Issue 43 - March 2005

Identity Management: behind the scenes
By Angela Tang
The community of City University is expanding not just in the increasing number of students, alumni and staff, but also in the diversity of relationships people have with the University, such as prospective students and staff, visiting scholars, exchange students and retired staff. Moreover, it is common for one person to hold multiple roles and for those roles to change over time. Identity Management is definitely the direction for enabling this large and heterogeneous user population to gain secure access to the appropriate electronic resources in a timely manner. Before discussing how we have started to handle this big subject, let us look at the complications involved.
With the rapid development of IT, accessing information and services electronically has become increasingly handy and fast. Whether a person is allowed to use a particular resource or service is usually decided by creating an account on that system: whoever presents the account username and the correct password is allowed to use the service. Handled this way, a few underlying problems arise, as described below:
- Data Integrity
  User information stored on distributed systems may differ from one system to another, so data integrity is difficult to maintain.
- Account and Service Management
  Account and service provision is complicated when it comes to creating, maintaining and removing the provision. As there is no complete picture of all the resources allocated to a user, granting privileges has become a tedious task, especially when a user has multiple roles, i.e. when a person is both a staff member and a student in the university. Synchronization of information among systems demands manual processes by different departments. As a result, delays may occur in creating and updating information.
- Username/Password Chaos
  Not only does one have to remember a separate username/password pair for each resource, but a separate log-in is also required for each. When a user forgets a password, assistance is needed to reset it.
The Ultimate Solution - Identity Management

Identity Management is an integrated set of technologies and processes that enable secure access to the information and resources of an enterprise in a scalable manner. That is, it lets the right people in and gives them access to the appropriate information, systems, applications and services.
What are the Benefits?

- Reduced Cost
  As a Gartner report stated, "Identity and access management (IAM) solutions, which can offer three-year return on investment in the triple-digit-percent range, are becoming essential tools for effective management of user account and access rights information across heterogeneous IT environments, for web and non-web applications."
- Increased Security
  The risk of unauthorized access to resources, or of disclosure of confidential information, is reduced or eliminated.
- Improved Productivity
  Management overhead is reduced through the automation and centralized management of identity, and new employees can be given access to the resources they need within the organization in less time.
- Improved Service
  Faster account creation and password reset processes reduce user waiting time and frustration.
- Increased Compliance
  Consistent and standard identity data is provided to and for applications, and auditing of user access rights can be improved.
Functions of an Identity Management System (IMS)

A digital identity consists of information that can represent a distinct person in the electronic world. For instance, a person's unique account name, a certificate, authentication and authorization data, and profile data are all part of the person's identity. In the real world, a person can be a teacher at school, a father at home and a customer at the supermarket. Similarly, a digital identity has a corresponding relationship for each given context. A person may use the Human Resources System as an employee, access the Library system as a lecturer, and log into the Facilities Booking system as a general user. In other words, depending on the context, a digital identity may present different views. With this concept in mind, let us now look at the various functions of the IMS.
Identity Store
  An LDAP directory is the most commonly used data repository for storing identity information and attributes.

Authentication
  This is the process of verifying a digital identity. The most common method is to compare identity information, such as a username, and a credential, such as a password, with the identity store.

Authorization
  The process of enforcing the access rights of an authenticated identity within a certain context.

Access control
  Defining policies that govern resources so that they are used by the right person at the right time.

Identity Lifecycle Management
  This is the management of the entire lifecycle of digital identities. A typical lifecycle includes:
  - Initial set up - Provide new users with the appropriate access levels to the necessary resources.
  - Maintenance - As a user's role may change and new contexts may arise, identity information has to be kept up to date and levels of access to resources adjusted accordingly in a timely manner.
  - Teardown - Deactivate, remove and archive the digital identity of a user when he/she is no longer affiliated with the organization.
  - Lifecycle management process - The process includes provisioning and decommissioning of accounts, self-service for resetting passwords and updating identity information, and delegated administration to non-IT departments.

Audit
  To ensure the information in the identity store is being properly used and complies with privacy regulations.
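To make the functions above concrete, here is an added worked example in Python; it is not code from the original article or from the University's system. It models a small identity store with salted password hashes, authentication against that store, authorization that depends on the context (HR, library, facilities), the lifecycle steps of provisioning, maintenance and teardown, and an audit log of every decision. The contexts, role names and policy table are constructed for illustration.

```python
# Added example (not from the original article): a toy identity management
# store showing the IMS functions of identity store, authentication,
# context-dependent authorization, lifecycle management and audit.
# Contexts, roles and the policy table below are constructed for illustration.
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Identity:
    username: str
    salt: bytes
    pw_hash: bytes
    # Roles per context, e.g. {"hr": {"employee"}, "library": {"lecturer"}}:
    # the same person presents a different "view" in each system.
    roles: dict = field(default_factory=dict)
    active: bool = True


def derive_hash(password: str, salt: bytes) -> bytes:
    # The store keeps a salted PBKDF2 hash, never the cleartext credential.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class IdentityStore:
    # Access-control policy: (context, role) -> actions permitted in that context.
    POLICY = {
        ("hr", "employee"): {"view_payslip"},
        ("library", "lecturer"): {"borrow", "reserve_journal"},
        ("library", "student"): {"borrow"},
        ("facilities", "general"): {"book_room"},
    }

    def __init__(self):
        self._identities = {}
        self.audit_log = []  # (username, event) pairs for the audit function

    def _record(self, username, event):
        self.audit_log.append((username, event))

    # Lifecycle: initial set-up (provisioning)
    def provision(self, username, password, roles):
        salt = os.urandom(16)
        self._identities[username] = Identity(
            username, salt, derive_hash(password, salt),
            {ctx: set(r) for ctx, r in roles.items()},
        )
        self._record(username, "provision")

    # Lifecycle: maintenance, roles change as the person's relationship changes
    def update_roles(self, username, context, roles):
        ident = self._identities[username]
        if roles:
            ident.roles[context] = set(roles)
        else:
            ident.roles.pop(context, None)
        self._record(username, f"update_roles:{context}")

    # Lifecycle: self-service password reset re-salts and re-hashes
    def reset_password(self, username, new_password):
        ident = self._identities[username]
        ident.salt = os.urandom(16)
        ident.pw_hash = derive_hash(new_password, ident.salt)
        self._record(username, "reset_password")

    # Lifecycle: teardown keeps the record for audit but disables all access
    def deactivate(self, username):
        self._identities[username].active = False
        self._record(username, "deactivate")

    # Authentication: verify the presented credential against the store
    def authenticate(self, username, password) -> bool:
        ident = self._identities.get(username)
        if ident is None or not ident.active:
            derive_hash(password, b"\x00" * 16)  # same work for unknown users
            ok = False
        else:
            ok = hmac.compare_digest(derive_hash(password, ident.salt), ident.pw_hash)
        self._record(username, "auth_ok" if ok else "auth_fail")
        return ok

    # Authorization: enforce access rights for the identity in a given context
    def authorize(self, username, context, action) -> bool:
        ident = self._identities.get(username)
        if ident is None or not ident.active:
            allowed = False
        else:
            allowed = any(action in self.POLICY.get((context, role), set())
                          for role in ident.roles.get(context, ()))
        self._record(username, f"{'allow' if allowed else 'deny'}:{context}:{action}")
        return allowed


if __name__ == "__main__":
    store = IdentityStore()
    store.provision("tchan", "correct horse", {"hr": {"employee"}, "library": {"lecturer"}})
    print(store.authenticate("tchan", "correct horse"))            # True
    print(store.authorize("tchan", "library", "reserve_journal"))  # True
    store.deactivate("tchan")
    print(store.authenticate("tchan", "correct horse"))            # False
```

The point of keeping roles per context is that a person who is both staff and student gets the union of their entitlements in each system without a second account, and removing one role (maintenance) or deactivating the identity (teardown) is a single change that every context sees at once. The audit log records both successful and denied operations, which is what an audit of user access rights needs.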
Deployment Models

Silo
  Each service has its own identity store as well as its own authentication and authorization processes. The user has to keep logging in and out when moving from one service to another.

Walled garden
  There is a single identity management service for a community. Individual services rely on it to obtain identity information and to control access to the service.

Federation
  Service is granted provided the identity has already been authenticated by a trusted external organization. For example, after buying books on-line from company A, you may continue to purchase an air ticket from company B without re-identifying yourself to company B.
Identity Management Standards

For the walled garden deployment model, an identity management service has to communicate with various user services. It would be impossible, or extremely difficult, to implement if each user service spoke differently. Moreover, under the federation deployment model the identity management service of organization A has to work with the identity management service of organization B. For these reasons, there must be a commonly agreed way of communicating when performing the identity management functions, and this is where standards come into play.

There are quite a number of standards related to various aspects of Identity Management. Below are the essential ones.

Federated Identity and Standards
  The concept of federated identity is defined as being able to extend account profile and access management to third parties who need to access resources in your organization, and similarly, being able to project your identity, or the identities that you manage, to others.
  - The Liberty Alliance Project
  - Microsoft Federation
  - Shibboleth Project

Directory Services (for identity store)
  - Lightweight Directory Access Protocol (LDAP)
  - Directory Service Markup Language (DSML)

Web Services
  - Simple Object Access Protocol (SOAP)
  - Web Services Description Language (WSDL)
  - Universal Description, Discovery and Integration (UDDI)

Security
  - Security Assertion Markup Language (SAML)
  - Web Services Security Language (WSS)
  - Open Security Assertion Markup Language (OpenSAML)
Conclusion

As companies focus more on service delivery, customers demand more access to information, and the number of identity theft cases keeps rising, identity management has been recognized as the key component for achieving these goals while control and security are still maintained. However, the industry is still waiting for these tools and standards to mature. Until then, we must rely on ourselves to properly protect our identities, such as our usernames and passwords, and be vigilant about releasing our identity information to others.