Basics

The ABCs of Identity Management

Providing IT managers with tools and technologies for controlling user access to critical information within an organization.

By John K. Waters

Page 3

What is Federated Identity Management?

Federation lets you share digital IDs with trusted partners. It's an authentication-sharing mechanism designed to allow users to employ the same user name, password or other ID to gain access to more than one network. It's what is known as a "single sign-on." A single sign-on standard lets people who verify their identity on one network or website carry over that authenticated status when moving to another. The model works only among cooperating organizations—known as trusted partners—that essentially vouch for each other's users.

The federated model relies on the security assertion markup language specification, better known as SAML (pronounced "SAM-el"). This open specification defines an XML framework for exchanging security assertions among security authorities. SAML was developed by the Liberty Alliance, an organization formed to establish guidelines and best practices for federated ID management. The Sun Microsystems-backed group developed SAML to achieve interoperability across different vendor platforms that provide authentication and authorization services.

Microsoft and IBM have established a rival ID management federation standard: the WS-Federation specification. This spec is also designed to provide a standardized way for companies to share user and machine identities among disparate authentication and authorization systems and across corporate boundaries.

The federation model can simplify administration and enable companies to extend ID and access management to third-party users and third-party services.

What challenges or risks does implementing an identity management solution present?

ID management is inherently challenging. The applications in your system are likely to have their own ID data stores and authentication schemes. The ID data they contain isn't necessarily organized in a standard way. You might have had the foresight to opt for industry standards early on in your company's development, but your latest acquisition may not have been thinking ahead.

A successful implementation requires some forethought. Companies that establish a cohesive ID management strategy—clear objectives, stakeholder buy-in, defined business processes—before they begin the project are likely to be more successful.

One risk worth keeping in mind: Centralized operations present tempting targets to hackers and crackers. By putting a dashboard over all of a company's ID management activities, these systems reduce complexity for more than the administrators. Once compromised, they could allow an intruder to create IDs with extensive privileges and access to many resources.

What terminology should I know?

The buzzwords come and go, but a few key terms in the identity management space are worth knowing:

  • Access management
    You almost never see "identity management" without this term right next to it. In fact, a number of vendors and analysts are combining the two into a single concept: IAM (identity and access management). It refers to the processes and technologies used to control and monitor network access. Access management features, such as authentication, authorization, trust and security auditing, are part and parcel of the top ID management systems.

  • Credential
    An identifier employed by the user to gain access to a network. It's the user's password, public key infrastructure (PKI) certificate or biometric information (fingerprint, retinal scan).

  • De-provisioning
    The process of removing an identity from an ID repository and terminating access privileges.

  • Digital identity
    The ID itself, including the description of the user and his/her/its access privileges. ("Its" because an endpoint, such as a laptop or a cell phone, can have a digital identity.)

  • Entitlement
    The set of attributes that specify the access rights and privileges of an authenticated security principal.

  • Identity lifecycle management
    Another buzz phrase. Similar to access lifecycle management. It refers to the entire set of processes and technologies for maintaining and updating digital identities. Identity lifecycle management includes identity synchronization, provisioning, de-provisioning, and the ongoing management of user attributes, credentials and entitlements.

  • Identity synchronization
    The process of ensuring that multiple identity stores—say, the result of an acquisition—contain consistent data for a given digital ID.

  • Password reset
    In this context, it's a feature of an ID management system that allows users to re-establish their own passwords, relieving the administrators of the job and cutting support calls. The reset application is usually accessed by the user through a browser. The application asks for a secret word or a set of questions to verify the user's identity.

  • Provisioning
    The process of creating identities, defining their access privileges and adding them to an ID repository.

  • Security principal
    A digital identity with one or more credentials that can be authenticated and authorized to interact with the network.

RESOURCE CENTER
Loading...
VIRTUAL CONFERENCE
Data Center Directions Virtual Conference

Data Center VCAttend this free, 100% online event exploring tools and techniques for making your data center deliver for today and tomorrow.

» Learn more and register here

WEBCAST
The Surest Path to Effective and Efficient Compliance

VeriSignIn this webcast, we explore why and how — with best practices, practical tips and solutions that work — to ease your compliance challenge.

» View the webcast

Featured Sponsors
Sponsored Links

Digital Identity Protection and Data Security Get Personal

IDC Defines an Identity and Access Management Submarket for Managing Privileged User Accounts and Meeting GRC Requirements

Think your data is safe? Think again. It's time to Outthink the Threat. Get eBook now

Learn how the new Quad-Core AMD Opteron™ processor improves performance

IDC Defines an Identity and Access Management Submarket

Forrester Total Economic Impact (TEI) report: Save Millions in Fraud Losses.

Configuration Assessment: Choosing the Right Solution

Data Protection: Challenges for the Traveling User

Key strategies for C-level executives and security staff

7 Requirements of Data Loss Prevention

Information Security: Data Drains and How to Prevent Loss

How Are Open Source Development Communities Embracing Security Best Practices?

Using Likewise to Comply with PCI Data Security Standard

The Case for Business Software Assurance ~ Securing Your Applications

Welcome to the age of Service-Oriented Security (SOS)

Everything Today's CISO Needs to Know About Using SSO to Succeed in the Web 2.0 Era

IS/IT Project Mgt. Credentials From Villanova - 100% Online

Rolling the dice with your security? Take the Self-Assessment Test now

Solving Online Credit Fraud Using Device Reputation

Diebold: Frost & Sullivan Global Physical Security Systems Integrator of the Year

Revolutionizing Endpoint Security with a Single Agent

Envision Identity-Based Access Control for the Datacenter

E-LOAN Maintains Reputation as a Privacy Leader with Symantec

Data Loss Prevention: Keeping Sensitive Data Out of the Wrong Hands

Prudential Financial Protects its Brand with Symantec

Envision Identity-Based Access Control for the Datacenter

Enabling Compliance with Converged Mainframe Security and Storage