Identity management, which, broadly speaking, governs user access to corporate IT systems, is not enough by itself. Strong authentication is required to protect IT systems, but risk mitigation should be weighed against cost.

"Identity management represents a category of solutions that administer user authentication, access rights and restrictions, account profiles, passwords, and other attributes that support users' [access to] an application or system," states the online encyclopaedia, Wikipedia. Despite criticism from traditional encyclopaedia circles, it is normally accurate in explaining technology terms.

And while that definition may seem exhaustive, to say the least, , research VP at , adds more still. "Identity management is a bag of markets, not a single market in itself."

Allan says such solutions, the basis of an integrated plan (which unifies all security solutions and ties in with corporate strategy), are popular because they improve (process) efficiencies and satisfy regulation on good governance. The first concerns the removal of onerous administration tasks governing many security solutions, improvement of internal service levels (application 'requests', for instance) and speeding up the turnaround of change requests (such as when an employee leaves or joins the company). The second has to do with risk management.

"One problem in a heterogeneous environment is tying things down because you have different administrators on different systems. You get inconsistencies in the way users are set up, you lose track of them, you leave user accounts lying around with access that they no longer need or even [inactive] accounts belonging to former employees," he notes.

For , director: technology engineering at , these are very real issues, because, as is pointed out several times elsewhere in this issue, the biggest threat to an organisation is internal.

And while he concedes that there is no cure-all solution, he says the only way to deal with the issue is through access control and monitoring, or identity management.

However, identity management alone is not enough. End-user organisations must authenticate users via more than just a password. To Singh's mind this means using two-factor authentication, in other words, supplementing traditional password systems with other methods. In many companies this is not a reality yet, because of the cost of the extra layers and the immaturity of the technology.

Andrew Kellett, senior research analyst at Butler Group, agrees stronger methods of authentication are being sought in Europe too. He cites Lloyds TSB as an example. This financial institution is setting out on a trial of two-factor authentication, using one-shot tokens.

This method requires a separate device that, upon activation, will produce a one-time code that lasts for 30 seconds. That code, when used in conjunction with a password, provides two-factor, hence harder-to-crack authentication.
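The token-plus-password check described above, as an added example that is not from the article or from any bank mentioned in it. It assumes the token follows the open TOTP standard (RFC 6238), which the article does not name; `totp` and `TwoFactorLogin` are hypothetical names, and the secret and salt are constructed test values.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds a code stays valid, as described in the article


def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 code for the 30-second window that contains `now`."""
    counter = int(now) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TwoFactorLogin:
    """Hypothetical verifier: the password AND the current token code must match."""

    def __init__(self, salt: bytes, password: str, token_secret: bytes):
        self.salt = salt
        self.pw_hash = self._hash(password)
        self.token_secret = token_secret
        self.last_counter = -1  # last accepted window, kept to block replay

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def verify(self, password: str, code: str, now: float) -> bool:
        counter = int(now) // STEP
        # Evaluate both factors in constant time before deciding, so the
        # response does not reveal which of the two was wrong.
        pw_ok = hmac.compare_digest(self._hash(password), self.pw_hash)
        expected = totp(self.token_secret, now)
        code_ok = hmac.compare_digest(code.encode(), expected.encode())
        fresh = counter > self.last_counter  # a code is accepted only once
        if pw_ok and code_ok and fresh:
            self.last_counter = counter
            return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    login = TwoFactorLogin(b"constructed-salt", "correct horse", secret)
    code = totp(secret, 59)
    print(code, login.verify("correct horse", code, 59))
```

The verifier rejects a code outside its own 30-second window and a second use of an already accepted code, so a captured password and code pair cannot be reused for a later login.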

Standard Bank has developed a two-factor authentication scheme for its Internet banking service, one for which Singh says 110 000 customers have already signed up. It only requires a cellphone.

Certain transactions, such as loading new beneficiaries, changing your personal details or making a one-time payment, trigger a one-time code that is sent to the customer's cellphone via SMS. Once the code is entered online, the transaction can proceed.

Down the road at , a similar investigation is taking place. Dr , CEO of eSolutions, reports that various options are being considered for its electronic banking services. So far, he says, biometrics hasn't featured very highly - primarily because of the complexity of supporting a large client-base.

However, he says, two-factor authentication for Internet banking is one thing, implementing stronger security with existing internal environments quite another. Singh reports that Standard Bank is looking at various alternatives including the cellphone model, smart cards and biometrics. "We'll probably go for smart cards," he says.

, research manager at BMI-TechKnowledge (BMI-T), says the two chief inhibitors of biometric technology are cost and its perceived invasiveness. He describes it as a balancing act between security, cost and ease of use. So which will you use?
