Identity Management -Managing Identities Easier

Niraj Agarwal, Consultant, Pricewaterhouseoopers, elaborates on identity management and the various parameters involved.

Niraj Agarwal

'Identity' assumes multiple connotations in as many different contexts. While it may be the most intriguing thing to grapple with in the field of social sciences and psychology, it has nevertheless left IT pundits bewildered too. In any organisation, managing user identities has always been cumbersome. Addressing access violations, identity thefts, lost credentials, password resets etc. have been the bulk of administrative activities. Help-desk costs have been escalating ever so much. Even ex-users have a way of abusing resources they shouldn’t have access to.

Alleviating all these issues and many more by managing the entire life-cycle of a user, in terms of digital identity within an enterprise, is what identity management does.

Identity Management (aka IDM) is a comprehensive techno-functional solution to the various issues related to creation, modification and removal of a user identity in an enterprise-wide system.

It is a combination of processes and technologies to manage and secure access to the information and resources of an organization while also protecting users’ profiles.

Profile Management

The salient aspects of a digital user’s life-cycle are:

Creation/Provisioning: When a person enters an organization, there is always a mad scramble from the boss, the project manager, the HR, IT Administrator to create a profile i.e. information, tools, preferences, and resources needed in order to perform specific roles. The diversity of the systems, most likely would be proliferation of multiple ids and passwords. Not to mention, the turnaround time would also stretch given the manual interventions, provisioning process and systems behavior generally involved.

Identity Management tackles this issue by encompassing the integrations of different systems such as directories, databases, single sign-on and provisioning applications into a unified framework.

Workflow: driven approval based applications brings down the response time considerably.

Provisioning streamlines the process for giving users fast access to information resources.

Self-Service: User account maintenance has always been a high-maintenance itself. According to a Giga Information Group report, help desk costs for password resets are estimated at $25 per incident. Automating the reset process and letting employees service themselves reduces the help-desk call volume significantly. Self-services empower the users to request appropriate access to other systems or services. Such reductions in time for electronic access and maintenance results in better employee efficiency and time-savings which can be assessed directly into profits.

Removal/Deprovision: As a rule of the thumb, whenever employees/contractors leaves or changes positions in an organization, all access must be modified or revoked. But all too often, user names and passwords remain on systems long after they leave, creating situations they can easily exploit. A PricewaterhouseCoopers survey of 138 CEOs in 2002 found that ex-employees and on-site contractors pose far more of a security hazard than hackers.

Identity Management reduces risk of ex-employees retaining access to organizational resources by de-provisioning users from systems. Maintaining an audit trail is also inherent and part of this solution to nabbing illegal activities.

Compliance Matters

In order to regulate corporate and accounting practices, the Sarbanes-Oxley Act of 2002, a United States federal law, necessitated certification of financial reports by CEOs and CFOs. This led to a paradigm shift in the way companies were dealing with internal controls over financial reporting. Identity Management has since become the bellwether technology in establishing company’s internal control framework and compliance with Sarbanes-Oxley requirements.

Besides SOX, United States’ Health Insurance Portability and Accountability Act—HIPAA, the European Data Protection Directive, and the Canadian Privacy Act also relates well with Identity Management.

Identity Management reciprocates the needs of organizations to log and report all events that occur within an enterprise-wide system. As important as it is for customers that events related to account creation, modification and deletion be logged accurately. These audit trail and logs eventually facilitate the auditing and compliance needs when determining who has access to what systems to what extent.

Risks and Challenges

Clearly the best advantage of identity management is being the panacea reducing management overheads and optimizing business processes. Among other benefits, as a security initiative it integrates well with VPNs, PKI, SSO, SecurIDs, RFID, smart-cards, biometrics and other technologies thereby positioning itself as a robust solution.

However, there is much more to it than meets the eye. Technology is a great leveler. What perfects as a solution can become another problem.

Identity Management faces similar challenges. With a centralised identity solution, there is more vulnerability for security attacks as the hacker needs to just focus on one system from where he/she can potentially gain unrestricted access to information and resources within the organisation.

Another scenario is when someone is using the right identity for wrong reasons/intentions. Since an identity is fully integrated with different systems, it’s important that in an identity management solution the right identity is used in the right context.

Moreover, given the changing features of systems, databases, policies identity management is a continuously evolving technology. It has to keep adapting to the changing needs in the technological space. This means that there has to be some industry-accepted standards which ensure that when different vendors are developing their own identity solutions they are still compatible with each other.

Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication and authorisation data between security domains, that is, between an identity provider and a service provider. SAML is a product of the OASIS, an international nonprofit organisation that organises and adopts e-business standards.

SPML, XACML, WS-Security (Web Services Security) are some other related standards.

But even here we are risking the assumption that the vendor’s community is going to agree on a standards–based solution in a domain where there are lots of initiatives, often not playing well with each other.

Apart from meeting organisational needs, recently there has been a move towards achieving inter-organisational solutions. This brings us to Federated Identity.

The concept of federated identity is defined as being able to extend account profile and access management to third parties who need to access resources in your organisation, and similarly, being able to project your identity or identities that you manage (either as an organisation or individual) to others. In other words, federated identity envisions disconnected systems or enterprises interoperating with each other’s concepts of identity.

Liberty Alliance Project (http://www.projectliberty.org/) is one of many initiatives with corporate partnerships that’s spearheading this concept and setting standards.

Try IDM… Catch Success

With cut-throat competition and increasing choices in this sector, companies have been boasting success stories in their identity management implementations far and wide. Some businesses which have configured identity solutions and benefitted are GE, Henkel, Athens International Airport. Further, companies like General Motors, Boeing, BKWI, Volkswagen Group, BlueCross BlueShield of Tennessee, Solomon Mutual Bank, Husky Energy and many others are opting for identity management to improve IT efficiency and controlled infrastructure.

Identity management is enabling such organisations, often with global worker base, to consolidate application access and monitoring. As a step forward, companies are also trying to provide cross-domain application access and manage external users through federated methods.

Finally...

To sum up, it would be wise to say that identity management as a holistic solution hinges as much on business process as it does on technology. Hence this strategy helps realize all the identity goals as well as streamlining the corporate vision, focus and other niche areas.

Even when the project costs are huge in some implementations, better returns on investment is an encouraging factor for business all over the world to consider identity management as a primary aimed at efficient user management, better accountability and improved productivity.