Defining Enterprise Identity Management
Abstract
Identity management is the combination of business process and technology used to manage data on IT systems and applications about users. Managed data includes user objects, identity attributes, security privileges and authentication factors.
This document defines the components of enterprise identity management. It describes the underlying business problem of managing user identity information on multiple, heterogeneous systems and applications. It then defines identity management in the context of this problem and describes technologies used to manage user identities more effectively.
Introduction
Identity management is the combination of business process and technology used to manage data on IT systems and applications about users. Managed data includes user objects, identity attributes, security privileges and authentication factors.
This document defines the components of enterprise identity management. It describes the underlying business problem of managing user identity information on multiple, heterogeneous systems and applications. It then defines identity management in the context of this problem and describes technologies used to manage user identities more effectively.
The remainder of this paper is organized as follows:
- A variety of identity stores:
A description of why enterprises manage user profile data in a diversity of systems.
- Enterprise-wide identity management - the challenge:
A step-by-step description of why managing user identity data is difficult in a large organization.
- Relevant technologies - the solutions:
How different technologies help to streamline and secure the identity management process.
- Identity management - a simple definition:
A definition for what constitutes identity management, given the preceding description of the business problem and its technological solutions.
- Beyond the enterprise:
How identity management technologies may soon extend beyond the boundaries of a single enterprise.
- Conclusions:
Some conclusions about the state of identity management today.
- References:
Where to learn more about identity management.
A variety of identity stores
Modern enterprises run a complex mix of IT infrastructure, including:
- Network operating systems, used to share files and printers.
- Application servers, running web servers, databases and similar software.
- Mainframe and midrange servers, typically hosting legacy applications.
- E-mail and other collaboration software.
- User directories, publishing lists of users and other network objects.
- Human resources, payroll and contractor management systems.
- A variety of line-of-business applications.
- Customer relationship management (CRM) and enterprise resource planning (ERP) applications.
- Electronic commerce applications.
Many kinds of users access these systems, including:
- Employees.
- Contractors.
- Partners.
- Vendors.
- Customers.
Almost every system and application tracks its own users, how they sign in (i.e., their passwords) and their privileges (i.e., what they can see and do). This data about users must be managed when users are hired, when their business roles or identifying information change and when they leave.
The diversity of these systems, each with its own security management user interface, administrators and change request processes, creates complexity. This complexity impacts the IT operation -- the same human user must be managed by different IT staff on different parts of the infrastructure. The complexity also impacts users -- it can take a long time to make required changes and users are forced to memorize multiple login IDs, passwords and application sign-on processes.
This complexity leads to high IT cost, lower user productivity and security exposures.
Identity management technologies simplify the administration of this distributed, overlapping and sometimes contradictory data about users.
Enterprise-wide identity management: the challenge
In this document, "enterprise" refers simply to medium to large organizations, with thousands of internal users.
Different kinds of users
Enterprises manage identity data about two broad kinds of users:
- Insiders: including employees and contractors.
Insiders spend most of their working hours engaged with the enterprise. They often access multiple internal systems and their identity profiles are relatively complex.
- Outsiders: including customers, partners and vendors.
There are normally many more outsiders than insiders. Outsiders generally access only a few systems (e.g., CRM, e-Commerce, retirement benefits, etc.) and access these systems infrequently. Identity profiles about outsiders tend to be less detailed and less accurate than those about insiders.
The difference between insiders and outsiders, and how this impacts identity management, may be illustrated by an example:
Consider a bank, with 15,000 employees, 5,000 contractors and 500,000 customers. Insiders at the bank are the 20,000 employees and contractors.
Insiders log into a network operating system, corporate Intranet, line-of-business applications, corporate mainframe, e-mail systems and Internet gateway. Their identity profiles include data relating to their employment and their many login IDs to internal systems. Insiders access components of their identity profile, in particular login IDs to various systems, many times each day. Outsiders are primarily current and prospective bank customers. Their profiles may include from one to three login IDs and passwords -- for Internet-, telephone- and ATM-based electronic banking. Their profiles also include customer information such as a mailing address and account numbers. Outsiders only access their login IDs occasionally. Personal profile data provided by outsiders, such as full name, home telephone number, or e-mail address may be inaccurate.
Different kinds of identity data
Just as there are different kinds of users whose identity an enterprise must manage, there are different kinds of data about these users that must be managed:
- Personal information.
This includes names, contact information and demographic data such as gender or date of birth.
- Legal information.
This includes information about the legal relationship between the enterprise and the user: social security number, compensation, contract, start date, termination date, etc.
- Login credentials to managed systems.
On most systems, this is a login ID and password. Identification may also use a PKI certificate and authentication may use tokens or biometrics or a set of personal questions that the user must answer.
Identity life cycle
The key problems of managing identity data in an enterprise can be understood by considering the life cycle of an identity profile:
- Onboarding:
User profiles must be set up when a user joins the organization. The process of adding users depends on the kind of user: insider or outsider. In any case, the requirements for the setup process are timely completion and entry of complete and accurate data.
- Change and maintenance:
Once created, user accounts must be managed. This includes routine password changes and administration actions such as name changes, adding and removing individual login accounts and changing privileges on existing accounts.
- Termination:
When a user leaves an organization, their record should be appropriately flagged and their access to systems should be disabled. The key requirement is that system access for all terminated users be disabled reliably and quickly.
Key identity challenges
Identity management presents several challenges in an enterprise-scale organization:
- Consistency:
User profile data entered into different systems should be consistent. This includes name, login ID, contact information, termination date, etc.
The fact that each system has its own user profile management system makes this difficult.
- Efficiency:
Setting up a user to access multiple systems is repetitive. Doing so with the tools provided with each system is needlessly costly.
- Usability:
When users access multiple systems, they may be presented with multiple login IDs, multiple passwords and multiple sign-on screens. This complexity is burdensome to users, who consequently have problems accessing systems and incur productivity and support costs.
- Reliability:
User profile data should be reliable -- especially if it is used to control access to sensitive data or resources. That means that the process used to update user information on every system must produce data that is complete, timely and accurate.
- Scalability:
Enterprises manage user profile data for large numbers of people. There may be tens of thousands of insiders and hundreds of thousands of outsiders.
Any identity management system used in this environment must scale to support the data volumes and peak transaction rates produced by large user populations.
Relevant technologies: the solutions
Several types of technologies are available to manage user identity data across the enterprise. In general, these systems focus on streamlining the identity management process and managing data consistently across multiple systems.
Directories
A corporate directory is designed to consolidate the management of data about users, as well as other objects in the enterprise, such as user groups, servers, printers, etc.
Data is stored on one or more directory servers. These servers may replicate some or all of the data, to support scalability and high availability.
Client applications normally access data (read, write) through a standard protocol, such as LDAP (Lightweight Directory Access Protocol) or X.500.
Using directories, it is possible to configure multiple applications to share data about users, rather than having each system manage its own list of users, authentication data, etc.
A key limitation of directories as a means of simplifying identity management is integration with "legacy" systems. Mainframes, older applications, network operating systems and many other systems simply do not support the use of an external system to manage their own users.
Web access management / Web single signon
Once a directory is in place, it is possible to manage user identity, authentication and authorization data relating to multiple web-based applications using a web access management (WebAM) tool, also known as web single sign-on (WebSSO).
These systems replace the sign-on process built into multiple web applications with a single, shared infrastructure. For example, this may be accomplished using a plugin on each application web server or with a reverse web proxy front-ending one or more applications. They authenticate users once and maintain that user's authentication state in a cookie. As users click into and between applications, the WebAM inserts authentication information into their HTTP streams. WebAM systems may also provide some access control rules, for example to indicate which users may sign into which applications, or which fine-grained URLs are allowed.
WebAM systems provide effective authentication and some authorization capabilities for web-based applications. They do not, however, support single sign-on or consistent authorization on "legacy" systems such as network operating systems, mainframes, client/server applications, e-mail systems, etc. They also usually have limited capabilities for managing users -- their strength is in runtime enforcement, rather than administration.
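To make the WebAM mechanics described above concrete, the following is an added Python sketch (not code from this paper or from any vendor's product) of the decisions a reverse proxy or server plugin makes: issue a signed cookie once the shared login page has authenticated the user, verify that cookie on every request, apply URL-level access rules with a default deny, and insert the authenticated identity into the HTTP headers passed on to the application. The secret, the user names and the ACCESS_RULES table are constructed for the demonstration, and the HMAC-signed cookie stands in for whatever session format a real product uses.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Dict, Optional, Set, Tuple

# Constructed for this example: a secret held only by the WebAM layer
# (server plugin or reverse proxy), never by the applications behind it.
WEBAM_SECRET = b"constructed-demo-secret-not-for-production"
SESSION_LIFETIME = 3600  # seconds a cookie remains valid after login

# Constructed access-control rules: which users may reach which URL prefixes.
ACCESS_RULES: Dict[str, Set[str]] = {
    "/hr/": {"alice", "bob"},
    "/intranet/": {"alice", "bob", "carol"},
}


def _sign(payload: bytes) -> str:
    return hmac.new(WEBAM_SECRET, payload, hashlib.sha256).hexdigest()


def issue_session_cookie(user: str, now: float) -> str:
    """Called once, after the shared login page has authenticated the user.
    The authentication state (who, when, until when) travels in a signed cookie."""
    claims = json.dumps({"sub": user, "iat": now, "exp": now + SESSION_LIFETIME}).encode()
    body = base64.urlsafe_b64encode(claims).decode()
    return f"{body}.{_sign(claims)}"


def verify_session_cookie(cookie: str, now: float) -> Optional[str]:
    """Return the user named in a correctly signed, unexpired cookie, else None."""
    try:
        body, sig = cookie.rsplit(".", 1)
        claims = base64.urlsafe_b64decode(body)
    except (ValueError, binascii.Error):
        return None  # malformed cookie
    if not hmac.compare_digest(_sign(claims), sig):
        return None  # forged or tampered
    data = json.loads(claims)
    if now >= data["exp"]:
        return None  # expired: the user must authenticate again
    return data["sub"]


def handle_request(path: str, cookie: Optional[str], now: float) -> Tuple[int, Dict[str, str]]:
    """Reverse-proxy decision for one request: 401 when there is no valid session,
    403 when the user is not allowed, otherwise 200 plus the identity header
    that the WebAM inserts into the HTTP stream for the application."""
    user = verify_session_cookie(cookie, now) if cookie else None
    if user is None:
        return 401, {}
    for prefix, allowed in ACCESS_RULES.items():
        if path.startswith(prefix):
            if user in allowed:
                return 200, {"X-Authenticated-User": user}
            return 403, {}
    return 403, {}  # default deny: no rule covers this URL
```

Note the division of labour this illustrates: the applications behind the proxy never see a password and only trust the inserted header, so the header must be stripped from inbound client requests by the proxy and the applications must be reachable only through it.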
Password management
Users log into most systems with a login ID and password. Since passwords may be compromised over time (users write them down, attackers may guess them, etc.), it is prudent to periodically change passwords. Most modern systems and especially those that cater to insiders require users to change their passwords periodically. Most enterprises enforce a password change interval ranging from 30 to 90 days.
When users have multiple passwords, on multiple systems, that expire on different dates, they tend to write them down or forget them. To overcome these problems, it is desirable to provide users with a system to manage passwords consistently across multiple systems.
Password management systems generally support one or more of the following features:
- Synchronize passwords between multiple systems.
- Allow users who forgot their passwords or triggered an intruder lockout to authenticate with some other means and reset their passwords.
- Allow IT support staff to authenticate callers to the help desk and reset their forgotten or disabled passwords.
- Allow users to register -- e.g., to identify their own login IDs or to answer personal questions that can later be used for non-password authentication.
Because insiders normally have more passwords and their passwords change more frequently, password management solutions are most relevant to them. Outsiders frequently have just one login ID and password to an enterprise's systems and in many cases that password does not expire.
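The following added Python example (not code from this paper or from any product) works through two of the features listed above on constructed data: synchronizing one password to several systems, where the effective policy is the intersection of every target system's rules, and a self-service reset in which the user authenticates with previously registered personal questions, lockouts are cleared and the new password is synchronized. The systems, their length limits, the PBKDF2 iteration count and the user's questions are all constructed for the demonstration; real products talk to the actual password interfaces of each system.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Set, Tuple

# Constructed managed systems, each with its own password length rules.
SYSTEMS: Dict[str, Dict[str, int]] = {
    "nos": {"min_len": 8, "max_len": 14},
    "mainframe": {"min_len": 6, "max_len": 8},
    "email": {"min_len": 8, "max_len": 64},
}
# Per-system password stores (salt, hash) and intruder-lockout state, constructed for the demo.
PASSWORD_STORE: Dict[str, Dict[str, Tuple[str, str]]] = {s: {} for s in SYSTEMS}
LOCKED_OUT: Dict[str, Set[str]] = {s: set() for s in SYSTEMS}
# Personal-question answers registered by each user, kept only as salted hashes.
QA_STORE: Dict[str, Dict[str, Tuple[str, str]]] = {}
ITERATIONS = 20_000  # kept low so the example runs quickly; production uses far more


def _hash(secret: str, salt: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt.encode(), ITERATIONS).hex()


def effective_policy() -> Tuple[int, int]:
    """A synchronized password must be accepted by every target system, so the
    usable length range is the intersection of all per-system rules."""
    lo = max(p["min_len"] for p in SYSTEMS.values())
    hi = min(p["max_len"] for p in SYSTEMS.values())
    return lo, hi


def check_policy(password: str) -> List[str]:
    """Return a list of violations; empty means the password can be synchronized."""
    lo, hi = effective_policy()
    problems = []
    if lo > hi:
        problems.append("no password length can satisfy every system")
    elif not lo <= len(password) <= hi:
        problems.append(f"length must be between {lo} and {hi}")
    if not any(c.isdigit() for c in password):
        problems.append("must contain a digit")
    return problems


def synchronize_password(user: str, password: str) -> Dict[str, bool]:
    """Push one password to every system and report the per-system outcome."""
    if check_policy(password):
        return {s: False for s in SYSTEMS}
    result = {}
    for system in SYSTEMS:
        salt = secrets.token_hex(8)
        PASSWORD_STORE[system][user] = (salt, _hash(password, salt))
        result[system] = True
    return result


def verify_password(system: str, user: str, password: str) -> bool:
    """What a managed system does at login; a locked-out user fails regardless."""
    if user in LOCKED_OUT[system] or user not in PASSWORD_STORE[system]:
        return False
    salt, digest = PASSWORD_STORE[system][user]
    return hmac.compare_digest(_hash(password, salt), digest)


def register_questions(user: str, answers: Dict[str, str]) -> None:
    """Self-service registration: answers are normalized, then stored as salted hashes."""
    QA_STORE[user] = {}
    for question, answer in answers.items():
        salt = secrets.token_hex(8)
        QA_STORE[user][question] = (salt, _hash(answer.strip().lower(), salt))


def self_service_reset(user: str, answers: Dict[str, str], new_password: str,
                       required: int = 2) -> bool:
    """Authenticate with personal questions, clear intruder lockouts on every
    system and synchronize the new password. Any failure leaves state unchanged."""
    correct = 0
    for question, (salt, digest) in QA_STORE.get(user, {}).items():
        given = answers.get(question, "").strip().lower()
        if hmac.compare_digest(_hash(given, salt), digest):
            correct += 1
    if correct < required or check_policy(new_password):
        return False
    for system in SYSTEMS:
        LOCKED_OUT[system].discard(user)
    return all(synchronize_password(user, new_password).values())
```

The effective policy is the point worth noticing: with the constructed limits, the mainframe's 8-character ceiling and the other systems' 8-character floor leave exactly one acceptable length, which is the kind of constraint a synchronization product must surface to users before they choose a password.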
Enterprise single sign-on
Users who log into many systems may prefer to sign into one master system and thereafter be able to launch applications without having to type their ID or password again.
Most legacy and client/server systems cannot share authentication with modern infrastructures such as Kerberos or SAML. However, it is possible to store user credentials outside of the various applications and automatically enter them into applications when prompted.
Enterprise single sign-on (E-SSO) systems do just that: users sign into the E-SSO application, which stores every user's login ID and password to every supported application. Users launch various applications through the E-SSO client software, which opens the appropriate client program and sends keystrokes to that program simulating the user typing his own login ID and password.
Since they require the installation of client software, E-SSO systems are only appropriate for use by insiders.
E-SSO systems have had limited success in large production environments for a number of reasons:
- Deployment and integration costs.
- Concerns about security, due to the fact that the SSO system stores every user's password to every system.
- Concerns about availability, since if the SSO system fails, entire user populations will be unable to log into their systems and so will basically stop working.
Note that one E-SSO system does not store user passwords, but instead relies on password synchronization (P-Synch/SSO® -- http://Hitachi-ID.com/products/addons/psynchsso.html).
User provisioning
One of the most costly problems for enterprises is timely creation of new login IDs, adjustment of user privileges as user responsibilities change and deactivation of access once users leave.
These problems apply to the whole range of enterprise systems and applications -- directories, network operating systems, mainframes, database servers, ERP applications and more. These systems all manage internal user profiles and often cannot refer to an external directory to look up user identity, authentication and authorization data.
As a result, users must be provisioned access to such systems directly and their records in these systems must be individually adjusted or deleted when their responsibilities change, or they leave the organization.
User provisioning systems streamline the administration of user identities and privileges across multiple systems. They normally include one or more of the following features:
- Automation / Change Propagation:
Changes to user profiles on authoritative systems (e.g., HR or contractor management) trigger automatic updates to the same users' profiles on managed systems.
- Self service / Workflow:
Users or automatic processes submit change requests -- to provision new access, change existing user profiles or deactivate users. Requests are automatically routed to business users with suitable authority, who approve or reject them. Approved changes are applied to managed systems.
- Consolidation:
Security administrators with an enterprise-wide scope of authority update user access to multiple managed systems from a single security administration console that creates a consolidated view of multiple security databases.
- Delegation:
Regional or departmental security administrators are granted limited access to manage some users, on some systems, through the consolidated security administration console.
- Fulfillment:
This is not so much a process as the ability of one user management system to implement changes initiated on another system.
User provisioning systems typically focus on insiders, since outsiders may be well served by simpler processes -- for example self-service enrollment and termination handled by data scrubbing (removing inactive IDs).
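The identity life cycle (onboarding, change and maintenance, termination) and the automation / change propagation feature above come together in a reconciliation step: compare what the authoritative system says against what each managed system actually holds, and emit the changes to fulfil. The following added Python example (not code from this paper or from any provisioning product) does that on a constructed HR feed and constructed account snapshots. The departments, entitlement table, login IDs and system names are all invented for the demonstration; the ordering choice, disabling terminated and unlinked accounts before any creates or changes, reflects the reliability requirement stated under Termination.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Person:
    """One record from the authoritative system (constructed HR feed)."""
    emp_id: str
    name: str
    department: str
    status: str  # "active" or "terminated"


@dataclass
class Account:
    """One login on a managed system, as read back from that system."""
    login_id: str
    owner: str  # emp_id of the person it belongs to; "" when no link is known
    enabled: bool
    groups: Set[str] = field(default_factory=set)


# Constructed policy: the systems and groups each department is entitled to.
ENTITLEMENTS: Dict[str, Dict[str, Set[str]]] = {
    "finance": {"nos": {"staff", "finance"}, "mainframe": {"gl-users"}},
    "engineering": {"nos": {"staff", "dev"}},
}

Action = Tuple[str, str, str, str]  # (action, system, login_id or emp_id, detail)


def desired_state(people: List[Person]) -> Dict[str, Dict[str, Set[str]]]:
    """system -> emp_id -> groups, for active people only."""
    wanted: Dict[str, Dict[str, Set[str]]] = {}
    for p in people:
        if p.status != "active":
            continue
        for system, groups in ENTITLEMENTS.get(p.department, {}).items():
            wanted.setdefault(system, {})[p.emp_id] = set(groups)
    return wanted


def reconcile(people: List[Person], managed: Dict[str, List[Account]]) -> List[Action]:
    """Compare authoritative data with what each managed system holds and emit the
    changes a fulfillment engine would apply. Disables come first so that a
    terminated or unlinked account never survives because of a later error."""
    actions: List[Action] = []
    wanted = desired_state(people)
    active_ids = {p.emp_id for p in people if p.status == "active"}
    for system in sorted(set(managed) | set(wanted)):
        accounts = managed.get(system, [])
        by_owner = {a.owner: a for a in accounts if a.owner}
        # Termination handling and orphan detection.
        for a in accounts:
            if a.enabled and (not a.owner or a.owner not in active_ids):
                reason = "orphan (no authoritative record)" if not a.owner else "owner terminated"
                actions.append(("disable", system, a.login_id, reason))
        # Onboarding, rehire and change propagation.
        for emp_id, groups in wanted.get(system, {}).items():
            acct = by_owner.get(emp_id)
            if acct is None:
                actions.append(("create", system, emp_id, ",".join(sorted(groups))))
                continue
            if not acct.enabled:
                actions.append(("enable", system, acct.login_id, "owner active"))
            for g in sorted(groups - acct.groups):
                actions.append(("add-group", system, acct.login_id, g))
            for g in sorted(acct.groups - groups):
                actions.append(("remove-group", system, acct.login_id, g))
    return actions


def sample_run(rehire_carol: bool = False) -> List[Action]:
    """Constructed HR feed and managed-system snapshots for the demonstration."""
    people = [
        Person("e1", "Alice", "finance", "active"),
        Person("e2", "Bob", "engineering", "active"),
        Person("e3", "Carol", "finance", "active" if rehire_carol else "terminated"),
    ]
    managed = {
        "nos": [
            Account("alice", "e1", True, {"staff"}),
            Account("carol", "e3", True, {"staff", "finance"}),
            Account("tmp-admin", "", True, {"staff"}),
        ],
        "mainframe": [
            Account("ALICE1", "e1", True, {"gl-users"}),
            Account("CAROL1", "e3", False, {"gl-users"}),
        ],
    }
    return reconcile(people, managed)


if __name__ == "__main__":
    for action in sample_run():
        print(action)
```

In a real deployment the "create" action would be handed to a workflow step for approval before fulfilment, and the orphan finding (an enabled account with no authoritative owner) is exactly the condition data scrubbing is meant to catch on outsider-facing systems.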
Profile update
User identity normally includes personal information, such as name, telephone number, e-mail address, home address, date of birth, etc.
Some of this information changes over time. Changes to personal data should be easy to manage and be automatically reflected in systems such as the corporate directory and individual systems that users log into.
Most customer relationship management (CRM) systems include some facility to manage user profiles either administratively or using a self-service method. This capability is also available in some web access management systems, access management systems and password management systems.
It is helpful to allow users to enter and manage those parts of their own profiles where new data is either not sensitive or does not have to be validated. Examples of data that users should be able to enter themselves include their contact information outside of work, date of birth, etc.
Identity management: a simple definition
With the above sections in mind, we propose a simple definition to encapsulate the various capabilities of enterprise identity management technologies:
Identity management is defined as a shared platform and consistent processes for managing information about users: who they are, how they are authenticated and what they can access.
Beyond the enterprise
Identity management can extend beyond a single organization:
- Customers would like to access multiple web sites without re-authenticating to each one.
- Employees would like to access vendor web resources without registering or re-authenticating.
- Companies would like to be able to provision their own users with access to partner and vendor resources automatically.
Federation enables applications in different domains to share information about users.
- Federated sites must have some pre-established relationship, bilaterally or in a group.
- Information about users is exchanged:
- Identity: Who is this user?
- Authentication: How/when did the user sign in?
- Authorization: What is the user allowed to do?
- Federation enables single signon between sites:
- User signs into one site (company A).
- User clicks into another site (company B).
- Site A passes information about the user to Site B.
- The user is not prompted for his ID/password by site B.
- Federation reduces administrative burden:
- Site B trusts Site A to name its own users.
- Site B does not create its own objects for Site A users.
In order to work, federation requires that software at one site can communicate identity, authentication and authorization information to software at another site:
- Different organizations use different software products to manage user identity, authentication and authorization.
- To interoperate, different software products rely on standard protocols.
- There are multiple standards regarding federation:
- Liberty Alliance ID-FF and ID-WSF.
- Security Assertions Markup Language (SAML).
- WS-Federation.
- Shibboleth.
- CardSpace.
- The standards are complex, so it is reasonable to assume that different products implement them somewhat differently, and may not be 100% compatible.
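The single sign-on exchange described in this section, as an added Python example that is not code from this paper or from any of the standards listed: site A, having authenticated its own user, issues an assertion carrying identity, authentication and authorization information for site B; site B, relying on a pre-established relationship with A, verifies the issuer, the signature, the intended audience, the lifetime and a replay cache, then opens a local session without creating its own user object. The site names, the shared key and the user are constructed. SAML and WS-Federation use XML digital signatures and their own message formats; the HMAC over a JSON payload here is a stand-in so the exchange runs with no library.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Set

# Constructed pre-established relationship: site B holds one key per trusted issuer.
SITE_A = "https://a.example"
SITE_B = "https://b.example"
TRUSTED_ISSUERS: Dict[str, bytes] = {SITE_A: b"constructed-shared-key-A"}
ASSERTION_LIFETIME = 300  # seconds an assertion stays acceptable
SEEN_ASSERTION_IDS: Set[str] = set()  # replay cache kept by site B


def _sign(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def site_a_issue_assertion(key: bytes, user: str, authn_method: str, roles: List[str],
                           audience: str, now: int, assertion_id: str) -> str:
    """Site A, after authenticating the user itself, packages the three kinds of
    information federation exchanges: identity, authentication and authorization."""
    claims = {
        "id": assertion_id, "iss": SITE_A, "aud": audience, "sub": user,
        "authn": {"method": authn_method, "at": now}, "roles": roles,
        "iat": now, "exp": now + ASSERTION_LIFETIME,
    }
    body = json.dumps(claims, sort_keys=True)
    return body + "." + _sign(key, body.encode())


def site_b_accept_assertion(token: str, now: int) -> Optional[Dict]:
    """Site B checks issuer trust, signature, audience, lifetime and replay, then
    opens a local session without creating its own user object for the visitor."""
    try:
        body, sig = token.rsplit(".", 1)
        claims = json.loads(body)
    except ValueError:
        return None  # malformed
    if not isinstance(claims, dict):
        return None
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:
        return None  # no relationship with this issuer
    if not hmac.compare_digest(_sign(key, body.encode()), sig):
        return None  # forged or altered in transit
    if claims.get("aud") != SITE_B:
        return None  # assertion meant for some other site
    if not claims["iat"] <= now < claims["exp"]:
        return None  # not yet valid or expired
    if claims["id"] in SEEN_ASSERTION_IDS:
        return None  # replayed
    SEEN_ASSERTION_IDS.add(claims["id"])
    # Site B trusts site A to name its users: the subject stays qualified by issuer.
    return {"user": f"{claims['sub']}@{claims['iss']}", "roles": claims["roles"],
            "authn_method": claims["authn"]["method"]}
```

The audience and replay checks are the ones most often missing from home-grown federation: without them an assertion issued for one partner site can be presented to another, or presented twice.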
Conclusions
Identity management is a class of technologies intended to streamline the management of user identity information both inside and outside an enterprise. It includes:
- Directories, especially those using LDAP.
- Password management.
- Enterprise single sign-on.
- Web access management and web single sign-on.
- User provisioning.
- Federation.
References
- Basic functional definition of current technologies:
  - What is Identity Management?, Rutrell Yasin, Information Security Magazine, April 2002, http://www.infosecuritymag.com/2002/apr/cover_casestudy.shtml
  - Identity Management: The Business Context of Security, PriceWaterhouseCoopers, January 2002, http://www.pwcglobal.com/extweb/manissue.nsf/DocID/2019770AA6282B3C85256B4A000ED4C7
- Various projects to make identity management span multiple systems on the Internet:
  - The Liberty Alliance: http://www.projectliberty.org/
  - W3C P3P Project: http://www.w3.org/P3P/
  - Identity Management Based On P3P, Oliver Berthold, Marit Köhntopp, January 2001, http://www.koehntopp.de/marit/pub/idmanage/p3p/
  - Security Assertions Markup Language (SAML), http://www.oasis-open.org/committees/security/#documents