© Copyright IBM Corp. 2008. All rights reserved.
Chapter 1. Business context for Identity and Credential Management
As the world of e-business gains global acceptance and access to these systems becomes mission critical, the traditional processes of corporate user administration are no longer able to cope with the demands for increased scale, scope, and availability that are expected from them.

Identity Management is a superset of older user provisioning systems that allows for the management of identity and credential information for clients, partners, suppliers, automated processes, corporate users, and others. New functional capabilities give businesses an opportunity to re-engineer their procedures for managing access to their IT resources based on their business policies, which in turn drive their IT security policies and their IT security procedures.
Unfortunately, as more businesses establish their presence on the Internet, these IT assets attract the attention of people who want to use them for illicit purposes. Legislation is being enacted worldwide to ensure the integrity of a corporation’s IT assets, especially those assets that determine the corporation’s financial results. New audit and compliance reporting rules are the result.
For example, in June of 2004, central bank governors and bank supervisory authorities for members of the Group of Ten (G10) countries endorsed the publication of the “International Convergence of Capital Measurement and Capital Standards: a revised framework”, commonly called Basel II [1]. This framework provided financial incentives for banks worldwide to upgrade and improve their business models, their risk management systems, and their public disclosure information to provide greater transparency of their operations. Banks must manage their capital resources efficiently, because capital not only affects their profitability, it also provides the foundation for growth and the cushion against an unexpected loss. Basel II implementation began in 2006.
In the United States, the Sarbanes-Oxley Act [2] of 2002 requires all publicly held corporations with more than three hundred shareholders that are traded on the United States stock exchanges to provide information about the accuracy of their financial records and the internal controls over their financial data. This legislation has created a ripple effect in the international community, because the Sarbanes-Oxley requirements can exceed the legislation of the countries where these international companies have their headquarters. In certain cases, the Sarbanes-Oxley requirements might conflict with the local legislation.

Companies that are implementing accounting and audit procedures to comply with the Sarbanes-Oxley legislation are stating that the core problem is identifying who has access to the financial information and the business reasons that they have been given this access. Fundamentally, it is an identity management and provisioning challenge.
The Gramm-Leach-Bliley Act [3] of 1999 established regulations for the protection and privacy of an individual’s financial information that is maintained by private organizations. Compliance was mandated by July 2001.
Revisions to existing legislation and new legislation are under consideration to control access to personal information contained in these IT assets, such as an individual’s health information or financial data. For example, in the United States, the Health Insurance Privacy and Accountability Act of 1996 created national standards to protect an individual’s medical records and other health information. It gives patients more control over their health records and limits the use of information contained in these records.
Today, health care providers and the health insurance companies are looking to
reduce costs while improving the quality of health care. They are studying the
creation of electronic health records whose contents must be secured. New
applications based on Radio Frequency Identification (RFID) and
point-of-presence technology are becoming available, and they will require
access to secured personal data.
[1] More information about the Basel II framework can be found at: http://www.bis.org/publ/bcbsca.htm
[2] More information about the Sarbanes-Oxley Act can be found at: http://www.sarbanes-oxley.com/
[3] More information about the Gramm-Leach-Bliley Act can be found at: http://www.ftc.gov/privacy/glbact/