David Stern, CISSP
Depending on where you sit, Identity Management (IDM) is irrelevant, a holy grail, or a complete boondoggle. Having experienced all three situations at one time or another, and more recently seeing it actually work, itâ€™s time to demystify the subject matter. In this article, we will cover the conceptual framework of Identity Management, and touch on some of the more important terms and methodologies.
Let us start out by defining an Identity. Your average enterprise uses a mix of Windows, UNIX, Mainframe, databases, applications, and networking elements. Each of these requires user interaction, which starts with a login and a password. These credentials authenticate you to the system and then determine what you are authorized to do. Your digital identity must encompass authentication and authorization information, as well as â€œwhite pagesâ€ type of information (phone number, address, title) that tie it back to the physical world. When a user presents his credentials to a system by logging in, it is known as â€œasserting credentials.â€ In the perfect IDM world, all of this information is stored in a single, universally accessible directory, sometimes known as a Meta Directory.
Single Sign On (SSO) is IDMâ€™s close cousin. In an SSO environment, a user only needs to assert his login credentials once. After that, every system and application would automatically allow him access based on his one time identity assertion. Obviously, to make this work, every system in scope needs to share the same credential store, making IDM a virtual requirement.
The business drivers for Identity Management are quite compelling. Identity Management at its highest level is a conceptual framework from which an individualâ€™s login credentials or identity is centrally managed. Outside of this framework I would need separate credentials for every server, PC, network device, web page and application that I use on a daily basis. That could amount to dozens of accounts that need to be managed individually. Inside of an Identity Management framework, my identity is created and access rights are established in one stroke. The same thing happens when my identity or rights need to be removed.
For the sake of IT newcomers, I will state that this works nicely on paper, but in reality has hurdles as high as K2. Until recently, systems have been written with no thought of commonality. Going back and rewriting or re-architecting enterprise systems can be compared to trying to change the tires on an Indy car flying down the straight away. However, the pain of distributed management was significant enough to push the industry to address the problem. Identity Management was born from this pain.
In the next part, we will look at interim solutions to the IDM challenge.