It was September 1999, at the Networld + Interop show in Atlanta, when I first heard about the concept of automated provisioning of applications and other IT resources to end-users. The idea came from the folks at Business Layers, a company that was founded earlier that year. I remember thinking, "This will be really something -- if it works."

At the time, the idea was a rather confusing one that seemed nearly impossible to pull off. It entailed lots of links between various corporate directories and human resources applications such as PeopleSoft. When a new employee joined a company, an HR administrator could click a few buttons and set off a string of events to get the new employee set up with email, phone service and a suite of applications and access rights appropriate to the employee's role in the company. As the employee's role changed over time, access privileges could be changed accordingly. When the employee finally left the firm, access to all resources could be cut off with a few mouse clicks.

Nearly three years removed from that meeting, the concept of "e-provisioning," as Business Layers calls it, has matured considerably. A number of players are now in the market telling compelling stories of improved security and real return on investment (ROI). And the marketing message has morphed considerably, into a category that many call identity management.

I was reminded of the Business Layers meeting after another recent meeting, this one with some folks at Waveset Technologies. Waveset was founded in January 2000 by four ex-Tivoli employees and launched its Lighthouse product in June 2001. The company offers essentially the same type of products as Business Layers but focuses the discussion more on identity management and ROI. To varying degrees, other players in the identity management space include Access360, BMC, Computer Associates, Courion, Entact and Tivoli.

Two aspects of identity management make it particularly compelling: improved security and ROI. Identity management tools improve security by enabling companies to keep closer -- and more accurate -- tabs on who can access what enterprise resources. The best products do this by working with a company's existing directories and applications such as PeopleSoft, where access privilege data is typically stored, so you don't have to install yet another database of such information.

Some, Waveset included, can detect changes in a PeopleSoft application, for example, and make sure that change is reflected in other relevant directories and databases.

The most extreme example is when an employee is fired. As soon as the change is noted in the HR application, the identity management tools can kick off a series of steps to make sure the user is denied access to all IT resources. Waveset can also detect when a user who wasn't supposed to have access to a financial application mysteriously is granted access, maybe because he talked his IT administrator buddy into hooking him up. Lighthouse will then fire off a message to the owner of the financial package to determine whether the user should be allowed access.

Such features can dramatically improve security within an organization simply by making sure that users don't have access to resources that they shouldn't have access to. In an organization with even a few hundred users, that can be a daunting -- if not impossible -- task to perform manually. Extrapolate to partners, suppliers and customers that have access via extranets, and the problem gets even more serious.
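The reconciliation described above, detecting a termination in the HR system and an access grant that the user's role does not justify, can be sketched as follows. This is an added example, not code from Waveset, Business Layers or any product named here; the role table, user names, systems and owner address are constructed, and treating an account with no HR record like a terminated user is an assumption.

```python
from dataclasses import dataclass

# Constructed sample policy: roles and systems are hypothetical.
ROLE_ENTITLEMENTS = {
    "accountant": {"email", "financials"},
    "engineer": {"email", "source_control"},
}

@dataclass(frozen=True)
class HRRecord:
    user: str
    role: str
    active: bool

def reconcile(hr_records, actual_access, owners):
    """Compare actual access against what HR status and role allow.

    hr_records:    iterable of HRRecord (the authoritative source)
    actual_access: {system: set of users who currently hold an account}
    owners:        {system: resource owner to notify}
    Returns a sorted list of (action, user, system, notify) tuples.
    """
    hr = {r.user: r for r in hr_records}
    actions = []
    for system, users in actual_access.items():
        for user in users:
            rec = hr.get(user)
            if rec is None or not rec.active:
                # Terminated, or unknown to HR (assumption): cut off access.
                actions.append(("revoke", user, system, None))
            elif system not in ROLE_ENTITLEMENTS.get(rec.role, set()):
                # Active user holding a grant the role does not justify:
                # ask the resource owner instead of silently removing it.
                actions.append(("review", user, system, owners.get(system)))
    return sorted(actions, key=lambda a: (a[0], a[1], a[2]))

def sample_run():
    hr = [
        HRRecord("alice", "accountant", True),
        HRRecord("bob", "engineer", True),
        HRRecord("carol", "engineer", False),  # marked terminated in HR
    ]
    access = {
        "email": {"alice", "bob", "carol"},
        "financials": {"alice", "bob"},  # bob was granted out of band
        "source_control": {"bob", "carol", "dave"},  # dave has no HR record
    }
    owners = {"financials": "finance-owner@example.com"}
    return reconcile(hr, access, owners)
```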

Which gets to the ROI discussion. If all these routines are happening with little to no human intervention, it clearly saves the company money that would be spent on system administrators. Additionally, many identity management tools have facilities that enable users to handle their own password changes or deal with forgotten passwords, easing a major cost burden on enterprise help desks.

Waveset claims to further save users money because Lighthouse doesn't require software agents to be installed on various enterprise servers. Maintaining the appropriate agent versions as servers come and go can be laborious and expensive for large organizations, the company says.

Identity management vendors are now putting the ROI issue front and center, with some even helping you make the case. Business Layers and Waveset, for example, both have simple ROI calculators on their Web sites. (See and

It's rare indeed when you can make a solid ROI case for buying any given security product. While there are some emerging metrics, you often have to go with your gut and make the case based on what might happen if you don't buy the product -- not exactly what the bean counters typically want to hear.

Desmond is a writer and editor based in Framingham, Mass. He serves as editor of, a source of practical security information for IT managers, CIOs and business executives. Email him at