Identity Management for Changing Times

Identity management technology is adapting to meet enterprise needs. Learn what products can improve security and ease compliance.

Information Security
magazine, May issue


Download the entire May issue of Information Security magazine here in PDF format.

By MARK DIODATI
Does it feel like the world of identity management is calcified with the same old products and a glacial pace of innovation? Strong authentication, directory services, provisioning, Web access management, and federation have been around for years but what's new?

In fact, there are a lot of developments in the identity management space and newer technologies such as privileged account management, Active Directory (AD) bridge, and entitlement management are taking off as companies look to ensure security and meet compliance demands.

While large enterprises have deployed a mix of identity management products, few have enjoyed the synergies that these products bring when they are integrated. Let's look at some of the benefits the new technologies provide and strategies that can help an enterprise fully leverage its identity management investments.

Old School Identity Management

Traditional identity management products have become an intrinsic part of the IT infrastructure and continue to be deployed today. They include:

  • Directory services. Directory services and authentication products are the oldest examples of identity management products. Directory servers use the Lightweight Directory Access Protocol (LDAP) to present data. While relatively difficult for developers to work with, LDAP has emerged as the standard repository for user and policy information.
  • Provisioning. Provisioning systems add, delete, and modify user accounts across heterogeneous platforms. These systems typically include workflow (to enable the approval of changes to user accounts) and role management capabilities, which can provide security and compliance benefits.
  • Web access management (WAM). WAM systems provide single sign-on (SSO) and authorization services for heterogeneous Web applications. WAM systems work solely with Web applications and do not require client software besides a Web browser.
  • Strong authentication. Strong authentication systems leverage at least two factors to provide higher identity assurance. The most commonly deployed strong authentication system in the enterprise is the one-time password device (OTP). The device displays a unique code, which is combined with a personal identification number (PIN) to provide two-factor authentication. Other strong authentication mechanisms include smart cards (which also leverage a portable hardware device and a PIN) and biometrics.
  • Federation. The initial development of federation technology was a response to the challenge of providing single sign-on services to users at separate organizations. Unfortunately WAM systems weren't up to the challenge as they leveraged the HTTP cookie for session management, which did not work across corporate boundaries. The default standard in federation is Security Assertion Markup Language (SAML).

Full evaluation required
When considering an identity management suite, don't make the same mistake that many of your colleagues have made by failing to thoroughly evaluate all identity management products under consideration before a purchase.
Most organizations begin their evaluations by looking for a single product to meet a pressing need. At purchase time, the vendor then offers the customer a steep discount to compel the purchase of multiple identity management products. The deployment of the primary product goes well, but then the organization finds out that the other purchased products don't meet its needs, or require significant customization to work.
Multiple products from the same vendor can be a good fit, but organizations need to vet all of the products before writing the check. The additional evaluation work takes time, but it's worth the effort. Install the identity management products in your development environment, and test them against your existing applications, particularly your enterprise resource planning (ERP) applications and Active Directory infrastructure. Finally, don't hesitate to get a pilot user group to test the products.
-MARK DIODATI

New School Identity Management

Newer types of identity management technologies such as privileged account management, Active Directory (AD) bridge, security information management (SIM), entitlement management, virtual directory, and enterprise SSO products are seeing broad adoption. In most cases, these markets are growing at a greater rate as compared to traditional identity management products. They include:

Privileged account management

The privileged account management market segment is growing the fastest, with most large, regulated enterprises either having already deployed or planning to deploy the technology.. While provisioning systems are very good at managing user accounts belonging to real users, they are terrible at managing generic privileged accounts like the UNIX root account. These accounts are required by the target platform (try deleting the root account from a UNIX system and see what happens), so access to them needs to be controlled. The accounts are also shared by many administrators; the result is a lack of accountability.

In the hands of evil-doers, these generic privileged accounts can inflict real damage, because they can bypass security controls, destroy or breach confidential data, and cover tracks by deleting audit data. Privileged account management products provide greater accountability because the account must be checked out by the administrator and the password associated with the account is changed frequently.

AD bridge

Another segment that is seeing explosive growth is the AD bridge market These products extend authentication, authorization, and identity management from Microsoft Active Directory to non-Windows platforms like UNIX, Linux, and Mac OS. Using Active Directory, enterprises can manage identities and provide centralized authorization to these platforms. Additionally, these products enable the authentication of non-Windows users against Active Directory, and provide single sign-on between Windows, UNIX, Linux, and Mac OS platforms. AD bridge products are very popular because they enable enterprises to leverage their significant investment in Active Directory to provide security services for other platforms and close out audit findings in the process. AD bridge products can also smooth over the integration of the increased number Mac OS systems in the enterprise.

SIMs

Security information management (SIM) is not usually considered an identity management technology. Recently, however, enterprises have been using SIM products in ways that complement their identity management initiatives. In addition to incident management, enterprises are now leveraging SIM products to assist with authorization. With the SIM product, application owners can evaluate user access over a specified time at the beginning of an application security review. Getting authorization right means getting security right, with the added benefits of closing compliance gaps and audit findings.

