Manage Learn to apply best practices and optimize your operations.

Trusting identity management, part 1

Identity is a critical element of an organization's IT infrastructure. Learn about the difference between identity for access and identity for security reasons.

The growing move towards globalization and high competition has marked a shift from business to e-business. E-business is no longer an option; it's a key to survival in this competitive world. It is about rightfully contemplating how to increase return to shareholders, improve profitability, expand markets, accelerate time to market, provide flexibility, and keep customers, business partners and employees happy. Enterprises today are adopting a number of information systems to streamline each business process through electronic automation.

While the introduction of these new systems has helped enterprises manage their growing customer base, supply chain, human resources, finances and corporate knowledge, companies are now being faced with new challenges. The primary challenge is how to cost-effectively integrate and maintain these increasing information systems across a growing number of business units, networks and platforms. Further, as corporate information systems become more distributed and interdependent with partners and business associates, it creates a bigger problem of maintaining security while allowing increased access to sensitive information.

Who do you trust?
Everyone needs access, be it employees, partners, customers and others upon whom the e-business depends. Providing this access is the very basis of e-business. In order to offer the highest standards of services and convenience, businesses must provide their customers with secure access to back-office systems to enable purchases, status assessment and more. On the other hand, business partners may require access to systems in a distributed network environment. But when it comes to security, most of our attention gets focused on Internet-based attacks, and we tend to ignore internal threats. Since insiders have intimate knowledge of our network layouts, applications, staff and business practices, they cause the vast majority of security incidents and can do the most damage.

The major stumbling blocks here are identity management and access control. Studies have shown that most of the time businesses fail to gather necessary security requirements, and often there's a gap between strategy and execution.

Managing identity
Identity management, the term understood and adopted differently by many organizations, has resulted in confusion about what constitutes identity management and its relevance in corporate IT security infrastructure.

For corporate IT users, identity works as a key to accessing different IT services in the organization and helps them to be effective. In relation to information security, identity is viewed as an asset that needs protection and works as a resource that enables protection of other information resources. According to Meta Group, identity management is best defined as "those IT and business processes, organizations, and technologies that are applied to ensure the integrity and privacy of identity and how it translates to access." This results in its effective use as a crucial element of IT security infrastructure. Identity is a critical element of an organization's IT infrastructure. Be it operating systems, networks, databases or application environments, every system needs a unique identifier. This is primarily achieved using user IDs or system IDs. In a distributed environment, this identity creation may span several systems, creating a problem of multiple user identities because every system has its own way of identity implementation. Identity management is not a single approach solution, but rather a framework of business processes and technologies.

In part two of this series, I'll address the components of identity management, how they work, and how they are best implemented.

Puneet Mehta is a CISSP Security Architect, at SDG Corporation, an e-security consulting and e-business software services and solutions firm headquartered in Connecticut.
This was last published in May 2004

Dig Deeper on Network Security Monitoring and Analysis

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.