- What is identity management?
- Why should I care about identity management?
- How can an identity management system benefit my business?
- How do identity management systems work?
- What is Federated Identity Management?
- What challenges or risks does implementing an identity management system present?
- What terminology should I know?
What is identity management?
Identity management is a term that refers broadly to the administration of individual identities within a system, such as a company, a network or even a country. In enterprise IT, identity management is about establishing and managing the roles and access privileges of individual network users. ID management systems provide IT managers with tools and technologies for controlling user access to critical information within an organization.
The core objective of an ID management system in a corporate setting is this: one identity per individual. But once that digital ID has been established, it has to be maintained, modified and monitored throughout what has been called the "access lifecycle." So ID management systems provide administrators with the tools and technologies to change a user's role, to track user activities and to enforce policies on an ongoing basis. These systems are designed to provide a means of administering user access across an entire enterprise and to ensure compliance with corporate policies and government regulations.
The list of technologies that fall under this category includes password-management tools, provisioning software, security-policy enforcement applications, reporting and monitoring apps, and identity repositories. Nowadays, these technologies tend to be grouped into software suites with assortments of additional capabilities, from enterprise-wide credential administration to automated smart-card and digital-certificates management.
The ID management buzz phrase of the moment is "identity lifecycle management." The concept encompasses the processes and technologies required for provisioning, de-provisioning, managing and synchronizing digital IDs, as well as features that support compliance with government regulations. Technologies that fall under the ID lifecycle-management rubric include tools for security principal creation, attribute management, identity synchronization, aggregation and deletion.
Why should I care about identity management?
ID management is inextricably linked to the security and productivity of any organization involved in electronic commerce. Companies are using ID management systems not only to protect their digital assets, but also to enhance business productivity. The systems' central management capabilities can reduce the complexity and cost of an essential process. The centralized access control also supports consistent security policy enforcement.
ID management systems also give organizations a way to control the swarm of untethered endpoints—laptops, PDAs and cell phones—buzzing around the enterprise. Many of these devices are neither owned nor provisioned by the companies whose networks they need to access. The ability to enforce a set of policies on the devices that connect with the network through the management of the identities of the users of those devices is fast becoming a must-have security capability.
And besides, the government says you have to care about identity management. In 2005, ID heists at ChoicePoint, Bank of America and LexusNexis lit a veritable bonfire under U.S. congressional behinds, and lawmakers began making moves to put the onus for safeguarding customer info squarely on the shoulders of the enterprise. Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA—each holds the company, in various ways, responsible for controlling access to customer and employee information.
How can an identity management system benefit my business?
Implementing identity management systems and associated best practices in your organization can give you a real competitive advantage in a number of ways. Nowadays, most businesses want and need to provide users outside the immediate organization with access to their internal systems. Opening your network's doors to customers, partners, suppliers, contractors and, of course, employees can increase efficiencies and lower costs. ID management systems can allow a company to extend access to its information systems without compromising security. Controlled identity and access management actually has the potential to provide greater access to outsiders, which can drive productivity, satisfaction and, ultimately, revenue.
One of the biggest cost savings touted by vendors and analysts alike comes from what might seem at first a trivial consideration: automation of password resets. Yet, depending on whose numbers you believe, somewhere around half of all help-desk calls are for password resets. ID management systems allow administrators to automate these and other time-consuming and costly tasks.
An ID management system can become a cornerstone of a secure network, because managing user identity is an essential piece of the access-control picture. An ID management system all but requires companies to define their access policies, specifically outlining who has access to what. That's a fundamental part of what a digital ID is. Consequently, well-managed IDs mean more control of user access, which translates into a reduced risk of internal and external attacks.
An ID management system can also improve regulatory compliance by providing an organization with the tools to implement comprehensive security, audit and access policies. Many systems now provide features designed to ensure that an organization is in compliance.
How do identity management systems work?
A typical ID management system today comprises four basic elements: a directory of the personal data the system uses to define individual users (think of it as an ID repository); a set of tools for adding, modifying and deleting that data (the access lifecycle management stuff); a system that regulates user access (enforcement of security policies and access privileges); and an auditing and reporting system (so you'll have a way to verify what's actually been happening on your system).
