Who gets access to what data, for how long, and for what purpose? The questions are age-old, but as the ways of storing and sharing information increase, so must the answers.

Unfortunately, the answer usually requires multiple passwords for the same employee and different access rights for different employees—an administrative burden for technology departments that already are stretched thin. Spread those access rights across 350 data stores (an average for large companies, according to a Meta Group survey) and throw in the goal of extending access to customers and other outsiders, and you've got trouble.

A year ago, industry analyst firm the Burton Group coined the term "identity management" to describe the growing list of issues companies were facing: How do you best authorize or permit access to data that may be spread across thousands of applications and databases? How do you authenticate or control that access? And how do you provision or automate access so that employees, customers and partners can be easily added and deleted?

No single piece of software answers all of these questions. Instead, professional services firms are creating their own packages out of the parts that do exist. PricewaterhouseCoopers (PwC), for example, is doing this with the help of Oblix, BMC Software, Access360, Netegrity and Sun's iPlanet.

The technology industry is also addressing how identities will be managed between networks. Proposals for how to share a single identity among different companies are emerging from Sun, IBM, Microsoft and others. Security Assertions Markup Language (SAML), for example, aims to let Web sites exchange sign-on information.

Companies may agree with identity management as part of a larger security initiative, but how extensive the investment needs to be is up for debate. Jeffrey Kovach, senior manager in PwC's Security and Privacy practice, says that a partial solution like single sign-on may be a manageable first step for most companies. "It's still easier to develop a business case from softer value versus hard-dollar savings," he says. "How much is it worth to an organization to have a holistic security approach?" (PwC, with help from Meta Group, wants to answer that question; see chart, below).

And return on investment can be long in coming. IBM Vice President Arvind Krishna says that although customers can be running and showing some return on its Tivoli software in three to six months, a one- to two-year business case may be more realistic.