Documentation P-Synch Overview Enterprise Identity Management

Defining Enterprise Identity Management

Abstract

Identity management involves technology that manages a basic issue: information about people is distributed among too many systems, and is consequently difficult to manage. This document defines the components of enterprise identity management technologies. It describes the underlying business problem of managing user identity information on a variety of systems. It then defines identity management in the context of this problem, and describes technologies used to manage user identities effectively in the enterprise.

Introduction

Identity management involves technology that manages a basic issue: information about people is distributed among too many systems, and is consequently difficult to manage.

This document defines the components of enterprise identity management technologies. It describes the underlying business problem of managing user identity information on a variety of systems. It then defines identity management in the context of this problem, and describes technologies used to manage user identities effectively in the enterprise.

The remainder of this paper is organized as follows:

• A variety of identity stores:

  A description of why enterprises manage user profile data in a diversity of systems.

• Enterprise-wide identity management - the challenge:

  A step-by-step description of why managing user identity data is difficult in a large organization.

• Relevant technologies - the solutions:

  How different technologies help to streamline and secure the identity management process.

• Identity management - a simple definition:

  A definition for what constitutes identity management, given the preceding description of the business problem and its technological solutions.

• Beyond the enterprise:

  How identity management technologies may soon extend beyond the boundaries of a single enterprise.

• Conclusions:

  Some conclusions about the state of identity management today.

• References:

  Where to learn more about identity management.

A variety of identity stores

Modern enterprises run a complex array of IT infrastructure, including:

• Network operating systems.
• A variety of servers.
• User directories.
• Human resources, payroll and contract management systems.
• A variety of line-of-business applications.
• Customer relationship management (CRM) systems.
• Electronic commerce applications.

Many kinds of users access these systems, including:

• Employees.
• Contractors.
• Partners.
• Vendors.
• Customers.

Almost every system must track valid users, and control what they can and cannot see and do. The access management process includes management of data about:

• User identity.
• User authentication.
• Access controls over data and functions.

The diversity of these systems -- each with their own administration software, people and processes -- and the fact that users typically access multiple systems, makes managing this data about users difficult at best, and an obstacle to doing business at worst.

Identity management technologies attempt to simplify the administration of this distributed, overlapping and sometimes contradictory data about the users of an organization's information technology systems.

Enterprise-wide identity management: the challenge

Different kinds of principals

Enterprises manage identity data about two broad kinds of principals:

• Insiders: including employees and contractors.

  Insiders spend most or all of their working hours engaged with the enterprise. They typically access multiple internal systems of the enterprise, and their identity profiles are relatively detailed.

• Outsiders: including customers, partners and vendors.

  There are normally many more outsiders than insiders. Outsiders generally access only a few systems (e.g., CRM, e-Commerce, retirement benefits, etc.), and access these systems infrequently. Identity profiles about outsiders tend to be less detailed and less accurate than about insiders.

The difference between insiders and outsiders, and how this impacts identity management, may be illustrated by an example:

Consider a bank, with 15,000 employees, 5,000 contractors and 500,000 customers. Insiders at the bank are the 20,000 employees and contractors. Insiders log into a network operating system, corporate Intranet, line-of-business applications, corporate mainframe, e-mail systems and Internet gateway. Their identity profiles include data relating to their employment and their many login IDs to internal systems. Insiders access components of their identity profile, in particular login IDs to various systems, many times each day. Outsiders are primarily current and prospective bank customers. Their profiles may include from one to three login IDs and passwords -- for Internet-, telephone- and ATM-based electronic banking. Their profiles also include customer information such as a mailing address and account numbers. Outsiders only access their login IDs occasionally. Personal profile data provided by outsiders, such as full name, home telephone number, or e-mail address may be inaccurate.

Different kinds of identity data

Just as there are different kinds of principals whose identity an enterprise must manage, there are different kinds of data about these principals that must be managed:

• Personal information.

  This includes names, contact information, and demographic data such as gender or date of birth.

