By Stephen J. Bigelow, Senior Technology Writer
Identity management (IdM) solutions can help businesses manage users and applications in increasingly complex IT environments. Business applications are proliferating, companies are retaining more data than ever before, and there are many more users to contend with both inside and outside of the company. Manually assigning and managing the relationships of individual users and applications is simply too difficult in the face of this complexity, and it's prone to errors and security risks. The first installment of this Hot Spot Tutorial offers an overview of identity management solutions, highlights the technology's objectives and features, and outlines some of the hardware and software requirements involved.
In the traditional IT paradigm, rights, accounts and access are individually assigned, and there is no relationship between the user and the organization's resources. An IT administrator is responsible for creating accounts or assigning access, and then maintaining (and eventually removing) those resources for each user. A new hire might receive a human resources account, corporate email and intranet accounts, and limited access rights to several of the company's line-of-business applications. This manual process works for small organizations with a limited number of resources, but it's unwieldy for midsized to large companies that run dozens of applications with thousands of users.
The goal of identity management solutions is to unify disparate rights or account elements into one database. "All of the individual resources that a person needs to do their job are now tied to the person in some way," said Jim Gerken, senior practice manager in charge of identity management at Novacoast, an IT professional services and product development company headquartered in Santa Barbara, Calif. "Identity management is bringing that all back together into one 'identity' -- one person -- not a collection of independent resources that fall in your lap." A well-deployed identity management solution simplifies the creation, ongoing management and deletion of identities while eliminating oversights and errors that can compromise security.
The principal driver behind identity management solutions is growth -- "the proliferation of applications within an organization," said Andrew Plato, president of Anitian Enterprise Security, a security solution provider located in Beaverton, Ore. In addition, an increasing number of individuals need to access network resources from outside the organization, such as vendors and third-party contractors. According to Plato, identity management solutions provide the necessary mechanisms to centralize and control the myriad assignments needed for different user types.
Identity management architecture
Identity management is not a single product, technology or service. In practice, it's an amalgam of elements that can vary dramatically between client organizations, so it's impossible to distinguish a single feature set. But deployments usually involve an identity repository, application synchronization, provisioning/deprovisioning capabilities and a variety of other secondary considerations, such as self-service portals and public key infrastructure (PKI).
An IdM infrastructure starts with an identity repository database that uses Windows Active Directory, LDAP (lightweight directory access protocol) or Novell Directory Service eDirectory, among others. A variety of languages and protocols, such as SAML (security assertion markup language), interconnect the various business applications and synchronize passwords so that when a user's identity or access changes, the applications respond accordingly. A mechanism then provisions or deprovisions rights and access. IdM provisioning allows the creation of new identities, handles the assignments and changes to rights or access, and then allows the removal or destruction of identities.
There is a move to enterprise single sign-on (SSO) technologies, which allow a user to automatically log into all of their applications when they sign onto their desktop. This is similar for an outside customer accessing a business through a portal -- the portal login will sign the customer onto all of the back-end applications that they need access to.
Additional features of identity management solutions
There are additional features that can be included in an identity management solution. Self-service portals can be implemented to let users access and update personal information (e.g., their mailing address) or periodically reset their password according to established rules. Identity management may need to interoperate with a VPN or SSL to ensure security for remote users. Highly secure environments may adopt two-factor authentication, such as a password and physical electronic key, to ensure the physical presence of an employee. Network access control (NAC) can prevent nonauthenticated nodes (PCs) and their users from signing onto the network, and this technology is also appearing as a part of identity management.
Finally, public key infrastructure can play a small role in the securing identity data. "PKI is a great idea that never lived up to its promise," Gerken said, noting that it's a certificate-based scheme mainly used to encrypt identity data for transmission or storage. In the past, user identity data was not disseminated to systems that didn't need it, but when implementing single sign-on and provisioning/deprovisioning tools, that user data becomes available to a much larger number of systems -- possibly putting it at greater risk.
So PKI has some value in maintaining user confidentiality and helping the client conform to privacy regulations, but PKI has little direct impact on identity management itself. "In some small cases, we use PKI for authentication, to validate identities, but not as much anymore," Gerken said, instead emphasizing the move toward biometrics and two-factor authentication. The certificates themselves can prove problematic, requiring the use of a USB flash drive or another data-carrying device. Certificates can also be stored on computers, but loss or corruption can disrupt user access until the certificate data is restored.
Identity management deployment considerations
Although identity management solutions can involve numerous elements, their deployment is not necessarily difficult. According to Gerken, a small to medium-sized deployment may require two servers. The first server is a central directory running an identity management engine, and the second server handles Web interfaces, a workflow engine, reporting and other supporting capabilities. Larger environments are nearly identical, Gerken explained, but must incorporate the identity management solution into the client's disaster recovery scheme.
Rather than cobbling together servers and software, solution providers may opt to use specialized appliances for at least some identity management services. Several major appliances are available today, including the ID Series of identity management appliances from A10 Networks (http://www.a10networks.com/products/idseries.php), the Ignition product from Identity Engines Inc. (http://www.identityengines.com/products/), the OneSign Single Sign-On product from Imprivata (http://www.imprivata.com/onesign_sso), and the IMAG-IdM product from Apere (http://www.apere.com/pdf/IMAG-IdM.pdf).
The challenge with identity management is not in deployment, but in understanding the client's business. "Most folks have grown into their business haphazardly," Gerken said, lamenting that the erratic nature of organic business growth can make role management and any automation efforts difficult. Too often, rights and access are assigned without regard for the individual -- one person looks like everyone else in a department or across some other broad category. Even worse, people are given access to everything because administrators are too overwhelmed to sort out individual needs.
These common problems make it extremely difficult to automate role assignments, but they present a challenge and an opportunity for solution providers. Deploying the technology is relatively simple, but solution providers must precede any deployment with consulting and careful planning. Determine what the client wants to do, evaluate use cases, map out the best use, derive meaningful rules, and only select and deploy an identity management solution once rules are established and understood.
This was first published in October 2008