Identity - dictionaries say this 8-letter word means "The collective aspect of the set of characteristics by which a thing is definitively recognizable or known." So as a human living on this planet, my name, surname, address, date of birth, PAN number, Passport Number, driver's license, fingerprint, signature and so many other attributes constitute my real-world identity. In other words, identity is basically something a person IS, a person KNOWS, a person HAS, or a person DOES. A subset of these identity attributes is used to do the following things:
These five activities - identification, authentication, authorization, accountability and audit - define the major control objectives for any Identity Management system.
In this digital age, we increasingly imitate our physical life onto the digital canvas. This requires many of our identity aspects of real world (as discussed above) to be readily available in the digital world as well. Our digital identity is becoming equally as important as our real- world identity. We buy things, pay our bills, pay income tax, manage back accounts, do ticket booking, communicate with others, and even socialize over the Internet. All these online activities deal with many people and many different systems and applications. These cannot be controlled and managed easily with our same old username/password, though the username/password is still used heavily as a part of modern Identity Management system. There is an inevitable need for sophisticated technologies to manage identities.
In this article we will discuss identity management from the perspective of governing bodies or corporations that directly or indirectly deal with multiple identities. These governing bodies may be a government concerned about its citizens, a corporation managing and facilitating its employees, educational institutions managing their students, hospitals with many patients and doctors, or anyone who has to deal with a lot of digital identities. The following sections will cover:
Traditionally, identity management has been associated with maintaining user account information and controlling access to system or set of applications. From the information technology perspective, this was started mainly as multiple users (such as different Unix users) trying to gain access to a limited set of resources or applications.
The notion of identity was further refined with the advent of directory (X.500) standards. Directories have extended the user identity perspective to other identifiable objects in the organization, such as country, organization units, and even systems and hardware. As the information systems grew larger and complex, the meaning and management of Identity has also evolved greatly. Given the growth pace of businesses and information technologies around the world, the number of identities to be managed (users, systems, applications, offices) has outpaced traditional identity management practices. In the following section, we'll see why it has become inevitable to have an modern identity management story.
Ever tried changing address in your passport? It requires a fair amount of effort, if not a lot. Much identity information, such as an address, is quite dynamic in nature - and in the case of digital identities, this is even more the case. Consider the following scenarios:
All these scenarios and many more clearly depicts that digital identities and their relationships are much more dynamic as compared to our real world identity. This is just one of the reasons why do we require sophisticated technologies and specialized process, tools and practices to manage digital identities efficiently.
Let's look at some of the most important business reasons why identity management is being, or has been, among the top IT spending items for IT deployments across the globe.
As we discussed earlier, historically authentication and authorization have been the main (and perhaps the only) agenda of identity management for system administrators. Even now, they are the central need as far as security is concerned. But now the need has expanded to more advanced authentication methods and more refined and flexible authorization policies.
Another important aspect regarding security is maintaining consistent security policies and identity data across the IT infrastructure. If consistency is not maintained across heterogeneous and distributed identity deployments, then it may pose a major security risk.
Also, there may be many internal support requirements, such as employees forgetting passwords. This may become even more serious if there are multiple systems requiring different authentications for end users. The pressing need is to increase the productivity of support tasks and focus on business goals.
As information technology has matured and became part of daily routine, even users who have been "controlled" until now have started asking for their share of control. Now users want to at least control the things which solely matter to them, such as passwords, personal preferences, profiles containing their personal details, etc. This means that users must have options for self service and personalization, which has been managed by administrators until now.
How many times during the past year you have heard about companies being taken over? If you follow business proceedings even a little, the answer would be "many." These acquisitions or mergers are not only a challenging task for finance departments, they also pose a major challenge for the IT departments of the affected companies. Once such a business decision is made, the employees of both companies should be given access to shared resources and be associated with similar identities, under one umbrella company. The newly merged company may also want to adjust its business policies, security policies, and identity policies that govern access control. Given all the above, the speed of reaction to changes by IT departments is very crucial for the success of the merger or acquisition.
Another important business concern in recent years is compliance with laws and regulations for security and privacy. There are several such regulations, such as HIPAA, the Privacy Act, etc., that must be implemented across the organization. As the majority of businesses depend heavily on IT to solve crucial business needs, it is also mandatory for IT systems to comply with applicable regulations. Regulatory compliance is also one of the most important aspects of identity management deployments these days.
