Issue of February 2003 

Vendor Voice: Identity Management
Identity Management - Managing Digital Identities

People access multiple corporate applications and e-business interfaces and have a unique user name and ID for each. Identity Management practices can enforce policies regarding access to electronic resources without compromising a user's identity.

by Surendra Singh

As the business world evolves toward collaborative commerce models, the pressure to automate business processes is becoming intense. Internet users face a multiplicity of corporate applications and e-business interfaces. Many such applications and interfaces require a unique user name, and as a result an individual typically possesses not one but several digital identities.

The staggering proliferation of identities on the Internet creates an immediate need to manage these digital identities; unless addressed, it is likely to impede the growth of e-business. The need to create and manage digital identities will give rise to Identity Management. Identity Management is about being able to manage the full life cycle of a digital identity, from creation and maintenance to termination, as well as enforce organizational policies regarding access to electronic resources.

There is an incalculable amount of content on the Internet available from corporate portals and content aggregators like Yahoo.

These aggregators have developed relationships with users, including capturing their online identities. When a user accesses content and services through these aggregators, his or her digital identity is captured. In an enterprise environment, this provides valuable tracking of information; for Web sites, each captured identity is an asset they can leverage for their own marketing purposes and for their business partners.

Web Services
Web services are enabling the transformation from a software purchasing and physical ownership model to a software subscription or 'rental' model with remote execution. Examples of Web services are calendaring, supply chain management, customer relationship management, order fulfillment, sales force automation, music on demand, and instant messaging. Consumers find Web services convenient and cost-effective because they don't need to go to a physical store and then purchase and install software, and updates can be downloaded from the Internet. Software companies appreciate Web services because they save packaging, inventory and distribution costs.

However, it is a significant challenge to verify a user's identity and mitigate the risk associated with providing high-value or sensitive services in an online B2B or B2C environment. Also, there are different levels of trust. A company can trust an employee's identity more than that of an external partner or customer. An identity management solution provides that trust as it confirms that a user is authenticated and authorized to access applications and services.

Online Partnerships
Many businesses are forging online partnerships with organizations offering complementary services. An example is a company's Human Resources department that allows its health plan and vendors to cross-market value-added services on the company's intranet site. A B2C example is an airline that allows customers to access hotel, rental car and other services online.

An identity management system would therefore help organizations do business by authenticating and authorizing digital identities.

Business Issues
There are two real audiences that would immensely benefit from an identity management system: users (employees, partners and customers) and e-businesses.

Trust, Control and Accountability
There are three primary business issues that an identity management system addresses: trust, control and accountability.

Trust via Authentication - Consider an employee collaboratively developing a product in a virtual environment with a business partner. He or she will need access to internal resources, as well as controlled access to the collaborative environment and to specific partner resources. An identity management solution would enable the user to access these varied distributed resources with single sign-on convenience—but the system falls apart if the business partner can't trust the authentication process the original company used to approve its employee's credential. Strong authentication—in the form of tokens, smart cards, digital certificates or even biometrics—provides the requisite trust in the user's digital identity.

Control via Access Management - Assuming the employee's digital identity is trusted, policies should be applied to control access to protected resources. A digital identity needs to have the proper access profile attached to it in order for the employee to gain access to the partner's resources.

Enforcement, then, ensures the effectiveness of online business processes.

Accountability via Audit - As the employee moves from resource to resource, both internal and external, an audit trail must be kept of which resources are being accessed and what is being done with them to ensure that policies are being honored and enforced.

These issues are significant because companies historically have been reluctant to share customer and employee information with other organizations. Also, companies have been advised to perform their own vetting and authentication on customers, and not rely on someone else's prior approval.

Provisioning Issue
In whatever form identity management exists today, it is viewed more as a data storage or provisioning issue. Though data storage and provisioning are undeniably important, it is time to take a more holistic view of the concept. An identity management solution is about intelligently using the identities that have been created to do e-business. In addition to creating, managing and revoking digital identities, it also helps develop and enforce authentication and access management policies as well as provide the accountability required in e-business today. Identity management, therefore, incorporates a broader definition, which is a technology-neutral approach to integration and a flexible architecture that enables interoperability with multiple identity systems inside and outside organizations. Therefore, the components of an identity management environment should include the following:

  • Data store - The more user information that is collected, centrally stored and protected, the more layers of access and greater breadth of services an organization can provide to users.
  • User provisioning - Deploying digital identities and access rights based on business policies for employees, business partners and customers must be done accurately and securely at the outset in order to reduce problems down the line. Assigning, maintaining and revoking these identities and rights should be a centralized function.
  • Authentication policy management - Once someone steals a user's digital identity, the whole system becomes vulnerable. Authentication policies help ensure that organizations know who is using a digital identity, thus creating trust in the system.
  • Authorization policy management - Authorization policies are designed to ensure that only appropriate resources can be accessed by a given digital identity. This helps ensure that the right people get the resources and information they need, while enterprise systems are protected from unauthorized access.
  • Centralized audit - Organizations need to track what users are doing and make sure there are no blatant inconsistencies that suggest a problem. Having an audit trail of what digital identities are being used for holds users accountable.
  • Integration - Putting the individual pieces together in a technology-neutral architecture enables sharing, ensures interoperability and facilitates single sign-on capabilities. It also makes the system scalable, easy to administer and quick to deploy.

As more and more enterprise applications and resources get pushed to the Internet, including a range of Web services that organizations deploy and procure for employees, partners and customers, companies would need to establish trust in the identities of users who seek to access them. Further, enterprises would need to manage and control authorized identities to ensure they are current and are being used in accordance with established policies.

For this reason, organizations would need to assess their own identity management needs, engage in detailed discussions with business partners about their needs and plans, and explore with a reliable vendor how to implement and integrate such a solution in their IT environments. The challenges that have brought the issue of identity management to the fore will only grow and exacerbate the problems that have stunted the growth of e-business and contributed to information security breaches around the world.

An open standard for identity management—including authentication, single sign-on and Web access management capabilities—will help organizations lower costs, accelerate commercial opportunities and increase user productivity and customer satisfaction.

Surendra Singh is Country Manager, India and SAARC, RSA Security Inc.


© Copyright 2001: Indian Express Newspapers (Bombay) Limited (Mumbai, India). All rights reserved throughout the world.