Guide to Identity Management

Identity Management success relies on a team effort

Best practices for identity management begin with the knowledge that this is a business initiative, not an IT project

by Dave Kearns

The single most important "best practice" to achieving a successful, secure, efficient and effective identity management (IdM) solution within the enterprise is to make sure that the project is not led from the IT department.

A successful IdM project needs to involve the entire organization, and needs to be driven from a point high enough in the organization that the mandate is clear: this project will get done. (See "Getting boardroom buy-in.")

This is a tough hurdle to surmount, but once you have done so, the rest of the job will seem easy – provided, of course, you break it into small enough chunks, with successes shown at small enough intervals, to keep the business management buy-in that's so important to the project's success. You'll want the unqualified cooperation of all departments within the enterprise, and you'll find that cooperation is much easier to obtain when senior management is backing you.

After that, you'll want to approach the implementation of a full identity management solution in a coordinated, integrated way. (See "The changing seasons of identity management.") 

Think of building your IdM solution as a project not unlike building a large house or an automobile. The "solution" is made up of a number of independent systems which nevertheless all work together fairly seamlessly to deliver the concept in, seemingly, one single structure.

But just as you don't build a house by starting on the roof, nor build a car by first choosing the windshield wipers, it's important that you design and architect your solution properly. As I pointed out in the IdM newsletter recently: 

A virtual directory is needed to get from the multifarious identity stores throughout the enterprise to a single one, at least as perceived by other applications and services. This then enables a provisioning system to normalize and standardize authentication systems throughout the organization – from account setup through single sign-on to automated password reset. …provisioning needs to be in place in order to successfully implement role management…roles plus rules … provide the fine grained access control that entitlement management promises. But we can now see that entitlement management isn't the end point; it's just another marker on the road to a fully implemented identity service. 

Once the entitlement management, with its fine grained access control, is in place we can move on to the next major plateau – context-based access. That's even finer grained control, because it can vary by time-of-day, day-of-the-month, user-location, state-of-the-target and just about any other contextual condition we can measure: who, what, when, where, how and maybe why some user (in some role) wants to access some thing (in accordance with some rule). You might still be struggling to get your provisioning services fully deployed, but now there's even greater incentive because – down the road – that provisioning service will enable all sorts of better control, more efficient access, a more pleasant user experience and all within a more secure environment. (See "The long road to identity services.")

And finally, learn from the problems others have encountered. (See "Survey: Half of compliance pros say their organizations are botching identity, access control.") Gather case studies from vendors interested in your business, listen to presentations by other IdM implementers at trade shows and conferences, and follow the always interesting Network World newsletters on these topics ("Security: Identity Management" and "Security Strategies") as well as the many links in the Network World Identity Management Resource Center.

Vendors serve up an identity management buffet

In this market, a happy middle exists between the integrated suites and point products, if you know where to look

by Dave Kearns

The biggest players in the identity management arena will all likely tell you that buying a single, full-featured identity management suite from a single vendor is your best guarantee of success. Smaller vendors, with award-winning products in one or two areas of identity management will tell you that bundling your own suite of "best of breed" solutions is the road to ultimate success. They can't both be right, can they?

Well, actually, they can.

In "Feasting on identity management" I took a look at these seemingly competing philosophies and came up with this analogy:

"Best of Breed" is like dining a la carte. You choose the appetizer, soup, salad, entrée and dessert, from all of the offerings of the kitchen to put together your own vision of a meal. Perhaps the parts work well together, perhaps not. 

An "integrated suite" is like a chef's tasting menu - there are few, if any, choices and all diners at the table have to have the same dishes. You don't even get to choose the courses you'd like - they're all delivered to you although you certainly don't have to eat them. The benefit, of course, is that (if the chef is good) they're all designed to integrate into a single memorable meal.

A third possibility, though, is more like a "banquet menu." You, the customer, sit down with the chef and from a limited number of choices pick the meal that will be served to all of your guests. You get to choose those things you like while relying on the chef to steer you towards choices that are complementary.

Some may prefer one method, some another. But the important thing to realize is that when it comes to the identity management feast there's more than one way to make the meal.

Depending on your own experience, the expertise available to you in-house and any strategic relationships you already have with vendors, one or another of these methods will be best for your situation. The hard part, of course, is honestly deciding what that situation is.





Identity management: still a young market

Although powerhouse players have emerged, the market is loaded with vendors (and innovation) with more on the way

by Network World Staff

The identity management market is still in its evolutionary stage, but progressing nicely. At this juncture major players have emerged and include BMC Software, CA, HP, IBM, Microsoft, Novell, Oracle and Sun. However, those players are far from the only ones offering significant technology. Smaller vendors are vigorously bringing innovative new capabilities to market, particularly in the areas of role management, entitlement management and identity auditing. All this is in a market that so far has resisted much consolidation and counts more than 100 vendors among its members (with more on the horizon), according to the Burton Group.

IDC reports that total worldwide revenue for identity and access management reached almost $3 billion in 2006 and is forecast to reach more than $4.9 billion by 2011. The young market is divided among many players. For instance, the largest share of total worldwide revenue owned by a single vendor is about 12%. IBM claimed that piece of the pie, and even then only by combining revenue from three Tivoli products: Identity Manager, Access Manager and Federated Identity Manager, IDC found. Overall, vendors whose products cover both the identity and access management functions do seem to be capturing more customers, IDC says. Until the market begins to mature and consolidation rules, partnerships will be the major thrust of the identity management market: smaller vendors will compete against comprehensive wares through partnerships. Meanwhile, watch for innovation to continue in hot identity-related areas such as consumer authentication and identity fraud protection.

Wintergreen Research also notes that the key area of development in the identity management market is the middleware that performs more advanced identity functions. This includes identity resolution and digital identity management. Identity resolution involves the ability to identify fraudulent people proactively, by correlating similar events across identity management systems in near real time. Underlying that ability is digital identity management software, which allows companies to share identity-related information with each other or with the government without revealing the specific identities of people.

Understanding federated identity

Federated identity management is quickly becoming a highly popular method - here's how it works

By William Stallings, Network World, 08/31/07

Federated identity management is a relatively new concept that is an extension of identity management, which is a centralized, automated approach to regulating access to enterprise resources by employees and other authorized individuals.

The focus of identity management is defining an identity for each user (human or process), associating attributes with the identity and enforcing a means by which a user can verify identity. Once implemented, identity-management systems support single sign-on (SSO), the ability of a user to access all network resources after a single authentication.

Federated identity management refers to the agreements, standards and technologies that enable the portability of identities, identity attributes and entitlements across multiple enterprises and numerous applications, supporting thousands, even millions, of users.

When multiple organizations implement interoperable federated identity schemes, an employee in one organization can use SSO to access services across the federation with trust relationships associated with the identity.

Beyond SSO, federated identity management provides other capabilities. One is a standardized means of representing attributes. Increasingly, digital identities incorporate attributes other than an identifier and authentication information (such as passwords and biometric information). Attributes can include account numbers, organizational roles, physical location and file ownership. And a user may have multiple identifiers associated with multiple roles, each with its own access permissions.

Another key function of federated identity management is identity mapping. Security domains may represent identities and attributes differently. Further, the amount of information associated with an individual in one domain may be more than is necessary in another domain. The federated identity-management protocols map identities and attributes of a user in one domain to the requirements of another domain.

A generic federated identity-management architecture includes identity providers and service providers. The identity provider acquires attribute information through dialog and protocol exchanges with users and administrators.  

Service providers are entities that obtain and employ data maintained and provided by identity providers, often to support authorization decisions and to collect audit information. For example, a database or file server is said to consume data because it needs a client's credential to know what access to provide to that client. A service provider can be in the same domain as the user and the identity provider or in a different domain.

The goal is to share digital identities so a user can be authenticated once and access applications and resources across multiple domains. The cooperating organizations form a federation based on agreed-upon standards and mutual levels of trust.

Federated identity management uses a number of standards as the building blocks for secure identity exchange. In essence, organizations issue some form of security tickets for their users that can be processed by cooperating partners. Identity federation standards are thus concerned with defining these tickets, in terms of content and format, providing protocols for exchanging them and performing a number of management tasks. These tasks include configuring systems to perform attribute transfers and identity mapping, and performing logging and auditing functions.

The principal standard for federated identity is the Security Assertion Markup Language (SAML), which defines the exchange of security information between online business partners.
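The following is an added example, not code from the article or from any SAML implementation, illustrating the identity-provider/service-provider exchange described above: the IdP issues a signed "ticket" that carries only the attributes mapped to the partner domain's vocabulary, and the SP verifies issuer, audience and validity window before making an authorization decision. An HMAC over JSON stands in for SAML's XML assertion and XML signature; the domain names, user record and role mapping are constructed for the demonstration.

```python
import hmac, hashlib, json

# Constructed federation data. A shared secret agreed under the federation
# agreement stands in for the IdP's signing key (real SAML uses XML-DSig).
FEDERATION_KEY = b"constructed-demo-key-not-for-production"
IDP_ID = "https://idp.example.org"        # hypothetical identity provider
SP_ID = "https://files.partner.example"   # hypothetical service provider

# The IdP's local identity store holds far more than the partner needs.
IDP_USERS = {"jdoe": {"jobTitle": "Senior Engineer", "email": "jdoe@example.org",
                      "phone": "555-0100", "salaryBand": "B4"}}
# Identity mapping: the IdP's attribute vocabulary -> the SP's vocabulary.
ROLE_MAP = {"Senior Engineer": "editor", "Engineer": "editor", "Intern": "viewer"}

def issue_assertion(user_id, audience, now, ttl=300):
    """IdP side: sign an assertion carrying only the mapped, minimised attributes."""
    user = IDP_USERS[user_id]
    body = {"issuer": IDP_ID, "subject": user_id, "audience": audience,
            "not_before": now, "not_on_or_after": now + ttl,
            "attributes": {"role": ROLE_MAP.get(user["jobTitle"], "viewer")}}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(FEDERATION_KEY, payload, hashlib.sha256).hexdigest()
    return payload + b"." + sig.encode()

def verify_assertion(token, expected_audience, now):
    """SP side: accept only an untampered ticket from the trusted IdP,
    addressed to this SP, inside its validity window."""
    payload, _, sig = token.rpartition(b".")
    expected = hmac.new(FEDERATION_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.decode(errors="replace"), expected):
        return None  # forged or tampered
    body = json.loads(payload)
    if body["issuer"] != IDP_ID or body["audience"] != expected_audience:
        return None  # untrusted issuer, or a ticket replayed to the wrong SP
    if not (body["not_before"] <= now < body["not_on_or_after"]):
        return None  # expired or not yet valid
    return body

def access_decision(token, action, now):
    """SP authorization decision driven by the mapped role in the ticket."""
    body = verify_assertion(token, SP_ID, now)
    if body is None:
        return "deny"
    allowed = {"viewer": {"read"}, "editor": {"read", "write"}}
    return "allow" if action in allowed.get(body["attributes"].get("role"), set()) else "deny"
```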

SAML is part of a broader collection of standards being issued by the Organization for the Advancement of Structured Information Standards for federated identity management. For example, WS-Federation enables browser-based federation; it relies on a security token service to broker trust of identities, attributes and authentication between participating Web services.

The challenge with federated identity management is to integrate multiple technologies, standards and services to provide a secure, user-friendly utility. The key is the reliance on a few mature standards widely accepted by industry. Federated identity management seems to have reached this level of maturity.

Stallings is coauthor of the new book, Computer Security: Principles and Practice. Contact him at
