Hot Stuff! Identity Management
One of the biggest acronyms in infosec is AAA (pronounced “triple-A”). Not a reference to a well-known motorists’ association, it stands for Authentication, Authorization, and Accounting (the third A is sometimes given as Auditing). Authentication establishes proof of identity: the user demonstrates possession of something such as a password, a hardware token, or a certificate. Authorization uses that established identity to decide whether a requested resource or service may be accessed. Accounting records who did what and when, so that access can be reviewed after the fact. Behind all three sits administration: somebody must create accounts, define groups, maintain access control lists, and manage permissions so that the controls actually implement organizational security policy and access control requirements.
In essence, identity management spans both authentication and authorization, in that it manages access to applications and networks based on user identity. What makes this topic and its tools and technologies interesting is that organizations must provide secure access to information and applications for users who may be in-house or at a remote location outside the organizational security perimeter. For operations that must be available to employees, partners, and customers alike, boundaries get wide, and sometimes fuzzy, in a hurry.
According to Rutrell Yasin, author of an excellent story “What is Identity Management,” an identity management system incorporates some or all of the following building blocks:
- Password reset: automates password functions while enforcing password policy, and lets users reset their own passwords and unlock accounts without calling the help desk. Special authentication questions and answers help identify users without requiring the password itself. Practitioners should treat those questions as a weak factor: answers are often guessable or discoverable, so reset links should be time-limited and single-use, and reset and unlock attempts should be rate-limited and logged.
- Password synchronization: allows users to employ the same password to access multiple systems, services, and resources, without the changes to company IT infrastructure that single sign-on (SSO) systems often require. The trade-off is that one compromised password now unlocks every synchronized system, so the weakest system’s password handling sets the bar for all of them.
- Single sign-on (SSO): raises the bar from password synchronization by letting users reach all necessary systems and applications through a single login. Products such as CA’s eTrust Single Sign-On and Passlogix Single Sign-On manage user authentication and supply the proper credentials to systems and applications as access to them is requested. The SSO service thereby becomes a high-value target: its credentials and session tokens must be protected at least as well as those of the most sensitive application behind it.
- Access management software: controls access to systems and applications, typically using one or more methods to authenticate users, including passwords, digital certificates, and hardware or software access tokens. Yasin’s story provides numerous examples of vendor products that support single- and multi-factor authentication.
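To make the SSO building block concrete, here is an added example (not code from the page or from any product named above) of the core exchange: a central identity provider authenticates the user once, then mints short-lived tokens bound to a single application, and each application verifies its own tokens. The class and function names, the sample user “alice”, the application names “payroll” and “wiki”, and the per-application HMAC keys are all assumptions made for illustration; real deployments use SAML or OpenID Connect with asymmetric signatures, but the checks a relying application must perform (signature, audience, expiry) are the same.

```python
"""Minimal SSO-style token broker: one login at a central identity provider,
then short-lived, audience-bound tokens for each application.
Added illustration with hypothetical names; not any product's API."""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256 with a salt per user; iteration count is modest for speed.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class IdentityProvider:
    """Central authority: authenticates once, then mints per-application tokens.
    Each relying application shares a distinct key with the IdP, so a
    compromised application cannot forge tokens for another one."""

    def __init__(self, app_keys: dict, token_ttl: int = 300):
        self._app_keys = app_keys          # audience name -> HMAC key
        self._ttl = token_ttl
        self._users = {}                   # username -> (salt, pbkdf2 hash)
        self._sessions = {}                # session id -> username

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, hash_password(password, salt))

    def login(self, username: str, password: str):
        """Return a session id on success, None on failure."""
        record = self._users.get(username)
        if record is None:
            hash_password(password, b"\x00" * 16)   # same cost for unknown users
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, hash_password(password, salt)):
            return None
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = username
        return session_id

    def issue_token(self, session_id: str, audience: str, now=None):
        """Mint a signed, expiring token scoped to exactly one application."""
        username = self._sessions.get(session_id)
        key = self._app_keys.get(audience)
        if username is None or key is None:
            return None
        now = int(time.time()) if now is None else now
        payload = {"sub": username, "aud": audience, "iat": now,
                   "exp": now + self._ttl, "jti": secrets.token_hex(8)}
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"


def verify_token(key: bytes, token: str, expected_audience: str, now=None):
    """Relying-application side: payload if the token is genuine, meant for
    this application, and unexpired; otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None                    # forged or tampered
        payload = json.loads(_unb64(body))
    except ValueError:                     # bad structure, base64, or JSON
        return None
    if not isinstance(payload, dict) or payload.get("aud") != expected_audience:
        return None                        # token replayed against another app
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None                        # expired
    return payload


# Constructed sample setup: two applications, each with its own key.
APP_KEYS = {"payroll": secrets.token_bytes(32), "wiki": secrets.token_bytes(32)}
IDP = IdentityProvider(APP_KEYS, token_ttl=300)
IDP.add_user("alice", "correct horse battery staple")


def demo(now: int = 1_700_000_000) -> dict:
    """One login, tokens for one app, and every rejection path exercised."""
    session = IDP.login("alice", "correct horse battery staple")
    tok = IDP.issue_token(session, "payroll", now=now)
    body, sig = tok.split(".")
    forged_body = json.loads(_unb64(body)); forged_body["sub"] = "mallory"
    forged = _b64(json.dumps(forged_body, sort_keys=True).encode()) + "." + sig
    return {
        "bad_password": IDP.login("alice", "wrong") is None,
        "payroll_ok": verify_token(APP_KEYS["payroll"], tok, "payroll", now)["sub"] == "alice",
        "wrong_app": verify_token(APP_KEYS["wiki"], tok, "wiki", now) is None,
        "expired": verify_token(APP_KEYS["payroll"], tok, "payroll", now + 301) is None,
        "forged_subject": verify_token(APP_KEYS["payroll"], forged, "payroll", now) is None,
        "unknown_app": IDP.issue_token(session, "hr", now=now) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The order of checks in `verify_token` is deliberate: the signature is checked before the payload is parsed, so untrusted bytes are never interpreted until they are known to come from the identity provider, and the audience check is what stops a token captured from one application from being replayed against another.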
The key idea is to provide centralized control over how identity information is obtained, stored, managed, and delivered to systems and applications on behalf of users, either inside or outside organizational security boundaries. As such, this is a fascinating technology for companies seeking to reach out beyond their physical locations to better engage employees, partners, contractors, customers, and other individuals who must access their systems and resources.