Building blocks of an identity management system

Learn best practices for securing an identity management system for users inside and outside of the organization without reducing security effectiveness.


With the growth of e-business, organizations are wrestling with the challenge of managing secure access to information and applications scattered across a wide range of internal and external computing systems. Furthermore, they have to provide access to a growing number of users, both inside and outside the corporation, without diminishing security or exposing sensitive information. The management of multiple versions of user identities across multiple applications makes the task even more daunting.

Here are the building blocks of an identity management system:

Password reset relieves the management burden and costs of password-related support calls -- while enforcing strong password policies -- by enabling users to reset their own passwords and unlock their accounts without the aid of a help desk. Typically, a user accesses a password reset application through a standard browser, Windows client or telephone (interactive voice response). Users are authenticated by a set of questions to which only they should know the answers.
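As an added example (not code from the article or from any product it names), the following Python sketch models the self-service reset flow just described: the user answers a set of challenge questions, the answers are compared against salted hashes rather than stored in clear, a strong-password rule is enforced on the replacement password, and a successful reset also clears an account lockout. The `Account` class, the attempt limit and the policy rule are assumptions made for the illustration; all data is constructed in memory.

```python
"""Self-service password reset driven by challenge questions (added example)."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000
MAX_FAILED_RESETS = 3  # assumption: lock the reset flow after three bad attempts


def _normalize(answer: str) -> str:
    # Case and stray whitespace should not cause a correct answer to fail.
    return " ".join(answer.strip().lower().split())


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # Passwords and challenge answers are both secrets; store only salted hashes.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def password_policy_ok(pw: str) -> bool:
    # Assumed policy: at least 12 characters with upper, lower and digit classes.
    return (len(pw) >= 12 and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw) and any(c.isdigit() for c in pw))


class Account:
    """Constructed in-memory account record (hypothetical, not a product schema)."""

    def __init__(self, username: str, password: str, questions):
        self.username = username
        self.locked = False
        self.failed_resets = 0
        self.pw_salt = os.urandom(16)
        self.pw_hash = _hash_secret(password, self.pw_salt)
        # Each challenge keeps its own salt so identical answers hash differently.
        self.challenges = []
        for question, answer in questions:
            salt = os.urandom(16)
            self.challenges.append((question, salt, _hash_secret(_normalize(answer), salt)))

    def verify_password(self, password: str) -> bool:
        return (not self.locked
                and hmac.compare_digest(self.pw_hash, _hash_secret(password, self.pw_salt)))


def self_service_reset(acct: Account, answers, new_password: str):
    """Return (ok, message). Answers are given in the same order as the questions."""
    if acct.failed_resets >= MAX_FAILED_RESETS:
        return False, "reset flow locked; help desk intervention required"
    if len(answers) != len(acct.challenges):
        return False, "all challenge questions must be answered"
    # Check every answer without short-circuiting, so the response does not
    # reveal which question was missed.
    all_correct = True
    for (_, salt, expected), given in zip(acct.challenges, answers):
        if not hmac.compare_digest(expected, _hash_secret(_normalize(given), salt)):
            all_correct = False
    if not all_correct:
        acct.failed_resets += 1
        return False, "challenge answers incorrect"
    if not password_policy_ok(new_password):
        return False, "new password violates the password policy"
    acct.pw_salt = os.urandom(16)
    acct.pw_hash = _hash_secret(new_password, acct.pw_salt)
    acct.locked = False          # a successful reset also unlocks the account
    acct.failed_resets = 0
    return True, "password reset and account unlocked"


if __name__ == "__main__":
    user = Account("alice", "OldPassw0rd!xyz",
                   [("First pet?", "Rex"), ("City of birth?", "  Alexandria ")])
    user.locked = True
    print(self_service_reset(user, ["rex", "alexandria"], "N3wStrongPass!2002"))
```

The same hashing routine is reused for passwords and answers so that a compromised user database exposes neither; the lockout counter belongs on the reset flow itself, since the challenge questions are the weakest credential in the chain.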

Password synchronization is also help desk friendly, requiring users to know just a single password across different systems, reducing the chance that they'll forget one or more passwords. However, unlike single sign-on (SSO) solutions, the user still has to enter an ID and password for each application. Synchronization products don't require the drastic changes to a company's existing IT infrastructure and cost that SSO or high-end access control management products require. The software typically resides on a server, and APIs link the software to databases, help desks and security frameworks.

Single sign-on can be considered a step up from password synchronization in that it lets a user log on once to a PC or network and access multiple applications and systems using a single password. Typically, products such as Computer Associates' eTrust Single Sign-On (www.ca.com), Passlogix's Single Sign-On and Blockade Systems' Web Single Sign-On authenticate the user at logon and present the available applications on the desktop. When the user selects an app, the SSO agent presents the authentication credentials in the background. On the downside, SSO technology requires its own infrastructure, such as an authentication server, that verifies user identity and permission rights before granting access to the various systems. As a result, SSO solutions are typically more costly and difficult to deploy and manage than password synchronization solutions.

Access management software lets the "good guys" into an enterprise network or e-business site while managing the content and the business they conduct online. An effective access management system incorporates one or more methods of authentication to verify the user, including passwords, digital certificates, or hardware or software tokens. Web access management software -- such as IBM Tivoli's Policy Director, Netegrity's SiteMinder, Entegrity's AssureAccess, RSA Security's ClearTrust (www.rsasecurity.com), Oblix's NetPoint, Baltimore Technologies' SelectAccess and Entrust's GetAccess (www.entrust.com) -- lets administrators centrally control user access, enabling SSO through a policy server that grants authorization rights to each application. An integral feature of these tools is the ability for administrators to delegate management of permission rights to business managers and partners. Administrators can also rescind user and group privileges to various resources.
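To make the policy-server idea concrete, here is an added example (not the code of any product named above) of a minimal central policy store: rights are granted per application to users or groups, administrators can delegate management of an application's rights to a business manager, and privileges can be rescinded for a user or a whole group. The class and method names, the default-deny rule and the audit log are assumptions of this illustration; users, groups and applications are constructed sample data.

```python
"""Minimal policy server for centralised access management (added example)."""


class PolicyServer:
    """Hypothetical policy store: deny by default, grants per application."""

    def __init__(self, admins):
        self.admins = set(admins)
        self.groups = {}      # group name -> set of usernames
        self.grants = {}      # app -> {principal: set of rights}; principal is "user:x"/"group:y"
        self.delegates = {}   # app -> set of users allowed to manage that app's rights
        self.audit = []       # (actor, action, app, principal, right) records

    # --- administration -----------------------------------------------------
    def add_member(self, group, user):
        self.groups.setdefault(group, set()).add(user)

    def is_manager(self, actor, app):
        # Administrators manage everything; delegates only their own application.
        return actor in self.admins or actor in self.delegates.get(app, set())

    def delegate(self, actor, app, manager):
        if actor not in self.admins:
            raise PermissionError(f"{actor} may not delegate rights for {app}")
        self.delegates.setdefault(app, set()).add(manager)
        self.audit.append((actor, "delegate", app, "user:" + manager, None))

    def grant(self, actor, app, principal, right):
        if not self.is_manager(actor, app):
            raise PermissionError(f"{actor} may not manage rights for {app}")
        self.grants.setdefault(app, {}).setdefault(principal, set()).add(right)
        self.audit.append((actor, "grant", app, principal, right))

    def rescind(self, actor, app, principal, right=None):
        """Remove one right, or every right when `right` is None."""
        if not self.is_manager(actor, app):
            raise PermissionError(f"{actor} may not manage rights for {app}")
        rights = self.grants.get(app, {}).get(principal, set())
        if right is None:
            rights.clear()
        else:
            rights.discard(right)
        self.audit.append((actor, "rescind", app, principal, right))

    # --- enforcement --------------------------------------------------------
    def principals_for(self, user):
        return ["user:" + user] + [
            "group:" + g for g, members in self.groups.items() if user in members]

    def authorize(self, user, app, right) -> bool:
        """Default deny: access requires an explicit grant to the user or a group."""
        app_grants = self.grants.get(app, {})
        return any(right in app_grants.get(p, set()) for p in self.principals_for(user))


def demo() -> dict:
    """Constructed scenario; returns the authorization decisions for inspection."""
    ps = PolicyServer(admins=["it-admin"])
    ps.add_member("sales", "bob")
    ps.add_member("sales", "carol")
    ps.grant("it-admin", "crm", "group:sales", "read")
    # Delegate management of the partner portal to a business manager.
    ps.delegate("it-admin", "partner-portal", "dana")
    ps.grant("dana", "partner-portal", "user:bob", "upload")
    before = ps.authorize("bob", "crm", "read")
    ps.rescind("it-admin", "crm", "group:sales", "read")   # whole group loses access
    after = ps.authorize("bob", "crm", "read")
    return {"bob_crm_before": before, "bob_crm_after": after,
            "bob_portal_upload": ps.authorize("bob", "partner-portal", "upload"),
            "carol_portal_upload": ps.authorize("carol", "partner-portal", "upload")}


if __name__ == "__main__":
    print(demo())
```

Two points of the design matter in practice: the evaluation is default deny, so a user with no matching grant is refused, and a delegate's authority is scoped to a single application, which is what makes delegation to partners safe to offer.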

About the Author:
Rutrell Yasin is a freelance writer based in Alexandria, Va. He focuses on issues related to network security and Web performance management.

This was last published in April 2002