Issue of August 2003

Vendor Voice: Identity Management

Beyond Firewalls and Passwords

Security solutions are often a trade-off between "strong security" and "user convenience." An identity management solution maximizes both security and usability.

by Samal Chandran

According to the Aberdeen Group's 2003 IT Growth Outlook, the problem of identity theft will multiply in 2003. Total economic losses to consumers, business, merchants, credit issuers, and the financial industry are expected to increase approximately three-fold in 2003, to $24 billion. This compares with $8.75 billion in losses due to identity theft during 2002.

The problem is as real in India as it is globally. In fact, the CBI has just secured its first conviction in a cyber crime, when a designated court in India convicted an engineer of cyber fraud. The accused was arrested in July last year by the Cyber Crime Cracking Cell of the CBI, on the charge of defrauding an American national by misusing her credit card through the Web. He had ordered a colour television and a cordless phone using her card through an online shopping site. The engineer later admitted that he got the details from the US national during a live chat on the Internet, at the call centre where he was a technical support staffer (Ed: A classic example of Social Engineering).

A famous 1993 New Yorker cartoon depicts one dog telling another: "On the Internet, nobody knows you're a dog." Experts and users alike have often cited security concerns as the prime factor holding back Web services adoption. For business over the Web, we need not only to know, but also to prove, an indisputable identity for every transaction. This is where Identity Management (IM) comes in.


Identity Management is about the creation, management and use of human, machine and application identities. It deals with secure access, authentication, authorization, privacy and confidentiality for the user community. At the heart of IM is the principle that every human or machine should be reliably identifiable within the organization it interacts with, and be granted access in accordance with that identity.

Security solutions are often a trade-off between "strong security" and "user convenience." This is why complex password policies often result in employees sticking post-it notes with their passwords next to their monitors: a user asked to remember a dozen strong, regularly changed passwords will write them down. An identity management based solution avoids this situation by giving the user fewer, stronger credentials to manage, thereby maximizing both security and usability. This is critical, since an IM solution will involve the entire enterprise and its effective use depends on both user convenience and trust in the system.


An identity management system is not a monolithic solution that needs to be deployed with a big bang approach. Enterprises can start small and have a roadmap that deploys more blocks as their needs progress. The advantage is, when it is done right, the smallest step can yield significant benefits in improved security, productivity, user experience and reduced administrative costs. Each of the following blocks would typically be planned at the corporate level but implemented at a granular level of a department or user group. And it is not even necessary that all departments implement all of it before you get to see advantages at the enterprise level. Your chosen implementation partner should be able to explain the advantages accrued at each stage of implementation.

Enterprise Information Structure (EIS)

As a first step, the organization must define the principals that it needs to identify. This could be humans, machines or applications. The organization must also define the basic profile to be attached to each of these identity principals.

The EIS would also define the grouping and organization of these principals. For an organization that interacts with external enterprises, the EIS would also identify the external identity principals that it interacts with, and which will interact with its applications.

Directory Services

A directory service is a network service that is commonly used to store and manage the EIS, and to make it accessible to users and applications. It could be implemented using technologies varying from a spreadsheet to an X.500 based directory product. But the de facto standard for directory server products today is an LDAP server, and unless your needs are radically different, an LDAP based directory server is what you would use to implement this service. Because the directory holds every principal's credentials and group memberships, it becomes the most valuable target in the enterprise: access to it should go over an encrypted channel (LDAP over TLS) and writes should be restricted to the administrative and provisioning components that need them.

Authentication Systems

An authentication mechanism identifies an identity principal to the system. The simplest authentication mechanism is a username and a secret password combination. This kind of authentication is based on 'what you know'—namely a user id/password combination. Stronger authentication mechanisms are based on other factors: "what you have"—for example a digital certificate, a smart card or an RSA SecurID token—or "what you are"—for example a fingerprint, DNA or retinal scan, which is the basis of biometric authentication systems. Highly secure systems combine techniques from different categories in what is known as multi-factor authentication; note that two factors of the same kind (say, two passwords) do not count as multi-factor, because they fall to the same attack.
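The following is an added example, not code from the article, showing how a "what you know" factor (a salted, iterated password hash) and a "what you have" factor (an RFC 6238 time-based one-time code, the kind a hardware or software token generates) are checked together. The user record, password, token secret and timestamps are constructed for the demonstration; the token secret and the timestamp 59 are the published RFC 6238 test vector, so the expected code can be checked independently.

```python
"""Two-factor check: salted password hash ("what you know") plus an
RFC 6238 time-based one-time code ("what you have").  Added illustration;
the user record, secret and timestamps below are constructed for the demo."""
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=b""):
    """Return (salt, digest). A random per-user salt defeats precomputed tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def totp(secret, timestamp, step=30, digits=6):
    """HOTP (RFC 4226) over the current 30-second time step (RFC 6238)."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret, code, timestamp, window=1):
    """Accept the code for the current step and one step either side (clock drift)."""
    return any(hmac.compare_digest(totp(secret, timestamp + d * 30), code)
               for d in range(-window, window + 1))


# Constructed user record: what the directory would hold for one principal.
SALT, DIGEST = hash_password("correct horse battery staple", salt=b"\x01" * 16)
TOTP_SECRET = b"12345678901234567890"          # RFC 6238 test-vector key
USER = {"dn": "uid=schandran,ou=people,dc=example,dc=com",
        "salt": SALT, "pw_digest": DIGEST, "totp_secret": TOTP_SECRET}


def authenticate(user, password, code, timestamp=None):
    """Both factors are always evaluated and the result is a single yes/no,
    so a caller cannot tell which factor failed."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    pw_ok = verify_password(password, user["salt"], user["pw_digest"])
    otp_ok = verify_totp(user["totp_secret"], code, timestamp)
    return pw_ok and otp_ok


if __name__ == "__main__":
    now = 59   # RFC 6238 test vector: the SHA-1 code at T=59 is 94287082 -> "287082"
    print(authenticate(USER, "correct horse battery staple", "287082", now))   # True
    print(authenticate(USER, "correct horse battery staple", "000000", now))   # False
    print(authenticate(USER, "wrong password", "287082", now))                 # False
```

In a real deployment the per-user salt and digest live in the directory entry, the token secret is provisioned to the device once and never displayed again, and the `window` should be kept small, since each extra step widens the set of codes an attacker may guess.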

Authorization Rules and Access Rights Policy

This policy defines who has access to which resources (where resources can be services, information or devices), where they are allowed to go, and what they are allowed to do. For most organizations this is a constantly changing set, and being able to manage that change efficiently is critical both to maintaining security and to keeping costs down. The safe default is to deny: a principal, resource or action the policy does not explicitly cover should be refused, not permitted.

Audit and Reporting

As with any good system, the IM solution should provide easily accessible and accurate reports. It is also critical that the system keep a sufficient security audit trail of all transactions occurring through the system—logins and log-offs, provisioning and de-provisioning of accounts, and other critical operations such as changes to authentication or authorization data. The audit trail is only useful if it is complete and cannot be altered by the people whose actions it records, so every change to authorization data should pass through a path that writes the audit record, and the records should be stored append-only.
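The following added example (not from the article) ties the Directory Services, Authorization Rules and Audit sections together: a small in-memory directory of principals with LDAP-style distinguished names and group memberships, an access-rights policy evaluated against those groups with default deny, and an append-only audit log that records every decision and every change to authorization data. The entries, groups and resource names are constructed for the demonstration.

```python
"""Directory + authorization policy + audit trail.  Added illustration; the
directory entries, groups and resources below are constructed for the demo."""
from datetime import datetime, timezone

# Constructed directory: each principal carries a profile and its group memberships.
# It includes a machine/application principal alongside the human ones.
DIRECTORY = {
    "uid=asharma,ou=people,dc=example,dc=com":
        {"cn": "A. Sharma", "department": "finance",
         "memberOf": ["cn=finance,ou=groups,dc=example,dc=com"]},
    "uid=rmenon,ou=people,dc=example,dc=com":
        {"cn": "R. Menon", "department": "it",
         "memberOf": ["cn=helpdesk,ou=groups,dc=example,dc=com"]},
    "cn=payroll-batch,ou=services,dc=example,dc=com":
        {"cn": "payroll batch job",
         "memberOf": ["cn=payroll-apps,ou=groups,dc=example,dc=com"]},
}

# Access-rights policy: resource -> action -> groups allowed to perform it.
POLICY = {
    "payroll-db": {
        "read": {"cn=finance,ou=groups,dc=example,dc=com",
                 "cn=payroll-apps,ou=groups,dc=example,dc=com"},
        "write": {"cn=payroll-apps,ou=groups,dc=example,dc=com"},
    },
    "helpdesk-console": {
        "reset-password": {"cn=helpdesk,ou=groups,dc=example,dc=com"},
    },
}

AUDIT_LOG = []   # append-only in this demo; a real store would be write-once


def audit(event, **fields):
    """Append one timestamped, structured record."""
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "event": event, **fields})


def is_authorized(principal_dn, resource, action):
    """Default deny: unknown principals, resources or actions are refused.
    Every decision, permit or deny, is audited."""
    entry = DIRECTORY.get(principal_dn)
    allowed = POLICY.get(resource, {}).get(action, set())
    decision = entry is not None and bool(allowed & set(entry["memberOf"]))
    audit("authz", principal=principal_dn, resource=resource, action=action,
          result="permit" if decision else "deny")
    return decision


def grant(principal_dn, group_dn, changed_by):
    """All changes to authorization data go through here, so each one is audited."""
    entry = DIRECTORY[principal_dn]
    if group_dn not in entry["memberOf"]:
        entry["memberOf"].append(group_dn)
    audit("authz-change", principal=principal_dn, group=group_dn, by=changed_by)


def report(event=None):
    """Filtered view of the audit trail for reporting."""
    return [r for r in AUDIT_LOG if event is None or r["event"] == event]


if __name__ == "__main__":
    fin = "uid=asharma,ou=people,dc=example,dc=com"
    print(is_authorized(fin, "payroll-db", "read"))     # True: finance may read
    print(is_authorized(fin, "payroll-db", "write"))    # False: only the batch job writes
    print(is_authorized("uid=ghost,ou=people,dc=example,dc=com",
                        "payroll-db", "read"))          # False: unknown principal
    for r in report("authz"):
        print(r["ts"], r["principal"], r["resource"], r["action"], r["result"])
```

The policy is expressed in terms of groups rather than individual users, so a department move becomes a change of group membership in the directory rather than an edit to every application's access list, and the `grant` path is the only one that touches memberships, which is what makes the audit trail complete.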

Meta-Directory Services

It is not always possible for the entire organization to standardize on a single technology or vendor for its data repositories. A meta-directory product helps bridge these disparate data sources into a single unified tree, maintaining the data consistency, and performing the necessary translations required for synchronizing the data changes.

Application Integration Connectors

An identity management solution with the above components provides an independent system for collecting and managing identity profiles across the organization. But these identities are useless by themselves—what is missing is an application context. And it is often the case that the applications that use these identities already exist. Hence any IM solution will require application integration as a critical phase of implementation. XML plays an increasing role in smoothing out application integration wrinkles.


An IM solution built on the above building blocks would significantly reduce the administrative task of managing identities and profile information. This can further be reduced if the blocks used provide a programmatic access to their individual administrative functionality. This would allow a centralized management console application to be built. Some of the products in this space do provide such APIs and even support management standards like Java Management Extensions (JMX) or Simple Network Management Protocol (SNMP), which allow them to be managed using standard management products.

Benefits in leaps and bounds

Depending on the level of implementation, an IM solution offers various levels of benefit, each building on the previous one. Password management is the single largest IT headache, accounting for up to 30% of all support calls to most IT helpdesks. And to answer this problem there is a multitude of password management solutions like password reset, password synchronization and single sign-on software.

A well implemented IM solution can provide all these mechanisms using its central repository of identity profiles.

Provisioning, Re-provisioning and De-provisioning

The centralized management of identity profiles, de-coupled from individual applications, eases this time-consuming task every time an employee joins, changes departments, or leaves the organization. De-provisioning deserves the most attention: an account that outlives its owner's employment is an open door that nobody is watching, and the only reliable way to close it is to drive the application accounts from one authoritative source, typically the HR system, and reconcile them against it.
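The following added example (not from the article) illustrates both the Meta-Directory Services section and the provisioning lifecycle above: an authoritative HR feed, expressed in HR's own field names, is reconciled against an application's account store, expressed in the application's vocabulary, and the joiner, mover and leaver changes needed to bring the two into line are derived and applied. Both data sets, the department-to-group translation table and the field names are constructed for the demonstration.

```python
"""Reconcile an authoritative HR source against an application account store
and derive provisioning / re-provisioning / de-provisioning actions.
Added illustration; both data sets and the translation table are constructed."""
from dataclasses import dataclass, field


@dataclass
class Change:
    action: str            # "provision" | "reprovision" | "deprovision"
    login: str
    details: dict = field(default_factory=dict)


# Constructed HR feed: the authoritative source, in HR's own vocabulary.
HR_FEED = [
    {"emp_id": "E1001", "email": "asharma@example.com", "dept_code": "FIN", "status": "active"},
    {"emp_id": "E1002", "email": "rmenon@example.com",  "dept_code": "IT",  "status": "active"},
    {"emp_id": "E1003", "email": "kiyer@example.com",   "dept_code": "FIN", "status": "terminated"},
]

# Constructed application account store, keyed by login, in the application's vocabulary.
APP_ACCOUNTS = {
    "asharma":       {"groups": {"finance-users"}, "enabled": True},
    "kiyer":         {"groups": {"finance-users"}, "enabled": True},   # has left: must be disabled
    "oldcontractor": {"groups": {"it-staff"},      "enabled": True},   # orphan: no HR record at all
}

# Translation table a meta-directory connector maintains between the two vocabularies.
DEPT_TO_GROUPS = {"FIN": {"finance-users"}, "IT": {"it-staff", "helpdesk"}}


def login_from_email(email):
    return email.split("@", 1)[0]


def reconcile(hr_feed, app_accounts):
    """Return the list of changes needed for the application to match HR.
    Joiners are provisioned, movers re-provisioned, leavers and orphans disabled."""
    changes = []
    seen = set()
    for rec in hr_feed:
        login = login_from_email(rec["email"])
        seen.add(login)
        wanted = DEPT_TO_GROUPS.get(rec["dept_code"], set())
        acct = app_accounts.get(login)
        if rec["status"] != "active":
            if acct is not None and acct["enabled"]:        # leaver: disable, keep for audit
                changes.append(Change("deprovision", login, {"reason": rec["status"]}))
            continue
        if acct is None:                                      # joiner
            changes.append(Change("provision", login, {"groups": sorted(wanted)}))
        elif acct["groups"] != wanted:                        # mover: department changed
            changes.append(Change("reprovision", login,
                                  {"add": sorted(wanted - acct["groups"]),
                                   "remove": sorted(acct["groups"] - wanted)}))
    for login, acct in app_accounts.items():                 # accounts HR knows nothing about
        if login not in seen and acct["enabled"]:
            changes.append(Change("deprovision", login, {"reason": "no HR record"}))
    return changes


def apply_changes(changes, app_accounts):
    """Apply the plan to the account store (here an in-memory dict); returns it."""
    for c in changes:
        if c.action == "provision":
            app_accounts[c.login] = {"groups": set(c.details["groups"]), "enabled": True}
        elif c.action == "reprovision":
            acct = app_accounts[c.login]
            acct["groups"] = (acct["groups"] | set(c.details["add"])) - set(c.details["remove"])
        elif c.action == "deprovision":
            app_accounts[c.login]["enabled"] = False
    return app_accounts


if __name__ == "__main__":
    plan = reconcile(HR_FEED, APP_ACCOUNTS)
    for c in plan:
        print(c.action, c.login, c.details)
    apply_changes(plan, APP_ACCOUNTS)
    print(reconcile(HR_FEED, APP_ACCOUNTS))   # [] : a second pass finds nothing to do
```

Running the reconciliation a second time after applying the plan yields no changes, which is the property to look for in a connector: the sync must be safe to repeat. Disabling rather than deleting a leaver's account preserves the audit history tied to it.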

Application Integration

Having a common repository of identities helps applications implement a common vocabulary, and provides a common frame of reference for transactions across applications. And if it is not possible to incorporate a common vocabulary into the application, as might be the case with certain legacy applications, the IM system provides a central socket for a translation plug-in.

Crossing the Enterprise borders

An identity management system supporting standards like SAML (Security Assertion Markup Language) and WS-Security (Web Services Security), and the emerging XKMS (XML Key Management Specification), provides a common platform of trust for transactions over the Web.

Federated Identity Management

Federated Identity Management (FIM) has emerged in response to the desire to simplify the way in which users move between organizations. It recognizes that some identity information exists beyond the corporate firewall, and is therefore beyond any one organization's control. It also reduces multiple logins by allowing applications, systems and organizations to share user authentication and profile information. And the shared circle of trust provides the user with additional benefits by virtue of being a part of the circle.

Business Advantage

Identity management in the private sector can also shape basic business strategy, marketing and industry configurations. For example, a company may wish to leverage its superior market position to further "lock in" customers by creating a proprietary single sign-on system to intermediate business relationships between its customers and other private companies.

Another example would be when companies of roughly comparable market power agree among themselves to federate by sharing customer authentication system processes so users can easily buy from any member of the club. This could create a competitive advantage against companies outside the federation.

In addition, IM plays a fundamental role in managing risks and protecting assets. Inefficient IM can hinder business productivity with respect to timely access to data, employee access difficulties and unplanned network downtime. According to a Burton Group study, a company with a user population of 25,000 and 20 percent annual employee turnover makes 35,000 changes to employee identities each year at an average cost of $10.42 per change. The bottom line? More than $360,000 in administrative expenses alone. Making manual changes to an assortment of databases and application directories as a user's access rights change is without doubt both time-consuming and cost-prohibitive.


In the years to come, one could see employees, partners, vendors and other stakeholders securely accessing enterprise applications and conducting seamless information exchange with single sign-on capability. Customers would be the owners of their profile information, deciding whom to share information with and to what extent. In the very near future, competitive pressures will force most companies to expand their identity infrastructures from inside their corporate firewall (enterprise-centric) to outside the firewall for accommodating customers and partners.

Only a robust, scalable, standards based network identity infrastructure can support the millions of accounts that such a network will demand. In this scenario, a federated identity approach is most likely to dominate.

The longer an organization waits to implement a solution that will give the individual user seamless, secure access to information, the greater its competitive disadvantage and the greater the risk of compromising the security of its enterprise information. Identity management is a valuable tool that can help an organization enhance productivity and cut costs while improving security. It is rapidly becoming a requirement for any organization that wishes to remain competitive in today's market, and enterprises are working their way towards realizing this vision.

The author was formerly with Aztec Software and Technology Services Ltd. For feedback on this article write to


© Copyright 2001: Indian Express Newspapers (Bombay) Limited (Mumbai, India). All rights reserved throughout the world.