SlideShare une entreprise Scribd logo

Defining Enterprise Identity Management

Hitachi ID Systems, Inc.
Hitachi ID Systems, Inc.

Identity management is the combination of business process and technology used to manage data on IT systems and applications about users. Managed data includes user objects, identity attributes, security entitlements and authentication factors. This document defines the components of identity management, starting with the underlying business challenges of managing user identities and entitlements across multiple systems and applications. Identity management functions are defined in the context of these challenges.

TechnologieBusiness
1  sur  20
Télécharger pour lire hors ligne
Defining Identity Management © 2014 Hitachi ID Systems, Inc. All rights reserved.
Identity management is the combination of business process and technology used to manage data on IT systems and applications about users. Managed data includes user objects, identity attributes, security entitlements and authentication factors. This document defines the components of identity management, starting with the underlying business chal- lenges of managing user identities and entitlements across multiple systems and applications. Identity management functions are defined in the context of these challenges. Contents 1 Introduction 1 2 A variety of identity stores 2 3 Managing identities and entitlements across applications - the challenge: 3 3.1 Different kinds of users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3.2 Different kinds of identity data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3.3 Identity life cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.4 Key identity challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 4 Relevant technologies: the solutions 7 4.1 Directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 4.2 Meta Directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 4.3 Web access management / Web single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . 8 4.4 Password management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 4.5 Enterprise single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 4.6 User provisioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 4.7 Role Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 4.8 Access Certification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 5 Identity management: a simple definition 14 6 Beyond the enterprise 15 7 Conclusions 17 8 References 18 i
Defining Identity Management 1 Introduction Identity management is the combination of business process and technology used to manage data on IT systems and applications about users. Managed data includes user objects, identity attributes, security entitlements and authentication factors. This document defines the components of identity management, starting with the underlying business chal- lenges of managing user identities and entitlements across multiple systems and applications. Identity management functions are defined in the context of these challenges. The remainder of this paper is organized as follows: • A variety of identity stores: A description of why organizations manage user profile data in a diversity of systems. • Managing identities and entitlements across applications - the challenge: A step-by-step description of why managing user identity data is difficult in a large organization. • Relevant technologies - the solutions: How different technologies help to streamline and secure the identity management process. • Identity management - a simple definition: A definition for what constitutes identity management, given the preceding description of the business problem and its technological solutions. • Beyond the enterprise: How identity management technologies may soon extend beyond the boundaries of a single enter- prise. • Conclusions: Some conclusions about the state of identity management today. • References: Where to learn more about identity management. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 1
Defining Identity Management 2 A variety of identity stores Modern organizations run a complex mix of IT infrastructure, including: • Network operating systems, used to share files and printers. • Application servers, running web servers, databases and similar software. • Mainframe and midrange servers, typically hosting legacy applications. • E-mail and other collaboration software. • User directories, publishing lists of users and other network objects. • Human resources, payroll and contractor management systems. • A variety of line-of-business applications. • Customer relationship management (CRM) and enterprise resource planning (ERP) applications. • Electronic commerce applications. Many kinds of users access these systems, including: • Employees. • Contractors. • Partners. • Vendors. • Customers. Almost every system and application tracks its own users, how they sign in (i.e., their passwords) and their privileges (i.e., what they can see and do). This data about users must be managed, when users are hired, when their business roles or identifying information change and when they leave. The diversity of these systems, each with their own security management user interface, administrators and change request processes creates complexity. This complexity impacts the IT operation – the same human user must be managed by different IT staff on different parts of the infrastructure. The complexity also impacts users – it can take a long time to make required changes and users are forced to memorize multiple login IDs, passwords and application sign-on processes. This complexity leads to high IT cost, lower user productivity and security exposures. Identity management technologies simplify the administration of this distributed, overlapping and some- times contradictory data about users. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 2
