Security solutions are often a trade-off
between "strong security" and "user convenience." An
identity management solution maximizes both security
and usability. by Samal Chandran
According to the
Aberdeen Group's 2003 IT Growth Outlook, the problem
of identity theft will multiply in 2003. Total economic
losses to consumers, business, merchants, credit issuers,
and the financial industry are expected to increase
approximately three-fold in 2003, to $24 billion. This
compares with $8.75 billion in losses due to identity
theft during 2002.
The problem is
as real in India as it is globally. In fact, the CBI
has just secured its first conviction in a cyber crime,
when a designated court in India convicted an engineer
of cyber fraud. The accused was arrested in July last
year by the Cyber Crime Cracking Cell of the CBI, on
the charge of defrauding an American national by misusing
her credit card through the Web. He had ordered a colour
television and a cordless phone using her card through
an online shopping site. The engineer later admitted
that he got the details from the US national during
a live chat on the Internet, at the call centre where
he was a technical support staffer (Ed: A classic example
of Social Engineering).
A famous 1993 New
Yorker cartoon depicts one dog telling another: "On
the Internet, no one knows you are a dog." Experts and
users alike have often quoted security concerns as the
prime factor holding back Web services adoption. For
business over the Web, we need to not only know, but
also prove an undisputable identity for every transaction.
This is where Identity Management (IM) comes in.
The creation, management
and use of human, machine and application identity is
what Identity Management is about. It deals with secure
access, authentication, authorization, privacy and confidentiality
of the user community. At the heart of IM is the belief
that any machine or human should be easily identifiable,
in an organization where they interact, and are given
accessibility in accordance with their identity status.
are often a trade-off between "strong security" and
"user convenience." This is why complex password policies
often result in employees having post-it notes with
passwords written on them, stuck next to their monitors.
An identity management based solution avoids this situation,
thereby maximizing both security and usability. This
is critical since an IM solution will involve the entire
enterprise and its effective use is dependent on both
user convenience and trust in the system.
An identity management
system is not a monolithic solution that needs to be
deployed with a big bang approach. Enterprises can start
small and have a roadmap that deploys more blocks as
their needs progress. The advantage is, when it is done
right, the smallest step can yield significant benefits
in improved security, productivity, user experience
and reduced administrative costs. Each of the following
blocks would typically be planned at the corporate level
but implemented at a granular level of a department
or user group. And it is not even necessary that all
departments implement all of it before you get to see
advantages at the enterprise level. Your chosen implementation
partner should be able to explain the advantages accrued
at each stage of implementation.
As a first step,
the organization must define the principals that it
needs to identify. This could be humans, machines or
applications. The organization must also define the
basic profile to be attached to each of these identity
The EIS would also
define the grouping and organization of these principals.
For an organization that interacts with external enterprises,
the EIS would also identify the external identity principals
that it interacts with, and which will interact with
is a network service that is commonly used to store
and manage the EIS, and make it accessible to users
and applications. It could be implemented using technologies
varying from a spreadsheet, to a X.500 based directory
product. But the de-facto standard for directory server
products today is an LDAP server, and unless your needs
are radically different, an LDAP based directory server
is what you would use to implement this service.
mechanism identifies an identity principle to the system.
The simplest authentication mechanism is a username
and a secret password combination. This kind of authentication
is based on 'what you know'—namely a user id/password
combination. Stronger authentication mechanisms are
based on other factors like "What you have"—for example
a Digital Certificate, a Smart Card or a SecureID card,
or on "What you are"—for example, your fingerprint,
DNA or retina print. A biometric authentication system
is based on the "what you are authenticates you" concept.
Highly secure systems make use of a combination of these
techniques for what is known as a multi-factor authentication
and Access Rights Policy
It defines who
has access to the resources (where resources can be
services, information or devices), where they are allowed
to go, and what they are allowed to do. This is a constantly
changing set for most organizations, and being able
to efficiently manage this change is critical to both
maintaining security and keeping costs down.
Audit and Reporting
As with any good
system, the IM solution should provide easily accessible
and accurate reports. It is also critical that the system
provide sufficient security audit of all transactions
occurring through the system—like logins/log-offs, provisioning
and de-provisioning of accounts, and other critical
operations like change in authentication or authorization
It is not always
possible for the entire organization to standardize
on a single technology or vendor for its data repositories.
