GUEST COMMENTARY

It's not what you know; it's who you... are:
The identity management challenge


Brian Cincera, Security Practice Director, Greenwich Technology Partners
07.23.2003


Brian Cincera has more than 12 years of professional experience in the design, development and implementation of enterprise security and network infrastructure systems. He has spent a considerable part of his career developing security policies and standards, application and infrastructure security testing and mitigation programs, and implementing security monitoring and management capabilities. Additionally, he has strong knowledge of and a background in enterprise-wide security assessments evaluating people, process and technical risks and controls. Prior to joining Greenwich Technology Partners as security practice director, Brian was vice president of security at two different corporations. He earned a bachelor's degree in business administration from Penn State. His professional affiliations include Information Systems Security Association and the Project Management Institute.


The old adage "It's not what you know...", when slightly twisted, represents the identity challenge that information technology and security professionals are confronted with every day. Access controls, security, regulatory compliance and service personalization all depend on the ability to differentiate one user from another. Despite the relative anonymity of the Internet, even our most basic e-mail services require uniqueness of identity in order to see that messages are properly routed. Early computing network pioneers understood the implications of identity when they created the user@domain convention.

While somewhat of a hot topic lately, identity management is not new and is deeply ingrained in our computing operations. In the broadest sense, identity management comprises the processes and tools that are used to create, manage and revoke access credentials based on characteristics about individuals. The identity management industry was spawned with the creation of the first user ID. Unfortunately, that first user ID probably still exists, and therein lies the problem.

For years, computing operations have built databases of user IDs. We have developed applications with proprietary credential stores. We have spawned directory infrastructure. We have built custom applications for creating credentials. Better application development tools have allowed us to deploy services more easily and quickly. Business pressures have expanded employee job descriptions. As a result, end users have access to more applications and have more access credentials than ever before. Setting aside the user's challenge of remembering all these credentials, businesses have to contend with the increasing workload of managing these credentials in an environment (regulatory or otherwise) that demands tighter access controls.

New identity management functions

Recent developments by software companies are helping to provide some solutions. There are a number of well-developed identity management product suites that are enabling improvements in the manageability of user identities. Standards like Security Assertion Markup Language (SAML) being developed by the OASIS Security Services Technical Committee offer the promise of better exchange of identity information between applications and organizations. Identity management services are commonly categorized by the functions they enable in organizations, including provisioning, user self-service, role and rule access control, and single sign-on, among others.

Identity provisioning solutions represent the core service of an identity management solution. Tackling the provisioning problem almost always shortens the time and complexity of requesting and creating new user IDs, and is frequently a source of cost savings. It is not uncommon for access credential requests to take two weeks to fulfill for new employees in most enterprises. The complex process of integrating human resources with access request forms, business approval cycles and security administration can leave new workers unproductive for days or weeks, waiting for access rights to required applications. Sound provisioning services also streamline the process of adjusting access rights when users change jobs or leave the organization.

User self-service solutions represent another opportunity for tremendous cost savings and improvement in the end user experience. Most traditional help desk organizations have work queues filled with requests to reset or unlock passwords to systems and applications. Web-based user self-service tools allow end users, who can properly authenticate by answering pre-defined questions, to reset their own passwords. Eliminating this function from the help desk not only saves money, it also shifts control of the process to the end user.

Role and rule access controls can be combined to create powerful and granular authentication, authorization and auditing functions. New identity management tools allow organizations to create business roles that can be assigned to users. These roles define the more general functional capabilities of groups, for example, by job function or region. Business rules define specific capabilities that are often mapped to policies or other business-driven controls. When combined, group roles and business rules can specify granular controls that can be applied to individual end users. As an example, the role of bank teller could be modified by a business rule that allows any bank teller to approve a cash withdrawal from an account, but requires that PATRIOT Act compliance forms be processed when the amount exceeds specified limits.
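The teller scenario above, as an added worked example (not code from the article or from any vendor's product): roles grant general capabilities, business rules attach conditions to specific actions, and the authorization decision is the combination of both. The role names, the withdrawal threshold and the capability names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: roles map job functions to general capabilities.
# Role names, capabilities and the threshold are assumptions, not article figures.
ROLES = {
    "teller": {"approve_withdrawal", "view_account"},
    "auditor": {"view_account"},
}
COMPLIANCE_THRESHOLD = 10_000  # assumed limit above which a compliance form is required


@dataclass
class Request:
    user: str
    roles: set
    action: str
    amount: int = 0
    compliance_form: bool = False  # True once the compliance form has been processed


@dataclass
class Decision:
    allowed: bool
    reason: str
    audit: dict = field(default_factory=dict)  # record kept for auditing functions


def rule_large_withdrawal(req: Request):
    """Business rule: a withdrawal above the threshold needs a processed compliance form."""
    if req.action == "approve_withdrawal" and req.amount > COMPLIANCE_THRESHOLD \
            and not req.compliance_form:
        return "compliance form required for amount above threshold"
    return None


RULES = [rule_large_withdrawal]  # every rule must return None for the request to pass


def authorize(req: Request) -> Decision:
    audit = {"user": req.user, "action": req.action, "amount": req.amount,
             "roles": sorted(req.roles)}
    # Role check: the union of the user's roles must grant the requested capability.
    granted = set().union(*(ROLES.get(r, set()) for r in req.roles))
    if req.action not in granted:
        return Decision(False, f"no role grants {req.action}", audit)
    # Rule check: business rules narrow what the role alone would allow.
    for rule in RULES:
        problem = rule(req)
        if problem:
            return Decision(False, problem, audit)
    return Decision(True, "role grants action and all rules satisfied", audit)
```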

Single sign-on or reduced sign-on, as is probably the more appropriate term, is considerably easier to achieve with a solid identity management core service in place. Web single sign-on success has been driven by the standardization of interfaces. Enterprise applications run the gamut from mainframe to fat client developed in every environment under the sun. While the challenge of building interfaces to these applications never goes away, a standard identity platform in an organization can reduce the administrative complexity enough to make development of interfaces justifiable. In addition, many identity management software vendors have built integration connectors with common platforms and services like Active Directory, eDirectory, RACF, Oracle, SAP and tens of others.

Key factors for a successful identity management strategy

Implementing an identity management solution is fraught with complexity. A winning identity management strategy addresses several key considerations.

  • Tackle the provisioning problem first. Since creating, revoking and managing access credentials is a core function, proper design can make or break any identity management deployment.

  • Consider identity management as a core service. Do not attempt to cost justify identity management on the basis of one or two applications. Identity management is complicated and crosscuts most administrative functions in a company. Done right, it can enable tremendous employee and customer benefits.

  • Create globally unique identifiers. Consider the use of human resources data as a means for creating the unique identifier and eliminate the temptation of allowing application, group or regionally specific identities.

  • Only deploy applications that integrate with the identity management solution. There are too many options available in the market to consider deploying any new application that does not integrate with the chosen identity management solution.

  • Strive for role-based access controls. When combined with business rules and policy enforcement, roles can be very granular. Individual access control profiles are nearly unmanageable in most organizations. Roles and rules offer the same benefit with dramatically reduced administrative burden.

  • Keep the technology hidden from users. Wherever possible, use vendor-supplied or custom connectors to shield the user from authentication technologies. PKI, certificates, tokens, biometrics and the like all have their place. The less users have to deal with them, the more comfortable they will be in adhering to the policies set by the organization.

The "last mile" of identity management, like the last mile of any technology deployment, is the challenge of integration. Applications don't integrate because we ask nicely. Organizational politics and budgets are often responsible for derailing great technical deployments. Identity management functions as deployed today are straining under the pressure of regulation, cost controls, user expectations and security vulnerabilities. New identity management platforms offer relief in the form of higher quality service delivery, lower cost and increased speed. Those who are up to the integration demands, particularly those who prioritize, stand to win the identity management challenge.

About Greenwich Technology Partners

Greenwich Technology Partners (GTP) is an independent, vendor neutral, IT infrastructure engineering and consulting firm that enables Global 2000 financial services, insurance, pharmaceutical, energy, manufacturing, telecommunications and other information-driven corporations to achieve their business objectives by optimizing the performance of their IT infrastructures.