access multiple corporate applications and e-business
interfaces and have a unique user name and ID for each.
Identity Management practices can enforce policies regarding
access to electronic resources without compromising
a user's identity.
by Surendra Singh
As the business world evolves toward collaborative commerce
models, the pressure to automate business processes
is becoming intense. Internet users face a multiplicity
of corporate applications and e-business interfaces.
Many such applications and interfaces require a unique
user name and as a result, an individual typically possesses
not one but several digital identities.
The staggering proliferation of identities on the Internet
creates an immediate need to manage these digital
identities; unless addressed, it is likely to impede
the growth of e-business. The need to create and manage
digital identities will give rise to Identity
Management. Identity Management is about being able
to manage the full life cycle of a digital identity
from creation and maintenance to termination, as well
as enforce organizational policies regarding access
to electronic resources.
There is an incalculable amount of content on the Internet
available from corporate portals and content aggregators.
These aggregators have developed relationships with
users including capturing their online identities.
When a user accesses content and services through these
aggregators, his or her digital identity is captured.
In an enterprise environment, this provides valuable
tracking of information; for Web sites, each captured
identity is an asset they can leverage for their own
marketing purposes and for their business partners.
Web services are enabling the transformation from a
software purchasing and physical ownership model to
a software subscription or 'rental' model with remote
execution. Examples of Web services are calendaring,
supply chain management, customer relationship management,
order fulfillment, sales force automation, music on
demand, and instant messaging. Consumers find Web services
convenient and cost-effective because they don't need
to go to a physical store and then purchase and install
software, and updates can be downloaded from the Internet.
Software companies appreciate Web services because they
save packaging, inventory and distribution costs.
However, it is a significant challenge to verify a user's
identity and mitigate the risk associated with providing
high-value or sensitive services in an online B2B or
B2C environment. Also, there are different levels of
trust. A company can trust an employee's identity more
than that of an external partner or customer. An identity
management solution provides that trust as it confirms
that a user is authenticated and authorized to access
applications and services.
Many businesses are forging online partnerships with
organizations offering complementary services. An example
is a company's Human Resources department that allows
its health plan and vendors to cross-market value-added
services on the company's intranet site. A B2C example
is an airline that allows customers to access hotel,
rental car and other services online.
Therefore, an identity management system would help organizations
do business by authenticating and authorizing digital
There are two real audiences that would immensely benefit
from an identity management system: users (employees,
partners and customers) and e-businesses.
Trust, Control and Accountability
There are three primary business issues that an identity
management system addresses: trust, control and accountability.
Trust via Authentication - Consider an employee collaboratively
developing a product in a virtual environment with a
business partner. He or she will need access to internal
resources, as well as controlled access to the collaborative
environment and to specific partner resources. An identity
management solution would enable the user to access
these varied distributed resources with single sign-on
convenience, but the system falls apart if the business
partner can't trust the authentication process the original
company used to approve its employee's credential. Strong
authentication, in the form of tokens, smart cards,
digital certificates or even biometrics, provides
the requisite trust in the user's digital identity.
Control via Access Management - Assuming the employee's
digital identity is trusted, policies should be applied
to control access to protected resources. A digital
identity needs to have the proper access profile attached
to it in order for the employee to gain access to the
Enforcement, then, ensures the effectiveness of online
Accountability via Audit - As the employee moves from
resource to resource, both internal and external, an
audit trail must be kept of which resources are being
accessed and what is being done with them to ensure
that policies are being honored and enforced.
These issues are significant because companies historically
have been reluctant to share customer and employee information
with other organizations. Also, companies have been
advised to perform their own vetting and authentication
on customers, and not rely on someone else's prior approval.
In whatever form identity management exists today, it
is viewed more as a data storage or provisioning issue.
Though data storage and provisioning are undeniably
important, it is time to take a more holistic view of
the concept. An identity management solution is about
intelligently using the identities that have been created
to do e-business. In addition to creating, managing
and revoking digital identities, it also helps develop
and enforce authentication and access management policies
as well as provide the accountability required in e-business
today. Identity management, therefore, incorporates
a broader definition, which is a technology-neutral
approach to integration and a flexible architecture
that enables interoperability with multiple identity
systems inside and outside organizations. Therefore,
the components of an identity management environment
should include the following:
Data store - The more user information that is collected,
centrally stored and protected, the more layers of
access and greater breadth of services an organization
can provide to users.
User provisioning - Deploying digital identities and
access rights based on business policies for employees,
business partners and customers must be done accurately
and securely at the outset in order to reduce problems
down the line. Assigning, maintaining and revoking
these identities and rights should be a centralized
Authentication policy management - Once someone steals
a user's digital identity, the whole system becomes
vulnerable. Authentication policies help ensure that
organizations know who is using a digital identity,
thus creating trust in the system.
Authorization policy management - Authorization policies
are designed to ensure that only appropriate resources
can be accessed by a given digital identity. This
helps ensure that the right people get the resources
and information they need, while enterprise systems
are protected from unauthorized access.
Centralized audit - Organizations need to track what
users are doing and make sure there are no blatant
inconsistencies that suggest a problem. Having an
audit trail of what digital identities are being used
for holds users accountable.
Integration - Putting the individual pieces together
in a technology-neutral architecture enables sharing,
ensures interoperability and facilitates single sign-on
capabilities. It also makes the system scalable, easy
to administer and quick to deploy.
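The following Python sketch is an added example, not part of the original article or of any vendor product. It shows how the authentication policy, authorization policy and centralized audit components fit together in the employee and business-partner scenario described earlier. The resource names, roles and strength ranking are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed ranking of authentication methods (higher = stronger).
STRENGTH = {"password": 1, "token": 2, "smart_card": 3, "certificate": 3}

# Constructed access profiles: resource -> (roles allowed, minimum strength).
POLICY = {
    "intranet/wiki": ({"employee"}, 1),
    "collab/design-docs": ({"employee", "partner"}, 2),
    "partner/test-lab": ({"employee"}, 3),
}

AUDIT = []  # centralized audit trail: one record per decision


@dataclass
class Identity:
    user: str
    org: str
    roles: set
    active: bool = True  # set to False when the identity is terminated


def authorize(identity, auth_method, resource):
    """Apply authentication and authorization policy, then audit the result."""
    if not identity.active:
        reason = "identity revoked"
    elif resource not in POLICY:
        reason = "unknown resource"
    elif STRENGTH.get(auth_method, 0) < POLICY[resource][1]:
        reason = "authentication too weak"
    elif not identity.roles & POLICY[resource][0]:
        reason = "no access profile"
    else:
        reason = "policy satisfied"
    allowed = reason == "policy satisfied"
    AUDIT.append({"user": identity.user, "org": identity.org,
                  "method": auth_method, "resource": resource,
                  "allowed": allowed, "reason": reason})
    return allowed


if __name__ == "__main__":
    alice = Identity("alice", "acme", {"employee"})
    for method, res in [("password", "intranet/wiki"),
                        ("password", "partner/test-lab"),
                        ("smart_card", "partner/test-lab")]:
        print(method, res, authorize(alice, method, res))
    alice.active = False  # termination ends all access at once
    print(authorize(alice, "smart_card", "intranet/wiki"), AUDIT[-1]["reason"])
```

Denied requests are written to the audit trail with a reason, so a review can tell a weak login apart from a missing access profile or a terminated identity.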
As more and more enterprise applications and resources
get pushed to the Internet, including a range of
Web services that organizations deploy and procure for
employees, partners and customers, companies would
need to establish trust in the identities of users
who seek to access them. Further, enterprises would
need to manage and control authorized identities to
ensure they are current and are being used in accordance
with established policies.
For this reason, organizations would need to assess
their own identity management needs, engage in detailed
discussions with business partners about their needs
and plans, and explore with a reliable vendor how to
implement and integrate such a solution in their IT
environments. The challenges that have brought the issue
of identity management to the fore will only grow and
exacerbate the problems that have stunted the growth
of e-business and contributed to information security
breaches around the world.
An open standard for identity management, including
authentication, single sign-on and Web access management
capabilities, will help organizations lower costs,
accelerate commercial opportunities and increase user
productivity and customer satisfaction.
Surendra Singh is Country Manager, India and SAARC,
RSA Security Inc.