Hot Stuff: Identity Management
The April 2002 issue of Information Security magazine carries a cover story on identity management. The story defines identity management as a collection of tools and technologies that centralize the management of access controls over information and applications for users who may work inside an organization’s network perimeter (employees, temp workers, contractors, and so forth) or outside it (teleworkers, contractors, partners, customers, and so on). The guiding principle is to provide and manage user access without compromising security or granting unwanted access to sensitive data across multiple systems, applications, and sometimes even multiple directory services.
Rutrell Yasmin, the article’s author, identifies the following building blocks of an effective identity management system (no single product necessarily includes all of them):
- Password reset: this permits organizations to reset user passwords and enforce password policies without requiring admins to physically operate the individual consoles that would otherwise be involved. Password resets can often operate through a Web browser, and use multiple challenges (questions and answers) to authenticate user identity before resetting passwords automatically. Note that the challenge answers then become a credential in their own right and deserve the same protection as the password itself: stored hashed, compared in constant time, and limited in the number of attempts allowed.
- Password synchronization: provides an infrastructure (usually transparent to users) to distribute a single password for a single user identity across multiple systems. Although the password (and often the user account name) may be the same across multiple systems and applications, this differs from single sign-on in that a separate logon for each system or application is still required. One consequence is that the password is only as safe as the weakest system it is synchronized to, since a compromise of any one password store exposes the credential for all of them.
- Single sign-on: requires that users log on only once, and manages access to all systems and applications within the access controls imposed on that user’s login session. This is more sophisticated than password reset or synchronization technologies, and generally requires a dedicated authentication server and some work to permit that server to act as an intermediary for users as they attempt to access systems and applications as needed.
- Access management software: permits administrators to set and manage user access to systems and applications centrally, using one or more methods of user authentication (which may include passwords, digital certificates, hardware or software tokens, or biometric checks on identity). This also requires an infrastructure, but allows administrators to delegate authority and access controls on a local basis, while retaining global control and management authority over the entire system.
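To make the distinction between these building blocks concrete, here is a small Python model of two of them, challenge-question password reset and single sign-on, with the access list for each application held on the same central server so that the SSO token is only accepted where the user has been granted access. This is an added illustration, not code from the article or from any product named on this page; the class and method names, the token format (a JSON body plus an HMAC tag) and the sample users are assumptions made for the example. Password synchronization and delegated local administration are not modeled.

```python
"""Toy model of challenge-question password reset and single sign-on against a
central authentication server that also holds a per-application access list.
Added illustration with hypothetical names; not code from any product."""
import base64
import hashlib
import hmac
import json
import os
import secrets
import time


def _kdf(secret: str, salt: bytes) -> bytes:
    # Passwords and reset answers are both stored as salted PBKDF2 hashes.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def _norm(answer: str) -> str:
    # Challenge answers are compared case- and whitespace-insensitively.
    return " ".join(answer.split()).lower()


class AuthServer:
    MAX_RESET_ATTEMPTS = 3   # wrong answer sets allowed before reset is locked
    TOKEN_TTL = 300          # SSO token lifetime in seconds

    def __init__(self):
        self._signing_key = secrets.token_bytes(32)
        self._users = {}   # user name -> credential record
        self._acl = {}     # application name -> set of user names allowed in

    def add_user(self, name, password, answers):
        pw_salt, ans_salt = os.urandom(16), os.urandom(16)
        self._users[name] = {
            "pw_salt": pw_salt,
            "pw": _kdf(password, pw_salt),
            "ans_salt": ans_salt,
            "answers": {q: _kdf(_norm(a), ans_salt) for q, a in answers.items()},
            "reset_failures": 0,
        }

    def grant(self, app, name):
        self._acl.setdefault(app, set()).add(name)

    def check_password(self, name, password):
        rec = self._users.get(name)
        if rec is None:
            _kdf(password, b"\0" * 16)   # same cost for unknown users
            return False
        return hmac.compare_digest(rec["pw"], _kdf(password, rec["pw_salt"]))

    # Password reset: the user must answer every enrolled challenge. The answers
    # are the credential here, so they are hashed, compared in constant time and
    # rate-limited exactly like a password.
    def reset_password(self, name, given, new_password):
        rec = self._users.get(name)
        if rec is None or rec["reset_failures"] >= self.MAX_RESET_ATTEMPTS:
            return False
        ok = all(
            q in given and hmac.compare_digest(h, _kdf(_norm(given[q]), rec["ans_salt"]))
            for q, h in rec["answers"].items()
        )
        if not ok:
            rec["reset_failures"] += 1
            return False
        rec["reset_failures"] = 0
        rec["pw_salt"] = os.urandom(16)
        rec["pw"] = _kdf(new_password, rec["pw_salt"])
        return True

    # Single sign-on: one password check yields a signed, expiring token that the
    # user presents to every application instead of logging on to each one.
    def login(self, name, password):
        if not self.check_password(name, password):
            return None
        body = json.dumps({"sub": name, "exp": int(time.time()) + self.TOKEN_TTL,
                           "nonce": secrets.token_hex(8)}).encode()
        tag = hmac.new(self._signing_key, body, "sha256").digest()
        return base64.urlsafe_b64encode(body + tag).decode()

    # Called by an application with the token a user presented: the server acts
    # as intermediary, checking signature, expiry and that application's ACL.
    def validate(self, token, app):
        try:
            raw = base64.urlsafe_b64decode(token.encode())
        except (ValueError, TypeError):
            return None
        if len(raw) < 32:
            return None
        body, tag = raw[:-32], raw[-32:]
        if not hmac.compare_digest(tag, hmac.new(self._signing_key, body, "sha256").digest()):
            return None
        claims = json.loads(body)
        if claims["exp"] < time.time() or claims["sub"] not in self._acl.get(app, ()):
            return None
        return claims["sub"]


if __name__ == "__main__":
    srv = AuthServer()
    srv.add_user("alice", "correct horse battery", {"first pet": "Rover"})
    srv.grant("mail", "alice")
    token = srv.login("alice", "correct horse battery")
    print("mail:", srv.validate(token, "mail"), "payroll:", srv.validate(token, "payroll"))
    print("reset:", srv.reset_password("alice", {"first pet": "  rover "}, "new pass"))
```

The point of the model is the split of responsibilities: applications never see a password, only a token they hand back to the server for validation, and the server alone decides, from the central ACL, whether that token is good for that application. A synchronized-password design would instead copy the hash in `_users` to every application and have each of them run its own `check_password`.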
Yasmin’s article includes pointers to numerous commercial products that implement one or more of these kinds of facilities, from companies like Computer Associates, Passlogix, Blockade Systems, Tivoli, Netegrity, RSA Security, and many others. A recent story in Security Management Digest (VOL. 5, NO. 82, OCTOBER 30, 2003) highlights a new product from Courion (a company specializing in identity management solutions) that covers all of these bases except single sign-on (SSO); it is also likely to be of interest to readers seeking identity management help.