In the past, identity management has mostly been about who you are. Increasingly it is also about what you can do, and when and where you can do it, something some security analysts and vendors call "entitlement."
Entitlement, and other emerging components of identity management, are on many vendors' minds as they prepare for the annual RSA conference in San Francisco next week. Identity management will be a key theme at the show, both in sessions and on the show floor.
Regulatory pressures (think Sarbanes-Oxley and PCI) are forcing the issue of entitlement, which is basically an evolved authorization model, vendors say. "We're seeing a lot more interest in authorization," says Ellen Libenson, vice president of product management for Symark Software. "It's really about what happens once [users] have access... [Knowing] what they are doing, and to restrict things they can do."
The trouble is that most of these per-user policies are custom-coded into each application individually, alongside that application's own store of user credentials. Each application keeps its own user credentials and, in some cases, privileges: "And each application has a custom way of storing it. There's no consistency," says Rajiv Gupta, CEO and founder of Securent, which sells entitlement management software.
Compliance audits are making this model of authentication and authorization both costly and unwieldy. "If you have to make a change [to meet compliance], remediation is required, you have to take the application down and get the developers involved again," Gupta says.
It's all about adding a policy layer across different systems, including instant messaging, VOIP, and email as well as data applications. If a brokerage's policy prohibits an analyst and broker from communicating with one another, today that policy typically must be applied and enforced individually for IM, VOIP, and email, Gupta notes. "I have to go into each channel and re-specify policy, which leads to mistakes and problems with visibility and compliance," he says. "This is becoming an issue with customers."
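The architecture Gupta describes, a single policy layer consulted by every channel rather than a rule re-coded in each one, as an added example written for this page (hypothetical code; it is not Securent's or any other vendor's product). The subject attributes, channels, and the "analyst and broker may not communicate" rule are constructed from the brokerage scenario above; each channel's check is a thin enforcement point that asks the shared decision point, so the policy exists in exactly one place:

```python
"""Externalized authorization: one policy decision point (PDP) shared by the
IM, email and VoIP enforcement points (PEPs) instead of a check hand-coded
into each application. Hypothetical example; not vendor code."""
from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class Request:
    subject: dict            # attributes of the user acting
    action: str              # what they want to do
    resource: dict           # attributes of the target (here: another user)
    context: dict = field(default_factory=dict)  # channel, time, etc.


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str              # "permit" or "deny"
    matches: Callable[[Request], bool]


class PolicyDecisionPoint:
    """Deny-overrides evaluation: any matching deny wins, a matching permit
    is otherwise required, and a request matching no rule is denied."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, req: Request) -> str:
        effects = {r.effect for r in self.rules if r.matches(req)}
        if "deny" in effects:
            return "deny"
        if "permit" in effects:
            return "permit"
        return "deny"  # default-deny


def crosses_information_barrier(req: Request) -> bool:
    # The brokerage rule from the text: an analyst and a broker may not
    # communicate with each other, on any channel.
    roles = {req.subject.get("role"), req.resource.get("role")}
    return roles == {"research-analyst", "broker"}


RULES = [
    Rule("information-barrier", "deny", crosses_information_barrier),
    Rule("employees-may-communicate", "permit",
         lambda r: r.action == "communicate"
         and bool(r.subject.get("employee")) and bool(r.resource.get("employee"))),
]

PDP = PolicyDecisionPoint(RULES)

# Constructed directory data standing in for an HR/identity store.
USERS = {
    "alice": {"employee": True, "role": "research-analyst"},
    "bob":   {"employee": True, "role": "broker"},
    "carol": {"employee": True, "role": "compliance"},
}


def pep_can_communicate(channel: str, sender: str, recipient: str) -> bool:
    """Enforcement point used identically by the IM, email and VoIP
    gateways. Unknown users resolve to empty attributes and are denied."""
    req = Request(subject=USERS.get(sender, {}), action="communicate",
                  resource=USERS.get(recipient, {}),
                  context={"channel": channel})
    return PDP.decide(req) == "permit"


if __name__ == "__main__":
    for channel in ("im", "email", "voip"):
        print(channel, "alice->bob:", pep_can_communicate(channel, "alice", "bob"),
              "alice->carol:", pep_can_communicate(channel, "alice", "carol"))
```

Changing the barrier rule (say, to add a third role) is a change to `RULES`, not to three separate applications, which is the remediation cost Gupta complains about in the previous paragraph. Keeping the decision point default-deny matters: a channel that forgets to pass an attribute fails closed instead of open.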
Vendors are moving on the identity management issue even before the RSA show begins. Symantec yesterday showed off its upcoming Norton Identity Client, a set of online credentials for consumers akin to a passport or driver's license for doing business on the Internet.
Some of the most established identity management vendors are CA, IBM, Novell, Oracle, Microsoft, and BMC, according to a recent Burton Group study. Burton expects identity management technology to be integrated into server platforms and applications as the market shifts from products and suites to more of a service-oriented identity services model. In addition to Securent, other players in the identity management entitlement space include Bayshore Networks, BEA, and Jericho Systems, notes Gerry Gebel, service director for identity and privacy strategies at the Burton Group.
Securent's Gupta says estimates for the identity entitlement management market are somewhere around $2 billion for this year. One of its customers, a large financial services firm that requested anonymity, is running Securent's Entitlement Management software in a services-oriented architecture for its applications and various lines of business.
A couple of years ago, the firm realized the missing link was "fine-grained entitlements and authorization," says the IT executive there who heads up the identity management project. "Our developers did their own thing... Each had built their own solution" for authorization, he says, which became challenging during audits.
But the biggest hurdle has been getting the firm's developer teams to shake their "roll your own" mentality for shared services, he says. So far, the firm has deployed Entitlement Management on two of its largest public Web applications, and hopes to roll it out for its own users as well.
The bottom line with identity management is that it must be continuous and dynamic, not just a snapshot of user credentials, notes Deb Pappas, vice president of market strategy for Courion, which sells an automated user access and authorization solution. "It's no longer enough just to have that access control," she says. "You need to proactively flag inconsistencies and move to preventative control [of user privileges]... This is tying the 'what is' to the 'what should be,' " she says.
Identity management must be automated in how it grants users access, and it should take into account moves, adds, and changes along the user's "lifecycle," Pappas says. Some users receive entitlements they shouldn't have, so there's a gap in security and compliance, she says. "It isn't enough to grant and assign privileges," she explains. "What's increasingly critical today is comparing what should be -- how you define what they should have -- with what they are actually doing... Companies are finding a disconnect there."
Symark's Libenson says the key is to stop reacting with point solutions and provide a more holistic approach.
But it won't be easy. Building an identity management architecture is no plug-and-play project. "It's a big endeavor to roll out an identity management system -- it touches so many departments and people. It's like an ERP application rollout," Symark's Libenson says.
Kelly Jackson Higgins, Senior Editor, Dark Reading