It’s 10 P.M. Do You Know Who’s Logged On?

NAPA, Calif. — If you thought most companies handle identity management effectively, think again.

“Many organizations fail to deal with the basic issue of who gets access to what,” said Ed Partenope, vice president of operations and I.T. services at Innovativ, an information-technology consulting firm in Edison, N.J. An enterprise, he says, needs to agree on its “fundamental understanding of access.”

Partenope teamed with three other I.T. industry leaders on a panel examining identity management at Ziff Davis Media’s CIO Summit this week at the Silverado Resort in Napa, Calif. The other panelists were William Vass, senior vice president for information technology and CIO at Sun Microsystems; Bill Malik, principal at Malik Consulting, an I.T. research firm; and Randy Chalfant, chief technology officer at Sun’s storage unit in Louisville, Colo.

Asked to define identity management, Malik responded: “It’s the permissions and profile data about an individual.” Others took a broader view, describing identity management as encompassing all interactions of an employee with the various systems of the organization. “It’s not just signing people on and off, but it’s also keeping track of where they’ve been and why they’ve been there,” Chalfant said.

Added Partenope: “Identity management is how the data flows through all the applications throughout the company, not just a user name and a password.”

To some, at least, an identity management system may not seem to be a very worthwhile investment. But panelists agreed that the technology more than pays for itself as a risk-avoidance measure.

Identity management can pose a pitfall for corporations doing a merger or acquisition. “One of the big risks in a merger,” Partenope pointed out, “is differing sets of standards for identity management.”

Other factors making identity management a hot issue are the moves toward service-oriented architecture (SOA) and software on demand. As more companies embrace these emerging technologies, tracking the identity of people—especially those using mobile devices to access applications—will be critical, panelists agreed. “The key is how strongly you authenticate,” Vass said.

The panel members also weighed in on the thorny issue of how corporations should deal with I.T. assets that have been retired but still contain intellectual property. “The intellectual property may remain on these assets in somebody’s closet or a warehouse somewhere,” Partenope warned.

He suggested that companies employ a software monitoring system “to audit these assets and manage their deactivation.” Another method is to ensure that all intellectual property is encrypted, so that when laptops and desktop machines are decommissioned, customer files and product plans aren’t compromised.

As Chalfant summed up: “Who’s not afraid of some of that infrastructure slipping through the cracks?”