Regulating user access can involve a number of authentication methods for verifying the identity of a user, including passwords, digital certificates, tokens and smart cards. Hardware tokens and credit-card-sized smart cards have traditionally served as one component in the two-factor authentication scheme, which combines something you know (your password) with something you have (the token or the card) to verify a user's identity. A smart card carries an embedded integrated circuit chip that can be either a secure microcontroller or equivalent intelligence with internal memory or a memory chip alone. Software tokens, which can exist on any device with storage capability, from a USB drive to a cell phone, emerged in 2005.
What is Federated Identity Management?
Federation lets you share digital IDs with trusted partners. It's an authentication-sharing mechanism designed to allow users to employ the same user name, password or other ID to gain access to more than one network. It's what is known as a "single sign-on." A single sign-on standard lets people who verify their identity on one network or website carry over that authenticated status when moving to another. The model works only among cooperating organizations—known as trusted partners—that essentially vouch for each other's users.
The federated model relies on the security assertion markup language specification, better known as SAML (pronounced "SAM-el"). This open specification defines an XML framework for exchanging security assertions among security authorities. SAML was developed by the Liberty Alliance, an organization formed to establish guidelines and best practices for federated ID management. The Sun Microsystems-backed group developed SAML to achieve interoperability across different vendor platforms that provide authentication and authorization services.
Microsoft and IBM have established a rival ID management federation standard: the WS-Federation specification. This spec is also designed to provide a standardized way for companies to share user and machine identities among disparate authentication and authorization systems and across corporate boundaries.
The federation model can simplify administration and enable companies to extend ID and access management to third-party users and third-party services.
What challenges or risks does implementing an identity management solution present?
ID management is inherently challenging. The applications in your system are likely to have their own ID data stores and authentication schemes. The ID data they contain isn't necessarily organized in a standard way. You might have had the foresight to opt for industry standards early on in your company's development, but your latest acquisition may not have been thinking ahead.
A successful implementation requires some forethought. Companies that establish a cohesive ID management strategy—clear objectives, stakeholder buy-in, defined business processes—before they begin the project are likely to be more successful.
One risk worth keeping in mind: Centralized operations present tempting targets to hackers and crackers. By putting a dashboard over all of a company's ID management activities, these systems reduce complexity for more than the administrators. Once compromised, they could allow an intruder to create IDs with extensive privileges and access to many resources.
What terminology should I know?
The buzzwords come and go, but a few key terms in the identity management space are worth knowing:
- Access management
You almost never see "identity management" without this term right next to it. In fact, a number of vendors and analysts are combining the two into a single concept: IAM (identity and access management). It refers to the processes and technologies used to control and monitor network access. Access management features, such as authentication, authorization, trust and security auditing, are part and parcel of the top ID management systems.
An identifier employed by the user to gain access to a network. It's the user's password, public key infrastructure (PKI) certificate or biometric information (fingerprint, retinal scan).
The process of removing an identity from an ID repository and terminating access privileges.
- Digital identity
The ID itself, including the description of the user and his/her/its access privileges. ("Its" because an endpoint, such as a laptop or a cell phone, can have a digital identity.)
The set of attributes that specify the access rights and privileges of an authenticated security principal.
- Identity lifecycle management
Another buzz phrase. Similar to access lifecycle management. It refers to the entire set of processes and technologies for maintaining and updating digital identities. Identity lifecycle management includes identity synchronization, provisioning, de-provisioning, and the ongoing management of user attributes, credentials and entitlements.
- Identity synchronization
The process of ensuring that multiple identity stores—say, the result of an acquisition—contain consistent data for a given digital ID.
- Password reset
In this context, it's a feature of an ID management system that allows users to re-establish their own passwords, relieving the administrators of the job and cutting support calls. The reset application is usually accessed by the user through a browser. The application asks for a secret word or a set of questions to verify the user's identity.
The process of creating identities, defining their access privileges and adding them to an ID repository.
- Security principal
A digital identity with one or more credentials that can be authenticated and authorized to interact with the network.