Access Granted: The Imperative of Innovation and Standardization in Information Security

Lara Khansa, Member, IEEE, and Divakaran Liginlal

Abstract- The management of digital identities, despite its potential to generate business value, creates significant engineering challenges for modern firms. In this paper, we first provide an architectural overview of identity and access management (IDAM) technologies along with an analysis of patenting activities to establish that the IDAM market segment dominates the information security sector. An empirical study, based on data pertaining to public firms with a significant share of the IDAM market, shows that regulations and the frequency of malicious attacks are strongly correlated with increasing demand. While demand for identity and access management products has been exponentially increasing, innovation has only been moving at a moderate rate after declining near the end of the market bubble of 2000. The stock market's valuation of IDAM firms, while controlling for overall market conditions, has consequently been fairly static since 2001 and has followed similar trends in other segments of the IT industry. We therefore propose a two-pronged strategy involving: (i) standardization efforts on the engineering front; and (ii) additional regulations to stimulate innovation by IDAM firms.

Index Terms- Innovation, identity and access management, information security, market value, regulations.

I. INTRODUCTION

THE modern enterprise, fueled by the growth of the Internet, has metamorphosed into a confluence of services leased within networks of suppliers and consumers empowered with anytime, anywhere access. These services have evolved around virtual marketplaces and are delivered through electronic networks, the engineering of which poses numerous challenges to IT managers. This paper focuses on digital identities, an important enabler of the IT infrastructure that facilitates the access of customers, employees, and third parties to these services. In a commercial setting, conventional business methods have permitted the anonymous purchase of goods and services. However, the modern enterprise requires virtual transactions to be authenticated, recorded, and harnessed in a long-term digital relationship necessitating some real or fictitious identity that is traceable back to its owner. The information related to these identities is distributed by nature across the enterprise, geographical boundaries, business entities, databases, and applications. Their management is therefore complex and very costly. Even in a non-commercial setting, the events of September 11, 2001 that emphasized the need to protect the nation's critical infrastructures have enhanced the significance and accelerated the adoption of digital identities. Further, regulatory forces have spurred the rapid deployment of digital identities in enterprises, making identity and access management a top priority to IT managers and nurturing the development of a related market segment.

L. Khansa is with the Department of Operations and Information Management, University of Wisconsin-Madison, 1221 Grainger, 975 University Avenue, Madison, WI 53706. E-mail: [email protected].
D. Liginlal is with the Department of Operations and Information Management, University of Wisconsin-Madison, 5281 Grainger, 975 University Avenue, Madison, WI 53706. E-mail: [email protected].
978-1-4244-2146-6/08/$25.00 ©2008 IEEE

A. An Overview of Identity and Access Management

A digital identity contains data that uniquely describe a person or a thing, referred to as a subject or entity, and encompasses information about the subject's relationships to other entities [1]. The term identity and access management (IDAM) stands for the technologies, processes, policies, and supporting infrastructures necessary for the deployment, control, and maintenance of digital identities and access to resources. Simply put, the objective of IDAM is to control access to resources based on the identities who manage them.

To place IDAM in perspective vis-a-vis other information security technologies, we examined patent class 726 entitled 'information security' under the patent classification system employed by the US patents office. Out of the 36 subclasses listed at different hierarchical levels under this class, IDAM was found to embrace 15 subclasses completely and several other subclasses partially. Figure 1 depicts an architectural overview of IDAM technology components and the functions they address. The technology components are: (1) digital identity; (2) directory repository and services; (3) access management; and (4) account management. In order to better understand these technology components and their business value, let us consider a comprehensive scenario depicting user access to a networked resource involving all four of these technology components, starting from the issuance of a digital id to the termination of access to resources for the user.


Fig. 1. Identity and access management - An architectural overview and business value. The figure relates IDAM functions, technology components, and services and benefits to stakeholders. Technology components and the functions under each: digital identity (identifier, credentials, attributes, roles); directory repository and services (core store, security policies); access management (authentication, authorization, access, auditing); account management (password management, identity integration and synchronization, single sign-on, user provisioning). Benefits: for the enterprise and managers, command and control, lower TCO, efficiency and consolidation, BP and application integration, workflow management, reduced risk, better auditing, better compliance; for customers, interaction, personalized experience, privacy management, self service, push information, targeted after-sales service; inter-enterprise, business agility, cost reduction, value addition, supply-chain integration, federation, communities and ecosystems, collaborative work; for employees, efficiency and productivity, telecommuting, collaborative work.

1) A user is first issued a digital identity (defined earlier) with a unique identifier (e.g. username) to distinguish the identity holder for a specific context. The associated digital credentials prove something about the owner of the identity and describe attributes that are inherent to the owner (e.g. fingerprints) or assigned to that identity (e.g. password) or roles that the user has been given (e.g. system administrator). Usually the digital identity is embedded in a hardware device such as a USB token that stores the associated credentials.

2) The information that is used to verify the credentials is organized in a directory, which consists of a repository, i.e., a database that holds the information about digital identities and a set of software applications that manage the storage and access to the directory. A typical example of such a directory service is the X.500 and a common protocol used to access directory information is the Lightweight Directory Access Protocol (LDAP). The directory also serves as a means for enforcing security policies.

3) The authentication of the user involves confirming the claims made by the user about the digital identity. Authorization, the subsequent step, maps the user's identity to privileges or roles, followed by access control, which ensures that the user has the right entitlements and enables access to the resources. The auditing process ensures that records related to user access are maintained and scrutinized.

4) Several account management tasks are involved in the lifecycle of the user's possession of the digital identity. An important component is the management of passwords, which includes a registration system, self-service or assisted reset, and synchronization of password changes. User provisioning involves the ability to create new user login accounts on various systems, to alter existing user login accounts, and to manage password rules and access among others. The de-provisioning upon termination of a user's privileges ensures that access to all resources is revoked and related accounts are expunged.

B. IDAM - Where is the Business Value?

Besides depicting all technology components of IDAM and the functions they encompass, Figure 1 provides a bird's eye view of related benefits to enterprises and other stakeholders. At the enterprise level, IDAM provides managers with the ability to streamline access to resources thus facilitating better command and control over the corporate network. There is significant reduction in total cost of ownership specifically from the operational efficiencies achieved. There is less wasted time associated with account access and insignificant costs associated with manually purging user accounts and trying to figure out who has access to what. Efficient provisioning means end users are able to spend more time doing their job rather than waiting for the help desk to reset their passwords or to grant them access to a business application. Many business processes become electronic, thus facilitating application integration and workflow management. Employees have a single means of accessing all applications such as by using hardware tokens or single sign-on, which requires logging in only once across various applications and operating systems. Single access allows reduced administration costs and eliminates the need to remember multiple passwords and associated resets. It also permits greater user productivity and experience through faster access to systems and enhanced user experience. Extending beyond the enterprise, the efficient coordination and integration of business processes with those of strategic partners permit easy and secure access to services that are housed in multiple security domains. Known as federation, this integration allows information about users, their security, and entitlement to be shared in a defined and controlled way between partners in a trusted business relationship. The ability to trust a digital identity also helps in strong community building and collaborative work. An authenticated customer can be provided with a unique experience on a personalized webpage, better assurance of privacy, and the ability for self and targeted services. Confirmation of a customer's identity also permits relationship management along with tailoring information to customers' preferences.
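The four-step access scenario of Section I-A (identity issuance, directory lookup, authentication, authorization, access control and auditing, then account management including de-provisioning), modelled as an added Python example. This is not code from the paper: it is a toy in-memory directory in which an identity is issued with a salted PBKDF2 credential verifier, authenticated with a constant-time comparison, authorized by mapping roles to entitlements, checked against the requested entitlement, and audited; password reset and de-provisioning then show that revoked access really is denied. The role names, entitlement strings and the user "alice" are constructed for the example.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Role -> entitlement mapping (constructed for this example).
ROLE_ENTITLEMENTS = {
    "employee": {"read:own-payslip"},
    "hr": {"read:own-payslip", "read:all-payslips"},
    "sysadmin": {"admin:accounts"},
}


class IdentityDirectory:
    """Toy repository of digital identities plus the access-management logic around it."""

    def __init__(self):
        self._identities = {}  # username -> identity record
        self._audit = []       # audit trail of every decision taken

    @staticmethod
    def _derive(password, salt):
        # Store a verifier derived from the password, never the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def _log(self, username, action, outcome, detail=""):
        self._audit.append({"time": datetime.now(timezone.utc).isoformat(),
                            "user": username, "action": action,
                            "outcome": outcome, "detail": detail})

    # Step 1: issuance of a digital identity with a unique identifier.
    def issue(self, username, password, attributes, roles):
        if username in self._identities:
            raise ValueError("identifier must be unique in this context")
        salt = os.urandom(16)
        self._identities[username] = {"salt": salt,
                                      "verifier": self._derive(password, salt),
                                      "attributes": dict(attributes),
                                      "roles": set(roles), "active": True}

    # Step 3a: authentication confirms the claim made about the identity.
    def authenticate(self, username, password):
        rec = self._identities.get(username)
        if rec is None or not rec["active"]:
            self._log(username, "authenticate", "DENY", "unknown or de-provisioned identity")
            return False
        ok = hmac.compare_digest(self._derive(password, rec["salt"]), rec["verifier"])
        self._log(username, "authenticate", "ALLOW" if ok else "DENY")
        return ok

    # Step 3b: authorization maps the identity's roles to entitlements.
    def entitlements(self, username):
        rec = self._identities.get(username)
        if rec is None or not rec["active"]:
            return set()
        ents = set()
        for role in rec["roles"]:
            ents |= ROLE_ENTITLEMENTS.get(role, set())
        return ents

    # Step 3c: access control checks the entitlement and the decision is audited.
    def access(self, username, password, entitlement):
        if not self.authenticate(username, password):
            return False
        allowed = entitlement in self.entitlements(username)
        self._log(username, "access", "ALLOW" if allowed else "DENY", entitlement)
        return allowed

    # Step 4: account management - password reset and de-provisioning.
    def reset_password(self, username, new_password):
        rec = self._identities[username]
        rec["salt"] = os.urandom(16)
        rec["verifier"] = self._derive(new_password, rec["salt"])
        self._log(username, "reset_password", "ALLOW")

    def deprovision(self, username):
        rec = self._identities[username]
        rec["active"] = False
        rec["roles"].clear()   # all entitlements revoked, not just the login
        self._log(username, "deprovision", "ALLOW")

    def audit_trail(self):
        return list(self._audit)


def demo():
    """Runs the lifecycle for a constructed identity and returns each access decision."""
    d = IdentityDirectory()
    d.issue("alice", "correct horse", {"department": "finance"}, ["employee"])
    results = {
        "own_payslip": d.access("alice", "correct horse", "read:own-payslip"),
        "all_payslips": d.access("alice", "correct horse", "read:all-payslips"),
        "wrong_password": d.access("alice", "guess", "read:own-payslip"),
    }
    d.reset_password("alice", "battery staple")
    results["after_reset_old"] = d.access("alice", "correct horse", "read:own-payslip")
    results["after_reset_new"] = d.access("alice", "battery staple", "read:own-payslip")
    d.deprovision("alice")
    results["after_deprovision"] = d.access("alice", "battery staple", "read:own-payslip")
    results["denials_logged"] = sum(1 for e in d.audit_trail() if e["outcome"] == "DENY")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the scenario makes about de-provisioning shows up in the last decision: once the identity is inactive and its roles cleared, even the correct password yields a denial, and the audit trail records why. A production directory would hold this data in LDAP or X.500 rather than a dictionary, but the sequence of decisions is the same.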

C. The Imperatives of Innovation and Standardization

Although identity management generates business value, it necessitates addressing several engineering and logistical challenges. From a software engineering perspective, the need to manage multiple software implementations across multiple operating systems and platforms generates several integration challenges. From an architectural perspective, integrating the security infrastructures of two organizations for the purposes of federation calls for standardization, mutual understanding, and the ability to acquire or build the required systems. From a system engineering perspective, the need to handle inconsistencies arising from different developers leads to user confusion and security problems. When each application is responsible for its own security components, it is nearly impossible to manage roles and access control across various applications in the enterprise. The scalability of IDAM solutions, especially in a federated system, requires the determination of service level agreements and the ability to expand IT resources without a corresponding increase in IT staff. Although scalability is a technical matter, it requires an understanding of the business requirements regarding the number of users to be supported and the estimated transaction rates. The planned growth of IDAM systems needs to be addressed as part of the initial system design so that this system can scale to meet the organization's business needs. Similarly, account management challenges include those related to HR-driven provisioning, web-driven provisioning, and complex workflow provisioning. Federation, for instance, does not completely eliminate the need to administer the digital identities of the users on different sides of the federation.

Cross-organizational business processes that support user provisioning and de-provisioning need to be in place. An IDC survey [2] of the worldwide IDAM market clearly summarizes these challenges, by noting the existence of two discerning trends: (i) a continued push towards open standards development across different IDAM platforms, thus indicating integration within the IDAM market segment; and (ii) momentum that is shifting towards integrating IDAM technologies into the systems software infrastructure stack.

The previous discussion clearly highlights the importanceof innovation and standardization to identity and accessmanagement. The rest of the paper is organized as follows.Section II surveys the literature related to the drivers ofinnovation in the IDAM market segment, summarizes recentregulations, and provides evidence to demonstrate theimportance of the IDAM market segment vis-a-vis otherinformation security market segments. Section III reports theresults of an empirical study of public firms with a significantshare of the IDAM market, aimed at showing that regulationsand the frequency of security breaches are positivelyassociated with increasing demand in this market segment.Given the evidence that the stock market's valuation ofinnovation by IDAM firms, while controlling for overallmarket conditions, has been fairly static, we advocate inSection IV the need for regulatory impetus andstandardization efforts.

II. WHAT DRIVES INNOVATION IN IDAM?

A. Linking Demand and Innovation

Innovation is closely intertwined with market structure.Schumpeter [3] fundamentally argued that change intechnology is the primary driver of innovation and assumedthat consumers are able to absorb any new innovations,essentially suggesting that demand automatically adjusts tosupply. Schmookler [4], on the other hand, argued that thesuccess of an innovation is intertwined with a strong andgrowing demand for it. Applying these general notions ofinnovation to IT, one may note that, contrary to other ITproducts that exist in and out of themselves, informationsecurity technologies aim at making IT products more secure.Since information security is part of information technology,we shall first briefly examine theories related to innovation ininformation systems. Adner and Levinthal [5] identifiedconsumer wants as the main driver of IT innovations. Theyexplored how heterogeneous consumer needs influence theproduct development efforts of firms. Another example is thatof innovations in open source whose drivers include "users'urgent needs for software" when a sponsoring firm is incharge of commercialization [6]. Our study of innovation inidentity and access management is based primarily on thedemand-pull facets of innovation.

Figure 2 clearly identifies two important drivers of innovation in the IDAM market segment. First, malicious attacks and privacy breaches increase demand for IDAM products, in turn generating more innovation. Second, new regulations that require firms to apply necessary safeguards to IT systems also increase demand for information security products in general and IDAM products in particular.

Fig. 2. Drivers of innovation in identity and access management. The diagram links the following elements: Changing Business Priorities and Radical IT Innovations; Process Improvements & Innovation; Security Technology Enhancements; Regulations & Standards; New Breeds of Malicious Attacks and Shrinking Vulnerability Exploit Cycles; Demand for IDAM products; Innovation in IDAM Technologies.

TABLE I
CATEGORIZATION OF INFORMATION SECURITY REGULATIONS AND LINK TO IDAM

Intent and scope, with the specific requirements on identity and access management:

Corporate Governance
  SOX (Sarbanes-Oxley): Sections 302 and 404 address the need for effective internal controls.

Information Privacy
  HIPAA (Health Insurance Portability and Accountability Act): 164.312(d) - Person or Entity Authentication; 164.312(a)(1)(i) - Unique User Identification; 164.308(a)(3)(B) - Access Management.
  GLBA (Gramm-Leach-Bliley Act): Title V - Privacy, Subtitle A - Disclosure of Nonpublic Personal Information, Section 501(a); Section 501(b).

Federal Agencies
  HSPD-12 (Homeland Security Presidential Directive 12): requires every agency to use smart cards for physical and logical security.
  FISMA (Federal Information Security Management Act): NIST SP 800-53 families of controls including identification and authentication, access control, audit and accountability, and configuration management.

Electronic Banking and Payment
  FFIEC (Federal Financial Institutions Examination Council): single-factor authentication no longer satisfactory.
  PCI (Payment Card Industry): restrict access to cardholder data by business need-to-know, assign unique ID to each person, and restrict physical access to data.

Sector-wise
  FDA (Food and Drug Administration): 21 CFR Part 11 - controls over who has access to closed systems; requires audit trails of access rights and actions, run-time authorization over user access to key data and functions, and the use of electronic signatures, including passwords.
  NERC (North American Electric Reliability Council): CIP 003 - security policies and LDAP authentication; CIP 005 - two-factor authentication.

The fundamental objective of information security regulations is to apply safeguards and controls to systems and organizational processes in order to protect the confidentiality, integrity, and availability of data. To understand the importance of IDAM technologies in the regulatory context, we categorize information security regulations based on their intent (corporate governance and privacy legislations) and scope (federal agencies, electronic banking and payment, and sector-wise). Table 1 lists the specific provisions related to identity and access management within each regulation.

B. Relative importance of the IDAM market segment

To study the extent of innovation in the IDAM sector, we started by analyzing the trend of patents filed in the IDAM area. Given that information technology patents take four to six years to complete the review process, the count of patents after 2003 is not reliable. We also observed that very few accepted patents were filed prior to 1998, the onset of the Internet bubble. We conclude that analyzing trends in patent count would not lead to reliable conclusions. Assuming it takes, on average, a fairly equal amount of time to review an IDAM patent and a non-IDAM information security patent, we conducted a count analysis of IDAM patents relative to the total number of information security patents from 1998 to 2005. Figure 3 shows that more than half of the information security patents are related to IDAM (median percentage 67%; mean percentage = 68.37%).

Fig. 3. Relative percentage of IDAM patents versus total information security patents (monthly, Jul-98 to Oct-06; vertical axis from 30% to 100%).

III. EMPIRICAL STUDY

A. Empirically testing the demand and innovation link

The inappropriateness of patent count as a measure of innovation has been amply discussed in prior research. Hall et al. [7], for example, showed that patent count is a noisy indicator of R&D success. They argued that the number of patent citations is a better measure of innovation success. We use the quarterly R&D expenses of a representative sample of IDAM firms to quantify innovation in IDAM as in [8]. For that, we chose twenty-five public IDAM firms who control a significant market share of the IDAM sector [2]. Since patent count analysis showed no significant patenting activity prior to 1998, the R&D expenses we compiled covered the period 1998 to 2006. The R&D expenses time series plotted in Figure 4 reveals that innovation decreased abruptly after peaking in the year 2000 and has been increasing steadily but slowly since then.

To relate demand and innovation in IDAM, we used time series regression analysis, which establishes correlation or lagged effects. Prior to relating the two time series, we first plotted their partial autocorrelation functions (PACFs) to help uncover lingering autocorrelations. The PACFs of the demand and innovation time series revealed high first-order autocorrelation (0.8833 and 0.5843 respectively).

We then conducted lag-1 differencing to remove first-order autocorrelations. The time series results, post-differencing, indicate that demand significantly drives innovation at the 10% significance level (lagged coefficient 0.111; t-value 1.705; p-value 0.0820). Comparing the growth rates of the demand and innovation time series indicates that demand for IDAM has been increasing at a much higher rate than that at which IDAM firms have been innovating. This discrepancy in growth rate explains why the market value of the IDAM sector, after controlling for the market performance proxied by the Nasdaq return, has been stagnating over the past three years (Figure 6). This price index was built as an average of the selected IDAM firms, weighted by market capitalization to account for firm size. Note that in the case of the demand and innovation time series, firm size is already factored in so a simple average was taken.

To understand the reasons behind this slower growth rate, it is important to study the demand that drives innovation. Since it is fairly impossible to get hard data to gauge demand for IDAM products, we introduce a novel approach that has not been previously used in the literature. We argue that the revenues of information security firms selling IDAM products constitute a sufficient measure of demand for IDAM products. We used the same sample of IDAM firms used earlier, collected their quarterly revenues over the same 1998 to 2006 period, and plotted their demand trend in Figure 5.

Fig. 4. R&D expenses time series (quarterly, 1998 to 2006; the trend-line equation and R² value printed on the plot are not legible in the scan).

Fig. 5. Demand time series (quarterly revenues of the sampled IDAM firms, 1998 to 2006).

Fig. 6. Market-adjusted IDAM stock price index (market-adjusted price index level by quarter, 1998 to 2006).

B. Market value and Tobin's q

To further understand the role of innovation in driving the market value of IDAM firms, we plotted the time series of the selected firms' Tobin's q, also weighted by relative market capitalization. Tobin's q, the ratio of the market valuation of a firm's assets to their replacement value, is a measure of firms' incentives to invest. Only when a firm can at least create as much market value from its investment in additional assets, should it undergo these investments [9]. It is also shown in Hall et al. [7] that, assuming a constant return to scale market value equation, Tobin's q is logarithmically related to the value of investment in knowledge assets and reflects the market's sentiment of a firm's prospects and future profitability. In simple terms, Tobin's q represents a measure of the market's view towards the future benefits of innovation. We establish the innovation-market value link by regressing the IDAM stock price time series on the innovation time series. The results confirm that innovation significantly drives market value at the 10% significance level (lagged coefficient 1.228; t-value 1.824; p-value 0.0682). We further investigated the stock market's view of innovation in IDAM compared to that of other IT sectors. For that, we selected key non-IDAM IT players in IT areas such as database, computer hardware, and operating systems. We then plotted the Tobin's q of the selected IDAM firms and of the non-IDAM firms. Figure 7 shows that, while the stock market's valuation of the future performance of IDAM firms was noticeably higher than that of the IT counterpart in the bubble years, both have recently converged to comparable values.

Fig. 7. IDAM and non-IDAM Tobin's q (quarterly, 1997 to 2006).
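The lag-1 differencing and lagged regression used in Sections III-A and III-B above, worked through in pure Python on constructed quarterly series. This is an added example, not the paper's code or data: the demand and innovation numbers are made up so that the steps can be followed (lag-1 autocorrelation as the first PACF coefficient, lag-1 differencing, then OLS of the differenced innovation series on the differenced demand series lagged by one quarter, with the slope's t-value). The same lagged OLS serves the innovation-to-market-value regression of Section III-B when fed the price index and innovation series instead.

```python
import math


def lag1_autocorrelation(x):
    """Sample lag-1 autocorrelation; the first PACF coefficient equals this value."""
    n = len(x)
    mean = sum(x) / n
    num = sum((x[t] - mean) * (x[t - 1] - mean) for t in range(1, n))
    den = sum((v - mean) ** 2 for v in x)
    return num / den


def difference(x):
    """Lag-1 differencing, x_t - x_(t-1), used to remove first-order autocorrelation."""
    return [x[t] - x[t - 1] for t in range(1, len(x))]


def lagged_ols(x, y):
    """Simple OLS of y_t on x_(t-1): returns slope, intercept, t-value of the slope and n.

    The t-value is slope / standard error; on exactly collinear constructed data the
    residual sum of squares is zero and the t-value is reported as infinity.
    """
    xs, ys = x[:-1], y[1:]          # pair y_t with x_(t-1)
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((a - mx) ** 2 for a in xs)
    sxy = sum((a - mx) * (b - my) for a, b in zip(xs, ys))
    slope = sxy / sxx
    intercept = my - slope * mx
    sse = sum((b - intercept - slope * a) ** 2 for a, b in zip(xs, ys))
    se = math.sqrt(sse / (n - 2) / sxx) if n > 2 else float("nan")
    t_value = slope / se if se > 0 else float("inf")
    return {"slope": slope, "intercept": intercept, "t_value": t_value, "n": n}


def demand_innovation_analysis(demand, innovation):
    """The paper's pipeline: PACF check, lag-1 differencing, then the lagged regression."""
    out = {"acf_demand": lag1_autocorrelation(demand),
           "acf_innovation": lag1_autocorrelation(innovation)}
    d_demand, d_innovation = difference(demand), difference(innovation)
    out["acf_demand_diff"] = lag1_autocorrelation(d_demand)
    out.update(lagged_ols(d_demand, d_innovation))   # Δinnovation_t on Δdemand_(t-1)
    return out


# Constructed quarterly series (not the paper's data): innovation increments follow the
# previous quarter's demand increment at roughly half its size, plus small disturbances.
DEMAND = [10, 12, 15, 17, 22, 26, 33]
INNOVATION = [5, 5.8, 6.9, 8.3, 9.4, 11.8, 13.8]

if __name__ == "__main__":
    for key, value in demand_innovation_analysis(DEMAND, INNOVATION).items():
        print(f"{key}: {value:.4f}")
```

A p-value for the t-value needs the Student t distribution (scipy.stats.t would supply it) and is left out to keep the block dependency-free; with only five differenced pairs the t-value here is illustrative of the computation, not of any real significance.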

We have shown that demand has been driving innovation but the latter has not been increasing at a comparable rate as demand. This slow innovation growth rate has been reflected in the market valuation of the future performance of IDAM firms in recent years. It is therefore imperative to examine the drivers of demand. In particular, we need to investigate the specific roles of regulations and malicious attacks in driving demand.

C. The role of regulations in driving demand

Figure 8 maps the various information security regulations to the IDAM demand time series. The percent changes over various compliance windows, shown in Table 2, average to 15.6% and are significantly positive with a t-stat of 2.2 at the 95% significance level. This indicates that regulations are associated with a significant increase in demand.

TABLE 2
RESULTS OF TREND ANALYSIS

Regulation                 Percent change over compliance window
HIPAA Privacy Rule         9.023%
HIPAA Security Rule        50.192%
GLBA (Parts 30 and 248)    18.662%
GLBA (Part 314)            26.676%
FISMA                      -5.6683%
FIPS                       7.680%
AB 1950                    8.389%
CIPA                       14.258%
NERC                       14.089%
PCI - Levels 2 and 3       23.707%
SOX                        19.149%
US Patriot Act             -2.999%

Average                    15.263%
% Positive                 83.333%
Confidence Interval        [0.0594, 0.212]
t-stat                     2.200985159

D. The role of malicious attacks in driving demand

We collected 5000 occurrences of malicious attacks from Symantec's web site covering the period 2000 to 2005. We aggregated the frequency of malicious attacks monthly and cross-validated the count with CERT's vulnerability database. The resulting time series, shown in Figure 9, indicates that malicious attacks have also been increasing at an exponential rate.

Fig. 9. Monthly frequency of malicious attacks (count per month, vertical axis 0 to 180, 2000 to 2005), with the exponential trend fit y = 2E-13 e^(0.0271x), R² = 0.5979.

Fig. 8. Mapping of regulations over demand time series. The plot overlays the revenue data (information security spending, vertical axis 0 to 35) on a monthly axis with the compliance windows of the HIPAA Privacy Rule, the HIPAA Security Rule, AB 1950, FFIEC, FISMA, and the SOX deadline window (including extensions).

We also related the demand and malicious attack time series after first-differencing both, and obtained a correlation of 0.749, indicating that the increase in malicious attacks has been associated with a corresponding increase in demand for IDAM products.
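The two statistics used above, the percent change in demand over a compliance window (Section III.C, Table 2) and the correlation of two first-differenced monthly series (Section III.D), are short enough to show in full. The block below is an added illustration, not code or data from Khansa and Liginlal; the monthly series in it are constructed, and the exact formula for "percent change over a compliance window" is an assumption, since the paper does not spell it out. It also shows why the differencing step matters: two series that both grow exponentially correlate almost perfectly in levels regardless of whether their month-to-month movements have anything to do with each other.

```python
"""Added example, not code from the paper: demand statistics on monthly series.

Assumptions (not stated in the paper):
  * "percent change over a compliance window" is measured from the month
    before the window opens to the month in which it closes;
  * the series below are constructed, not the authors' Symantec/revenue data.
"""
import math


def pearson(x, y):
    """Pearson correlation of two equal-length numeric sequences."""
    n = len(x)
    if n != len(y) or n < 2:
        raise ValueError("need two equal-length series with at least 2 points")
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / math.sqrt(sxx * syy)


def first_difference(series):
    """Month-over-month changes. Differencing removes a trend shared by both
    series, so the correlation reflects co-movement rather than joint growth."""
    return [b - a for a, b in zip(series, series[1:])]


def pct_change_over_window(series, start, end):
    """Assumed definition: percent change from the month before the window
    opens (index start-1) to the month in which it closes (index end)."""
    if start < 1 or end >= len(series) or end < start:
        raise ValueError("window must start after month 0 and lie inside the series")
    base = series[start - 1]
    return 100.0 * (series[end] - base) / base


def mean_t_stat(values):
    """Mean of the window changes and the one-sample t statistic against zero
    (the test the paper applies to the Table 2 column)."""
    n = len(values)
    m = sum(values) / n
    sd = math.sqrt(sum((v - m) ** 2 for v in values) / (n - 1))
    return m, m / (sd / math.sqrt(n))


# Constructed series: 72 months, both exponential like the paper's demand and
# attack series, but with unrelated month-to-month wiggles.
MONTHS = list(range(72))
DEMAND = [math.exp(0.03 * t) + 0.5 * math.sin(t) for t in MONTHS]
ATTACKS = [3.0 * math.exp(0.03 * t) + 0.5 * math.cos(1.7 * t) for t in MONTHS]


def level_vs_differenced_correlation():
    """Return (correlation in levels, correlation after first-differencing).
    The first is high only because both series trend upward; the second is
    close to zero because the wiggles are independent by construction."""
    return (pearson(DEMAND, ATTACKS),
            pearson(first_difference(DEMAND), first_difference(ATTACKS)))


if __name__ == "__main__":
    r_level, r_diff = level_vs_differenced_correlation()
    print(f"correlation in levels: {r_level:.3f}, after differencing: {r_diff:.3f}")
    # A constructed 12-month demand series with a hypothetical compliance
    # window covering months 4 to 8.
    demand_12 = [100 + 3 * t + (5 if t >= 6 else 0) for t in range(12)]
    print(f"change over window: {pct_change_over_window(demand_12, 4, 8):.2f}%")
    print("mean, t-stat:", mean_t_stat([9.0, 50.2, 18.7, -5.7, 7.7]))
```

Running the block prints a level correlation above 0.9 and a differenced correlation near zero for the constructed pair, which is the spurious-correlation trap the differencing step guards against; the paper's 0.749 is reported after that step, so it is not an artefact of two rising series.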


IV. DISCUSSION AND RECOMMENDATIONS

In this section, we propose a two-pronged strategy involving: (i) additional regulations that stimulate innovation by IDAM firms and require firms to apply effective safeguards so as to curb security breaches by insiders and malicious attacks by outsiders; and (ii) standardization efforts on the engineering front.

A. How can regulations be more effective?

Regulations may influence innovative activities in two ways. First, they significantly increase demand, thus affecting market structure. Second, in the IT industry, where standards are very important, public policies serve as a catalyst for developing and enforcing standards. Consequently, policies that influence standardization may have profound effects on the nature and pace of innovation.

Although technology, process, and organizational innovations are not the intended goals of regulations, they are the primary means by which regulations take effect. Security regulations directly affect consumers of IT products and services in the financial, healthcare, biotech, and telecommunications sectors, among others, while producers of IT (and of information security as a sub-discipline within IT) are affected indirectly, through the actions of standards bodies and the demand for IT products and services. Such a producer-consumer paradigm serves as a useful basis for tying regulations to innovation. First, we emphasize the need for regulatory bodies to recognize the importance of information security innovation to national security and to organizational and social welfare. Second, in all regulatory efforts, there should be a commitment to highlight the impact on the information infrastructure, which is the backbone of the nation's digital economy. Finally, policies designed to address both IT consumers and IT producers are required. Such policies should not be focused solely on a punitive regime. Rather, they should be designed to provide social incentives to innovate and to stimulate competition among IT firms.

B. What standardization efforts are required?

Standardization efforts can gain momentum through industry alliances and via the efforts of standardization bodies such as the ITU and NIST. The federal government should provide incentives to industries to develop IDAM standards. In the work of standardization bodies, two areas are gaining attention, namely role engineering, and interoperability and open standards. On the one hand, the engineering, management, and refinement of roles constitute the "next frontier" of enterprise identity management.¹ The NIST role-based access control (RBAC) model was developed in 1992 and suffers from several major mismatches with today's identity management needs. First, it is a static model, whereas roles in today's business environment are very dynamic. Second, it assumes that a person has a single role which exists in a hierarchical form. In reality, roles are dynamic and are often multiple and overlapping.

¹ Digital ID Newsletter, May 25, 2006 [http://www.digitalidworld.com/]

The Focus Group on Identity Management, recently established by the ITU to ensure interoperability, aims to facilitate the development of a generic identity management framework by fostering the participation of all telecommunications and ICT experts on identity management. According to the chairman of the focus group, Abbie Barbir, "What we really need in the long run - or the short run - is the identity layer as the enabler of the service layer".

V. CONCLUSION AND FUTURE RESEARCH

In this paper, we outlined the importance of identity and access management to the engineering of IT systems. We showed that regulations drive demand for identity and access management technologies. Additional analyses revealed that innovation has recently been increasing at a much slower rate than demand. We conjectured that this slow rate of growth explains why the stock market's valuation of the IDAM sector has recently languished.

We therefore conclude that more innovation and standardization efforts are required in this technology segment. This study will be extended on many fronts. First, we wish to investigate further the complementarities between the information security sector and the rest of the IT industry by comparing their innovation trends. We are also in the process of designing a questionnaire for interviewing CSOs of US firms. This will help us gauge the relevance of identity and access management to the customer, as well as study trends related to convergence and consolidation in this important technology sector.