Defining Identity Management 3 Managing identities and entitlements across applications - the challenge: In this document, “enterprise” refers simply to medium to large organizations, with thousands of internal users. 3.1 Different kinds of users Enterprises manage identity data about two broad kinds of users: • Insiders: including employees and contractors. Insiders spend most of their working hours engaged with the enterprise. They often access multiple internal systems and their identity profiles are relatively complex. • Outsiders: including customers, partners and vendors. There are normally many more outsiders than insiders. Outsiders generally access only a few systems (e.g., CRM, e-Commerce, retirement benefits, etc.) and access these systems infrequently. Identity profiles about outsiders tend to be less detailed and less accurate than about insiders. The difference between insiders and outsiders and how this impacts identity management, may be illus- trated by an example: Consider a bank, with 15,000 employees, 5,000 contractors and 500,000 customers. Insiders at the bank are the 20,000 employees and contractors. Insiders log into a network operating system, corporate Intranet, line-of-business applications, corporate mainframe, e-mail systems and Internet gateway. Their identity profiles include data relating to their employment and their many login IDs to internal systems. Insiders access components of their identity profile, in particular login IDs to various systems, many times each day. Outsiders are primarily current and prospective bank customers. Their profiles may include from one to three login IDs and passwords – for Internet-, telephone- and ATM-based electronic banking. Their profiles also include customer information such as a mailing address and account numbers. Outsiders only access their login IDs occasionally. Personal profile data provided by outsiders, such as full name, home telephone number, or e-mail address may be inaccurate. 3.2 Different kinds of identity data Just as there are different kinds of users whose identity an enterprise must manage, there are different kinds of data about these users that must be managed: • Personal information. This includes names, contact information and demographic data such as gender or date of birth. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 3
Defining Identity Management • Legal information. This includes information about the legal relationship between the enterprise and the user: social security number, compensation, contract, start date, termination date, etc. • Login credentials to target systems. On most systems, this is a login ID and password. Identification may also use a PKI certificate and authentication may use tokens or biometrics or a set of personal questions that the user must answer. 3.3 Identity life cycle As organizations deploy an ever wider array of IT infrastructure, managing that infrastructure and in partic- ular managing users, their identity profiles and their security privileges on those systems becomes increas- ingly challenging. Figure 1 illustrates some of the challenges faced by organizations that must manage many users across many systems. Slow: too much paper, too many people. Expensive: too many administrators doing redundant work. Role changes: add/remove rights. Policies: enforced? Audit: are privileges appropriate? Org. relationships: track and maintain. Reliable: notification of terminations. Fast: response by sysadmins. Complete: deactivation of all IDs. Passwords: too many, too weak, often forgotten. Access: Why can’t I access that application / folder / etc. Figure 1: User Lifecycle Management Challenges In the figure, there are business challenges at each phase of the user lifecycle: 1. Onboarding new users: (a) Delays and productivity: New users need to get productive quickly. Any delays in setting up access rights for new users cost money, in terms of lost productivity. (b) Requests and approvals: IT workers need to be certain that newly created accounts are appropriate. This usually means © 2014 Hitachi ID Systems, Inc.. All rights reserved. 4
Defining Identity Management a paper process for requesting, reviewing and approving security changes, such as the creation of new accounts. This approval process may be hard to use, may require excessive effort on the parts of both requesters and authorizers and may introduce delays. (c) Redundant administration: Users typically require access rights that span multiple systems. A new user may need a net- work login, an e-mail mailbox, firewall access and login rights to multiple applications. These accounts are typically created by different administrators, using different tools. This duplication is expensive and time consuming. 2. Managing change: Users often change roles and responsibilities within an organization. They may also change identity attributes (e.g., changes to a user’s surname, contact information, department, manager, etc.). Such changes trigger IT work, to adjust user identity profiles and security rights. Organizations face the same challenges in managing existing users that they face when creating new ones: (a) Delays: Reassigned users waste time waiting for IT to catch up with their requirements. (b) Change requests: Can be awkward to submit and may take time to approve. (c) Redundant administration: Similar changes are often required on different systems. 