Organizations have not implemented all the IT services and applications in one go; it has been a gradual process. So it's not a matter of days or month, but years. During this time, systems and applications that manage users have matured: groupware (mailing) applications, databases, text messengers, HR and Finance applications, business applications, time tracking applications, knowledge bases, and so on.
All these applications require user accounts for controlling access. Let's suppose a company enforces a security policy that requires every employee to change his or her password every two months. Now imagine the mess that would happen trying to manage identities without any sophisticated identity management practices (for example, synchronizing all the identity stores).
Taking a very simplistic view - identity management means that the right people get access to the right services. To achieve this, identity management uses set of technologies, tools, processes, social contracts, and best practices that fit into an entire enterprise IT story - including network, platforms, OS, applications, middleware, etc. In any IT implementation, all enterprise IT stack components must deal with identities in one way or the other. The business needs, as discussed in previous section, are compelling enough for any IT administrator to go ahead and deploy an identity management solution. Notably, people join and leave their employers or institutions, and companies buy other companies or do mergers - this adds to the need for solid identity management solutions.
Any Identity Management deployment process must go through these three high-level activities:
1. Establish policies to fit the organization's security requirements.
2. Once policies are in place, formulate a process and workflow to utilize the policies.
3. Select the right set of technologies to implement the process and workflow.
Because identity management is complex in nature and involves many activities, there cannot be a short and sweet answer to "What is identity management" that explains the entire story. Identity Management is a combination of various concepts and components that collectively explain its true meaning. So let's examine these various concepts and components one by one ...
Going back to our real-world identity scenario, did you notice what is the backbone of the entire IT system? You can get a driver's license by showing your date of birth proof (e.g., birth certificate) and address proof to the authorities (and of course, you must know how to drive). You can use this license to get a PAN card or a passport. You can use the passport to get a visa to another country, and so on.
This entire identity system is based on trust, which means that a particular piece of information is correct, assuming it is provided by an authentic authority. Even in the digital identity world, this trust plays a major role; it is associated to authority, risk, etc. Making or destroying trust is not a one-time activity; it is a process that takes its own course. With respect to IT, trusting a person or application gives the rights to manipulate the system within allowed limits.
One of the core objective of any Identity Management system is to maintain a digital identity life cycle: creating an identity, managing and maintaining an identity, using an identity, and finally terminating the digital identity. There may also be a requirement for temporarily suspending or resuming any identity.
Given the quantity of identity information to be managed in modern IT systems, having an automated workflow for managing identity life cycle is very important. Typically, all the above life cycle operations are important, but use and management of identities are the most important tasks for any modern day identity management system.
If trust is the backbone, then policies are the veins that hold all the pieces together. Any identity management deployment is governed by various policies, including identity, authentication, authorization, privacy, trust, password, and provisioning. Policies serve as central decision points at various stages in the identity management workflow. These decisions include how authentication for a particular resource shall be performed, who are allowed to access various resources, how much user information can be made public, and how new identities are to be established, maintained or destroyed.
Authentication policies determine how a particular resources is to be secured. Authentication is the process of establishing the identity of person or application/system to determine the "who" factor - most often, authentication is concerned with humans. With the availability of advanced authentication methods this can be done in many ways. A person can be authenticated by determining what he knows (such as a password), what he poses (smart card or token), or who he is (a fingerprint or other biometric authentication method).
Any mature Identity Management system uses the concept of Roles for access control and authorization. Roles are typically established if a person belongs to a particular group of person who shares the same characteristics. For example, this could be the managers in an organization or the people working in the Finance department. Alternatively, roles can be assigned based on other attributes. For example, all persons below 18 years of age can be assigned a role of "minor." Roles help define policies at very high level without worrying about changes in personal attributes.
As we discussed above, authentication helps in determining the "who" factor. Once the "who" is identified, the next step is the "what is allowed" factor, which is called authorization. Authorization is typically governed by various authorization policies, but like the advancement of authentication methods, the authorization process has also matured. Now people talk about Role Based Access Control (RBAC) or Attribute Based Access Control (ABAC). Both RBAC and ABAC were indirectly discussed in the Roles section above; access control decisions are made depending on whether a person belongs to a particular group or has certain attributes.
