Security Spotlight

Identity management appliances reduce password cost

Approximately one out of three help desk calls involves a password reset. At $30 to $50 per call, password administration really adds up. Network operations and security managers who must cut that cost while satisfying industry regulations and privacy laws should consider identity management. Identity management refers to an integrated system of processes, policies and technologies that facilitate and control user access to applications and resources on the network.

Why deploy an Identity management appliance?
A well-implemented identity management solution can eliminate much of this overhead while strengthening network security and improving productivity. Identity management consolidates directory services and data stores that hold user identities, credentials, and policies. Identity management automates workflows associated with identity lifecycle, from account provisioning to update to revocation. Identity management helps companies regain control over independently-managed systems and applications that define their own user accounts and generate their own access logs. In many cases, identity management can also simplify life for end users.

Various devices have been called identity appliances. Appliances like Infoblox IDeal IP consolidate disparate DNS, DHCP, and IP address management services into a single box. Appliances like the RSA SecurID Appliance, Bayshore Networks SingleKey Appliance, and Secure Computing SafeWord SecureWire interface with many access devices to authenticate, authorize, and audit usage. Appliances like the Cisco Clean Access Appliance and the Juniper Infranet Controller 4000 enforce network access policies.

Network addressing, authentication, and access control all depend upon identity, but "identity management appliances" are devices that unify identity management across diverse access devices, authentication methods, directory services, and internal systems/applications. An identity management appliance helps you glue together what you already have by automating time-consuming or error-prone tasks and streamlining identity-related workflows.

Deploying an Identity management appliance
Identity management appliances are deployed inside your network, in a location where they can communicate securely with existing infrastructure.

To access devices such as switches, wireless controllers, and VPN gateways, the identity management appliance appears as an authentication server: it speaks RADIUS and terminates or relays the 802.1X/EAP exchanges carried inside it. The appliance may have an on-board authentication server, but more commonly it acts as an authentication proxy, presenting itself as a RADIUS client to the authentication servers you already run and re-keying each request and reply between the shared secret it holds with the access device and the one it holds with the upstream server.
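To make the proxy role concrete, here is an added example in Python (not code from the article or from any of the products it names) implementing the RFC 2865 mechanics an authentication proxy depends on: it parses the Access-Request a NAS sends under the NAS's shared secret, recovers and re-hides the User-Password under the upstream server's secret with a fresh Request Authenticator, and verifies the upstream Response Authenticator before re-signing the reply for the NAS. The upstream server and its user table are stand-ins constructed for the demo, and only a password-carrying (PAP) request is handled; EAP would travel inside EAP-Message attributes, which this sketch does not process.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS codes (RFC 2865)
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                 # attribute types (RFC 2865)

def encode_attrs(attrs):
    """Serialize [(type, value_bytes), ...] as RADIUS type/length/value triples."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        length = data[i + 1] if i + 1 < len(data) else 0
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + length]))
        i += length
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    if len(pkt) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad Length field")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def response_authenticator(code, ident, req_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()

def proxy_request(nas_pkt, nas_secret, upstream_secret):
    """Re-key a NAS Access-Request for the upstream server; also returns the new Request Authenticator."""
    code, ident, nas_auth, attrs = parse_packet(nas_pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("only Access-Request is proxied here")
    up_auth = os.urandom(16)
    rekeyed = []
    for t, v in attrs:
        if t == ATTR_USER_PASSWORD:
            v = hide_password(reveal_password(v, nas_secret, nas_auth), upstream_secret, up_auth)
        rekeyed.append((t, v))
    return build_packet(ACCESS_REQUEST, ident, up_auth, rekeyed), up_auth

def proxy_reply(up_reply, up_auth, upstream_secret, nas_auth, nas_secret):
    """Verify the upstream reply under its secret, then re-sign it for the NAS under the NAS secret."""
    code, ident, resp_auth, attrs = parse_packet(up_reply)
    if not hmac.compare_digest(resp_auth, response_authenticator(code, ident, up_auth, attrs, upstream_secret)):
        raise ValueError("upstream Response Authenticator mismatch; reply dropped")
    return build_packet(code, ident, response_authenticator(code, ident, nas_auth, attrs, nas_secret), attrs)

def upstream_server(pkt, secret, users):
    """Stand-in for the existing authentication server (constructed for this demo, PAP only)."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    ok = ATTR_USER_PASSWORD in a and users.get(a.get(ATTR_USER_NAME)) == reveal_password(a[ATTR_USER_PASSWORD], secret, req_auth)
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(reply, ident, response_authenticator(reply, ident, req_auth, [], secret), [])

def authenticate_via_proxy(username, password, nas_secret, upstream_secret, users):
    """NAS -> proxy -> upstream -> proxy -> NAS; returns the reply code the NAS accepts."""
    nas_auth = os.urandom(16)
    nas_pkt = build_packet(ACCESS_REQUEST, 7, nas_auth, [
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, nas_secret, nas_auth))])
    up_pkt, up_auth = proxy_request(nas_pkt, nas_secret, upstream_secret)
    nas_reply = proxy_reply(upstream_server(up_pkt, upstream_secret, users), up_auth, upstream_secret, nas_auth, nas_secret)
    code, ident, resp_auth, attrs = parse_packet(nas_reply)
    if not hmac.compare_digest(resp_auth, response_authenticator(code, ident, nas_auth, attrs, nas_secret)):
        raise ValueError("NAS-side Response Authenticator mismatch")  # the NAS checks its own hop too
    return code
```

The point to take from the proxy is that each hop is protected by its own shared secret, so the appliance must hold cleartext credentials briefly in memory and must refuse any upstream reply whose Response Authenticator does not verify; otherwise a forged Access-Accept injected between the appliance and the real server would be re-signed and trusted by the NAS. A production proxy would additionally validate the Message-Authenticator attribute (RFC 2869), which is mandatory on requests carrying EAP-Message.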

To create a meta-directory or virtual directory, the identity management appliance imports or synchronizes user accounts and attributes from directory and authentication services like LDAP, Active Directory, Sun iPlanet, Solaris NIS, and RSA ACE.

To support lifecycle tasks, the identity management appliance interfaces with administrators and end users. Administrative GUIs and CLIs enable provisioning and maintenance, providing a consolidated view of each account and synchronizing adds, removes, and changes across directories. A self-help GUI may provide users the ability to reset their own passwords.
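The reconciliation step behind "synchronizing adds, removes, and changes across directories" is shown below as an added example in Python; it is not code from the article or from any vendor's appliance. It assumes a constructed HR-style authoritative source and one target system (an AD domain, a VPN gateway, or an application that keeps its own accounts), both keyed by employee ID; the record layouts, attribute names and sample users are assumptions made for the demo. The plan it produces puts revocations first, so a terminated employee or an orphaned account loses access before any add or attribute update is attempted.

```python
from copy import deepcopy

# Constructed sample data, not taken from any real directory.
# Authoritative source (HR feed or meta-directory): employee id -> attributes.
SOURCE = {
    "e100": {"login": "alice", "dept": "eng",   "mail": "alice@example.com", "status": "active"},
    "e101": {"login": "bob",   "dept": "sales", "mail": "bob@example.com",   "status": "active"},
    "e102": {"login": "carol", "dept": "eng",   "mail": "carol@example.com", "status": "terminated"},
    "e103": {"login": "dave",  "dept": "eng",   "mail": "dave@example.com",  "status": "active"},
}

# A target system that defines its own accounts (AD domain, VPN gateway, application).
TARGET = {
    "e100": {"login": "alice",   "dept": "eng",       "mail": "alice@example.com", "enabled": True},
    "e101": {"login": "bob",     "dept": "marketing", "mail": "bob@example.com",   "enabled": True},
    "e102": {"login": "carol",   "dept": "eng",       "mail": "carol@example.com", "enabled": True},
    "e104": {"login": "svc_old", "dept": "it",        "mail": "",                  "enabled": True},
}

SYNCED_ATTRS = ("login", "dept", "mail")   # attributes the appliance is authoritative for

def reconcile(source, target, attrs=SYNCED_ATTRS):
    """Diff target against source. Returns a plan with revocations, changes and adds."""
    plan = {"revoke": [], "change": [], "add": []}
    # Pass 1: anything enabled in the target without an active authoritative record is revoked.
    # This catches both terminated employees and orphans nobody provisioned through the source.
    for eid, tgt in target.items():
        src = source.get(eid)
        if tgt["enabled"] and (src is None or src["status"] != "active"):
            reason = "no authoritative record" if src is None else "status=%s" % src["status"]
            plan["revoke"].append((eid, reason))
    # Pass 2: every active source record must exist, be enabled, and match on synced attributes.
    for eid, src in source.items():
        if src["status"] != "active":
            continue
        tgt = target.get(eid)
        if tgt is None:
            plan["add"].append((eid, {a: src[a] for a in attrs}))
            continue
        diff = {a: (tgt[a], src[a]) for a in attrs if tgt[a] != src[a]}
        if not tgt["enabled"]:
            diff["enabled"] = (False, True)   # re-hire or earlier disable: re-enable explicitly
        if diff:
            plan["change"].append((eid, diff))
    return plan

def apply_plan(target, plan):
    """Apply in the order revoke -> change -> add so access removal never waits on other steps."""
    new = deepcopy(target)
    for eid, _reason in plan["revoke"]:
        new[eid]["enabled"] = False           # disable rather than delete: keeps logs attributable
    for eid, diff in plan["change"]:
        for attr, (_old, wanted) in diff.items():
            new[eid][attr] = wanted
    for eid, attrs in plan["add"]:
        new[eid] = dict(attrs, enabled=True)
    return new

def sync(source, target):
    """One reconciliation cycle; returns the plan and the resulting target state."""
    plan = reconcile(source, target)
    return plan, apply_plan(target, plan)
```

Running `sync(SOURCE, TARGET)` disables carol (terminated) and svc_old (no authoritative record), corrects bob's department, and creates dave. A useful invariant to check in a real deployment is idempotence: reconciling the source against the state produced by the previous run should yield an empty plan, which is also the condition that tells you the two stores have converged.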

An appliance that implements single sign-on must go further, playing middle-man between users and applications. This may involve deploying an agent on user devices to discover and manage credentials, based on profiles that characterize each application's login process.

Shopping for an Identity management appliance?
Features to look for include the following:

  • Authentication services: Can the appliance support methods and servers used by your company, including strong authentication?
  • Directory services: Can the appliance consolidate user accounts obtained from your existing directories?
  • Account provisioning: Does the appliance enable centralized account creation and maintenance, including ability to quickly revoke access?
  • Password self-help: Is there an interface for users to reset their own passwords, without help desk intervention?
  • Logging and reporting: Can you track an individual user's activity, or enumerate access to a specified resource?
  • Single or reduced sign-on: Can the appliance reduce the number of passwords that each user must remember?

Choosing the right Identity management appliance
A challenge for any appliance is dovetailing with all the moving parts in your network. Look carefully at the authentication methods and directories required by your security policy. For example, 802.1X does not ensure interoperability; make sure the appliance supports the EAP types you plan to use (e.g., EAP-TLS, PEAP, EAP-SIM).

A primary identity management goal is to simplify workflow and cut cost. Consider speed of deployment and installation aids, like the ability to use selected features without inter-dependencies, or to use single sign-on without application impact or script development.

Identity management not only consolidates provisioning and authentication, it creates a unified platform for compliance reporting, troubleshooting, and incident investigation. Use this to justify and leverage your identity management investment.

Finding an Identity management appliance
Historically, identity management solutions have involved expensive software suites designed for large enterprises with lengthy deployment cycles. Small-to-medium businesses were unable to afford that cost or complexity. But recently, turn-key identity management appliances have appeared, priced and packaged for rapid deployment:

As security appliances go, identity management is a new field, and features offered by these three appliances differ quite a bit. For example, Imprivata is the only appliance on this list to offer single sign-on; A10 is the only appliance to offer identity-based firewall logs. But all share a common goal: improving security and productivity while cutting identity management cost.

About the author:

Lisa Phifer owns Core Competence Inc., a consulting firm specializing in network security and management technology. Lisa has been involved in the design, implementation and evaluation of data communications, internetworking, security and network management products for over 20 years. At Core Competence, she has advised large and small companies regarding security needs, product assessment and the use of emerging technologies and best practices. Lisa teaches about wireless LANs, mobile security and virtual private networking at many industry conferences and on-line webinars. Lisa's WLAN Advisor column is published by SearchNetworking.com, where she is a site expert on wireless LANs. She also has written extensively about network infrastructure and security technologies for numerous publications including Wi-Fi Planet, ISP-Planet, Business Communications Review, Information Security and SearchSecurity.com.

This was first published in July 2006