3. IT support: In the context of routine use of systems, users often encounter problems that require technical support: (a) Forgotten passwords. (b) Intruder lockouts. (c) Access denied errors. Collectively, these problems typically represent a large part of an IT help desk’s call volume. This means both direct cost (support staff) and indirect cost (lost user productivity). 4. Termination: All users leave eventually. When they do, reliable processes are needed to find and remove their security privileges. These processes must be: (a) Reliable: If an organization fails to deactivate the access rights of a departed user, then that user or an intruder impersonating him might abuse the infrastructure or compromise sensitive data. (b) Timely: Access termination must be quick, to minimize the time window available for the aforementioned exploits. (c) Complete: It is not enough to deactivate a departed user’s login IDs on major systems. Every access right should be revoked, to eliminate the possibility of abuse by users inside the network. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 5
Defining Identity Management 3.4 Key identity challenges Identity management presents several challenges in most organizations: • Security: Do user entitlements exactly match their needs? Are policies, such as segregation of duties rules, violated? Do access rights persist after they are no longer needed? • Consistency: User profile data entered into different systems should be consistent. This includes name, login ID, contact information, termination date, etc. The fact that each system has its own user profile management system makes this difficult. • Efficiency: Setting a user to access multiple systems is repetitive. Doing so with the tools provided with each system is needlessly costly. • Usability: When users access multiple systems, they may be presented with multiple login IDs, multiple pass- words and multiple sign-on screens. This complexity is burdensome to users, who consequently have problems accessing systems and incur productivity and support costs. • Reliability: User profile data should be reliable – especially if it is used to control access to sensitive data or resources. That means that the process used to update user information on every system must produce data that is complete, timely and accurate. • Scalability: Enterprises manage user profile data for large numbers of people. There may be tens of thousands of insiders and hundreds of thousands of outsiders. Any identity management system used in this environment must scale to support the data volumes and peak transaction rates produced by large user populations. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 6
Defining Identity Management 4 Relevant technologies: the solutions Several types of technologies are available to manage user identity data across the enterprise. In general, these systems focus on streamlining the identity management process and managing data consistently across multiple systems. 4.1 Directories The cornerstone of many identity management and access governance infrastructures is a corporate direc- tory. Directories are network services which manage information about users, the organization and IT assets such as servers and printers. They perform a function similar to white pages or yellow pages phone books do for the public telephone infrastructure – enabling users of the network to find information about each- other and about network services. Most modern network directories are accessed using the lightweight directory access protocol (LDAP), which is based on the older, more powerful, but more complicated and less popular X.500 protocol. A directory is just the starting point for identity management and access governance and provides no value in and of itself. To get value organizations must: • Directory-enable their business applications, to eliminate silos of identity information. • Implement effective technology and business processes to manage the contents of their directory. Major platform vendors make inexpensive, robust and scalable directory products. These include: • Microsoft Active Directory. • Novell eDirectory (built on top of NDS). • Sun ONE Directory (formerly Netscape and then iPlanet LDAP). • IBM Directory (formerly Tivoli Directory). • Oracle Internet Directory (OID). There are also some open source directory products, such as OpenLDAP and Red Hat Directory Server. 4.2 Meta Directories Meta directories are engines that synchronize data about users between different systems. Most modern IAG systems include what amounts to a meta directory, though it may not be labeled as such. A meta directory works as follows: • Connectors to multiple target systems are configured, to read and write user profile data. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 7
Defining Identity Management • Data streams from integrated systems are merged, to construct a master database of user profile information. • Where a user’s data in the master database differs from that user’s profile on a lower-priority target system, the target system is updated to reflect the user’s current information. • Users may be added to or removed from target systems, based on changes detected on systems of record. Meta directories simplify user administration by propagating changes from systems of record to target sys- tems, eliminating manual updates. Since meta directories need not not expose a user interface, or interact directly with users, they can be thought of as “plumbing” embedded in the IAG infrastructure. 