Entitlement management

It's still early days for entitlement management products. Compared to WAM systems, they provide a much deeper level of authorization capabilities with the added benefit of eXtensible Access Control Markup Language (XACML) interoperability. This interoperability provides investment protection by enabling enterprises to build components which should work with multiple entitlement management products. When the products were first introduced several years ago, enterprises had to develop their own custom components. The vendors are now providing plug-ins for application servers like IBM WebSphere and Microsoft Windows platforms (including SharePoint). Entitlement management products are hardly mainstream, but many large financial institutions with challenging compliance mandates have deployed them.

Virtual directories

Virtual directory products, provide a valuable service. They enable maximal consumption of user and policy information by the security applications that need this information. Virtual directories can present this information via LDAP. Behind the scenes, virtual directories map the information from a variety of repositories, including relational databases, LDAP directory servers, Active Directory, and even the mainframe without implementing an expensive and time-consuming meta-directory. In the past, the default consumer of information from virtual directories has been WAM systems. Recently, enterprises are deploying virtual directories for other identity applications including entitlement management, federation, and enterprise single sign-on (SSO).

Enterprise SSO

While WAM systems provide single sign-on for Web applications, enterprise SSO products try to solve the "last mile" problem by reducing the number of sign-ons to client/server and mainframe applications. Enterprise SSO products have been available for well over a decade, but their deployment has recently picked up, especially in the healthcare and financial service markets. Enterprise SSO products have become easier to deploy because they require less customization than in the past. A new trend is transaction-level integration between enterprise SSO systems and the target application. One example of transaction-level integration is a healthcare application that prompts the enterprise SSO application to re-authenticate the doctor before allowing the writing of a prescription.

Integration

In many cases, identity management products can be blended to reap additional benefits.

For example, organizations are integrating enterprise SSO with provisioning and strong authentication products to improve application security. Provisioning products provide better security because they can change passwords more frequently in both the target application and the user's enterprise SSO wallet. Strong authentication systems (like OTPs) solve the "keys to the kingdom" problem -- eliminating weak password-based authentication, which enables access to many applications.

Meanwhile, WAM and federation products are "best friends forever" because neither product provides the complete security package for Web applications, but when combined, work synergistically. WAM provides the authorization and session management, while federation provides the enterprise-to-enterprise (E2E) SSO functionality.

Another trend in the enterprise is the coupling of provisioning and strong authentication systems (e.g., OTP or smart card). When integrated, the provisioning system can manage most aspects of the authentication device. Two benefits are the elimination of near-duplicative identity management processes and timelier identity lifecycle management, which becomes especially important when employees are terminated.

Another integration example is the use of Active Directory in conjunction with an AD bridge product to provide central authentication and authorization services for non-Windows platforms. One vendor, Likewise, provides a free, open source AD bridge product that can unite Active Directory to non-Windows platforms.

Suites Not Necessarily the Answer

Instead of going to the trouble of integrating identity management products, why not just buy a suite from a single vendor? The ostensible benefits of purchasing a suite include a lower average price per product, and vendor-specific synergies between the products.

While it is probable that the average software cost per product will be lower, experience has shown that most organizations end up paying more due to substitute software products or customization services.

As for vendor-specific synergies between products, very few exist. These synergies are generally divided into two areas: a common administration console, and enhanced interoperability between products. A common administration console across the vendor's identity management products provides value if the same IT people are managing multiple identity management products. Identity management products from the same vendor provide very few interoperability features over the interoperability that exists across identity management products from different vendors. Some examples of cross-vendor interoperability include: federation products which support cookie types for different WAM systems; WAM products which work with virtually any directory server; and provisioning systems that target platforms from different vendors

IAM in a Tough Economy

While there are numerous benefits to IAM technologies, the current fiscal environment means that identity management projects are facing increased scrutiny. Organizations must be especially careful about identity management product selection, derive more value from their existing products, look for hard cost savings, and consider building identity management functionality in-house.

First, organizations should look for buried treasure within their identity management product licenses to determine if they can get more value from their existing solutions.. For example, many early WAM deployments started and ended with Web servers because the WAM technology did not provide authorization to other platforms such as application servers and ERP applications. Times have changed, and today the WAM system may be able to provide security for these platforms without additional license purchases.

Another cost-saving strategy, is the use of Active Directory in conjunction with an AD bridge product to provide central authentication and authorization services for non-Windows platforms.

As IT budget gets cut in difficult economic times, the buy versus build equation changes. In many cases, organizations can tactically solve some problems by developing small identity applications. Examples include self-service portals, provisioning connectors for internally developed applications using Service Provisioning Markup Language (SPML), and developing SIM applications using tools like Splunk.

As the economy improves, organizations will swing back to a buy mentality and identity management products will continue to evolve to meet organizational needs. Privileged account management, AD bridge, and virtual directory products will close compliance gaps and reduce costs.

Forget about the past and the perceived glacial pace of innovation. Advancements will indeed take hold where identity management technology evolves to provide identity services. What's more, the service-based approach will enable the products to interoperate more deeply via standards-based protocols offering more integration than ever before..

This was first published in May 2009

Dig deeper on Active Directory and LDAP Security

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close