The Pros and Cons of Identity Management Projects
"We’re at a crossroads," he says. "We have to decide how far we are going to go with it."
Who Has Access to What
Part of the problem is confusion about what defines identity management. Vendors use the phrase to mean any number of things, from single sign-on applications to certificate authentication. Yet such technologies are really just add-ons to identity management.
Essentially, identity management is a system that serves as the authoritative identity record for an entire company. Each entry in the system should contain all the identity information associated with one individual—an employee, customer or partner—from name to Social Security number to employee identification number. This identity data can then connect to a company’s existing systems, ultimately granting new users automatic access to applications (a process called automatic provisioning), allowing for password consolidation or "single sign-on" to multiple, linked applications, as well as providing the company with a detailed audit trail.
For most companies, however, that vision is far from a reality. "If you don’t have identity management, there are all sorts of ways that people will get [access]," says King. Most often a user calls the application administrator demanding access; if the user is belligerent enough he gets it. In such an ad hoc environment, there is no way for a CIO to guarantee that employees gain access to only the applications they require. Furthermore, access levels can vary within applications. For instance, one of the first applications King linked to the identity management system was a Web-based intranet application that helps employees monitor their benefits. If employees want to view general benefit data on the intranet, their basic log-on credentials are sufficient. But if they want to browse confidential data related to their own benefits, the system requires an additional factor, like a secure ID token.
Beyond mere provisioning, identity management can also track who used what application when, providing CIOs with an application audit trail. That can be instrumental in helping companies comply with government regulations such as the Sarbanes-Oxley Act. Pete Sattler, chief e-business officer and CIO of manufacturing company SPX, says Sarbanes-Oxley is the top driver behind his company’s identity management project. (Sarbanes-Oxley requires that companies certify that no one has tampered with quarterly and annual financial reports, and having audit ability is the only way to guarantee that.) Sattler has other reasons, however. Fifty percent of his company’s help desk calls come from managers and users who have either forgotten their passwords or need their IDs changed—calls that experts say can cost a company up to $25 a pop. "Those go away when this goes live," he says. In the new system, each employee will have one user name, password and PIN. If an employee forgets his password, he can simply log on to the company intranet, enter his PIN and a key phrase, and automatically reset his password. That alone will pay for the project over time, says Sattler. (Employees may be less likely to forget their PIN because, unlike the password, it doesn’t have to be changed as frequently.)



