Identity Management - Managing Identities Easier
Niraj Agarwal, Consultant, PricewaterhouseCoopers,
elaborates on identity management and the various parameters involved.
'Identity' assumes multiple connotations in as many different
contexts. While it may be the most intriguing thing to grapple with in the field
of social sciences and psychology, it has nevertheless left IT pundits bewildered
too. In any organisation, managing user identities has always been cumbersome.
Addressing access violations, identity theft, lost credentials, password resets
etc. has made up the bulk of administrative activity. Help-desk costs have been
escalating steadily. Even ex-users have a way of abusing resources they
shouldn't have access to.
Alleviating all these issues and many more by managing the entire life-cycle
of a user, in terms of digital identity within an enterprise, is what identity
Identity Management (aka IDM) is a comprehensive techno-functional solution
to the various issues related to creation, modification and removal of a user
identity in an enterprise-wide system.
It is a combination of processes and technologies to manage and secure access
to the information and resources of an organization while also protecting users
The salient aspects of a digital user's life-cycle are:
Creation/Provisioning: When a person enters an organization,
there is always a mad scramble among the boss, the project manager, HR and the IT
administrator to create a profile, i.e. the information, tools, preferences and
resources needed in order to perform specific roles. Given the diversity of the systems,
the most likely result is a proliferation of multiple IDs and passwords. Not to mention
that the turnaround time also stretches, given the manual interventions, provisioning
processes and system behaviours generally involved.
Identity Management tackles this issue by encompassing the integrations of different
systems such as directories, databases, single sign-on and provisioning applications
into a unified framework.
Workflow: Workflow-driven, approval-based applications bring
down the response time considerably.
Provisioning streamlines the process for giving users fast access to information
Self-Service: User account maintenance has always
been a high-maintenance activity in itself. According to a Giga Information Group report,
help desk costs for password resets are estimated at $25 per incident. Automating
the reset process and letting employees service themselves reduces the help-desk
call volume significantly. Self-service empowers users to request appropriate
access to other systems or services. Such reductions in time for electronic
access and maintenance result in better employee efficiency and time-savings
which translate directly into profits.
Removal/Deprovisioning: As a rule of thumb, whenever
employees or contractors leave or change positions in an organization, all access
must be modified or revoked. But all too often, user names and passwords remain
on systems long after they leave, creating situations they can easily exploit.
A PricewaterhouseCoopers survey of 138 CEOs in 2002 found that ex-employees
and on-site contractors pose far more of a security hazard than hackers.
Identity Management reduces the risk of ex-employees retaining access to organizational
resources by de-provisioning users from systems. Maintaining an audit trail
is also an inherent part of this solution, helping to detect illegal activities.
In order to regulate corporate and accounting practices, the Sarbanes-Oxley
Act of 2002, a United States federal law, necessitated certification of financial
reports by CEOs and CFOs. This led to a paradigm shift in the way companies
were dealing with internal controls over financial reporting. Identity Management
has since become the bellwether technology in establishing a company's internal
control framework and compliance with Sarbanes-Oxley requirements.
Besides SOX, the United States Health Insurance Portability and Accountability
Act (HIPAA), the European Data Protection Directive and the Canadian Privacy
Act also relate well to Identity Management.
Identity Management meets the need of organizations to log and report
all events that occur within an enterprise-wide system. It is equally important
for customers that events related to account creation, modification and deletion
be logged accurately. These audit trails and logs eventually facilitate the auditing
and compliance needs when determining who has access to what systems to what
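As an added illustration of the de-provisioning and audit-trail points above (this is not code from the article or from any product it names): a small Python reconciliation that treats the HR roster as the authoritative source, compares it with the accounts observed on downstream systems, disables accounts belonging to people who have left or whom HR does not know, and records an audit event for every change. All user names, systems and statuses are constructed sample data.

```python
from datetime import datetime, timezone

# Constructed sample data (not from the article). The HR roster is assumed to be
# the authoritative source of who is currently employed or contracted.
HR_ROSTER = {
    "alice": "active",
    "bob": "terminated",        # left last month, accounts never cleaned up
    "carol": "active",
    "dave": "contract_ended",
}

# Enabled accounts observed on two downstream systems; "erin" is unknown to HR.
SYSTEM_ACCOUNTS = {
    "crm": {"alice": "enabled", "bob": "enabled", "carol": "enabled"},
    "vpn": {"alice": "enabled", "bob": "enabled", "dave": "enabled", "erin": "enabled"},
}

ACTIVE_STATUSES = {"active"}


def audit(trail, actor, action, system, user, reason):
    """Append one audit record: who did what, on which system, to whom, and why."""
    trail.append({"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                  "action": action, "system": system, "user": user, "reason": reason})


def find_orphans(roster, systems):
    """Return {system: {user: reason}} for enabled accounts whose owner is not an
    active person in HR, either because they left or because HR never knew them."""
    orphans = {}
    for system, accounts in systems.items():
        for user, state in accounts.items():
            if state != "enabled":
                continue
            status = roster.get(user)
            if status is None:
                orphans.setdefault(system, {})[user] = "no HR record"
            elif status not in ACTIVE_STATUSES:
                orphans.setdefault(system, {})[user] = "HR status " + status
    return orphans


def deprovision(systems, orphans, trail, actor="idm-reconciler"):
    """Disable each orphaned account in place, writing an audit record per change."""
    count = 0
    for system, users in orphans.items():
        for user, reason in users.items():
            systems[system][user] = "disabled"
            audit(trail, actor, "disable", system, user, reason)
            count += 1
    return count
```

Running find_orphans a second time after deprovision returns an empty result, which is the check an auditor would expect to see in the trail.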
Risks and Challenges
Clearly the greatest advantage of identity management is its role as a panacea, reducing
management overheads and optimizing business processes. Among other benefits,
as a security initiative it integrates well with VPNs, PKI, SSO, SecurID tokens, RFID,
smart-cards, biometrics and other technologies, thereby positioning itself as
a robust solution.
However, there is much more to it than meets the eye. Technology is a great
leveller. What works perfectly as a solution can become another problem.
Identity Management faces similar challenges. With a centralised identity solution,
there is greater exposure to security attacks, as an attacker need only
focus on one system, from which he or she can potentially gain unrestricted access
to information and resources within the organisation.
Another scenario is when someone is using the right identity
for the wrong reasons or intentions. Since an identity is fully integrated with different
systems, it's important that in an identity management solution the right
identity is used in the right context.
Moreover, given the changing features of systems, databases and
policies, identity management is a continuously evolving technology. It has to
keep adapting to the changing needs in the technological space. This means that
there have to be industry-accepted standards which ensure that when different
vendors are developing their own identity solutions they are still compatible
with each other.
Security Assertion Markup Language (SAML) is an XML standard for exchanging
authentication and authorisation data between security domains, that is, between
an identity provider and a service provider. SAML is a product of OASIS,
an international nonprofit organisation that organises and adopts e-business
SPML, XACML and WS-Security (Web Services Security) are other related standards.
But even here we are risking the assumption that the vendor community
is going to agree on a standards-based solution in a domain where there
are lots of initiatives, often not playing well with each other.
Apart from meeting organisational needs, recently there has been a move towards
achieving inter-organisational solutions. This brings us to Federated Identity.
The concept of federated identity is defined as being able to extend account
profile and access management to third parties who need to access resources
in your organisation, and similarly, being able to project your identity or
identities that you manage (either as an organisation or individual) to others.
In other words, federated identity envisions disconnected systems or enterprises
interoperating with each other's concepts of identity.
Liberty Alliance Project (http://www.projectliberty.org/) is one of many initiatives
with corporate partnerships that's spearheading this concept and setting
With cut-throat competition and increasing choices in this sector, companies
have been boasting success stories in their identity management implementations
far and wide. Some businesses which have configured identity solutions and benefited
are GE, Henkel and Athens International Airport. Further, companies like General
Motors, Boeing, BKWI, Volkswagen Group, BlueCross BlueShield of Tennessee, Solomon
Mutual Bank, Husky Energy and many others are opting for identity management
to improve IT efficiency and gain a controlled infrastructure.
Identity management is enabling such organisations, often with a global worker
base, to consolidate application access and monitoring. As a step forward, companies
are also trying to provide cross-domain application access and manage external
users through federated methods.
To sum up, it would be wise to say that identity management as a holistic solution
hinges as much on business process as it does on technology. Hence this strategy
helps realize all the identity goals as well as streamlining the corporate vision,
focus and other niche areas.
Even when the project costs are huge in some implementations, better returns
on investment are an encouraging factor for businesses all over the world to consider
identity management as a primary aimed at efficient user management, better
accountability and improved productivity.