• Legal information.

  This includes information about the legal relationship between the enterprise and the principal: social security number, compensation, contract, start date, termination date, etc.

• Login credentials to managed systems.

  On most systems, this is a login ID and password. Identification may also use a PKI certificate, and authentication may use tokens or biometrics or a set of personal questions that the user must answer.

Identity life cycle

The key problems of managing identity data in an enterprise can be understood by considering the life cycle of an identity profile:

• Initial setup:

  User profiles must be setup when a user joins the organization. The process of adding users depends on the kind of user: insider or outsiders. In any case, the requirements for the setup process are timely completion and entry of complete and accurate data.

• Change and maintenance:

  Once setup, user accounts must be managed. This includes routine password changes, and administration actions such as name changes, adding and removing individual login accounts, and changing privileges on existing accounts.

• Tear-down:

  When a user leaves an organization, their record should be appropriately flagged, and their access to systems should be disabled. The key requirement the systems access of all terminated users should be disabled reliably and quickly.

Key identity challenges

Identity management presents several challenges in an enterprise-scale organization:

• Consistency:

  User profile data entered into different systems should be consistent. This includes name, login ID, contact information, termination date, etc.

  The fact that each system has its own user profile management system makes this difficult.

• Efficiency:

  Setting a user to access multiple systems is repetitive. Doing so with the tools provided with each system is needlessly costly.

• Usability:

  When users access multiple systems, they may be presented with multiple login IDs, multiple passwords and multiple sign-on screens. This complexity is burdensome to users, who consequently have problems accessing systems and incur productivity and support costs.

• Reliability:

  User profile data should be reliable -- especially if it is used to control access to sensitive data or resources. That means that the process used to update user information on every system must produce data that is complete, timely and accurate.

• Scalability:

  Enterprises manage user profile data for large numbers of people. There are typically tens of thousands of insiders, and hundreds of thousands of outsiders.

  Any identity management system used in this environment must scale to support the data volumes and peak transaction rates produced by large user populations.

Relevant technologies: the solutions

Several types of technologies are available to manage user identity data across the enterprise. In general, these systems focus on streamlining the identity management process, and managing data consistently across multiple systems.

Directories

A corporate directory is designed to consolidate the management of data about users, as well as other objects in the enterprise, such as user groups, servers, printers, etc.

Data is stored on one or more directory servers. These servers may replicate some or all of the data, to support scalability and high availability.

Client applications normally access data (read, write) through a standard protocol, such LDAP (light-weight directory access protocol) or X.500.

Using directories, it is possible to configure multiple applications to share data about users, rather than having each system manage its own list of users, authentication data, etc.

A key limitation of directories to simplifying identity management is integration with "legacy" systems. Mainframes, older applications, network operating systems and many other systems simply do not support the use of an external system to manage their own users.

Vendors with directory products include:

• Critical Path.
• IBM / Tivoli.
• Microsoft.
• Novell.
• Oracle.
• Siemens.
• Sun / iPlanet.

Web access management

Once a directory is in place, it is possible to manage user identity, authentication and authorization data on multiple web-based applications using a web access management (WAM) tool.

These systems replace the sign-on process on various web applications, typically using a plugin on the front-end web server. They authenticate users once, and maintain that user's authentication state even as the user navigates between applications. These systems normally also define user groups and attach users to privileges on the managed systems.

These systems provide effective access management and single sign-on to web applications. They do not, in general, support effective (or any) management of "legacy" systems such as network operating systems, mainframes, client/server applications, e-mail systems, etc.

Because these technologies focus on web-based applications, they have been more widely deployed to manage outside users than inside users.

Vendors with access management products include:

• Baltimore.
• Entegrity.
• Entrust.
• IBM.
• Netegrity.
• Novell.
• Oblix.
• Open Network Technologies.
• RSA.
• Wipro.