4.3 Web access management / Web single sign-on A Web access management (WebAM) / Web single sign-on (WebSSO) system is middleware used to manage authentication and authorization of users accessing one or more web-enabled applications. Is supports single sign-on across systems and applications which do not natively support federation. A WebSSO system intercepts initial contact by the user’s web browser to a web application and either verifies that the user had already been authenticated (typically tracking authentication state in a cookie) or else redirects the user to an authentication page, where the user may use a password, token, PKI certificate or other method to authenticate himself. Once a user is authenticated, the WebAM component of the system controls the user’s access to application functions and data. This is done either by filtering what content the user can access (e.g., URL filtering) and by exposing an API that the application can use to make run-time decisions about whether to display certain forms, fields or data elements to the user. WebSSO / WebAM products typically use an LDAP directory as a back-end repository, to identify all users. They often come tightly integrated with an “identity management and access governance” application, which enables delegated and in some cases self-service administration of the contents of that single directory. Federation is almost always preferable to WebSSO. 4.4 Password management Password management is a combination of password synchronization between systems and applications and self-service password reset. Password synchronization is any process or technology that helps users to maintain a single password, subject to a single security policy, across multiple systems. Password synchronization is an effective mechanism for addressing password management problems on an enterprise network: © 2014 Hitachi ID Systems, Inc.. All rights reserved. 8
Defining Identity Management • Users with synchronized passwords tend to remember their passwords. • Simpler password management means that users make significantly fewer password-related calls to the help desk. • Users with just one or two passwords are much less likely to write down their passwords. There are two ways to implement password synchronization: • Transparent password synchronization, where native password changes, that already take place on a common system (example: Active Directory) are automatically propagated through the password management system to other systems and applications. • Web-based password synchronization, where users are asked to change all of their passwords at once, using a web application, instead of continuing to use native tools to change passwords. Self-service password reset is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate method and repair their own problem, without calling the help desk. Users who have forgotten their password or triggered an intruder lockout may launch a self-service applica- tion using an extension to their workstation login prompt, using their own or another user’s web browser or through a telephone call. Users establish their identity, without using their forgotten or disabled password, by answering a series of personal questions, using a hardware authentication token or by providing a bio- metric sample. Users can then either specify a new, unlocked password or ask that a randomly generated one be set. Self-service password reset expedites problem resolution for users after a problem has already occurred and reduces help desk call volume. It can also be used to ensure that password problems are only resolved after strong user authentication, eliminating an important weakness of many help desks: social engineering attacks. One of the core features of Hitachi ID Password Manager from Hitachi ID Systems is self-service password reset. 4.5 Enterprise single sign-on Users who log into many systems may prefer to sign into one master system and thereafter be able to launch applications having to type their ID or password again. Most legacy and client/server systems cannot share authentication with modern infrastructures such as Kerberos or SAML. However, it is possible to store user credentials outside of the various applications and automatically enter them into applications when prompted. Enterprise single sign-on (E-SSO) systems do just that: users sign into the E-SSO application, which stores every user’s login ID and password to every supported application. Users launch various applications through the E-SSO client software, which opens the appropriate client program and sends keystrokes to that program simulating the user typing his own login ID and password. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 9
Defining Identity Management Since they require the installation of client software, E-SSO systems are only appropriate for use by insiders. E-SSO systems have had limited success in large production environments for a number of reasons: • Deployment and integration costs. • Concerns about security, due to the fact that the SSO system stores every user’s password to every system. • Concerns about availability, since if the SSO system fails, entire user populations will be unable to log into their systems and so will basically stop working. Note that one E-SSO system does not store user passwords, but instead relies on password synchronization (Hitachi ID Login Manager) – http://Hitachi-ID.com/Login-Manager. 