Identity Management: behind the scenes

by Angela Tang

The community of City University is expanding, not just in the number of students, alumni and staff, but also in the diversity of relationships with the University, such as prospective students/staff, visiting scholars, exchange students, retired staff, etc. Moreover, it is common for a person to have multiple roles and changing roles. Identity Management is definitely the direction for enabling this large and heterogeneous body of users to gain secure access to the suitable electronic resources in a timely manner. Before discussing how we have started to handle this big subject, let us talk about the complications involved.

With the rapid development of IT, accessing information and services electronically has become increasingly handy and fast. Whether a person is allowed to use certain resources or services is usually determined by creating an account on the system: whoever has the account username and correct password is allowed to use the service. This approach has a few underlying problems, as described below:

  1. Data Integrity

    User information stored on distributed systems may differ from one system to another. Data integrity is difficult to maintain.
     
  2. Account and Service Management

    Account and service provision is complicated when it comes to creating, maintaining and removing the provision. As there is no complete picture of all the resources allocated to a user, granting privileges becomes a tedious task, especially when a user has multiple roles, for example when a person is both a staff member and a student in the university. Synchronization of information among systems demands manual processes by different departments. As a result, delays may occur in creating and updating information.
     
  3. Username/Password Chaos

    Not only does one have to remember a username/password pair for each resource, but a separate log-in is also required for each. When a user forgets a password, assistance is needed to reset it.

The Ultimate Solution - Identity Management

Identity Management is an integrated set of technologies and processes that enable secure access to the information and resources of an enterprise in a scalable manner. That is, it lets the right people in and gives them access to the appropriate information, systems, applications and services.

What are the Benefits?

  • Reduced Cost

    As a Gartner report stated, "Identity and access management (IAM) solutions, which can offer three-year return on investment in the triple-digit-percent range, are becoming essential tools for effective management of user account and access rights information across heterogeneous IT environments, for web and non-web applications."
     
  • Increased Security

    The risk of unauthorized access to resources, or disclosure of confidential information is reduced or eliminated.
     
  • Improved Productivity

    Reduced management overhead with the automation and centralized management of identity. Reduced time taken to enable new employees to get access to the required resources within the organization.
     
  • Improved Service

    Reduced user waiting time and frustration through faster account creation and password reset processes.
     
  • Increased Compliance

    Provide consistent and standard identity data to and for applications. Audit of user access rights can be improved.

Functions of an Identity Management System (IMS)

Digital identity includes information which can represent a distinct person in the electronic world. For instance, a person's unique account name, a certificate, authentication and authorization data, and profile data are all part of the person's identity. In the real world, a person can be a teacher in school, a father at home as well as a customer at the supermarket. Similarly, for a given context, digital identity also has its corresponding relationship. A person may use the Human Resources System as an employee, access the Library system as a lecturer, and log into the Facilities Booking system as a general user. In other words, depending on the context, digital identity may have different views. With this concept in mind, let us now look at the various functions of the IMS.

Identity Store
LDAP directory is the most commonly used data repository for storing identity information and attributes.

Authentication
This is the process of verifying a digital identity. The most common method is to compare identity information such as a username, and a credential such as a password, against the Identity store.

Authorization
The process of enforcing the access rights of an authenticated identity within a certain context.

Access control
Define policies to ensure that resources are used by the right person at the right time.

Identity Lifecycle Management

This is to manage the entire lifecycle of digital identities. A typical lifecycle includes:

  • Initial set up - Provide new users with the appropriate access levels to the necessary resources.
  • Maintenance - As a user's role may change and new contexts may arise, identity information has to be kept up-to-date and levels of access to resources adjusted accordingly in a timely manner.
  • Teardown - Deactivate, remove and archive the digital identity of a user when he/she is no longer affiliated with the organization.
  • Lifecycle management process - The process includes provisioning and decommissioning of accounts, self-service for resetting passwords and updating identity information, and delegated administration to non-IT departments.

Audit
To ensure that the information in the Identity store is properly used and complies with privacy regulations.
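
The lifecycle steps above (initial set up, maintenance, teardown) for a person who is both staff and a student, as an added Python example that is not part of the original article. The role names, service names and dates are constructed assumptions; the point is that access is the union over active roles, so losing one role must not revoke what another role still grants.

```python
from datetime import date

# Constructed role -> entitlement map (hypothetical service names).
ROLE_ENTITLEMENTS = {
    "staff":   {"hr_system", "library", "email", "facilities_booking"},
    "student": {"library", "email", "e_learning"},
    "alumni":  {"email"},
}

def active_roles(affiliations, today):
    """Roles whose affiliation period covers `today` (end=None means open-ended)."""
    return {a["role"] for a in affiliations
            if a["start"] <= today and (a["end"] is None or today <= a["end"])}

def entitled(affiliations, today):
    """Union of entitlements over all currently active roles."""
    result = set()
    for role in active_roles(affiliations, today):
        result |= ROLE_ENTITLEMENTS.get(role, set())  # unknown role grants nothing
    return result

def reconcile(affiliations, provisioned, today):
    """Compare what the identity store says a person should have with what the
    downstream systems actually hold, and return the provisioning actions."""
    should_have = entitled(affiliations, today)
    return {
        "grant": sorted(should_have - provisioned),
        "revoke": sorted(provisioned - should_have),
        # Teardown: no active affiliation left, so deactivate and archive.
        "deactivate_identity": not active_roles(affiliations, today),
    }

# Constructed sample: one person who is both staff and a student.
PERSON = [
    {"role": "staff",   "start": date(2005, 1, 1), "end": date(2006, 6, 30)},
    {"role": "student", "start": date(2005, 9, 1), "end": date(2005, 12, 31)},
]

if __name__ == "__main__":
    have = set()
    for day in (date(2005, 2, 1), date(2005, 10, 1),
                date(2006, 1, 15), date(2006, 7, 1)):
        plan = reconcile(PERSON, have, day)
        print(day, plan)
        have = (have | set(plan["grant"])) - set(plan["revoke"])
```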

Deployment Models

Silo
Each service has its own identity store as well as authentication and authorization processes. The user has to keep logging in and out when moving from one service to another.

Walled garden
There is only a single identity management service for a community. Individual services rely on it to obtain identity information and control access to the service.

Federation
Service is granted provided the identity has already been authenticated by a trusted external organization. For example, after buying books on-line from company A, you may continue to purchase an air ticket from company B without re-identifying yourself to company B.

Identity Management Standards

For the walled garden deployment model, an Identity management service has to communicate with various user services. This would be impossible or extremely difficult to implement if each user service spoke differently. Moreover, under the federation deployment model, the identity management service of organization A has to work with the identity management service of organization B. For these reasons, there must be a commonly agreed way of communicating when performing the Identity management functions, and thus standards come into play.

There are quite a number of standards related to various aspects of Identity Management. Below are the essential ones.

Federated Identity and Standards

The concept of federated identity is defined as being able to extend account profile and access management to third parties who need to access resources in your organization, and similarly, being able to project your identity or identities that you manage to others.

- The Liberty Alliance Project
- Microsoft Federation
- Shibboleth Project

Directory Services (for identity store)
- Lightweight Directory Access Protocol (LDAP)
- Directory Service Markup Language (DSML)

Web Services
- Simple Object Access Protocol (SOAP)
- Web Services Description Language (WSDL)
- Universal Description, Discovery and Integration (UDDI)

Security
- Security Assertion Markup Language (SAML)
- Web Services Security Language (WSS)
- Open Security Assertion Markup Language (OpenSAML)

Conclusion

As companies focus more on service delivery and customers demand more access to information, while the number of identity theft cases keeps rising, identity management has been recognized as the key component for achieving these goals while still maintaining control and security. However, the industry is still waiting for these tools and standards to mature. Until then, we must rely on ourselves to properly protect our identities, such as usernames and passwords, and be vigilant about releasing our identity information to others.