Password management

Users log into most systems with a login ID and password. Since passwords may be compromised over time (users write them down, attackers may guess them, etc.), it is prudent to periodically change passwords. Most modern systems, and especially those that cater to insiders, require users to change their passwords periodically. Most enterprises enforce a password change interval ranging from 30 to 90 days.

When users have multiple passwords, on multiple systems, that expire on different dates, they tend to write them down or forget them. To overcome these problems, it is desirable to provide users with a system to manage passwords consistently across multiple systems.

Password management systems generally support one or more of the following features:

• Synchronize passwords between multiple systems.
• Allow users who forgot their passwords or triggered an intruder lockout to authenticate with some other means and reset them.
• Allow IT support staff to authenticate callers and reset their forgotten or disabled passwords.
• Allow users to register -- e.g., to identify their own login IDs or to answer personal questions that can later be used for non-password authentication.

Because insiders normally have more passwords, and their passwords change more frequently, password management solutions are most relevant to them. Outsiders frequently have just one login ID and password to an enterprise's systems, and in many cases that password does not expire.

Web access management products normally have a very simple password management capability, such as self-service password reset using a single authentication question. This is frequently adequate for outsiders.

Vendors with password management products include:

• Blockade.
• Courion.
• Hitachi ID
• Net Magic.
• Proginet.

Legacy single sign-on

Users who log into many systems may prefer to sign into one master system, and thereafter be able to access systems without repeated prompts to identify and authenticate themselves.

Most legacy systems do not support an external means to identify and authenticate their users. However, it is possible to store user credentials outside of the various applications, and automatically enter them into applications when they are launched.

Legacy single sign-on (SSO) systems do just that: users sign into the SSO application, which stores every user's login ID and password to every supported application. Users launch various applications through the SSO client software, which opens the appropriate client program, and sends keystrokes to that program simulating the user typing his own login ID and password.

Since they require the installation of client software, legacy SSO systems are only appropriate for use by insiders.

Legacy SSO systems have had limited success in large production environments for a number of reasons:

• Deployment and integration costs.
• Concerns about security, due to the fact that the SSO system stores every user's password to every system.
• Concerns about availability, since if the SSO system fails, entire user populations will be unable to log into their systems, and so will basically stop working.

Some vendors with SSO products include:

• Computer Associates.
• IBM / Tivoli.
• Novell.
• Passlogix.

Account management

One of the most costly problems for enterprises is timely creation of new systems access, adjustment of systems access as user responsibilities change, and termination of access once users leave.

Where web access management (WAM) systems address this problem for web-based applications, the problem remains for "legacy" systems, including network operating systems mainframes, database servers, ERP applications and more. These systems all manage internal user profiles, and do not have the ability to refer to an external directory to look up user identity, authentication and authorization data.

As a result, users must be provisioned access to such systems directly, and their records in these systems must be individually adjusted or deleted when their responsibilities change, or they leave the organization.

Account management systems attempt to streamline the administration of user identity across multiple systems. They normally include one or more of the following features:

• A consolidated facility for managing user access to multiple systems at once.
• A workflow system where users can submit requests for new, changed or terminated systems access, and these requests are automatically routed to the appropriate people for approvals. Approved requests trigger creation of accounts and allocation of other resources.
• Automatic replication of data, and in particular of user records, between multiple systems and directories.
• A facility for loading batch changes to user directories.
• Automatic creation, change or removal of access to system resources based on policies, and triggered by changes to information elsewhere (for example, in an HR system or corporate directory).

Account management systems focus on insiders, since outsiders are already well served by web access management systems, which typically manage this data in a single directory (e.g., using LDAP).

Account management systems normally provide one or more of the following capabilities:

• Consolidated, cross-platform security administration.

Account management systems sometimes also include a simple password management capability. As with web access management systems, this capability is usually limited.

The major drawback of access management systems is deployment time and cost. Some systems can take literally years to deploy.