4.6 User provisioning A user provisioning system is shared IT infrastructure which is used to pull the management of users, identity attributes and security entitlements out of individual systems and applications, into a shared infras- tructure. User provisioning is intended to make the creation, management and deactivation of login IDs, home direc- tories, mail folders, security entitlements and related items faster, cheaper and more reliable. This is done by automating and codifying business processes such as onboarding and termination and connecting these processes to multiple systems. User provisioning systems work by automating one or more processes: • Auto-provisioning: Detect new user records on a system of record (such as HR) and automatically provision those users with appropriate access on other systems and applications. • Auto-deactivation: Detect deleted or deactivated users on an authoritative system and automatically deactivate those users on all other systems and applications. • Identity synchronization: Detect changes to personal data, such as phone numbers or department codes, on one system and automatically make matching changes on other systems for the same user. • Self-service requests: Enable users to update their own profiles (e.g., new home phone number) and to request new entitle- ments (e.g., access to an application or share). • Delegated administration: Enable managers, application owners and other stake-holders to modify users and entitlements within their scope of authority. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 10
Defining Identity Management • Access certification: Periodically invite managers and application owners to review lists of users and security entitlements within their scope of authority, flagging inappropriate entries for further review and removal. • Authorization workflow: Validate all proposed changes, regardless of their origin and invite business stake-holders to approve them before they are applied to integrated systems and applications. • Consolidated reporting: Provide data about what users have what entitlements, what accounts are dormant or orphaned, change history, etc. across multiple systems and applications. As well, a user provisioning system must be able to connect these processes to systems and applications, using connectors that can: • List existing accounts and groups. • Create new and delete existing accounts. • Read and write identity attributes associated with a user object. • Read and set flags, such as “account enabled/disabled,” “account locked,” and “intruder lockout.” • Change the login ID of an existing account (rename user). • Read a user’s group memberships. • Read a list of a group’s member users. • Add an account to or remove an account from a group. • Create, delete and set the attributes of a group. • Move a user between directory organizational units (OUs). 4.7 Role Based Access Control Role-based access control (RBAC) is an approach to managing entitlements, intended to reduce the cost of security administration, ensure that users have only appropriate entitlements and to terminate no-longer- needed entitlements reliably and promptly. In the context of a single system or application, RBAC means granting privileges directly to roles and attaching users to roles. Users acquire privileges through role membership, rather than directly. Within a single system, roles are sometimes called security groups or user groups. Single-system RBAC is a time tested and successful strategy, as it allows administrators to group users, group privileges and attach groups of privileges to groups of users, rather than attaching individual privileges to individual users. Identity management and access governance systems extend RBAC beyond single applications. Roles in an IAM system are sets of entitlements that may span multiple systems and applications. The key element of roles is to replace many technical entitlements with fewer roles that business users can understand. Business users can then a reasonable determination of which users should have which roles. This implicitly specifies which users should have which technical entitlements. Roles consist of entitlements – login accounts and security group memberships. Roles are often also nested – i.e., one role can contain others. Nesting roles can reduce the cost of role administration. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 11
Defining Identity Management 4.8 Access Certification Regulatory compliance requirements and security policies increasingly demand that organizations maintain effective controls over who has access to sensitive corporate information and personal data about employ- ees and customers: • Systems must limit access to just the right users, at just the right time. • Organizations must be able to provide auditable evidence that these controls are in place and effective. Section 404 of Sarbanes-Oxley specifically states that management must assess the effectiveness of internal controls on an annual basis. • Organizations must be able to report which internal users currently have and had in the past, access to sensitive data. Meeting these requirements can be challenging as users often have unique and changing business respon- sibilities, thus making their entitlements difficult to model using formal roles and rules. The difficulty in modeling complex, heterogeneous entitlements is compounded by the fact that although users accumulate entitlements over time, they rarely ask IT to terminate old, unneeded rights. Moreover, it is difficult to predict when, after a change in responsibilities, a user will no longer function as a backup resource for his old job and so old entitlements can be safely deactivated. These challenges together mean that it is difficult to model all of the entitlements that users need across multiple systems and applications at a single point in time and likely impossible to model those needs for thousands of users, over multiple systems, over an extended period of time. Access certification is a process where business stake-holders are periodically invited to review entitle- ments, sign-off on entitlements that appear to be reasonable and flag questionable entitlements for possible removal. There are several components to access certification: • Discovery: Before entitlements can be reviewed, they have to be collected from systems and applications and mapped to users. Technical identifiers should be replaced by human-legible descriptions that review- ers will understand. Since entitlements change all the time, discovery should be a regularly scheduled, automated process, not a one-time data load. • Who performs the reviews? Options include managers – asked to review their subordinates, application or data owners – asked to review lists of users who can access their applications or data or security officers – asked to review high risk entitlements. • When are reviews performed? The frequency may vary with the business risk posed by the entitlements in question. • What kinds of entitlements are reviewed? © 2014 Hitachi ID Systems, Inc.. All rights reserved. 12
