Identity Management 2.0: The Secret Revolution

Updated: August 21, 2012

You would be hard-pressed to flip through any technology magazine or online IT publication without finding an article about some new Web 2.0 capability. And while there have been tremendous advancements in ways to use the Web, there are also some remarkable and widely applied developments in security and identity management technologies that go unrecognized because they quietly operate in the background. These technologies are critical for anyone who directly uses the Internet or relies on organizations that do, which is essentially everyone. This secret security revolution is known as Identity Management 2.0.

Identity Management 1.0

Before discussing Identity Management 2.0, it is important to define the previous generation, Identity Management 1.0, an advance in its own right with respect to supervising network identities. Identity management is the practice of managing users' electronic identities as well as the means by which they can access various resources. Since the advent of the computer, IT security professionals have been dealing with the supervision of users. Of course, in the early days, managing users and access control was a simple process of locking the door and posting a guard to prevent anyone from coming into physical contact with the computer. Now, however, companies have critical applications that need to be accessed by anywhere from dozens to millions of users. Often, when these applications are written, developers build in their own capabilities to manage user identities. This is a flawed practice for two reasons. First, it is unlikely that the people writing these applications are experts in writing identity management code, so every application ends up with its own password storage, session handling and access checks, each with its own mistakes. Second, as an organization brings more applications online, it is also introducing additional infrastructure for managing user identities that most likely doesn't integrate with existing applications.

Stand-alone identity management solutions (Identity Management 1.0) were developed to improve upon this isolated approach to managing identities within each individual application. By establishing a centralized identity management system, organizations were able to reduce costs and meet compliance needs through automated processes and with a holistic view of users across their enterprise.

Identity management can be broken down into three functional areas: directory services, identity administration and access management.

Directory services are the key building blocks for most identity management platforms. This foundational layer consists of an LDAP (Lightweight Directory Access Protocol) directory, which holds the user identity data, including user names and password credentials (which should be stored as salted hashes, never in the clear, since the directory is the one store every application trusts). Most enterprise applications rely on data stored in an LDAP directory.

Identity administration is a broad functional area that encapsulates various activities such as user and group management, self-service, delegated administration and approval workflows. These capabilities are typically addressed by provisioning technologies. If you consider the directory service as the foundational layer for holding identity data, you can think of identity administration as the area that manages the complete life cycle of that data. IT professionals can create and manage rules and workflows that automate the process of creating, deleting or changing a user identity and its associated privileges in various applications. Further, an individual's ever-changing role in an organization can trigger these rules and workflows dynamically. While automation is a key benefit as manual processes become obsolete, individuals still need the ability to self-service their own accounts and to delegate certain responsibilities to others within their organization.

Access management is the area in which IT professionals can control user access to enterprise resources. While identity administration manages the life cycle of the identity data, access management is the guard at the door that determines which users may access what information.

Identity Management 2.0

Identity Management 2.0 meets the definition of a revolution. Certainly the circumstances driving the development of these 2.0 technologies can be described as revolutionary. The IT world is currently faced with an unprecedented era of governance, risk and compliance demands; increasingly sophisticated online attacks; and corporate consolidation from merger and acquisition activity.

The core platform of Identity Management 1.0 capabilities, such as authentication, authorization, user provisioning, password management and the like, has provided a base for improving security and automating manual processes to drive down operational costs. Identity Management 2.0 extends the core platform to offer stronger forms of authentication, risk-based authorization and fine-grained entitlements, user provisioning based on roles and relationships, as well as the ability to virtualize identities, all in an effort to address the next generation of requirements and threats.

Strong Authentication and Risk-Based Authorization

Anyone who has an email account without a spam filter has surely seen a message from a "financial institution" asking the reader to click through to verify or update personal account information. And while the savvy Internet user quickly recognizes this as a phishing scam to capture account information, there are far more sophisticated attacks. For example, a Trojan horse on your computer can change your DNS (Domain Name System) settings so that your attempt to access a legitimate Web site is silently redirected to a fraudulent one (an attack known as pharming). Such sites are designed to look every bit as real as the legitimate site, but the user information entered there is captured by thieves waiting to quickly deplete the account of its assets. This is one of many examples of the new types of organized crime being perpetrated on individuals and institutions the world over.

Fortunately, there are technologies designed to counter these attacks. Software-based strong authenticators are available to prevent user name, password and security-question data from being captured as the user enters it. These typically take the form of on-screen pads for entering question, quiz, key, PIN or text data, which keeps the secret out of the keystroke stream that a simple keylogger records. Further, these pads can be personalized (for example, with an image or phrase the user chose at enrollment) so that a user would never input information into a pad he or she does not recognize; a fraudulent site that has not already compromised the account cannot reproduce the personalization. Practitioners should note the limit of this defense: malware that captures the screen rather than keystrokes can still observe the pad, so it complements rather than replaces the risk-based checks described next.

Even with all the protection of these stronger forms of authentication, users may still divulge their account information to unscrupulous people. Again, there are Identity Management 2.0 products that will halt fraudulent transactions even when the criminal presents valid (stolen) credentials. Through risk-based authorization, a user's session behavior is continuously compared with the pattern established over previous sessions. For example, if a user typically accesses his or her account during certain hours from a specific machine, but then attempts to access the account outside of this usage pattern, the system can immediately block the transaction or prompt the user for further information to validate his or her identity (a step-up challenge). The comparison is made on signals the server observes, such as time of day, the device used, network location and transaction size, rather than on anything the user types, which is why it still works after credentials have been stolen.
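The following is an added example, not code from the article or from any identity management product, showing how the risk-based decision just described can be made in practice. A user's baseline (usual hours, known devices, usual countries, typical transfer size) is compared with each new event; signals that fire are weighted and summed, and the total maps to allow, step-up or deny. The baseline, the signals, their weights and the thresholds are all assumptions chosen for the demo, and the events are constructed.

```python
"""Risk-based authorization over constructed session events.

Added example, not code from the article or any Identity Management
product. The baseline profile, the risk signals, their weights and the
decision thresholds are all assumptions chosen to keep the demo readable.
"""
from dataclasses import dataclass

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"

# Assumed weights per risk signal and thresholds on the summed score.
WEIGHTS = {"off_hours": 20, "new_device": 35, "new_country": 40, "large_amount": 30}
STEP_UP_AT, DENY_AT = 30, 70


@dataclass
class Profile:
    """What has been learned about a user's normal sessions."""
    usual_hours: range           # local hours in which logins are typical
    known_devices: set           # device fingerprints seen and verified before
    usual_countries: set
    typical_max_amount: float    # largest transfer seen in the learning window


@dataclass
class Event:
    """One login or transaction attempt, as the access layer would see it."""
    user: str
    hour: int
    device: str
    country: str
    amount: float = 0.0          # 0 for a plain login


def score(event, profile):
    """Return (risk score, list of signals that fired) for one event."""
    signals = []
    if event.hour not in profile.usual_hours:
        signals.append("off_hours")
    if event.device not in profile.known_devices:
        signals.append("new_device")
    if event.country not in profile.usual_countries:
        signals.append("new_country")
    if event.amount > 2 * profile.typical_max_amount:
        signals.append("large_amount")
    return sum(WEIGHTS[s] for s in signals), signals


def decide(event, profile):
    """Map the score to allow / step-up (ask for more proof) / deny."""
    total, signals = score(event, profile)
    if total >= DENY_AT:
        return DENY, total, signals
    if total >= STEP_UP_AT:
        return STEP_UP, total, signals
    return ALLOW, total, signals


def confirm_step_up(event, profile):
    """Once the user passes the extra challenge, the device becomes known."""
    profile.known_devices.add(event.device)


def make_sample_profile():
    # Constructed baseline for a demo user: weekday office hours, one laptop,
    # logins only from the US, transfers never above 500.
    return Profile(range(8, 19), {"laptop-a1"}, {"US"}, 500.0)


# Constructed events: a normal login, a late-night login from the usual
# laptop, a login from a device never seen, and a large transfer at 3 a.m.
# from a new device in a country the user has never used.
SAMPLE_EVENTS = [
    Event("alice", 10, "laptop-a1", "US", 120.0),
    Event("alice", 23, "laptop-a1", "US"),
    Event("alice", 10, "phone-z9", "US"),
    Event("alice", 3, "phone-z9", "RO", 4000.0),
]


def run_demo():
    """Decisions for the sample events, in order."""
    profile = make_sample_profile()
    return [decide(e, profile)[0] for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    profile = make_sample_profile()
    for e in SAMPLE_EVENTS:
        outcome, total, signals = decide(e, profile)
        print(f"{e.user} h={e.hour:02d} {e.device:10} {e.country} "
              f"{e.amount:>8.2f} -> {outcome} ({total}: {signals})")
```

Note that a single weak signal (the late-night login from the known laptop) is allowed, one stronger signal triggers a step-up, and the combination of several is denied outright; after a successful step-up the new device is added to the profile, so the same phone is allowed next time. Only the weights and thresholds would change in a real deployment, where they are tuned against observed fraud.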

Fine-Grained Entitlements

In the Identity Management 1.0 world, access management systems were a tremendous advancement for centrally managing policies and user access rights to the various connected applications. What they lacked, however, was the ability to make fine-grained authorization decisions. Once a user has been granted access to the application, it is up to the application itself to police what the user can do. In the Identity Management 2.0 world, a fine-grained entitlements solution can allow or deny very specific actions within the application based on policies and contextual information. Picture a hotel with 50 rooms: a key card issued to an individual allows access to his or her assigned room. Once in the room, the individual can do whatever he or she wants to do, such as watch movies or get a drink from the minibar. This is roughly analogous to an Identity Management 1.0 access management solution. Applying this same analogy to a fine-grained entitlements transaction: once the user has entered the room, access to movies or the minibar can be granted based on policies and decisions with respect to how old the individual is or how much money he or she has already charged to the room. In this heightened world of regulatory controls, you quickly see how powerful a solution this is. Junior equities traders can be restricted from accumulating positions over a certain threshold, or a physician can be limited to viewing patient information only for patients directly under his or her care.
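As an added example (not code from the article or any product), here is a small policy decision point that contrasts the two models above: a coarse, application-level check that says only whether a user may enter the application, and action-level policies that decide each request from the attributes of the subject, the action and the resource. The two policies model the article's physician and junior-trader cases; the attribute names, position limits and sample subjects are assumptions made for the demo.

```python
"""A small policy decision point (PDP) for fine-grained entitlements.

Added example, not code from the article or any product. The policy set,
the attribute names and the sample subjects are assumptions made for the
demo; the two policies model the article's physician and junior-trader cases.
"""
from dataclasses import dataclass, field

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# Assumed position limits per trading role (in shares).
POSITION_LIMITS = {"junior_trader": 10_000, "senior_trader": 250_000}


@dataclass
class Request:
    """Who wants to do what to which resource, with attributes on each."""
    subject: dict               # e.g. role, patients in care, current positions
    action: str                 # e.g. "view_record", "place_order"
    resource: dict              # e.g. patient_id, or symbol and quantity
    context: dict = field(default_factory=dict)


# --- Identity Management 1.0 style: coarse, application-level access --------
def coarse_decision(subject, app):
    """In or out of the application; what happens inside is up to the app."""
    return PERMIT if app in subject.get("apps", set()) else DENY


# --- Identity Management 2.0 style: action-level policies -------------------
# Each policy is (target, condition). The first policy whose target matches
# the request decides: Permit if its condition holds, otherwise Deny.

def targets_physician_view(r):
    return r.subject.get("role") == "physician" and r.action == "view_record"


def patient_in_own_care(r):
    return r.resource["patient_id"] in r.subject.get("patients", set())


def targets_trader_order(r):
    return r.subject.get("role") in POSITION_LIMITS and r.action == "place_order"


def within_position_limit(r):
    """The order is allowed only if the resulting position stays under the limit."""
    held = r.subject.get("positions", {}).get(r.resource["symbol"], 0)
    return held + r.resource["quantity"] <= POSITION_LIMITS[r.subject["role"]]


POLICIES = [
    (targets_physician_view, patient_in_own_care),
    (targets_trader_order, within_position_limit),
]


def fine_grained_decision(request):
    for target, condition in POLICIES:
        if target(request):
            return PERMIT if condition(request) else DENY
    return NOT_APPLICABLE       # no policy covers this action: callers treat as Deny


# Constructed subjects.
DR_LEE = {"role": "physician", "apps": {"ehr"}, "patients": {"p-101", "p-102"}}
JUNIOR = {"role": "junior_trader", "apps": {"oms"}, "positions": {"ACME": 8_000}}
SENIOR = {"role": "senior_trader", "apps": {"oms"}, "positions": {"ACME": 8_000}}


def demo_cases():
    """(coarse, fine-grained) decisions for five constructed requests."""
    cases = [
        ("ehr", Request(DR_LEE, "view_record", {"patient_id": "p-101"})),
        ("ehr", Request(DR_LEE, "view_record", {"patient_id": "p-999"})),
        ("oms", Request(JUNIOR, "place_order", {"symbol": "ACME", "quantity": 1_500})),
        ("oms", Request(JUNIOR, "place_order", {"symbol": "ACME", "quantity": 3_000})),
        ("oms", Request(SENIOR, "place_order", {"symbol": "ACME", "quantity": 3_000})),
    ]
    return [(coarse_decision(req.subject, app), fine_grained_decision(req))
            for app, req in cases]


if __name__ == "__main__":
    for coarse, fine in demo_cases():
        print(f"coarse={coarse:6}  fine-grained={fine}")
```

The coarse check returns Permit for every case, because each subject is entitled to the application; only the fine-grained policies separate the physician's own patient from a stranger's record, or the junior trader's order that stays under the limit from the one that breaches it. Note the deny-by-default fallthrough: an action no policy covers is not silently permitted.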

Role Management

Just as applications have always had the notion of users, they have frequently also had a notion of groups and roles. Unfortunately, the definition of a group or role in one application does not necessarily correspond to a group or role in another. Additionally, roles in this context are tightly tied to the semantics of the application and often don't map back to a true business role of the kind an organization typically defines. The result is a role explosion, to the point where roles themselves are fairly meaningless and impossible to manage across an enterprise: an organization might have 1,000 employees and 50,000 roles defined across its applications.

A role management solution allows an organization to mine the users of its existing applications to detect clusters or patterns, and then suggest rules and roles explaining why certain users hold certain responsibilities within specific applications. If the application administrator and the line-of-business owner agree, a business role can be created to map to this pattern. From that point the role management solution can be used to administer the complete life cycle of the various roles within the organization. Access that fits no pattern is just as valuable a finding, since it is often leftover access that should be reviewed and revoked rather than baked into a role.

For example, perhaps all individuals within an organization who live in Colorado have key cards which permit access to the Colorado office. If the Colorado facility manager and the administrator of the key card issuing system agree, then a Colorado employee role might be created with a rule that says all Colorado staff should get a key card issued with access to the Colorado office. Likewise, a pattern might be detected whereby a cluster of employees have access to three different financial systems, and each of these employees is listed in the HR system as an accounting analyst. An accounting analyst role can be created with a rule that says all accounting analysts should have accounts created in these three financial systems. Further, if a newly hired accounting analyst is located in Colorado, he or she also gets a key card issued for the Colorado office. A role management solution defines roles in easily understandable business terms, and automates the process of assigning access rights to applications.
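The mining step described in the two paragraphs above can be reduced to a concrete algorithm. The following is an added example, not code from the article or any role-management product: entitlements are clustered by the exact set of users who hold them, each cluster is tested against the HR attributes to see whether one attribute value explains its membership exactly, and clusters with no explanation are surfaced for review instead of becoming roles. The user population, HR attributes and entitlement names are constructed for the demo.

```python
"""Role mining: discover candidate business roles from existing access.

Added example, not code from the article or any role-management product.
The user population, HR attributes and entitlement names are constructed
for the demo; a real run would read them from the HR system and from each
application's account store.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

HR_ATTRIBUTES = ("title", "location")   # attributes a rule may be built on

# Constructed population: HR attributes plus the access each user holds today.
USERS = {
    "ann":  {"title": "accounting analyst", "location": "Colorado",
             "entitlements": {"fin-gl", "fin-ap", "fin-ar", "keycard-CO"}},
    "bob":  {"title": "accounting analyst", "location": "Colorado",
             "entitlements": {"fin-gl", "fin-ap", "fin-ar", "keycard-CO"}},
    "cara": {"title": "accounting analyst", "location": "Texas",
             "entitlements": {"fin-gl", "fin-ap", "fin-ar", "keycard-TX"}},
    "dan":  {"title": "sales rep", "location": "Colorado",
             "entitlements": {"crm", "keycard-CO"}},
    "eve":  {"title": "sales rep", "location": "Texas",
             "entitlements": {"crm", "keycard-TX"}},
    "finn": {"title": "engineer", "location": "Colorado",
             "entitlements": {"git", "keycard-CO"}},
    # Gail kept CRM access from an earlier job: no business rule explains it.
    "gail": {"title": "engineer", "location": "Colorado",
             "entitlements": {"git", "keycard-CO", "crm"}},
}


@dataclass
class CandidateRole:
    bundle: frozenset            # entitlements that always travel together
    members: frozenset           # users who hold exactly this bundle
    rule: Optional[tuple]        # (attribute, value) explaining membership, if any


def explain(members, users):
    """Find an HR attribute value held by exactly the members, or None."""
    for attr in HR_ATTRIBUTES:
        values = {users[u][attr] for u in members}
        if len(values) != 1:
            continue                       # members differ on this attribute
        (value,) = values
        if {u for u in users if users[u][attr] == value} == set(members):
            return (attr, value)           # everyone with this value is a member
    return None


def mine_roles(users, min_members=2):
    """Cluster entitlements by who holds them, then try to explain each cluster."""
    holders = defaultdict(set)             # entitlement -> users holding it
    for uid, u in users.items():
        for ent in u["entitlements"]:
            holders[ent].add(uid)
    bundles = defaultdict(set)             # holder set -> entitlements with it
    for ent, who in holders.items():
        bundles[frozenset(who)].add(ent)
    return [CandidateRole(frozenset(b), m, explain(m, users))
            for m, b in bundles.items() if len(m) >= min_members]


def provision(new_user, roles):
    """Access a new hire should receive, from the roles whose rule matches."""
    granted = set()
    for role in roles:
        if role.rule and new_user.get(role.rule[0]) == role.rule[1]:
            granted |= role.bundle
    return granted


if __name__ == "__main__":
    roles = mine_roles(USERS)
    for r in sorted(roles, key=lambda r: sorted(r.bundle)):
        label = f"{r.rule[0]} == {r.rule[1]!r}" if r.rule else "NO RULE FOUND - review"
        print(f"{sorted(r.bundle)} held by {sorted(r.members)}: {label}")
    print(provision({"title": "accounting analyst", "location": "Colorado"}, roles))
```

Run on the constructed population, the miner proposes the article's two roles (the three financial systems explained by the accounting analyst title, the Colorado key card explained by location) plus a Texas key card role and an engineer role, and flags the CRM cluster because Gail's leftover access means no single attribute value matches its holders. A new Colorado accounting analyst is therefore provisioned with exactly the three financial accounts and the Colorado key card, while a Texas sales rep gets only the key card until the CRM access is reviewed.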

Identity Virtualization

As noted above, directory services are the key building blocks for most identity management platforms. LDAP directories themselves are also a key building block for many enterprise applications. Applications that don't rely on directories typically rely on databases or other home-grown user repositories instead. For this reason, the more applications an enterprise has, the more repositories it typically has as well. Additionally, many applications require user data that is spread across several different directories. One solution for better management of these scattered repositories is to consolidate them into a single directory, and in fact this meta-directory approach has been common practice for many years.

In the Identity Management 2.0 world, an alternative is a virtual directory. A virtual directory sits in front of all the user repositories, and all applications access this single virtual directory, which answers each query by routing it to the repository that holds the entry and joining in attributes from the others. This approach allows new applications to be brought online more quickly and provides a combined view of all user data without moving information out of the existing repositories. It also allows an enterprise to keep user populations separated within their own repositories, which is often a requirement when, for example, the repositories sit across geographic boundaries. Because every application's identity lookups now pass through it, the virtual directory itself becomes a critical component: its availability, and the controls on which attributes it exposes to which applications, deserve the same attention as the directories behind it.
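The following is an added example, not code from the article or any directory product, of the routing and joining a virtual directory performs. Two regional directories keep their own user populations in place, an HR database contributes department data joined on the employee number, and applications see one canonical schema that exposes only the attributes the virtual directory was configured to publish (so the stored password hash never leaves the back end). The repositories, their contents and the attribute mapping are constructed for the demo; a real virtual directory would proxy LDAP and SQL back ends over the network.

```python
"""A toy virtual directory: one lookup interface over several repositories.

Added example, not code from the article or any directory product. The two
regional directories, the HR database and the attribute mapping are
constructed for the demo; a real virtual directory would proxy LDAP and SQL
back ends over the network, but the routing and join logic is the same idea.
"""


class Repository:
    """Stand-in for an LDAP directory or a database table, keyed by uid."""
    def __init__(self, name, entries):
        self.name = name
        self.entries = entries          # uid -> attributes, left in place

    def lookup(self, uid):
        return self.entries.get(uid)

    def find(self, attr, value):
        """First entry whose attribute equals value, or None."""
        return next((e for e in self.entries.values() if e.get(attr) == value), None)


class VirtualDirectory:
    """Routes each lookup to the authoritative repository and joins the rest."""
    def __init__(self, partitions, joins, schema):
        self.partitions = partitions    # ordered: first repository holding the uid wins
        self.joins = joins              # (repository, join attribute) pairs
        self.schema = schema            # backend attribute -> published name (allowlist)

    def lookup(self, uid):
        for repo in self.partitions:
            entry = repo.lookup(uid)
            if entry is not None:
                break
        else:
            return None                 # unknown in every population
        merged = dict(entry)
        for join_repo, key in self.joins:
            if entry.get(key) is None:
                continue                # nothing to join on
            extra = join_repo.find(key, entry[key])
            if extra:
                merged.update(extra)
        # Publish only mapped attributes; everything else stays in the back end.
        view = {self.schema[k]: v for k, v in merged.items() if k in self.schema}
        view["source"] = repo.name
        return view


# Constructed back ends. Password hashes are illustrative placeholders.
EU_LDAP = Repository("eu-ldap", {
    "alice": {"cn": "Alice Arndt", "mail": "alice@example.eu",
              "employeeNumber": "1001", "userPassword": "{SSHA}c2FsdGVkLWhhc2g="},
})
US_LDAP = Repository("us-ldap", {
    "bob": {"cn": "Bob Baker", "mail": "bob@example.com",
            "employeeNumber": "1002", "userPassword": "{SSHA}YW5vdGhlci1oYXNo"},
})
HR_DB = Repository("hr-db", {
    "1001": {"employeeNumber": "1001", "department": "Finance", "costCenter": "CC-44"},
    "1002": {"employeeNumber": "1002", "department": "Sales", "costCenter": "CC-12"},
})

# Canonical schema applications see; unmapped attributes are not exposed.
SCHEMA = {"cn": "name", "mail": "email",
          "employeeNumber": "employee_id", "department": "department"}


def build_directory():
    return VirtualDirectory([EU_LDAP, US_LDAP], [(HR_DB, "employeeNumber")], SCHEMA)


if __name__ == "__main__":
    vd = build_directory()
    for uid in ("alice", "bob", "nobody"):
        print(uid, "->", vd.lookup(uid))
```

The application asks one interface for "alice" and "bob" and gets the same shape of answer for both, even though the records live in different regional directories and the department comes from a third system; the password hash and cost center are never published because they are not in the schema.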

The Bottom Line

The general Internet user population has witnessed the rise in online fraud attempts, and most people in the IT field have also felt the growing pressure to meet a mountain of regulatory demands brought on by stricter governance policies. Fortunately, some software vendors have introduced technologies intended to keep companies ahead of the growing threat of online criminal activity and to make it simpler to meet and exceed regulation, whether dictated by law or corporate policy. Identity Management 2.0 is this secret revolution in technology development, but make no mistake, it won't be a secret for much longer.

Darren Calman is a director of product management in Oracle Corp.'s Identity Management and Security Group. Calman was previously vice president of business development for Phaos Technology Corp., which Oracle acquired in 2004.