Some vendors with access management products include:

• Access360
• BMC
• Business Layers
• Computer Associates
• IBM / Tivoli
• Hitachi ID
• Waveset

Profile update

User identity normally includes personal information, such as name, telephone number, e-mail address, home address, date of birth, etc.

Some of this information changes over time. Changes to personal data should be easy to manage, and be automatically reflected in systems such as the corporate directory and individual systems that users log into.

Most customer relationship management (CRM) systems include some facility to manage user profiles either administratively or using a self-service method. This capability is also available in some web access management systems, access management systems and password management systems.

It is helpful to allow users to enter and manage those parts of their own profiles where new data is either not sensitive or does not have to be validated. Examples of data that users should be able to enter themselves include their contact information outside of work, date of birth, etc.

Identity management: a simple definition

With the above sections in mind, we propose a simple definition to encapsulate the various capabilities of enterprise identity management technologies:

Identity management systems are IT infrastructures designed to consolidate and streamline the management of user identity, authentication and authorization data. For both insiders and outsiders, this includes directories and some facilities to manage user profiles. For outsiders, this includes web access management and simple password management systems. For insiders, this includes access management, full-featured password management and web access management systems.

In the context of this definition, insiders means employees and contractors who work primarily for the organization in question. Outsiders are all other users who interact with or are represented by the organization's IT systems.

Beyond the enterprise

Identity management can extend beyond a single organization:

• Customers would like to access multiple web sites without re-authenticating to each one.
• Employees would like to access vendor web resources without registering or re-authenticating.
• Companies would like to be able to provision their own users with access to partner and vendor resources automatically.

Identity management that reaches beyond a single organization requires that the IT infrastructure of one organization be compatible with the infrastructure of others. This compatibility calls for standards, and these standards are already being developed:

• Single sign-on between web sites:
  • Microsoft passport: http://www.passport.com/.
  • The Liberty alliance: http://www.projectliberty.org/.

• A standard way for web sites and web browsers to exchange information about how they manage personal user information, and what is acceptable, respectively:

  Platform for Privacy Preferences (P3P):
  http://www.w3.org/P3P/

• A standard protocol to provision users with resources, even across corporate boundaries:
  • XRPM.

• A standard protocol for one organization's servers to answer another organization's servers security questions about its own users:

  Security Assertions Markup Language (SAML)
  http://www.oasis-open.org/committees/security/#documents.

Conclusions

Identity management is an emerging class of technologies intended to streamline the management of user identity information both inside and outside an enterprise.

Identity management technologies vary in their maturity:

• Mature, widely-deployed technologies:
  • Directories, especially those using LDAP.
  • Password management.
  • Web access management and web single sign-on.

  These technologies have significant install bases in production, and demonstrate real, measurable ROI.

• Promising new technologies:
  • Access management.
  • Profile update.

  These technologies promise significant ROIs. There are relatively few large production implementations, and deployment can still be costly.

• Marginal technologies:
  • Legacy single sign-on.

  These technologies yield a relatively small ROI at a high deployment and maintenance cost.

References

• Basic functional definition of current technologies:
  • What is Identity Management?, Rutrell Yasin, Information Security Magazine, April 2002,
    http://www.infosecuritymag.com/2002/apr/cover_casestudy.shtml

  • Identity Management: The Business Context of Security, PriceWaterhouseCoopers, January 2002,
    http://www.pwcglobal.com/extweb/manissue.nsf/DocID/2019770AA6282B3C85256B4A000ED4C7.

• Various projects to make identity management span multiple systems on the Internet:
  • Microsoft passport: http://www.passport.com/.
  • The Liberty alliance: http://www.projectliberty.org/.
  • W3C P3P Project: http://www.w3.org/P3P/.
  • Identity Management Based On P3P, Oliver Berthold, Marit Khntopp, January 2001,
    http://www.koehntopp.de/marit/pub/idmanage/p3p/.
  • Security Assertions Markup Language (SAML),
    http://www.oasis-open.org/committees/security/#documents.

© Hitachi ID Systems, Inc. 2008. All rights reserved.