization, public key infrastructure (PKI), and directory services are all critical components of identity and access management. The following are representative vendors and products in this market:
• Computer Associates (eTrust Identity and Access Management Suite)
• IBM/Tivoli (Tivoli Identity Manager and Tivoli Access Manager)
• Novell (Nsure Identity Manager and eDirectory)
• RSA (ACE Server, Keon, ClearTrust, and SecurID)
• VeriSign (VeriSign PKI)
Another significant area of identity and access management is the hardware token market. IDC counts revenue from this category as software revenue under the appliances operating environment. It comprises several necessary technologies, which IDC has defined as follows:
• Token authentication server (TAS) is a highly configurable authentication server, which maintains user information, stores seed key data, and provides the verification of token authentication requests. The TAS passes authentication verification to the specific application. These systems are designed to integrate tightly into the existing network and security identity management architectures. Users can be grouped into configurable profiles with different rule sets governing the access control for each. RADIUS server technology is either built in or provided as an option.
• Authentication client software, usually configured as an agent, is designed to operate within almost every conceivable client or other delivery device within an enterprise, allowing access control for the local desktop as well as network and Web resources. These agents are becoming increasingly versatile and can be used with traditional token form factors (key fobs, credit-card-style tokens) as well as with software tokens, such as Java applets and software for PDAs and wireless devices.
• Traditional authentication tokens are small hardware devices that allow users to authenticate themselves to the TAS using either one-time passwords or challenge/reply methods. These tokens can come in multiple form factors and do not require additional hardware. One-time password (OTP) or challenge/reply tokens are simple to use and provide a robust authentication method.
• USB authentication tokens are small, key-sized devices that connect to any standards-based USB port and can have smart card chips and embedded software used to perform user authentication and cryptographic functions, such as digital signing. USB authentication tokens don't inherently require external server software, as do traditional authentication tokens; instead, they can be utilized by nearly any application that can recognize the token. These tokens may have the same capabilities as smart cards and can be used as smart card replacements. They may be increasingly used within OTP security architectures.
• Software licensing authentication tokens (SLATs) are parallel/serial port tokens or USB keys that authorize the use of software on a particular device. SLATs generally do not require user intervention because the software application is designed to check for the SLAT prior to running the application. SLATs are used to protect against software piracy and to enforce software licensing.
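The two mechanisms the token definitions above rely on, a TAS that holds seed key data and verifies one-time passwords, and a token that answers a challenge/reply exchange, can be made concrete in a few lines. The following is an added example written for this page, not code from IDC or from any of the vendors listed; the OTP algorithm is HOTP (RFC 4226, HMAC-SHA1 over an event counter), the challenge/reply scheme is an assumed HMAC-SHA256 construction, and the user name, seed and look-ahead window are constructed sample values.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def token_respond(seed: bytes, challenge: bytes) -> str:
    """What the token side computes in the (assumed) challenge/reply mode."""
    return hmac.new(seed, challenge, hashlib.sha256).hexdigest()


class TokenAuthServer:
    """Minimal TAS: per-user seed plus event counter, OTP verification with a
    look-ahead window (tolerates tokens pressed without logging in), and
    single-use challenges for the challenge/reply mode. Constructed example."""

    def __init__(self, look_ahead: int = 5):
        self.look_ahead = look_ahead
        self.users = {}       # user -> {"seed": bytes, "counter": int}
        self.pending = {}     # user -> outstanding challenge (one at a time)

    def enroll(self, user: str, seed: bytes) -> None:
        self.users[user] = {"seed": seed, "counter": 0}

    def verify_otp(self, user: str, otp: str) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        # Try the expected counter and the next look_ahead values.
        for i in range(self.look_ahead + 1):
            candidate = rec["counter"] + i
            if hmac.compare_digest(hotp(rec["seed"], candidate), otp):
                # Move past the accepted counter so the same OTP cannot be replayed
                # and any skipped counters are invalidated as well.
                rec["counter"] = candidate + 1
                return True
        return False

    def issue_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(16)
        self.pending[user] = challenge
        return challenge

    def verify_challenge_response(self, user: str, challenge: bytes, response: str) -> bool:
        rec = self.users.get(user)
        # The challenge must be the one we issued and still outstanding.
        if rec is None or self.pending.get(user) != challenge:
            return False
        del self.pending[user]  # single use, regardless of outcome
        expected = token_respond(rec["seed"], challenge)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 4226 test-vector seed (sample only)
    tas = TokenAuthServer(look_ahead=3)
    tas.enroll("alice", seed)
    print("counter 0 OTP:", hotp(seed, 0))
    print("first use accepted:", tas.verify_otp("alice", hotp(seed, 0)))
    print("replay rejected:", tas.verify_otp("alice", hotp(seed, 0)))
    ch = tas.issue_challenge("alice")
    print("challenge/reply accepted:", tas.verify_challenge_response("alice", ch, token_respond(seed, ch)))
```

Two design points carry over to any real TAS: the server advances the stored counter past the accepted value (and past any skipped values), so a captured OTP is worthless once used, and comparisons use a constant-time check so verification time does not leak how many digits matched. Seed storage is the crown jewel of such a server; the dictionary here stands in for an encrypted store with access restricted to the verification process.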