Defining Identity Management The highest level review is of employment status – should the user in question still have access to any systems? Slightly more granular is a review of roles – should the user in question still have these roles? At the lowest level of granularity are basic entitlements – should the user in question have a login ID on this system or belong to this security group? • Which entitlements warrant a review? Not every entitlement poses a significant business risk. User membership in the social committee mailing list is not really worth reviewing, for example. Some determination must be made of the risk level posed by each entitlement, as this forms the basis for deciding whether to review it and how often. • What happens to rejected entitlements? Reviewers may flag entitlements as inappropriate, in which case something should be done. Does this raise a work order in an IT issue management system or trigger a connector to revoke the entitlement immediately? Should further reviews take place before the entitlement is reviewed? © 2014 Hitachi ID Systems, Inc.. All rights reserved. 13
Defining Identity Management 5 Identity management: a simple definition With the above sections in mind, we propose a simple definition to encapsulate the various capabilities of enterprise identity management technologies: Identity management and access governance is defined as a shared platform and consistent processes for managing information about users: who they are, how they are authenticated and what they can access. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 14
Defining Identity Management 6 Beyond the enterprise Identity management can extend beyond a single organization: • Customers would like to access multiple web sites without re-authenticating to each one. • Employees would like to access vendor web resources without registering or re-authenticating. • Companies would like to be able to provision their own users with access to partner and vendor resources automatically. Federation enables applications in different domains to share information about users. • Federated sites must have some pre-established relationship, bilaterally or in a group. • Information about users is exchanged: – Identity: Who is this user? – Authentication: How/when did the user sign in? – Authorization: What is the user allowed to do? • Federation enables single sign-on between sites: – User signs into one site (company A). – User clicks into another site (company B). – Site A passes information about the user to Site B. – The user is not asked for his ID/password by site B. • In some deployment pattern, federation eliminates some user management: – Site B trusts Site A to name its own users. – Site B does not create its own objects for Site A users. There are multiple standards for federation, including the security assertion markup language (SAML – v1 and v2) and WS*Security. In order to work, federation requires that software at one site can communicate identity, authentication and authorization site to software at another site: • Different organizations use different software products to manage user identity, authentication and authorization. • To interoperate, different software products rely on standard protocols. • There are multiple standards regarding federation: © 2014 Hitachi ID Systems, Inc.. All rights reserved. 15
Defining Identity Management – Liberty Alliance ID-FF and ID-WSF. – Security Assertions Markup Language (SAML). – WS-Federation. – Shibboleth. • The standards are complex, so it is reasonable to assume that different products implement them somewhat differently and may not be 100% compatible. The problem with standards is that there are so many of them... Hitachi ID Management Suite is intended to help an organization manage user identities and entitlements in a single domain – its own. It is compatible with federation products and protocols, but does not implement federation directly. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 16
Defining Identity Management 7 Conclusions Identity management is a class of technologies intended to streamline the management of user identity information both inside and outside an enterprise. It includes: • Directories, especially those using LDAP. • Password management. • Enteprise single sign-on. • Web access management and web single sign-on. • User provisioning. • Federation. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 17
Defining Identity Management 8 References • Various projects to make identity management span multiple systems on the Internet: – The Liberty alliance: http://www.projectliberty.org/. – W3C P3P Project: http://www.w3.org/P3P/. – Security Assertions Markup Language (SAML), http://www.oasis-open.org/committees/security/#documents. www.Hitachi-ID.com 500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com File: / pub/ wp/ documents/ define-idm/ what-is-id-management-6.tex Date: 2009-12-30

