Securing Identity: Part 3 - Infrastructure Versus Management

Identity management is often confused with identity and permissions infrastructure. Understanding the difference is key to establishing solid identity security.
Written by Earl Perkins, Contributor

META Trend: Identity management and security needs will cause an increase in enterprise directory services adoption through 2004, as existing federated directories drive more provisioning and directory integration tool use. Enterprise/extranet directory distinctions will blur through 2005 and beyond, as internal/external identity needs converge. Directory use for some application authorization roles will increase as directory functionality expands. XML will enable component databases (as next-generation directories) and better integration capability (2006-08).

Identity management has been identified as one of the most compelling focus areas for enterprises, driven primarily by attempts to realize administrative cost savings, provide better security, and implement improved service levels during organizational change and enterprise application implementations. However, as with most “hot” trends, much confusion surrounds the actual definition of identity management, definitions for the infrastructures affected by it, and the functions that drive the need for it. IT organizations (ITOs) must separate fact from marketing to develop an approach to infrastructure and services involving identity that is secure, pragmatic, and achievable. However, the need for better identity security will not be a mandate for uncontrolled spending; some prioritization of ITO tasks will also be necessary.

Deployment of enterprise directory services and associated identity and permissions infrastructure is entering mainstream maturity and will accelerate during 2003/04 as identity infrastructure upgrades are completed, while next-generation e-business needs will result in incremental scale and function “refreshes” of existing infrastructure deployments. During 2003-05, the identity management market will coalesce around several administrative and functional areas (i.e., user provisioning, delegated administration), resulting first in a convergence of administrative functions for enterprise directory and administrative workflow (see GNS Delta 1037) and later in levels of integrated, automated administration (2005/06). Key drivers for securing identity will continue to be Web application and increasing Web service deployments, regulatory/legal requirements, and service-level goals. Directory integration, identity management, and efforts to address distributed identity stores will complete convergence during 2006+ to provide richer integration functionality for federated identity stores.

An Approach to Thinking About Identity
Many vendors delivering identity and permissions (e.g., directory, metadirectory, Web single sign-on) infrastructure during 1999-2002 are now declaring themselves identity management vendors. Vendors providing administration and management applications (e.g., delegated administration, workflow, password management) during the same period are also now claiming identity management status. Who is correct, and what comes first? One method for securing enterprise identity addresses the following three major areas:

  • The primary functions of identity services (i.e., authentication, authorization, and credential storage)
  • The major infrastructure components to support the delivery of these functions (e.g., directories, metadirectory utilities, Web single sign-on, operating system authentication)
  • The management, administration, and security “umbrella” covering the infrastructure that delivers identity services, which includes:
    - User provisioning
    - Delegated administration
    - Password reset/synchronization
    - Integrated workflow
    - Auditing, logging, and reporting
Separating function from infrastructure, and infrastructure from management, is key to developing a prioritized plan to address identity security and to choosing the right partners to deliver and manage it.

An Approach to Delivering Secure Identity Services

  • Step 1 - defining the value of the resources to be accessed and the identity roles that will access them: ITOs must lead the planning effort to discover whether a standard set of “access levels” can be defined for resources and information that can also be mapped to a set of roles for user identity. This maps authentication level to resource value level (e.g., strong authentication required for high-value resources) and provides a framework to define roles for the infrastructure (e.g., manager role = access to applications A, B, and C). This information can be used to define how authentication and authorization will be delivered via the infrastructure, and provides the framework for identity management needs.
  • Step 2 - choosing the elements of identity and permissions infrastructure and implementing them: Most enterprises currently have two primary consumers of identity services - the employee or internal worker (e.g., contractor), and the customer or business partner. This is often represented by an identity infrastructure for the enterprise and an infrastructure for the Internet. An authoritative credential and identity store for future application deployments in both areas is a best practice for secure identity services and will halt the proliferation of additional identity directories and databases required by those applications. Selecting a common approach to Web-based single sign-on and directory integration is also key in this step (see GNS Delta 916).
  • Step 3 - choosing the elements of identity and permissions management that are most urgently needed and most mature, and implementing them: Steps 1 and 2 represent the “plan” and “build” aspects of secure identity services. Choosing an approach to identity and permissions management is the “run” part of building those services (i.e., providing an operational base to deliver administration and management services). E-business needs have driven the adoption of delegated administration and self-service tools, while enterprise needs have driven the adoption of password management and single-point administration available in many network operating systems. Mapping the roles from Step 1 into a user provisioning system with integrated workflow and augmenting it with rules-based processing represents a broader, more sophisticated phase of identity management that is only now being realized.
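
The Step 1 framework (resource value level mapped to required authentication strength, roles mapped to applications) and the Step 3 rules-based provisioning it feeds can be expressed as a small policy model. The following is an added illustration, not code from the META note; the role names, application names, value scale, and authentication levels are all constructed assumptions.

```python
"""Toy policy model for the Step 1 / Step 3 framework (added example).
Names, levels, and the role-to-application map are constructed assumptions."""
from dataclasses import dataclass
from enum import IntEnum


class AuthLevel(IntEnum):
    PASSWORD = 1  # single-factor authentication
    STRONG = 2    # e.g. hardware token or certificate (assumed)


@dataclass(frozen=True)
class Resource:
    name: str
    value_level: int  # constructed scale: 1 = low value, 2 = high value


@dataclass
class Session:
    user: str
    roles: set
    auth_level: AuthLevel


# Constructed role map, mirroring "manager role = access to applications A, B, and C".
ROLE_APPS = {
    "employee": {"app_a"},
    "manager": {"app_a", "app_b", "app_c"},
}

# Constructed mapping of resource value level to minimum authentication level.
REQUIRED_AUTH = {1: AuthLevel.PASSWORD, 2: AuthLevel.STRONG}


def entitlements(roles):
    """Provisioning rule (Step 3): union of applications granted by the user's roles.
    Unknown roles grant nothing, so a mistyped role cannot widen access."""
    apps = set()
    for role in roles:
        apps |= ROLE_APPS.get(role, set())
    return apps


def authorize(session, resource):
    """Step 1 check: the role must grant the resource AND the session's
    authentication strength must meet the resource's value level.
    Returns (allowed, reason) so the decision can be logged and audited."""
    if resource.name not in entitlements(session.roles):
        return False, "role does not grant resource"
    if session.auth_level < REQUIRED_AUTH[resource.value_level]:
        return False, "authentication too weak for resource value"
    return True, "ok"
```

The second check is what makes a high-value application unreachable to a manager who signed on with only a password, even though the role itself grants the application.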

Strategic Results From Tactical Steps
Although many enterprises can realize value from a multifaceted approach to identity management, it represents substantial infrastructure investments that will challenge already strained budgets. Many enterprises are realizing real savings or better security through incremental introductions. For some, a basic user provisioning tool established to initially handle a major enterprise application implementation can start as a foundation. Building on an existing delegated administration deployment from e-business is another, as is expanding password reset services to include synchronization. The initial planning done in Step 1 will help identify and prioritize the most urgent operational needs to ensure an incremental method that can also be an investment approach to delivering secure identity services.

Business Impact: Securing identity effectively ensures that the right people can access the appropriate resources and information in the most efficient manner available.

Bottom Line: Enterprises seeking to establish true, effective identity management must accommodate a broader view of enterprise identity, involving sound process, infrastructure, architecture, security, and business planning organizations to develop a prioritized list of steps to take when selecting infrastructure components, management, and administration systems.

META Group originally published this article on 13 March 2003.