A meta-directory product helps bridge these disparate
data sources into a single unified tree, maintaining
the data consistency, and performing the necessary translations
required for synchronizing the data changes.
An identity management
solution having the above components provide an independent
system for collecting and managing identity profiles
across the organization. But these identities are useless
by themselves—what's missing is an application context.
And, it is often the case that the applications that
uses these identities are pre-existing. Hence any IM
solution will require application integration as a critical
phase of implementation. XML plays an increasing role
in smoothening application integration wrinkles.
An IM solution
built on the above building blocks would significantly
reduce the administrative task of managing identities
and profile information. This can further be reduced
if the blocks used provide a programmatic access to
their individual administrative functionality. This
would allow a centralized management console application
to be built. Some of the products in this space do provide
such APIs and even support management standards like
Java Management Extensions (JMX) or Simple Network Management
Protocol (SNMP), which allow them to be managed using
standard management products.
Benefits in leaps
Depending on the
level of implementation, an IM solution offers various
levels of benefit, each building on the previous one.
Password management is the single largest IT headache,
accounting for up to 30% of all support calls to most
IT helpdesks. And to answer this problem there is a
multitude of password management solutions like password-reset,
password synchronization and Single Sign on Software.
A well implemented
IM solution can provide all these mechanisms using its
central repository of identity profiles.
management of identity profiles, de-coupled from individual
applications, eases this time consuming task every time
an employee joins, changes departments, or leaves the
Having a common
repository of identities, helps applications implement
a common vocabulary, and provides a common frame of
reference for transactions across applications. And
if it is not possible to incorporate a common vocabulary
into the application, as might be the case with certain
legacy applications, the IM system provides a central
socket for a translation plug-in.
Crossing the Enterprise
An identity management
system supporting standards like SAML (Security Assertion
Markup Language) and WS-Security (Web Services Security),
and the emerging XKMS (XML Key Management Specification),
provide a common platform of trust for transactions
over the Web.
Management (FIM) has emerged in response to the desire
to simplify the way in which users are able to move
between organizations. It recognizes that some identity
information exists beyond the corporate firewall, and
is therefore beyond any one organization's control.
It also reduces multiple logins by allowing applications,
systems and organizations to share user authentication
and profile. And the shared circle of trust provides
the user with additional benefits by virtue of being
a part of the circle.
in the private sector can also implicate basic business
strategy, marketing and industry configurations. For
example, a company may wish to leverage its superior
market position to further "lock in" customers by creating
a proprietary single sign-on system to intermediate
business relationships between its customers and other
would be when companies of roughly comparable market
power agree among themselves to federate by sharing
customer authentication system processes so users can
easily buy from any member of the club. This
could create a competitive advantage against companies
outside the federation.
In addition, IM
plays a fundamental role in managing risks and protecting
assets. Inefficient IM can hinder business productivity
with respect to timely access to data, employee access
difficulties and unplanned network downtime. According
to a Burton Group study, a company with a user population
of 25,000 and 20 percent annual employee turnover makes
35,000 changes to employee identities each year at an
average cost of $10.42 per change. The bottom line?
More than $360,000 in administrative expenses alone.
Making manual changes to an assortment of databases
and application directories as a user's access rights
change is without doubt both time-consuming and cost-prohibitive.
In the years to
come, one could see employees, partners, vendors and
other stakeholders securely accessing enterprise applications
and conducting seamless information exchange with single
sign-on capability. Customers would be the owners of
their profile information, deciding whom to share information
with and to what extent. In the very near future, competitive
pressures will force most companies to expand their
identity infrastructures from inside their corporate
firewall (enterprise-centric) to outside the firewall
for accommodating customers and partners.
Only a robust,
scalable, standards based network identity infrastructure
can support the millions of accounts that such a network
will demand. In this scenario, a federated identity
approach is most likely to dominate.
The longer an organization
waits to implement a solution that will give the individual
user seamless, secure access to information, the more
it is at a competitive disadvantage and greater the
risk of compromising the security of its enterprise
information. It is a valuable tool that can help an
organization enhance productivity, and cut costs, while
improving security. It is rapidly becoming a requirement
for any organization that wishes to remain competitive
in today's market and enterprises are working their
way towards realizing this vision.
The author was formerly
with Aztec Software and Technology Services Ltd. For
feedback on this article write to email@example.com