
Trusting identity management, part 2

This article addresses the components of identity management, how they work, and how they are best implemented.

Part one of this series focused on identity as a critical element of an organization's IT infrastructure and explained the difference between identity for access and identity for security reasons. In part two of this series, we address the components of identity management, how they work, and how they are best implemented.

Let's discuss the key components of identity management from a functional viewpoint:

Enterprise directory services: These services play a crucial role in an enterprise information architecture and are emerging as a cornerstone for identity management. Organizations have started realizing the benefits of using these services to provide high performance in an almost infinitely scalable repository for centralized employee and customer management. The popularity of LDAP as a generic protocol for accessing directory servers has enabled the widespread use of directories for a variety of purposes. A directory service allows a single view of the entity by providing user-profile services, thereby eliminating the need to manage and secure separate authentication databases, increasing overall system security.

Provisioning: User provisioning is undoubtedly the most important component of an identity management framework. It is the process of deploying user access rights, based on business policies, to employees, customers or business associates throughout their life cycle inside corporate IT systems.

The number of e-business applications requiring comprehensive security solutions in an enterprise is on the rise, and managing the attributes of individual security accounts and user profiles across these different systems is essential. In a large enterprise with thousands of employees, this process becomes more complicated and cumbersome when end users change job functions and/or there is departmental or business-line restructuring involved. This is one of the most vulnerable breach points, as the larger security risks come from invalid or old accounts that are mistakenly left active. There is, therefore, a need for a centralized or single point of administration that allows a single administrator to manage all the user IDs, passwords, roles, access rights and other security attributes across multiple, disparate IT systems. User provisioning is deployed in conjunction with Web access management and directory services management solutions to ensure secure relationships that work as the building blocks for all the business processes and interactions.
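The life-cycle problem described above (joiners, movers, leavers and the old accounts that get left active) is what a provisioning engine's reconciliation step addresses. The following is an added example, not code from the article or from any product it mentions. It assumes a constructed HR feed as the authoritative source of who works where, a constructed account export from one target system, and a constructed policy mapping each job function to the entitlements it should carry; the reconciliation computes the actions needed to bring the target system in line, and an account with no HR record at all is treated as an orphan to be disabled.

```python
"""Joiner / mover / leaver reconciliation for user provisioning.

Added example. HR feed, target-system accounts and the role-to-entitlement
policy are all constructed for illustration.
"""
from dataclasses import dataclass, field

# Business policy (constructed): entitlements each job function should hold.
ROLE_ENTITLEMENTS = {
    "engineer": {"vpn", "source-repo"},
    "finance":  {"vpn", "ledger-app"},
    "hr":       {"vpn", "hr-portal"},
}

@dataclass
class HrRecord:
    user_id: str
    job_function: str
    active: bool

@dataclass
class Account:
    user_id: str
    entitlements: set = field(default_factory=set)

def reconcile(hr_feed, accounts):
    """Return the provisioning actions that bring the target accounts in line
    with the HR feed. Each action is a tuple (kind, user_id, entitlements)."""
    hr_by_id = {r.user_id: r for r in hr_feed}
    acct_by_id = {a.user_id: a for a in accounts}
    actions = []

    for uid, rec in hr_by_id.items():
        wanted = ROLE_ENTITLEMENTS.get(rec.job_function, set())
        acct = acct_by_id.get(uid)
        if not rec.active:
            if acct is not None:
                # leaver: HR says the person is gone, the account still exists
                actions.append(("disable", uid, sorted(acct.entitlements)))
            continue
        if acct is None:
            # joiner: active in HR but no account yet -> create with the role set
            actions.append(("create", uid, sorted(wanted)))
            continue
        # mover (or drift): compare what the account has against the policy
        extra = acct.entitlements - wanted
        missing = wanted - acct.entitlements
        if extra:
            actions.append(("revoke", uid, sorted(extra)))
        if missing:
            actions.append(("grant", uid, sorted(missing)))

    # orphans: accounts with no HR record at all are the classic stale account
    for uid, acct in acct_by_id.items():
        if uid not in hr_by_id:
            actions.append(("disable", uid, sorted(acct.entitlements)))
    return actions

# Constructed sample data.
HR_FEED = [
    HrRecord("alice", "engineer", True),
    HrRecord("bob", "finance", True),      # moved from engineering to finance
    HrRecord("carol", "hr", False),        # has left the company
    HrRecord("dave", "engineer", True),    # new hire, no account yet
]
ACCOUNTS = [
    Account("alice", {"vpn", "source-repo"}),
    Account("bob", {"vpn", "source-repo"}),    # still carries engineering access
    Account("carol", {"vpn", "hr-portal"}),
    Account("mallory", {"vpn"}),               # no HR record at all: orphan
]

if __name__ == "__main__":
    for kind, uid, entitlements in reconcile(HR_FEED, ACCOUNTS):
        print(f"{kind:8s} {uid:8s} {entitlements}")
```

In practice the same reconciliation runs against every connected system, and its output is both the work list for the provisioning connectors and an audit report: every "revoke" or "disable" line is an access right that existed without a current business justification.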

Authentication: For identity management to be effective, it needs to be able to establish trust in an organization's online environment, especially in identities. To establish this trust, there must be a binding of unique attributes or credentials to a unique identity. This binding must be proven by authentication. This is achieved by verifying the identity of a user so that access to protected resources can be correctly granted or denied. Authentication is an important element of trust and a key component of any identity management strategy. Authentication techniques range from basic schemes using user ID and password combinations to strong authentication schemes like two-factor authentication, biometrics, digital certificates and smart cards.

In a federated identity model, trust becomes more important, since companies need to manage and share identity information with each other in a controlled manner. This trust is achieved via authentication. Trust management and federated identity management provide a standardized mechanism for simplifying identity management across company boundaries. Web services are increasingly being deployed (using open-standard technologies like XML-RPC, SAML, SOAP and DSML) to build a circle of trust between organizations, enabling users from one trusted organization to securely access information and resources within another.

Access control: Once trust is established in digital identities, policies should be enforced to control access to protected resources. Assigning privileges to roles rather than to individuals not only simplifies administration, it also provides the maximum amount of flexibility for each user, since an individual's unique set of roles translates into a unique set of access privileges. This ensures that a user is granted the level of access that is appropriate for every role and/or business function for which the individual is responsible.

Workflow management: Workflow is an integral part of provisioning, as it enables management of the identity change-request approval process. In an organization, a typical workflow process could involve enrollment of new employees and granting access to applications and network resources. It also involves providing computer systems that allow the construction of a workflow approval framework. This integrated approval process enables secure and effective provisioning of users by attaching correct user privileges, access rights and other security settings to an individual's profile based on his/her job function.
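The two preceding sections, role-based access control and the change-request approval workflow, fit together in one small model, shown here as an added example that is not code from the article. The roles, their permissions, the users and the approval rule (only a holder of a role carrying the "approve" privilege may sign off, and never on their own request) are all constructed. It demonstrates a user's roles resolving to the union of their privileges, and a role that grants nothing until the request for it has been approved.

```python
"""Role-based access decisions plus an approval workflow for role changes.

Added example. Roles, permissions, users and the approval rule are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed policy: role -> set of (resource, action) permissions.
ROLE_PERMISSIONS = {
    "employee":    {("intranet", "read")},
    "engineer":    {("source-repo", "read"), ("source-repo", "write")},
    "release-mgr": {("source-repo", "read"), ("build-server", "deploy")},
    "manager":     {("access-request", "approve")},
}

@dataclass
class ChangeRequest:
    requester: str
    role: str
    status: str = "pending"          # pending -> approved
    approver: Optional[str] = None

@dataclass
class IdentityStore:
    user_roles: dict = field(default_factory=dict)
    requests: list = field(default_factory=list)

    def effective_permissions(self, user):
        """A user's privileges are the union over every role they hold."""
        perms = set()
        for role in self.user_roles.get(user, set()):
            # an unknown role grants nothing: fail closed rather than raise
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms

    def is_allowed(self, user, resource, action):
        """Policy enforcement point: deny unless some role grants the request."""
        return (resource, action) in self.effective_permissions(user)

    def request_role(self, user, role):
        req = ChangeRequest(user, role)
        self.requests.append(req)
        return req

    def approve(self, req, approver):
        """Grant the requested role only after an authorized approver signs off."""
        if approver == req.requester:
            raise PermissionError("self-approval is not permitted")
        if not self.is_allowed(approver, "access-request", "approve"):
            raise PermissionError(f"{approver} may not approve access requests")
        if req.status != "pending":
            raise ValueError(f"request already {req.status}")
        req.status, req.approver = "approved", approver
        self.user_roles.setdefault(req.requester, set()).add(req.role)

def run_scenario():
    """Walk one change request through the workflow and report the access
    verdicts before and after approval."""
    store = IdentityStore(user_roles={
        "alice": {"employee", "engineer"},
        "maria": {"employee", "manager"},
    })
    req = store.request_role("alice", "release-mgr")
    before = store.is_allowed("alice", "build-server", "deploy")
    try:
        store.approve(req, "alice")          # the requester cannot self-approve
        self_approval_blocked = False
    except PermissionError:
        self_approval_blocked = True
    store.approve(req, "maria")              # an authorized approver can
    after = store.is_allowed("alice", "build-server", "deploy")
    return {
        "before": before,
        "self_approval_blocked": self_approval_blocked,
        "after": after,
        "status": req.status,
        # union of employee + engineer + release-mgr, duplicates collapsed
        "alice_permissions": len(store.effective_permissions("alice")),
    }

if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Because access is decided from the role set at request time, the same check that denied alice's deploy before approval grants it afterwards without any change to the application; revoking the role later (for instance from the provisioning reconciliation) removes the privilege just as mechanically.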

Delegated administration and self-service: Delegated administration allows organizations to transfer administration responsibility across departments, business units and corporate boundaries, enabling administrators, department managers or the human resources department to effectively manage users, policies and other objects within their respective namespace.

An enterprise can enhance its security administration through Web-based self-service modes like self-registration, self-administration and self-service password management. While self-registration allows users (internal and external) to register for and request application access, self-administration allows users to authenticate themselves and then update their personal information. This eliminates the need for any administrative intervention and increases productivity.

Password management is an important element of security administration because many attacks are targeted toward passwords. According to a study, more than 65% of help desk calls concern password problems. A self-service password management system provides an administrative interface that allows users to change or reset their passwords once they are successfully authenticated. This also allows users to recover forgotten passwords upon successfully confirming their identity by correctly responding to the challenge questions chosen at the time of the user registration process. Furthermore, it helps to enforce strong password policies and password synchronization, and ensures compliance with security policies. This practically eliminates the need for an administrator or help-desk worker's involvement, saving both time and money.
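The self-service behaviour just described, a change that requires the current password, a reset that requires the registered challenge answers, and a policy applied to every new password, is modelled below as an added example; it is not code from the article or from any product. The policy thresholds (12 characters, three character classes, no user ID inside the password), the PBKDF2 round count and the sample user are constructed; passwords and challenge answers are both stored as salted PBKDF2-HMAC-SHA256 digests from the Python standard library and compared in constant time.

```python
"""Self-service password change and reset with policy enforcement.

Added example. Policy thresholds, round count and sample users are constructed.
"""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 200_000   # constructed value; raise it as hardware allows

def _hash(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)

def _make(secret):
    """Return (salt, digest) for storage."""
    salt = secrets.token_bytes(16)
    return salt, _hash(secret, salt)

def _check(secret, stored):
    salt, digest = stored
    return hmac.compare_digest(_hash(secret, salt), digest)

def check_policy(password, user_id):
    """Return the list of policy rules the candidate password violates."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if user_id.lower() in password.lower():
        problems.append("contains the user ID")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        problems.append("fewer than 3 character classes")
    return problems

class PasswordStore:
    def __init__(self):
        self.users = {}

    def register(self, user_id, password, answers):
        """answers: {question: answer}. Answers are normalised (trimmed,
        lower-cased) and hashed exactly like passwords."""
        problems = check_policy(password, user_id)
        if problems:
            raise ValueError("; ".join(problems))
        self.users[user_id] = {
            "pw": _make(password),
            "qa": {q: _make(a.strip().lower()) for q, a in answers.items()},
        }

    def authenticate(self, user_id, password):
        u = self.users.get(user_id)
        return u is not None and _check(password, u["pw"])

    def change_password(self, user_id, current, new):
        """Change allowed only after authenticating with the current password."""
        if not self.authenticate(user_id, current):
            return False, ["authentication failed"]
        problems = check_policy(new, user_id)
        if problems:
            return False, problems
        self.users[user_id]["pw"] = _make(new)
        return True, []

    def reset_password(self, user_id, answers, new):
        """Reset allowed only after every registered question is answered."""
        u = self.users.get(user_id)
        if u is None:
            return False, ["authentication failed"]
        ok = all(q in answers and _check(answers[q].strip().lower(), stored)
                 for q, stored in u["qa"].items())
        if not ok:
            return False, ["authentication failed"]
        problems = check_policy(new, user_id)
        if problems:
            return False, problems
        u["pw"] = _make(new)
        return True, []

if __name__ == "__main__":
    store = PasswordStore()
    store.register("alice", "Correct-Horse-7", {"city": "Lisbon"})
    print(store.change_password("alice", "Correct-Horse-7", "short"))
    print(store.reset_password("alice", {"city": " lisbon "}, "Third-Pass-Word-9"))
```

Two design points are worth noting: the reset path returns the same generic "authentication failed" for an unknown user and for a wrong answer, so the interface does not reveal which user IDs exist; and because challenge answers are hashed like passwords, a copy of the store does not hand an attacker the reset path.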

Integration: Integration is the key to a successful identity management deployment. A typical organization maintains a number of different user data stores including networks, operating systems, applications, human resources systems, and e-mail applications. However, most of these systems lack cross-directory or data-store management capability. The increasing demand for interoperability has made vendors adopt a directory services approach.

Meta-directories enabling data synchronization are becoming extremely popular among organizations. A meta-directory allows an enterprise to combine data from distributed data sources into a single directory construct, thereby providing a unified view of enterprise user data. Furthermore, it provides a universal method of access that allows naming, searching, joining and updating data across multiple data sources. Provisioning systems are now being directory-enabled to provide interoperability. Most of them include a built-in workflow engine that enables role-based access control by managing the changes associated with user profiles. Both meta-directory and provisioning tools are powerful and need to be efficiently integrated. XML-based architectures are now being used to create automated, interoperable communication between the meta-directory join engine and provisioning systems, enabling secure identity creation.
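The join engine at the heart of a meta-directory is easier to understand from a concrete run. The following is an added example, not code from the article or from any meta-directory product: three constructed data stores (an HR system, a directory and a mail system) are joined on a constructed employee-number attribute, a constructed per-attribute precedence table decides which source is authoritative when they disagree, and the engine reports both the disagreements and the records that exist in only one store, which is where un-provisioned people and orphaned accounts show up.

```python
"""Meta-directory join: one unified view per person from several data stores.

Added example. Sources, records, the join key 'emp_no' and the precedence
rules are constructed for illustration.
"""

# Which source wins for each attribute when sources disagree (first listed
# is authoritative). An attribute absent from this table is not joined.
PRECEDENCE = {
    "name":       ["hr", "directory", "mail"],
    "department": ["hr", "directory"],
    "login":      ["directory"],
    "email":      ["mail", "directory"],
}

def join(sources):
    """sources: {source_name: [record dicts, each carrying 'emp_no']}.

    Returns (unified, conflicts, unmatched):
      unified   - {emp_no: merged attributes plus '_sources'}
      conflicts - [(emp_no, attribute, {source: value})] where sources disagree
      unmatched - [(source, emp_no)] for keys present in only one source
    """
    by_key = {}
    for src, records in sources.items():
        for rec in records:
            by_key.setdefault(rec["emp_no"], {})[src] = rec

    unified, conflicts, unmatched = {}, [], []
    for emp_no, per_src in sorted(by_key.items()):
        if len(per_src) == 1:
            unmatched.append((next(iter(per_src)), emp_no))
        merged = {"emp_no": emp_no, "_sources": sorted(per_src)}
        for attr, order in PRECEDENCE.items():
            # walk sources in precedence order, so the first value collected
            # is the authoritative one
            values = {s: per_src[s][attr]
                      for s in order if s in per_src and attr in per_src[s]}
            if not values:
                continue
            if len(set(values.values())) > 1:
                conflicts.append((emp_no, attr, values))
            merged[attr] = next(iter(values.values()))
        unified[emp_no] = merged
    return unified, conflicts, unmatched

# Constructed sample stores.
SOURCES = {
    "hr": [
        {"emp_no": "1001", "name": "Alice Example", "department": "Engineering"},
        {"emp_no": "1002", "name": "Bob Example", "department": "Finance"},
        {"emp_no": "1003", "name": "Carol Example", "department": "HR"},
    ],
    "directory": [
        {"emp_no": "1001", "name": "Alice Example", "department": "Engineering",
         "login": "aexample", "email": "alice@corp.example"},
        {"emp_no": "1002", "name": "Bob Example", "department": "Engineering",
         "login": "bexample", "email": "bob@corp.example"},
        {"emp_no": "1004", "name": "Mallory Example", "department": "IT",
         "login": "mexample"},
    ],
    "mail": [
        {"emp_no": "1001", "name": "Alice Example", "email": "alice@corp.example"},
        {"emp_no": "1002", "name": "Robert Example", "email": "bob@corp.example"},
    ],
}

if __name__ == "__main__":
    unified, conflicts, unmatched = join(SOURCES)
    for entry in unified.values():
        print(entry)
    print("conflicts:", conflicts)
    print("unmatched:", unmatched)
```

In the sample, employee 1002 has moved to Finance in HR but the directory still says Engineering; the unified view takes HR's value and the conflict is reported so the directory can be corrected, while 1003 (in HR only) and 1004 (in the directory only) are exactly the cases a provisioning system should be fed next.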

Auditing and reporting: Audit is an integral part of identity management, because it verifies the effectiveness of, and compliance with, security policies. A comprehensive identity auditing and reporting tool allows detection of security risks and enables organizations to deal with them proactively.

The right approach
While organizations can implement identity management and role-based access control by combining directory, provisioning, access control and other security administration tools, the key to effective and secure identity management still lies in the way strategies are defined and executed. The prime importance lies in understanding business processes and security requirements rather than the technological aspects of the products. Organizations may have different business cases for implementing identity management, but there are some common business drivers behind the initiative.

  • Lowering enterprise cost by automating business processes and reducing administrative overheads.
  • Improving efficiency and productivity by integrating operational processes and enhancing communication and information exchange with partners and customers. This is further complemented by substantially reducing the wait time for new users in a business process through deployment of provisioning and workflow systems.
  • Security and compliance by delivering information security service capabilities, such as authentication, authorization, confidentiality, integrity, non-repudiation and auditing.

Finally, while companies can gain business advantage and benefits in terms of cost, time, productivity and efficiency, the challenges to deployment of such technologies should not be ignored or overlooked.

Puneet Mehta is a CISSP Security Architect, at SDG Corporation, an e-security consulting and e-business software services and solutions firm headquartered in Connecticut.
This was last published in June 2004