Recommandé

Hitachi ID Identity Manager: Faster onboarding, reliable deactivation and eff...
Hitachi ID Identity Manager: Faster onboarding, reliable deactivation and eff...Hitachi ID Identity Manager: Faster onboarding, reliable deactivation and eff...
Hitachi ID Identity Manager: Faster onboarding, reliable deactivation and eff...Hitachi ID Systems, Inc.
 
Hitachi ID Identity Manager: Self-service and automated user provisioning
Hitachi ID Identity Manager: Self-service and automated user provisioningHitachi ID Identity Manager: Self-service and automated user provisioning
Hitachi ID Identity Manager: Self-service and automated user provisioningHitachi ID Systems, Inc.
 
Hitachi ID Password Manager (formerly P-Synch): Lower cost, improve service a...
Hitachi ID Password Manager (formerly P-Synch): Lower cost, improve service a...Hitachi ID Password Manager (formerly P-Synch): Lower cost, improve service a...
Hitachi ID Password Manager (formerly P-Synch): Lower cost, improve service a...Hitachi ID Systems, Inc.
 
Hitachi ID Password Manager: Enrollment, password reset and password synchron...
Hitachi ID Password Manager: Enrollment, password reset and password synchron...Hitachi ID Password Manager: Enrollment, password reset and password synchron...
Hitachi ID Password Manager: Enrollment, password reset and password synchron...Hitachi ID Systems, Inc.
 
Hitachi ID Password Manager Brochure
Hitachi ID Password Manager BrochureHitachi ID Password Manager Brochure
Hitachi ID Password Manager BrochureHitachi ID Systems, Inc.
 
Hitachi ID Identity Manager: Detailed presentation
Hitachi ID Identity Manager: Detailed presentationHitachi ID Identity Manager: Detailed presentation
Hitachi ID Identity Manager: Detailed presentationHitachi ID Systems, Inc.
 
Hitachi ID Privileged Access Manager: Randomize and control disclosure of pri...
Hitachi ID Privileged Access Manager: Randomize and control disclosure of pri...Hitachi ID Privileged Access Manager: Randomize and control disclosure of pri...
Hitachi ID Privileged Access Manager: Randomize and control disclosure of pri...Hitachi ID Systems, Inc.
 
From Password Reset to Authentication Management
From Password Reset to Authentication ManagementFrom Password Reset to Authentication Management
From Password Reset to Authentication ManagementHitachi ID Systems, Inc.
 

Recommandé

Hitachi ID Identity Manager: Faster onboarding, reliable deactivation and eff...
Hitachi ID Identity Manager: Faster onboarding, reliable deactivation and eff...Hitachi ID Identity Manager: Faster onboarding, reliable deactivation and eff...
Hitachi ID Identity Manager: Faster onboarding, reliable deactivation and eff...Hitachi ID Systems, Inc.
 
Hitachi ID Identity Manager: Self-service and automated user provisioning
Hitachi ID Identity Manager: Self-service and automated user provisioningHitachi ID Identity Manager: Self-service and automated user provisioning
Hitachi ID Identity Manager: Self-service and automated user provisioningHitachi ID Systems, Inc.
 
Hitachi ID Password Manager (formerly P-Synch): Lower cost, improve service a...
Hitachi ID Password Manager (formerly P-Synch): Lower cost, improve service a...Hitachi ID Password Manager (formerly P-Synch): Lower cost, improve service a...
Hitachi ID Password Manager (formerly P-Synch): Lower cost, improve service a...Hitachi ID Systems, Inc.
 
Hitachi ID Password Manager: Enrollment, password reset and password synchron...
Hitachi ID Password Manager: Enrollment, password reset and password synchron...Hitachi ID Password Manager: Enrollment, password reset and password synchron...
Hitachi ID Password Manager: Enrollment, password reset and password synchron...Hitachi ID Systems, Inc.
 
Hitachi ID Password Manager Brochure
Hitachi ID Password Manager BrochureHitachi ID Password Manager Brochure
Hitachi ID Password Manager BrochureHitachi ID Systems, Inc.
 
