Identity Management: Today's Business Imperative
by Fran Howarth, Principal
Trust is of fundamental importance for business. We need to trust our employees, suppliers, partners and customers in such matters as credit, non-disclosure of privileged information and compliance with corporate policies. In order to achieve that trust, it is vital that the identity of all partners in business can be established efficiently and reliably.
When we worked purely in the mainframe environment, it was much easier to maintain user accounts and rights because all information was housed on a single platform. Business rules were governed by one single management process in a unified environment. When we moved to multiple-tier technology architectures, each layer was provided with its own associated access control and security processes, making centralised management of identities and access control a much more difficult task to achieve. In addition, the number of business applications used in everyday business has grown rapidly, forcing administrators to create user profiles separately for each application.
New communications technologies have also allowed us to push out the boundaries of our organisations, enabling direct connections to the communications networks of our business partners. This brings further challenges in the management of user identities and permissions across a networked environment.
Done effectively, identity and access management technologies can help companies to increase the productivity of their workers by ensuring that they have access to the systems and information they need when they require it. These technologies enable companies to improve the services that they offer customers and business partners and help to drive down IT, support and help desk costs.
The Compliance Imperative
Other imperatives driving companies to improve the efficiency of their identity management systems have come into play over the past couple of years, namely the need for companies to prove that they are in compliance with new industry standards and government regulations. These include corporate governance regulations such as Sarbanes-Oxley and the Basel capital adequacy directives, sector-specific regulations such as the EU's food safety directive, and regulations regarding data protection and privacy.
These regulations are driving greater accountability into business and are forcing companies to revamp their internal controls. A key requirement for achieving compliance with the regulations is the ability to prove who has accessed which corporate resources and at what time, along with the ability to prove that they have not altered or deleted key business information. Through use of identity and access management technologies, companies are a large step closer towards achieving these aims.
There are three main areas addressed by identity management:
Identification and authentication: this primarily involves the ability to ensure that every user is who they say they are, so that they can then be granted access to the applications and services to which they, or their particular role in an organisation, are entitled. The most common way of identifying people is a dedicated user name with an associated password. Where stronger assurance is needed, biometric devices or digital certificates provide a higher level of authentication of an individual.
Access control: to ensure that access is directly linked to the identities of users, access control mechanisms should be embedded within operating systems and databases that are tied to identity information. Ideally, companies should define which data source is authoritative for all identity information and ensure that all data sources are linked and synchronised so that the data retains its integrity.
Audit: to ensure that identity management systems are working effectively, it is essential that usage records are kept so that problems can be flagged and resolved. There needs to be a central repository to which all information generated is sent so that it can be time stamped and tied to user records. To effectively audit usage in distributed environments that encompass business partners as well as internal resources, companies need to develop the ability to consolidate records from a diverse range of technology systems so that they can be collated for effective review.
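The three areas above, as an added example that is not part of the original article: a minimal identity and access management core in Python in which authentication and access decisions are both driven by one authoritative identity record, and every decision is written to a central, time-stamped audit log tied to the user. The users, roles, resources and passwords are constructed sample data.

```python
"""Added example (not from the original article): a minimal identity and
access management core showing identification/authentication, access control
tied to an authoritative identity source, and a central time-stamped audit
log.  All users, roles, resources and passwords are constructed sample data."""
import hashlib
import hmac
import os
from datetime import datetime, timezone

# --- Authoritative identity source (assumed to mirror the HR directory) ---
# Access rights derive from the role held here, not from per-application
# user lists, so a single record drives every decision in every system.
IDENTITY_STORE = {}          # username -> {"salt", "hash", "role", "active"}
ROLE_PERMISSIONS = {         # role -> set of (resource, action) entitlements
    "finance_analyst": {("ledger", "read")},
    "finance_manager": {("ledger", "read"), ("ledger", "write")},
    "contractor": set(),
}
AUDIT_LOG = []               # central repository for every decision taken


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def enrol_user(username: str, password: str, role: str) -> None:
    """Provision a user: store a salted password hash, never the password."""
    salt = os.urandom(16)
    IDENTITY_STORE[username] = {
        "salt": salt, "hash": _pbkdf2(password, salt), "role": role, "active": True,
    }


def _audit(event: str, username: str, **detail) -> None:
    """Every record is time-stamped centrally and tied to the user record."""
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "event": event, "user": username, **detail})


def authenticate(username: str, password: str) -> bool:
    """Identification and authentication against the authoritative store."""
    rec = IDENTITY_STORE.get(username)
    if rec is None or not rec["active"]:
        # Hash anyway so response time does not reveal whether the account exists.
        _pbkdf2(password, b"\x00" * 16)
        _audit("auth_failure", username, reason="unknown_or_disabled")
        return False
    ok = hmac.compare_digest(_pbkdf2(password, rec["salt"]), rec["hash"])
    _audit("auth_success" if ok else "auth_failure", username,
           reason=None if ok else "bad_password")
    return ok


def authorise(username: str, resource: str, action: str) -> bool:
    """Access control: the decision derives from the user's role in the directory."""
    rec = IDENTITY_STORE.get(username)
    allowed = bool(rec and rec["active"]
                   and (resource, action) in ROLE_PERMISSIONS.get(rec["role"], set()))
    _audit("access_granted" if allowed else "access_denied", username,
           resource=resource, action=action)
    return allowed


def disable_user(username: str) -> None:
    """Leaver: one change in the authoritative source revokes every right."""
    IDENTITY_STORE[username]["active"] = False
    _audit("account_disabled", username)


def events_for(username: str) -> list:
    """Audit review: every record for one user, in the order it was written."""
    return [e for e in AUDIT_LOG if e["user"] == username]


if __name__ == "__main__":
    enrol_user("alice", "correct horse battery staple", "finance_analyst")
    print(authenticate("alice", "correct horse battery staple"))  # True
    print(authorise("alice", "ledger", "write"))                  # False
    disable_user("alice")
    print(authorise("alice", "ledger", "read"))                   # False
    for e in events_for("alice"):
        print(e)
```

Note that disabling the account in the one authoritative record is enough to fail both authentication and authorisation everywhere, and that the audit trail records the denials as well as the grants, which is what a compliance reviewer needs to see.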
One key area in which companies will see the benefits of implementing identity management technologies is in the ability to effectively provision staff and business partners with access to the resources that they need to use in a timely manner. Technology vendor IBM claims that inefficient manual processes can result in it taking up to 12 days for a new hire to receive access to the resources that they require, during which time the employee concerned is largely unproductive.
Equally important is the ability to remove access to corporate resources for employees who leave an organisation or when a business partner's contract is revoked. This is especially important given the high proportion of security incidents that come from within an organisation. If a company is not able to gauge which resources the employee or firm has access to, it will not be able to close off all accounts, leaving the company exposed. Through use of identity management technologies, companies can mitigate these risks by having an effective overview of all permissions associated with a particular user.
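The de-provisioning check described above, as an added example that is not part of the original article: the accounts each application keeps locally are reconciled against the authoritative HR record to find leavers whose accounts were never closed and accounts that belong to nobody, and to produce the per-user overview of permissions the text calls for. The HR records, the application account lists and all names are constructed sample data; a real deployment would pull them from the directory and from each system's own administration interface.

```python
"""Added example (not from the original article): reconcile each system's
local accounts against the authoritative HR record to find accounts that
should have been closed.  All records and names are constructed sample data."""
from datetime import date

# Authoritative source: who is (still) employed or contracted, and since when.
HR_RECORDS = {
    "jsmith":   {"status": "active",         "end_date": None},
    "mkhan":    {"status": "left",           "end_date": date(2024, 3, 31)},
    "acme-svc": {"status": "contract_ended", "end_date": date(2024, 1, 15)},
}

# What each system believes, as collected from its own administration
# interface.  Entry: account name -> (enabled?, permissions on that system).
SYSTEM_ACCOUNTS = {
    "email": {"jsmith": (True, {"mailbox"}), "mkhan": (True, {"mailbox"})},
    "crm":   {"jsmith": (True, {"read"}), "mkhan": (False, {"read", "export"}),
              "tmp-admin": (True, {"admin"})},
    "vpn":   {"acme-svc": (True, {"partner-net"}), "jsmith": (True, {"corp-net"})},
}

AS_OF = date(2024, 6, 1)   # date of the review run (constructed)


def permissions_for(username: str) -> dict:
    """The overview the text calls for: every right a user holds, per system."""
    return {system: accounts[username][1]
            for system, accounts in SYSTEM_ACCOUNTS.items() if username in accounts}


def find_orphaned_accounts(hr: dict, systems: dict, today: date) -> list:
    """Return (system, account, reason) for every account that should not exist
    or should be disabled: the principal has left, or HR has no record of it."""
    findings = []
    for system, accounts in systems.items():
        for account, (enabled, _perms) in accounts.items():
            rec = hr.get(account)
            if rec is None:
                # Nobody in the authoritative source owns this account.
                findings.append((system, account, "no authoritative record"))
            elif rec["status"] != "active" and enabled:
                days = (today - rec["end_date"]).days
                findings.append((system, account,
                                 f"still enabled {days} days after {rec['status']}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_orphaned_accounts(HR_RECORDS, SYSTEM_ACCOUNTS, AS_OF):
        print(finding)
    print(permissions_for("mkhan"))
```

The run flags the leaver's still-enabled mailbox, the partner's VPN account that outlived the contract, and a local administrator account with no owner; the disabled CRM account for the leaver is not flagged, but `permissions_for` still lists it so the reviewer can decide whether to delete it.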
Over the past couple of years, corporate networks have been expanding rapidly, not only connecting with the networks of their business partners, but also encompassing wireless communications devices and employees working from remote locations. In many organisations, access needs to be extended to contractors, temporary workers and field service technicians, a security risk that is often overlooked.
People involved in a company?s business will need to access a wide range of applications, from e-mail and web applications to sensitive information contained in corporate databases. Companies need to provide their employees and business partners with access to services from multiple domains, without the need to remember multiple sets of user names and passwords for access to each resource.
This emerging concept of identifying users and providing access to resources across the extended enterprise network is referred to as federated identity management, in which a person is authenticated once and then given access to the resources that they need, perhaps residing on the network of a business partner, on the basis of the trust that has been established. For this to be achieved, participating companies must deploy an interoperable and decentralised architecture, which is being made easier by the provision of single sign-on and web services capabilities.
To make federated identity management viable, the web services infrastructure must be set up so that security policies set by the companies involved in the extended network are enforced. This involves putting in place standards and technologies for sharing access to user profiles and security policies, and ensuring that policies are enforced by all participants.
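The exchange the two paragraphs above describe, as an added example that is not part of the original article: the user authenticates once at their own organisation's identity provider (IdP), which issues a signed assertion; the partner's service provider (SP) never sees the password and grants access only after checking the signature, the issuer, the audience, the validity window and that the assertion has not been presented before. The shared key, the organisation names and the user are constructed for illustration; real federations use SAML or OpenID Connect with public-key signatures rather than a shared HMAC key.

```python
"""Added example (not from the original article): a federated single sign-on
exchange between an identity provider and a partner's service provider using
a signed assertion.  Key, names and users are constructed; production
federations use SAML or OpenID Connect with public-key signatures."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Trust established out of band between the two organisations (assumed).
ISSUER = "idp.example-corp"
AUDIENCE = "portal.partner-ltd"
SHARED_KEY = b"constructed-federation-key-do-not-reuse"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_assertion(subject: str, role: str, now: float,
                        ttl: int = 300, audience: str = AUDIENCE) -> str:
    """IdP side: after authenticating the user locally, state who they are,
    what role they hold, for which partner, and for how long."""
    claims = {"iss": ISSUER, "aud": audience, "sub": subject, "role": role,
              "iat": int(now), "exp": int(now) + ttl, "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


class ServiceProvider:
    """SP side: accept the IdP's word, but verify every field before trusting it."""

    def __init__(self):
        self.seen_ids = set()          # replay protection for assertion IDs

    def accept(self, assertion: str, now: float) -> tuple:
        """Return (True, subject, role) or (False, reason, None)."""
        try:
            body, sig = assertion.split(".")
            given = _unb64(sig)
        except ValueError:             # binascii.Error is a ValueError
            return (False, "malformed", None)
        expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(given, expected):
            return (False, "bad signature", None)   # checked before parsing claims
        claims = json.loads(_unb64(body))
        if claims.get("iss") != ISSUER:
            return (False, "untrusted issuer", None)
        if claims.get("aud") != AUDIENCE:
            return (False, "wrong audience", None)  # minted for a different SP
        if not (claims["iat"] - 60 <= now < claims["exp"]):   # 60 s clock skew
            return (False, "outside validity window", None)
        if claims["jti"] in self.seen_ids:
            return (False, "replayed", None)
        self.seen_ids.add(claims["jti"])
        return (True, claims["sub"], claims["role"])


if __name__ == "__main__":
    now = time.time()
    token = idp_issue_assertion("alice@example-corp", "buyer", now)
    sp = ServiceProvider()
    print(sp.accept(token, now))   # (True, 'alice@example-corp', 'buyer')
    print(sp.accept(token, now))   # (False, 'replayed', None)
```

The audience check is the one most often missed in practice: without it, an assertion minted for one partner can be replayed against another that shares the same identity provider. Verifying the signature before parsing the claims keeps untrusted input away from the parser.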
Early efforts at managing identities and access rights have largely been based on proprietary standards developed for particular scenarios, often meaning that specific relationships are built for each business partner. These might prove effective for managing identities within a single enterprise or with just a couple of business partners, but fully interoperable standards are required for identity management to be achieved and policies enforced across federated, often heterogeneous, environments.
Standards for federated identity management are emerging but the picture is, as yet, far from clear as to which will ultimately become dominant. Those involved in developing standards, including consortia of technology vendors, claim that the standards being developed are not actually competing with each other, but rather are complementary. This can be seen in the fact that many organisations, such as Computer Associates, Sun Microsystems, Oracle, IBM and RSA Security, are involved in standardisation efforts by both the Liberty Alliance and the OASIS Security Services Technical Committee, which produces SAML.
The Future of Identity Management Technologies
Identity and access management technologies are key weapons in the corporate technology arsenal for gaining competitive advantage through increased efficiency of operations in a highly secure environment. In addition to this, they are being used by many organisations to better control and audit how corporate assets are being used with a view to more effectively achieving compliance with a host of regulations that have been passed recently.
Going forward, the leading vendors in this space are embracing the emerging identity and access management standards to add federated identity management capabilities to their technology suites, including support for single sign-on and web services. As vendors develop these capabilities, companies should look closely at the user provisioning and policy management functionality on offer, to ensure that they have the best tools available for managing all corporate assets effectively and enforcing corporate policies with better security control and auditing capabilities.
As companies reach a more advanced stage in their identity management programmes, they will see the benefits of using single sign-on for web-based applications to authenticate users to assets residing on multiple networks. The next logical step will be the increased use of strong authentication, including biometric and token-based methods, for even more robust authentication of users. With computer networks increasingly being compromised by attack, companies can no longer afford to be complacent.