SECURITY SPOTLIGHT
Why deploy an Identity management appliance?
A well-implemented identity management solution can eliminate much of the administrative overhead of managing accounts system by system, while strengthening network security and improving productivity. Identity management consolidates the directory services and data stores that hold user identities, credentials, and policies. It automates the workflows of the identity lifecycle, from account provisioning through updates to revocation. It helps companies regain control over independently managed systems and applications that define their own user accounts and generate their own access logs. In many cases, identity management also simplifies life for end users.
Various devices have been called identity appliances. Appliances like Infoblox IDeal IP consolidate disparate DNS, DHCP, and IP address management services into a single box. Appliances like the RSA SecurID Appliance, Bayshore Networks SingleKey Appliance, and Secure Computing SafeWord SecureWire interface with many access devices to authenticate, authorize, and audit usage. Appliances like the Cisco Clean Access Appliance and the Juniper Infranet Controller 4000 enforce network access policies.
Network addressing, authentication, and access control all depend upon identity, but "identity management appliances" are devices that unify identity management across diverse access devices, authentication methods, directory services, and internal systems and applications. An identity management appliance helps you glue together what you already have by automating time-consuming or error-prone tasks and streamlining identity-related workflows.
Deploying an Identity management appliance
Identity management appliances are deployed inside your network, in a location where they can communicate securely with existing infrastructure.
To the network's access devices, the identity management appliance appears as an authentication server, speaking standard protocols like RADIUS, 802.1X, and EAP. The appliance may have an on-board authentication server, but generally it acts as an authentication proxy in front of the authentication servers you already run.
To create a meta-directory or virtual directory, the identity management appliance imports or synchronizes user accounts and attributes from directory services like LDAP, Active Directory, Sun iPlanet, Solaris NIS, and RSA ACE.
To support lifecycle tasks, the identity management appliance interfaces with administrators and end users. Administrative GUIs and CLIs enable provisioning and maintenance, providing a consolidated view of each account and synchronizing adds, removes, and changes across directories. A self-help GUI may give users the ability to reset their own passwords.
An appliance that implements single sign-on must go further, acting as a middleman between users and applications. This may involve deploying an agent on user devices to discover and manage credentials, based on profiles that characterize each application's login process.
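The directory consolidation and lifecycle synchronization described above, as an added example that is not from the article or any vendor's product: two constructed source directories with different schemas (an iPlanet/LDAP style `nsAccountLock` flag and an Active Directory style `userAccountControl` bit) are merged into one consolidated view, the adds and removes a downstream system needs are computed, and one identity is revoked in every directory in a single step. All directory entries and names are constructed sample data.

```python
# Added example, not from the article: a small virtual directory that merges
# accounts from two constructed source directories with different schemas,
# plans downstream adds/removes, and revokes one identity everywhere at once.

# Constructed entries. The same fact is spelled differently per directory:
# nsAccountLock (iPlanet/LDAP) vs. userAccountControl bit 2 = ACCOUNTDISABLE (AD).
LDAP_DIR = [
    {"uid": "asmith", "mail": "ASmith@example.test", "nsAccountLock": "false"},
    {"uid": "bjones", "mail": "bjones@example.test", "nsAccountLock": "false"},
]
AD_DIR = [
    {"sAMAccountName": "asmith", "mail": "asmith@example.test", "userAccountControl": 512},
    {"sAMAccountName": "cdoe", "mail": "cdoe@example.test", "userAccountControl": 514},
]

def from_ldap(e):                 # normalize to (uid, email, enabled)
    return e["uid"], e["mail"].lower(), e["nsAccountLock"] != "true"
def from_ad(e):
    return e["sAMAccountName"], e["mail"].lower(), not e["userAccountControl"] & 2

def build_meta_directory(ldap_dir, ad_dir):
    """Consolidated view, one record per uid. An identity stays enabled only if
    every source that knows it agrees, so a locked/open conflict fails closed."""
    meta = {}
    for src, uid, email, enabled in (
        [("ldap", *from_ldap(e)) for e in ldap_dir] + [("ad", *from_ad(e)) for e in ad_dir]):
        rec = meta.setdefault(uid, {"email": email, "enabled": True, "sources": []})
        rec["enabled"] = rec["enabled"] and enabled
        rec["sources"].append(src)
    return meta

def sync_plan(downstream_uids, meta):
    """Adds and removes a downstream system needs to match the meta-directory."""
    return (sorted(set(meta) - set(downstream_uids)),
            sorted(set(downstream_uids) - set(meta)))

def revoke(uid, ldap_dir, ad_dir):
    """Disable uid in every directory; return updated copies plus sources touched."""
    touched, new_ldap, new_ad = [], [], []
    for e in ldap_dir:
        if e["uid"] == uid:
            touched.append("ldap")
            e = dict(e, nsAccountLock="true")
        new_ldap.append(e)
    for e in ad_dir:
        if e["sAMAccountName"] == uid:
            touched.append("ad")
            e = dict(e, userAccountControl=e["userAccountControl"] | 2)
        new_ad.append(e)
    return new_ldap, new_ad, touched
```

The list of sources `revoke` touched is what an operator checks: an account that exists in a directory but did not appear there is a revocation that only partly succeeded.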
Shopping for an Identity management appliance?
Features to look for include the following:
- Authentication services: Can the appliance support methods and servers used by your company, including strong authentication?
- Directory services: Can the appliance consolidate user accounts obtained from your existing directories?
- Account provisioning: Does the appliance enable centralized account creation and maintenance, including the ability to quickly revoke access?
- Password self-help: Is there an interface for users to reset their own passwords, without help desk intervention?
- Logging and reporting: Can you track an individual user's activity, or enumerate access to a specified resource?
- Single or reduced sign-on: Can the appliance reduce the number of passwords that each user must remember?
Choosing the right Identity management appliance
A challenge for any appliance is dovetailing with all the moving parts in your network. Look carefully at the authentication methods and directories required by your security policy. For example, 802.1X does not ensure interoperability; make sure the appliance supports the EAP types you plan to use (e.g., EAP-TLS, PEAP, EAP-SIM).
A primary identity management goal is to simplify workflow and cut cost. Consider speed of deployment and installation aids, like the ability to use selected features without inter-dependencies, or to use single sign-on without application impact or script development.
Identity management not only consolidates provisioning and authentication, it creates a unified platform for compliance reporting, troubleshooting, and incident investigation. Use this to justify and leverage your identity management investment.
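The reporting and investigation use described above (tracking one user's activity, or enumerating who reached a resource), as an added example that is not from the article or any vendor: constructed RADIUS-accounting-style session records tie users to IP addresses for a time window, and IP-only firewall lines are attributed through them. Timestamps are fixed-width strings so they compare correctly as text; the addresses, users and log lines are all constructed.

```python
# Added example, not from the article: attribute IP-only firewall log lines to
# users via constructed session records, then answer "what did this user do?"
# and "who reached this resource?". Timestamps are "YYYY-MM-DD HH:MM:SS" strings,
# which sort and compare correctly as text, so no date parsing is needed.

# Constructed sessions: one address is handed to two users on the same day, so
# attribution must respect the session window, not just the IP. stop=None means
# the session is still open (no accounting stop seen yet).
SESSIONS = [
    {"user": "asmith", "ip": "10.1.1.20", "start": "2006-07-10 08:00:00", "stop": "2006-07-10 12:00:00"},
    {"user": "bjones", "ip": "10.1.1.20", "start": "2006-07-10 12:30:00", "stop": None},
    {"user": "cdoe",   "ip": "10.1.1.21", "start": "2006-07-10 09:00:00", "stop": "2006-07-10 17:00:00"},
]

# Constructed firewall lines: timestamp, source IP, destination resource, action.
FIREWALL_LOG = """\
2006-07-10 08:15:00 src=10.1.1.20 dst=hr-db action=allow
2006-07-10 12:10:00 src=10.1.1.20 dst=hr-db action=allow
2006-07-10 13:00:00 src=10.1.1.20 dst=hr-db action=allow
2006-07-10 13:05:00 src=10.1.1.21 dst=hr-db action=deny
2006-07-10 14:00:00 src=10.1.1.22 dst=hr-db action=allow
"""

def parse_line(line):
    fields = dict(kv.split("=", 1) for kv in line[20:].split())
    return {"time": line[:19], "src": fields["src"], "dst": fields["dst"], "action": fields["action"]}

def user_for(ip, when, sessions=SESSIONS):
    """Owner of ip at time when, or None if no session covers it (the 12:10 line
    falls in the gap between asmith's logout and bjones's login)."""
    for s in sessions:
        if s["ip"] == ip and s["start"] <= when and (s["stop"] is None or when <= s["stop"]):
            return s["user"]
    return None

def attribute(log=FIREWALL_LOG, sessions=SESSIONS):
    """Identity-based view of the firewall log. Unattributed lines are kept with
    user=None rather than dropped: they are what an investigator looks at first."""
    events = []
    for line in log.splitlines():
        ev = parse_line(line)
        ev["user"] = user_for(ev["src"], ev["time"], sessions)
        events.append(ev)
    return events

def activity_of(user, events):       # one user's activity, in log order
    return [(e["time"], e["dst"], e["action"]) for e in events if e["user"] == user]

def access_to(resource, events):     # who was allowed to reach a resource; None = unexplained traffic
    return sorted({e["user"] for e in events if e["dst"] == resource and e["action"] == "allow"}, key=str)
```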
Finding an Identity management appliance
Historically, identity management solutions have involved expensive software suites designed for large enterprises with lengthy deployment cycles. Small-to-medium businesses were unable to afford that cost or complexity. But recently, turn-key identity management appliances have appeared, priced and packaged for rapid deployment:
- Imprivata OneSign ESSO
- Identity Engines Ignition
- A10 Networks IDSentrie
As security appliances go, identity management is a new field, and features offered by these three appliances differ quite a bit. For example, Imprivata is the only appliance on this list to offer single sign-on; A10 is the only appliance to offer identity-based firewall logs. But all share a common goal: improving security and productivity while cutting identity management cost.
This was first published in July 2006