The Role of Identity Management in Information Security: Part 1 - The Planning View

Written by Chris King & Earl Perkins, Contributor

Identity management and information security are both current major concerns for enterprises. Some vendors claim to address both of these areas, but often there is confusion and even a vague uneasiness among some IT planners about the approach to both of these concerns. How much overlap is there between identity management and information security? Is there duplication of effort when addressing both? Is the current prioritization of activities effective in addressing identity and security concerns? Defining accurately what identity management and information security really are for the enterprise and its IT organization - and then correlating those explicit functional definitions - can provide a starting point for initial planning decisions and approaches to both identity management and information security, and ensure efficient use of IT resources.

META Trend: The strategic approach to information security will transform from a monolithic set of controls to an evolving program of principles, behaviors, and solutions (2003-05). The pervasive nature of information security will result in establishment of strategic programs - 40% of Global 2000 organizations in 2003, rising to 80% by 2006/07. These will be managed via dedicated program offices and budgets, and led by a chief security officer or equivalent.

Proper planning for identity management in the context of information security can result from defining identity, identity management, and information security from a functional business and an IT organization perspective and from determining the relationships that exist in those definitions. Subsequent META Practices will cover identity management engineering and operations contexts.

What Is Identity?

Previous META Group research provided some basic characteristics of the concept of identity as used by business users consuming IT services. For those users, identity is a key to unlock access to IT services. For IT organizations, identity is an asset that defines the service consumer and a critical element of the IT infrastructure itself. For information security, identity is viewed as an asset that needs protection and a resource that enables protection of other information resources. For business users, identity enables them to be effective, and is perhaps the most tangible point of contact they have with the information assets and the IT organization. Identity has various other definitions spanning legal, cultural, and other areas of an enterprise. For IT purposes, it is best to view identity as the digital “persona(s)” provided by the IT organization to “consumers” (most often people, but also can be applications, databases, or other IT resources) to determine the degree of interaction they can achieve with IT-provided services. In its purest sense, identity is a critical element for defining access to those services.

What Is Identity Management?

The term “identity management” has been used to describe so many different overhyped offerings that its use often results in confusion about what constitutes identity management and why it is relevant. Confusion still persists in many IT organizations about the concept of identity management and why they should care about it. There is a vague uneasiness among many IT planners that this should be an important and even critical concern for businesses and institutions, and that it is in some way related to information security plans.

The creation and use of identity in the IT organization spans several decades. During this time, numerous ways of creating, storing, and using identities have been invented and used in operating system, network, and application environments, primarily through the use of user identifiers or IDs. A typical business may currently have dozens of different personas (often referred to as “accounts”) for the same IT service user, merely because each system, network application, or database environment implements identity through its own technical means. The infamous “single sign-on” (SSO) debate arose from these multiple personas and the multiple ways of using them. This has also led some IT organizations to confuse identity infrastructure, which delivers authentication and authorization services to applications, with identity management, which delivers management and administration services for those identities. These are related but different functions.

Identity management is best defined as, “those IT and business processes, organizations, and technologies that are applied to ensure the integrity and privacy of identity and how it translates to access.” This makes it a crucial element of IT security infrastructure. (A more detailed functional view is outlined below.) Recently, several business drivers have elevated identity management within many IT organizations to a formal program consideration.

Drivers for Identity Management

  • Efficiency: IT infrastructure is increasing in complexity as it is called on to support multiple application architectures across multiple platform types, using personas specifically engineered for each platform. Furthermore, these multiple platform types have given rise to multiple management processes, spanning multiple communications mechanisms (e.g., administrative requests might come through e-mail, phone, or trouble tickets). The effort to reduce IT costs by attempting to address some of this variety and complexity through use of IT solutions is an efficiency move. These efforts usually show up in operational areas such as user provisioning for new service access or password resets.
  • Productivity: Related to efficiency, productivity remains a significant business driver for consideration of identity management in attempts to formalize service levels for different business units’ administrative identity functions and to create new identity services in support of new applications or services. IT organizations are considering identity management to streamline existing operational processes as well as to deliver new functionality to the end user. One way this is exhibited is in the deployment of a new workflow system for new user-access approvals, which substantially shortens the wait time for new participants in a business process. In addition, application developers can leverage common identity infrastructure to deliver solutions more rapidly, since identity needs of the application can be provided by the common infrastructure.
  • Security and compliance: Information security services that deliver confidentiality and integrity are themselves a business driver for identity management planning, due in part to the significant legal and regulatory mandates evolving at the federal and regional levels throughout the world (e.g., the US Sarbanes-Oxley Act). Issues of privacy and identity theft have also driven IT organizations to consider identity management solutions. Increased requirements to make access to resources more granular (i.e., resource access categorized by level of trust), coupled with the increasing need to grant access to people other than employees, are also common. These issues can be addressed through delegated administration services in support of Web application authorizations, or through the ability to report at any given time “who has access to what” for compliance or audit reasons (most large organizations are seeking to improve their performance on orphan-account audits, i.e., finding accounts on managed systems that no longer correspond to an active, authorized user).

Functional Areas of Identity Management

Identity management is a collection of old and new functions for maintaining and administering identities within organizations, primarily for accessing IT applications and resources. It is essentially “user life-cycle management,” reflecting the creation, maintenance, and deletion of identities over time. From a functional viewpoint, identity management includes the following areas:

  • User provisioning: Creating, maintaining, and retiring user identities for access to IT systems and services
  • Modeling and mapping: Using a management model (e.g., role-based) to efficiently map users to resources
  • Delegated administration: Giving distributed administrators a means to define a hierarchy of roles and to manage access to IT systems and services within that hierarchy
  • Self-registration or self-service: Pushing delegated administration down to the individual user, who registers and maintains a subset of his or her own identity attributes (e.g., contact details) under policy
  • Workflow: Managing identity change-request approval processes
  • Auditing, logging, and reporting: Using tools to track the history of each user life-cycle step (creation, changes, retirement), reporting that history accurately, and reconciling it against the access-control lists actually in force on the managed platforms, so that the record of what was approved can be compared with what is really granted
  • Password management: Providing an administrative interface specifically for password policies, synchronization, and enforcement
  • Integration: Using a “toolkit” such as a metadirectory service to link multiple identity sources together for easier updating
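
As an added example (not code from the original article or any of the vendors it names), the following Python illustrates the audit and reconciliation work these functions imply: it compares a constructed identity source (the kind of record an HR feed would supply) against constructed passwd- and group-format lines from a managed Unix host, reports orphan accounts and unprovisioned users, checks each account's effective groups against a simple role model (the “modeling and mapping” function), and inverts the result into the “who has access to what” report mentioned under the security and compliance driver. The user names, groups, role model, and the assumption that uids below 1000 are out-of-scope system accounts are all hypothetical choices for the example.

```python
"""Reconcile an identity source against the accounts actually present on a
managed platform. Added illustration; all data below is constructed."""

# Constructed identity source (e.g., an HR feed): user id, status, business role.
IDENTITY_SOURCE = [
    {"uid": "asmith", "status": "active", "role": "accounts_payable"},
    {"uid": "bjones", "status": "active", "role": "developer"},
    {"uid": "cwong", "status": "terminated", "role": "developer"},
    {"uid": "dlee", "status": "active", "role": "developer"},
]

# Constructed role model: platform groups each role is permitted to hold.
ROLE_MODEL = {
    "accounts_payable": {"users", "ap_approvers"},
    "developer": {"users", "developers"},
}

# Constructed /etc/passwd- and /etc/group-style lines from one managed host.
PASSWD_LINES = """\
root:x:0:0:root:/root:/bin/bash
asmith:x:1001:100:Alice Smith:/home/asmith:/bin/bash
bjones:x:1002:100:Bob Jones:/home/bjones:/bin/bash
cwong:x:1003:100:Carol Wong:/home/cwong:/bin/bash
svc_backup:x:1100:100:backup service:/var/backup:/sbin/nologin
"""
GROUP_LINES = """\
root:x:0:
users:x:100:
developers:x:200:bjones,cwong
ap_approvers:x:300:asmith
wheel:x:10:bjones
"""

SYSTEM_UID_CEILING = 1000  # assumption: uids below this are system accounts, out of scope


def parse_passwd(text):
    """Return {username: (uid, primary_gid)} from passwd-format lines."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, *_rest = line.split(":")
        accounts[name] = (int(uid), int(gid))
    return accounts


def parse_groups(text):
    """Return {group_name: (gid, set_of_supplementary_members)} from group-format lines."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def platform_memberships(accounts, groups):
    """Effective groups per account: the primary gid's group plus supplementary groups."""
    gid_to_name = {gid: name for name, (gid, _members) in groups.items()}
    memberships = {}
    for user, (_uid, gid) in accounts.items():
        held = {gname for gname, (_g, members) in groups.items() if user in members}
        if gid in gid_to_name:
            held.add(gid_to_name[gid])
        memberships[user] = held
    return memberships


def reconcile(identities, accounts, memberships, role_model):
    """Orphan accounts, unprovisioned identities, and groups held beyond the role model."""
    active = {i["uid"]: i["role"] for i in identities if i["status"] == "active"}
    known = {i["uid"] for i in identities}
    managed = {u for u, (uid, _gid) in accounts.items() if uid >= SYSTEM_UID_CEILING}

    orphans = {}
    for user in sorted(managed):
        if user not in active:  # account exists, but no active identity backs it
            orphans[user] = "terminated" if user in known else "no identity record"
    unprovisioned = sorted(u for u in active if u not in accounts)
    excess = {}
    for user, role in active.items():
        if user in memberships:
            extra = memberships[user] - role_model.get(role, set())
            if extra:
                excess[user] = sorted(extra)
    return {"orphans": orphans, "unprovisioned": unprovisioned, "excess_entitlements": excess}


def access_report(memberships):
    """'Who has access to what': invert user->groups into group->sorted users."""
    report = {}
    for user, groups in memberships.items():
        for g in groups:
            report.setdefault(g, []).append(user)
    return {g: sorted(users) for g, users in report.items()}


def run_audit():
    accounts = parse_passwd(PASSWD_LINES)
    groups = parse_groups(GROUP_LINES)
    memberships = platform_memberships(accounts, groups)
    return reconcile(IDENTITY_SOURCE, accounts, memberships, ROLE_MODEL), access_report(memberships)


if __name__ == "__main__":
    findings, who_has_what = run_audit()
    for finding, detail in findings.items():
        print(f"{finding}: {detail}")
    for group, users in sorted(who_has_what.items()):
        print(f"group {group}: {', '.join(users)}")
```

On the sample data the audit flags cwong (terminated but still present), svc_backup (an account with no identity record at all), dlee (active but never provisioned), and bjones holding wheel beyond the developer role. In a real deployment the identity source and the account dumps come from connectors to each managed platform, and the same three findings feed the provisioning workflow (retire, create, revoke) rather than a printout.
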
Clearly, identity management has a role in delivering effective information security, which indicates the need to address the following issues:
  • What should security planners be concerned about when developing and delivering an identity management solution?
  • How do infrastructure planners incorporate security solutions when planning the delivery of an identity management solution?
Principles of Information Security

The goal of information security planning for most IT organizations is to address the methods used to protect information assets from deliberate (or inadvertent) unauthorized access and misuse, and at the same time safely enable authorized users to access needed assets efficiently. The degree of information protection is a reflection of business risk. In essence, information security is the quantification and management of risk applied by the IT organization as directed by the business or institution, simply extending that organization’s culture.

Information security includes the following characteristics and capabilities:

  • Authentication: Validating that someone really is who they say they are for the purposes of access
  • Authorization: Delivering privileges or permissions that allow levels of access to IT resources
  • Confidentiality: Keeping critical information secret
  • Integrity: Providing the assurance that information can be modified only by those authorized to do so
  • Non-repudiation: Having the ability to ensure that someone cannot deny the authenticity of their signature on a document, message, or transaction that he or she originated (i.e., having the necessary evidence to trust that a transaction was originated by the stated source). In practice this requires a credential, such as a digital-signature private key, that is under the sole control of the originator; a secret shared with the verifier proves integrity but not origin, since either party could have produced the result
To deliver these capabilities requires an underlying infrastructure that identifies both the consumers of IT services and the services consumed. Services consist of computer applications, databases, and related elements that must be uniquely identified to be secured.

“Secure Identity Management”

Recent technical and marketing alliances among Web single sign-on vendors and provisioning vendors (e.g., Entrust and Waveset Technologies, RSA Security and Thor Technologies, Netegrity and Business Layers) as well as product and market positioning by vendors such as Novell, IBM Tivoli, and Computer Associates, have resulted in use of the term “secure identity management.” It is best to consider these offerings in two ways:

  • “Secure identity” management: A focus on deploying and managing secured identities via strong authentication/authorization methods, the use of encryption and digital signatures, etc.
  • Secure “identity management”: A focus on providing a secure framework for delivering identity management from a tool and administrative perspective as well as from a “secure identity” perspective
The alliances among provisioning and Web SSO vendors reflect the drive toward “secure identity” (in addition to an effort to bridge from one hot market to the next), as the major “framework” vendors strive to deliver a secure framework for identity. Of the vendors in these spaces, the Entrust/Waveset alliance and Novell’s Nsure Resources efforts are good examples of offerings whose claims rest on a substantive foundation and therefore merit evaluation.

Identity Management and Information Security: Planning Principles

In reviewing the basic definitions and principles of identity management and information security, observations and opportunities arise for correlating planning in both areas:

  • Planning for identity management is a subset of planning for information security: To effectively deliver authentication and authorization services, identity and its management are required. One can view good identity management planning as quality assurance for good information security practices, since information security functions will require identity infrastructure elements. Cost-effective information security will require cost-effective identity services. Information security planners should provide guidance to identity management planners and be part of overall project planning for identity infrastructure deployment.
  • The delivery of information security capabilities such as authentication and authorization must not be confused with identity management: Although identity infrastructure provides the capabilities for delivering information security, identity management provides the capabilities for administering and managing that infrastructure in a coherent fashion, across enterprise-level complexity. For example, SSO is not actually part of identity management, but is part of identity infrastructure services. The environment created by SSO will indeed require managing, but until the occurrence of these recent vendor alliances, SSO has been deployed separately from management systems. This is not just a matter of semantics - this issue has an impact on the way identity management systems support information security programs.
  • Identity management provides the tools for auditing and the privacy required by information security: An increasingly important aspect of securing a heterogeneous IT infrastructure is ensuring compliance with new legal and regulatory requirements at the local and federal levels. Key functions of identity management (i.e., auditing, logging, and reporting) can play an important role in fulfilling requirements for compliance.
  • Cross-enterprise identity requirements (i.e., federation of identity) will have information security ramifications and be affected by information security policy and governance: As identity usage extends beyond the confines of a single business or institution and becomes a key element of the multi-enterprise, security concerns will need to be addressed (e.g., via SAML, the Security Assertion Markup Language, a new standard specification for exchanging authentication and authorization assertions between enterprises).
  • An effective information security program will have management processes and organizational structures that will use identity management processes and organization as its foundation: Information security processes such as risk assessment will consume information about identity, its management, and safeguards to make sound judgments about risk for information resources. Identity management functions such as user provisioning can ensure that the appropriate permissions are assigned to the appropriate IT consumers, based on information security policies.
Just as one cannot manage what cannot be measured, one cannot secure what cannot be identified. Identity management can and will play a critical role in delivering an effective information security program.

Business Impact: Use of information technology to mitigate risk does not have to compete with efforts to reduce costs and streamline IT operations. In some areas, these efforts can complement each other.

Bottom Line: Organizations considering significant identity management investment must determine where identity management and information security programs have similar goals and then align the allocation of resources devoted to both efforts around that common ground. This will help to avoid duplication of effort and competing agendas. The first step is to gain an understanding of the specific identity management the enterprise needs in the context of its security and privacy planning.

BusinessWeek Online originally published this article on 19 November 2003.