As information technologies become commodities, users expect more convenience from any electronic system. We except our profiles to be readily available for any online transactions, if required. We want the content served to us to be of our choice: we want personalized web experiences. We want to change our password, or in case we forget our credentials, retrieve them without any intervention from anyone else. All these expectations require a user-centric approach of identity management, where the user has control over his or her identity information.
Auditing is one of the major components of modern day identity systems which helps a lot to prove compliance to latest regulatory policies by governments. Also they are quite helpful in establishing accountability within any system.
In recent times, a lot of information has been converted from paper format to electronic format. Although the electronic format enables us to store, process, and manage data much more efficiently than paper, it has its own share of challenges. Data in electronic form can be very easily replicated, shared and transmitted, which poses privacy threat to users.
Managing user privacy is another challenge for Identity Management deployments. Privacy is controlled by having privacy policies in place and technologies to safe guard personal data against theft. These days, users are given control over private information, such as how much to share and with whom to share. Privacy management is also addressed in some ways by emerging trends such as federation and distributed Identity Management, which do not require users to share their private data with each service provider.
Identity Federation is one of the hot technologies helping to complete the vision of Identity Management. Federation recognizes that an individual's identity cannot be restricted to the boundaries of an organization or a single Identity Management deployment. For example, a sales team employee may want to create a sales report by pulling information from suppliers, internal network and partners. That requires access to three different networks.
To illustrate further, let's say you are planning a vacation. You need to get an airline ticket, a hotel booking, taxi booking, or maybe local sightseeing booking. If all these entities trust each other and collaborate, then it can make life very easy. You can authenticate to and provide your personal information to just one entity (say, the airlines). Then later this can be federated across all others (hotel, taxi, travel agent, etc.).
Federation requires multiple identity providers to work together, even if they are from different vendors. This calls for standardization of sharing identity related information. Multiple standards bodies are working towards this goal, resulting in SAML (Security Assertion Markup Language), Liberty Alliance, WS-Security, etc.
Identity Management uses a mixed bag of technologies. Some of the technologies have been there for years (cryptography, directories, etc.) and are still being used by both legacy and modern systems. Others have been specifically developed for needs of identity management, such as SAML, Liberty, SSO, etc. On the one hand, mixed technologies makes some aspects challenging; on the other hand, that adaptation of multiple technologies has made Identity Management systems flexible and open to many different technologies. Let's take a look at the technologies that help in deploying any Identity Management solution ...
One of the most important requirement for any Identity Management system is to securely store data on one or more directory servers. Directories have played a key role in centralizing the identity data (such as username, password and personal attributes) to be used across different applications throughout the enterprise. A corporate directory is designed to store and manage data about users, as well as other objects in the enterprise, such as user groups, servers, printers, etc. These directory servers may replicate some or all of the data, to support scalability and high availability. Standard protocols such as LDAP (Lightweight Directory Access Protocol) or X.500 are used to access (read or write) data in directories. There are many active vendors in directory market, including IBM, Microsoft, Novell, Sun, etc.
In the previous section, we discussed the concept of Identity Federation. Federation can also be discussed in terms of the technology involved in identity management. Much work has been done to design a framework and protocol for securely exchanging identity information across systems. Federation relies heavily on standard technologies such as SAML, SOAP, WS-Security, etc. The Security Assertion Markup Language (SAML) provides a set of XML and SOAP-based services, protocols, and formats for exchanging authentication and authorization information. WS-Security defines mechanisms implemented in SOAP headers. To add to these, one of the mostly used application layer protocol in the world - HTTP/S - is used to carry information across different systems.
In Identity Management terminology, the authentication entity is also referred to as the Identity Provider, responsible for authenticating a user by associating them with a given identity. Authentication has come of age; today it stands as a very mature technology. There are multiple ways of authenticating a user, such as using passwords, smart cards, biometric scans, and PKI certificates. If multi-factor authentication is required, a combination of authentication methods can be used.
