Security Weblog Enterprise Identity And Access Management Technical White Paper
Note: Working version.
1. Setting the scene
Business has always been about creating relationships with various communities, and it is widely appreciated that customer relationships are one of the most valuable assets in business. The character of relationships has, however, changed. First, the relationships span beyond the enterprise boundary and form the basis of extended business processes that connect the enterprise with the wider business ecosystem. Second, their nature is becoming more dynamic and often ad hoc, which reflects the nature of dynamic business models. Thus, to be successful, businesses today must maintain a network of dynamic relationships between customer, supplier, partner and employee communities. Third, the number of relationships is much bigger than at any time in the past.
Organisations must become more adaptive and their IT infrastructures need to be more flexible to allow for fast implementation of changes and to integrate better with the external environment. During the last decade enterprises have deployed a mix of business applications such as HR, ERP and CRM that complement their legacy bespoke systems. All these systems provide verification of user identity and authorisation of access more or less on their own. Typically, when a new relationship is introduced, user accounts and access privileges have to be set up manually across a handful of platforms. This is feasible for low numbers of users and a relatively static environment. However, as the number of users increases and changes in processes and communities become almost continuous, user identity and access policies become unmanageable, and administrative costs together with security risks increase. Most of today's enterprise IT infrastructures are too fragmented, and administrative facilities to manage user and customer security details are not up to par with the requirements outlined above, so a new approach to managing user identity and access is, of necessity, emerging.
2. Identity and access management overview
A solution that provides an integrated infrastructure catering for the requirements outlined above comprises directory, identity management, provisioning and presentation services, illustrated in an architecture outlined by Burton Group's Jamie Lewis [1], in the diagram below.
A more detailed outline of these services is given in the following sections.
2.1 Directory service
The Lightweight Directory Access Protocol (LDAP) and related LDAP directories have emerged as a de facto standard for storing user identity details for most groupware, network operating systems, e-business applications and many enterprise applications. As an open, vendor-independent standard, LDAP provides an extendable architecture for centralised storage and management of identity details and other information that needs to be available to any distributed systems or services. A directory is, in fact, a specialised database that is optimised for reading and searching. Directory service lies at the core of identity and access management infrastructure because it stores
In the past, LDAP technology aspired to provide a single server that would serve as a centralised identity store for all enterprise applications. This has been found unachievable, but the concept of the meta-directory, which provides a single point of access to several LDAP and non-LDAP directories, has been introduced. Each directory or meta-directory implementation faces several design issues. A number of technical issues are associated with the development of schemas to support several applications; political problems of ownership of identity details are the key organisational challenge, found especially in internally oriented deployments.
2.2 Provisioning
Where the concept of the meta-directory was primarily derived from the need for an enterprise-wide single point of access to identity details, provisioning addresses similar issues from the perspective of automated administration. Provisioning systems serve to automate the task of changing users' rights and privileges across multiple enterprise applications. They enable fast creation of new employee accounts and they augment existing security practices by allowing administrators to quickly cut off terminated accounts. The ultimate goal of a provisioning system, as claimed by some vendors [2], is illustrated in the following scenario: A hiring manager decides to hire a new person. She starts on Monday and needs everything ready to start working.
To implement this scenario, provisioning platforms offer roughly the following functionality:
Provisioning systems are critical for complex e-business deployments with high numbers of users, but even in an internal deployment scenario they should offer a relatively fast return on investment, in about 2 years. It is worth mentioning that provisioning systems are relatively new and their implementation faces several technical problems, especially in terms of interoperability. Business-to-employee deployments can also suffer from political problems associated with ownership of user identities, control over access rights and physical separation of internal and external directories. Identification and mapping of business processes to support provisioning activities is a difficult issue that needs to be resolved in all deployments. Another point to notice is that the line between provisioning and identity management is sometimes rather blurred. Vendors of the integrated identity and access management product suites consider most of the functions outlined above to be a part of "identity management"; for them, the provisioning service itself means the actual propagation of access rights to back-end applications.
The identity management service implements facilities to enable user registration, changes to a user's status or other details, and de-registration. These activities have traditionally been the domain of user administration and were supported by tools for managing proprietary directories. The point where identity management differs from the older user administration tools is the level of automation, which resolves logistics issues otherwise associated with distributed deployments. Identity management subsystems employ workflow in a way similar to provisioning subsystems to administer users on an individual, group and organisational basis. These features can be controlled centrally, or can be delegated to business units or to users via automated workflow processes. Workflows similar to those of the provisioning subsystem are used to automate a series of execution and approval steps conducted by users themselves, user administrators and business management. These workflows have to be based on policies pre-defined or approved by security administrators. Identity management features enable creation, deletion or modification of a user profile, and changes to a user's role or their association with a function, business unit or organisation. To improve administrative efficiency, the identity management subsystem usually provides self-service facilities that enable users to initiate the process of setting up their identity in the directory by filling out customised forms, to modify their personal details such as contact information, to manage their passwords, or to allow somebody else to log in as their temporary substitute while they are out of the office.
Delegated administration features offered by some platforms enable a number of delegated administrators from within or outside the organisation to be given authority to create or delete a user, approve requests for changes, or change the attributes that grant the user access to resources and services, all within the limits pre-defined by business policies. The typical physical architecture of an identity management platform, drawn from [3], is illustrated in the diagram.
To manage user access to system resources, it is first necessary to establish user identity and then, when the user attempts to access particular resources, to check their rights of access. There are many ways to verify user identity. The most widespread and the most obvious are usernames and passwords. However, these have several downsides, such as users needing to remember many frequently changing passwords. Hardware tokens, which combine a static PIN with a random code dynamically generated by the token, provide a more secure way of authentication. Digital certificates and smart cards can also provide authentication, as well as generate electronic signatures. Different business scenarios require the use of different mechanisms to verify the identity of users. While usernames and passwords are usually considered adequate for regular employee access to LAN-based resources, or for customers doing their shopping on an e-commerce website, use of a hardware token may be more appropriate for access to sensitive business information, and certificates are useful in situations where transactions incur legal liability. In some situations authentication can be even more complicated, as a user may need to access information of various levels of sensitivity for which various methods of access are required.
An example of this is a legal case management application where the lawyer can achieve full access to the system only when he has authenticated using a smart card, but can have limited read-only access when using a password. In this case authentication needs to be layered and tightly integrated with access control. One of the main reasons organisations decide to implement an access management product is to provide a single sign-on capability, which enables users to access a number of web sites or services without the need to re-authenticate for each subsystem. All access management products support this, but most of them only within the boundaries of one organisation. All the important vendors are working on multi-organisation single sign-on support based on the SAML open standard. In three-tier deployments, authentication can be enforced either by a proxy server placed in front of a web server or by an access management plug-in installed on the web server itself. Both architectures are depicted in the diagram below.
2.5 Access control
Technically, access control consists of access control policy definition and its enforcement, which is called authorisation. Implementation of mechanisms to control access to system resources is a must in most applications. This is hardly a novel thing. However, the variety of access control models and multi-application integration are issues specific to the adaptive e-business environment. Traditionally, access control was based on user or group access control lists, sometimes complemented by control based on location or time of access. This approach does not scale and is not flexible enough. Thus, most web-based systems employ role-based access control, where access rights are assigned against specific user attributes such as their role, rank or organisation unit. Using this model it is possible, for example, to enforce a rule where the position of an employee (e.g. Manager, Vice President, Director) determines the amount of business expenses he can authorise. In some situations, such as some healthcare or legal applications where privacy of the information is a concern, this access control model is not sufficient. In a hospital, for example, only the patient's primary care physician can amend the patient's record, while doctors associated with a particular department and nurses assigned to the patient's ward have access to the record. This case can be addressed by a rule-based access control model, where roles are allocated dynamically using a specific language that enables creation of dynamic access control policies. Since rule-based access control models are not supported by all access management products, proper care should be exercised when selecting one. In most cases, an access control service is implemented by the same piece of software as authentication - e.g. web server plug-in or proxy. In deployments where access to web applications is to be controlled, pre-built or bespoke agents placed at the application server are necessary.
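The hospital case above, worked through as an added example (not part of the original paper or of any product): a static role check is compared with rules that look at the relationship between the user and the record. All user names, attributes and the sample record are constructed for illustration.

```python
from dataclasses import dataclass

# All names and sample data below are constructed for illustration.
@dataclass(frozen=True)
class User:
    name: str
    role: str            # "doctor" or "nurse"
    department: str = ""
    ward: str = ""

@dataclass(frozen=True)
class PatientRecord:
    patient: str
    primary_physician: str
    department: str
    ward: str

def role_based_allows(user, action):
    """Static role check: any doctor may read and amend, any nurse may read."""
    permissions = {"doctor": {"read", "amend"}, "nurse": {"read"}}
    return action in permissions.get(user.role, set())

def rule_based_allows(user, action, record):
    """Rules evaluate the relationship between this user and this record."""
    if action == "amend":
        return user.role == "doctor" and user.name == record.primary_physician
    if action == "read":
        if user.role == "doctor":
            return (user.name == record.primary_physician
                    or user.department == record.department)
        if user.role == "nurse":
            return user.ward == record.ward
    return False  # default deny for unknown roles and actions

RECORD = PatientRecord("patient-17", primary_physician="dr_adams",
                       department="cardiology", ward="C2")
USERS = [
    User("dr_adams", "doctor", department="cardiology"),
    User("dr_baker", "doctor", department="cardiology"),
    User("dr_chen", "doctor", department="oncology"),
    User("nurse_diaz", "nurse", ward="C2"),
    User("nurse_evans", "nurse", ward="A1"),
]

def over_grants():
    """(user, action) pairs the role-only model allows but the rules deny."""
    return [(u.name, a) for u in USERS for a in ("read", "amend")
            if role_based_allows(u, a) and not rule_based_allows(u, a, RECORD)]

if __name__ == "__main__":
    for name, action in over_grants():
        print(f"role-only model over-grants: {name} may {action} {RECORD.patient}")
```

The pairs returned by `over_grants()` are the privacy gap the text describes: access that a role alone would grant but that the relationship to this patient does not justify.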
In scenarios where applications such as ERP, with their own strong access control mechanisms, provide the back-end services to the web portal or application, extranet components provide only authentication, but include the details of the verified identity in the message headers that are passed to the back-end systems, where authorisation decisions take place. Integration of access management with other applications is another major issue. For web-based applications that utilise URLs for resource identification this is not a problem, because access management web server plug-ins or proxies can use the URL to handle authorisation independently from applications. However, as Russel Jones illustrates in his Information Security Magazine article [4], for applications that do not use the URL for resource identification, the access management system needs to be integrated with the application in a bespoke manner.
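The following added example (not from the original paper or any vendor's product) sketches the header hand-off described above together with the layered authentication of the legal case management example: the authentication tier asserts the verified user and the method used, and the back-end authorises on that assertion only if it is intact. The header names, the shared key and the HMAC scheme are assumptions made for illustration.

```python
import hashlib
import hmac

# Hypothetical header names and a constructed demo key; not taken from any product.
SHARED_KEY = b"constructed-demo-key"
ID_HEADER, METHOD_HEADER, SIG_HEADER = "X-Auth-User", "X-Auth-Method", "X-Auth-Sig"

# Layered policy from the legal case management example:
# smart card gives full access, password gives read-only access.
ALLOWED = {"smartcard": {"read", "write"}, "password": {"read"}}

def sign_assertion(user, method):
    # Header values cannot contain newlines, so "\n" is an unambiguous separator.
    msg = f"{user}\n{method}".encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()

def proxy_forward(client_headers, user, method):
    """Authentication tier: drop client-supplied identity headers, add signed ones."""
    reserved = {ID_HEADER.lower(), METHOD_HEADER.lower(), SIG_HEADER.lower()}
    headers = {k: v for k, v in client_headers.items() if k.lower() not in reserved}
    headers.update({ID_HEADER: user, METHOD_HEADER: method,
                    SIG_HEADER: sign_assertion(user, method)})
    return headers

def backend_authorise(headers, action):
    """Back-end: verify the assertion, then decide on the authentication method."""
    user = headers.get(ID_HEADER, "")
    method = headers.get(METHOD_HEADER, "")
    sig = headers.get(SIG_HEADER, "")
    expected = sign_assertion(user, method)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False  # unsigned or altered identity headers are rejected
    return action in ALLOWED.get(method, set())
```

The signature here covers only the user and method; a deployment would also need to stop a captured header set from being reused, for example by restricting which hosts can reach the back-end.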
Personalisation is a feature that is provided by many enterprise portals and content delivery applications that uses the data that are stored for identity management purposes. These systems may need to be integrated with identity and access management and it can be done in several ways:
3. Deployment considerations
In practice it is rare to deploy identity and access management in a one-step project. It is more likely that, for resource, cost or timing considerations, it will be deployed by subsystems. Several factors may influence the decisions on priority of deployment. High-priority e-business application implementations may force an organisation to deploy the initial stage of identity and access management on an application basis. New B2E applications (such as HR support applications) may increase the number of end users considerably. In such cases, a provisioning solution that creates a more efficient user administrative process may be deployed first. For multi-organisation deployments of the B2B2C type, an identity management subsystem that would enable delegated multi-step user administration should be a priority. For portal implementations or for efforts to integrate disparate applications, web access management and specifically single sign-on deployment may take the lead. In most deployments, organisations will have to address the directory as part of the initial phase, as directory services are at the core of any identity and access management infrastructure. Some of the most important issues in this activity involve development of multi-application LDAP schemas and synchronisation with legacy directories.
4. Market overview
The market for identity and access management products is currently in flux and few vendors are getting near a complete, integrated and open standard-based solution; there is still substantial overlap between products. However, the market has been maturing rapidly and industry analysts, such as METAGroup [5], predict consolidation of the marketplace during 2002/2003. Our own research identified the following key players in the identity and access management market niche. Netegrity, with roots in web access management and web single sign-on products, has become one of the key players in this sector.
Their main product, SiteMinder, is supported by a number of third-party applications ranging from portals and content management software to CRM and ERP packages. Delegated Management Services complement SiteMinder with additional identity management services. Netegrity is still lacking administrative workflow and provisioning facilities. However, they partner with BusinessLayers and Access360 to deliver an integrated product suite.
Though Oblix's strength lies in Identity System identity management supported by an administrative workflow, they have expanded the product suite with Access System, and through an alliance with Access360 they are also covering the provisioning space. Currently, they are one of the key players in the identity and access management space.
Tivoli, another key player, has roots in traditional user and security management and is strongest in access management. Their Policy Director was one of the first web access management tools; its functionality has recently been improved to support dynamic access control policies and granular access through the Privacy Director product. Another recent offering, Identity Director, provides identity management and administrative workflow that ties to the traditional User Administrator and Security Manager tools to provide provisioning. Not surprisingly, Tivoli is particularly strong in environments based on IBM software and hardware.
Novell can be considered an important player, with a strong background in directories (eDirectory), metadirectories (DirXML) and directory management tools that can be supported by third-party workflow such as Staffware to provide richer functionality. The newest addition to their portfolio is the iChain authentication and authorisation proxy. Novell is uniquely positioned especially where identity and access management systems are to be integrated with internal applications.
Besides the vendors mentioned, with more or less integrated product suites, there are many others who cover specific parts of the identity and access management infrastructure, and whose ranks include iPlanet, Microsoft, Waveset, Courion, Oracle, Siemens, Securant, OpenNetwork, CriticalPath, NetIQ and Bindview.
5. Future directions
Identity management is a highly dynamic area, with the latest developments extending its scope beyond the boundaries of an enterprise. This makes sense; these developments reflect natural relationships towards stronger integration with the business environment. Organisations that take the lead in this direction are Microsoft with their .NET Passport, the cross-industry consortium Liberty Alliance, and the Organization for the Advancement of Structured Information Standards (OASIS), which sponsors development of XML standards including SAML, XACML and SPML.
6. References
[1] Lewis, Jamie. The Emerging Infrastructure for Identity and Access Management. Open Group In3 Conference. January 2002. <http://www.opengroup.org/security/lewis.pdf>