Not too long ago, identity access management (IAM) hardly warranted a full-time manager. Mostly, these responsibilities were tacked onto other IT employees' duties. But burgeoning demand for this technology is leading to a convergence of business and IT functions and prompting companies like forest products giant Weyerhaeuser Co. to place ads for full-time IAM technologists. "Convergence is the most significant thing happening in identity management," says Jonathan Penn, vice president and research director at Forrester Research. "Integration and convergence are upfront costs that pay for themselves over time through lower operational costs and better overall security."

IAM began life as an IT security framework to identify individuals within an organization who required access to data, and the access management tool acted as a gatekeeper. Now, however, demand is being driven by business functions, including Sarbanes-Oxley (SOX) regulations and the pressure to overlay governance, risk and compliance (GRC) tools on enterprise resource planning systems, vendors say. IAM "is becoming a cornerstone of an enterprise compliance effort," says Venkat Raghavan, director of strategy for IBM Corp.'s Tivoli storage and security software products. "This is a core process that needs to be applied across a system in many applications."

IAM systems play a key role in complying with SOX because they consolidate and also enable the provisioning, management and auditing of systems and applications across an enterprise. They also can provide the notification and approval processes. Now, in their latest incarnations as risk-based tools, they can alert managers when unauthorized activity is afoot, extending not only to employees, but also contractors and customers. For example, when an accounts payable (A/P) employee sends an electronic check to a vendor, the employee uses the IAM system to establish that the recipient is the correct authorized supplier. The technology also leaves an audit trail for SOX compliance or compliance with other regulations, such as the Health Insurance Portability and Accountability Act (HIPPA) and Basel II. "Auditors are going to want to know who had access to financial information and when," according to Joe Anthony, program director of security and compliance for IBM Tivoli software. "This provides automatic documentation."