Access Policies are at the heart of any Identity Management system, providing authorization and access control. Authorization providers must support various levels of access control. These may include simple OS-level access control, Role Based Access Control (RBAC), access control based on various business rules, or flexible and distributed policy based authorization at the application or service level. There is lot of work going on in the access control field with new concepts being introduced frequently, be it Role Based Access Control, Attribute Based Access Control, Rule Based Access Control, Business Policy Based Access Control, etc.
Identity provisioning has two aspects: user accounts and resources. User account provisioning deals with identity information related to individuals and their attributes. It includes many core functions, such as adding, modifying, deleting, suspending, or resuming any user identity information. Resource provisioning, on the other hand, is the provisioning of identities to systems and services that the user identity has approval to use. Standardization efforts are ongoing to automate provisioning by using OASIS standards such as SPML (Service Provisioning Markup Language). Going forward, these are likely to become mandatory inclusions for Identity Management systems.
Cryptography and PKI (certificate management) are perhaps the de facto technologies whenever information is exchanged over the wire or authentication is needed. They are very well established technologies and are core components in the identity management technology suite, used for securely exchanging identity information, for authentication, for establishing trust relationships, for federation, etc.
Auditing a server is one of the most essential technologies used in deploying identity Management. It tracks the creation of identities, their modification and usage. This information is used to determine how, when, and by whom a policy is broken, if at all.
Most organizations have already moved to provide web-based services to their users. A typical large enterprise may have 10's or even 100's of in-house web applications, with most of them requiring authentications. The organization may also require users to access applications while on the move, or from remote locations. This requires front-ending the applications using a web access management solution. These systems authenticate users once and maintain the user's authentication state, even as the user navigates among different applications. These systems normally also define user groups and attach users to privileges on the managed systems. Thus, they provide effective access management and single sign-on to web applications.
Most critical systems and applications require users to identify themselves and authenticate before they gain access. Single sign-on systems attempt to capture identification and authentication information once, and then automatically provide it to systems accessed by the user. The objective of single sign-on systems is to reduce the number of different authenticators a user must have or know, and to reduce the frequency with which the user must provide those authenticators to systems.
|Identity Management system|
|controls:||identification, authentication, authorization, accountability & audit|
|involves:||identity operations creation, modification, utilization, termination, suspension & resumption|
|is governed by these policies:||identity, authentication, access control, provisioning, privacy, trust, password, audit, authorization etc.|
|uses these technologies:||directories, SAML, SOAP, HTTP/S, Cryptography, PKI, Liberty, SSO, Web access management, WS-Security, auditing, provisioning etc.|
Table 1: Identity Management System at a glance
Although identity management is moving ahead by leaps and bounds, there are certain aspects yet to be resolved completely. Following are some of the major challenges for the identity management space:
The future of Identity Management looks very interesting and promising. With everything going "2.0" way - web 2.0, Internet 2.0, etc - even identity management is going the Identity 2.0 way. If we observe the current work being done in this space, it clearly indicates we are moving towards user-centric identity Management. Of course, identity federation is one of the best things that has happened to Identity Management, but different visionaries have already started looking beyond federation.
There is a lot happening around distributed Identity Management. Many upcoming technologies and products, such as LID, OpenID, i-names, and sxips, support the notion of URL-based identities. These identities can be distributed and hosted anywhere and can be accessed using simple web techniques.
Then there are many companies doing lot many interesting things in identity world. One example is Higgins, which is an open source framework supported by IBM/Novell. It enables users and other systems to integrate identity, profile, and relationship information across multiple heterogeneous systems. Microsoft has been working on its own vision of identity management using CardSpace, which is shipped with Windows Vista. Microsoft and IBM are working together to develop various web service protocol specifications (WS-*), including WS-Trust, WS-Policy, WS-Federation, WS-Security, etc. And Novell has developed open source version of Infocard, using technology provided by the Bandit project. Given all these, there is lot more exciting stuff in pipeline related to identity management.
Many of the concepts discussed in this article are so expansive in themselves that each of them could be covered in an entire article - or maybe even a book, for that matter. These concepts would include access control, regulatory compliance, federation, directories, privacy management, identity standards, etc. But the objective of this document is to help you understand how these different technology pieces fit together to provide a identity management solution. I hope to have met this objective, and that you have had a good experience reading through these concepts on identity management.