Hitachi ID Identity Manager: Detailed presentation
Hitachi ID Identity Manager: Detailed presentationHitachi ID Identity Manager: Detailed presentation
Hitachi ID Identity Manager: Detailed presentationHitachi ID Systems, Inc.
 
Hitachi ID Privileged Access Manager: Randomize and control disclosure of pri...
Hitachi ID Privileged Access Manager: Randomize and control disclosure of pri...Hitachi ID Privileged Access Manager: Randomize and control disclosure of pri...
Hitachi ID Privileged Access Manager: Randomize and control disclosure of pri...Hitachi ID Systems, Inc.
 
From Password Reset to Authentication Management
From Password Reset to Authentication ManagementFrom Password Reset to Authentication Management
From Password Reset to Authentication ManagementHitachi ID Systems, Inc.
 
Managing Passwords for Mobile Users
Managing Passwords for Mobile Users Managing Passwords for Mobile Users
Managing Passwords for Mobile Users Hitachi ID Systems, Inc.
 
Hitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Systems, Inc.
 
Hitachi ID Group Manager
Hitachi ID Group ManagerHitachi ID Group Manager
Hitachi ID Group ManagerHitachi ID Systems, Inc.
 
Hitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Systems, Inc.
 
Hitachi ID Access Certifier: Find and remove stale privileges with periodic r...
Hitachi ID Access Certifier: Find and remove stale privileges with periodic r...Hitachi ID Access Certifier: Find and remove stale privileges with periodic r...
Hitachi ID Access Certifier: Find and remove stale privileges with periodic r...Hitachi ID Systems, Inc.
 
Hitachi ID Solutions Support GLB Compliance
Hitachi ID Solutions Support GLB ComplianceHitachi ID Solutions Support GLB Compliance
Hitachi ID Solutions Support GLB ComplianceHitachi ID Systems, Inc.
 
Hitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Systems, Inc.
 
Maximizing Value
Maximizing ValueMaximizing Value
Maximizing ValueHitachi ID Systems, Inc.
 
Data Securities Corporate Technology Information Presentation
Data Securities Corporate Technology Information PresentationData Securities Corporate Technology Information Presentation
Data Securities Corporate Technology Information Presentationguestf018d88
 
Enhancing Novell SecureLogin with Multi-factor Authentication
Enhancing Novell SecureLogin with Multi-factor AuthenticationEnhancing Novell SecureLogin with Multi-factor Authentication
Enhancing Novell SecureLogin with Multi-factor AuthenticationNovell
 
Oracle tech fmw-05-idm-neum-16.04.2010
Oracle tech fmw-05-idm-neum-16.04.2010Oracle tech fmw-05-idm-neum-16.04.2010
Oracle tech fmw-05-idm-neum-16.04.2010Oracle BH
 
Cso oow12-summit-sonny-sing hv4
Cso oow12-summit-sonny-sing hv4Cso oow12-summit-sonny-sing hv4
Cso oow12-summit-sonny-sing hv4OracleIDM
 
A better waytosecureapps-finalv1
A better waytosecureapps-finalv1A better waytosecureapps-finalv1
A better waytosecureapps-finalv1OracleIDM
 
test
testtest
testpixeldemo
 
Large Scale User Provisioning with Hitachi ID Identity Manager
Large Scale User Provisioning with Hitachi ID Identity ManagerLarge Scale User Provisioning with Hitachi ID Identity Manager
Large Scale User Provisioning with Hitachi ID Identity ManagerHitachi ID Systems, Inc.
 
Password Management Before User Provisioning
Password Management Before User ProvisioningPassword Management Before User Provisioning
Password Management Before User ProvisioningHitachi ID Systems, Inc.
 
Why IAM is the Need of the Hour
Why IAM is the Need of the HourWhy IAM is the Need of the Hour
Why IAM is the Need of the HourTechdemocracy
 
Identity_Management_Vendor_Evaluation
Identity_Management_Vendor_EvaluationIdentity_Management_Vendor_Evaluation
Identity_Management_Vendor_EvaluationJerry Ruggieri
 
Intro To Secure Identity Management
Intro To Secure Identity ManagementIntro To Secure Identity Management
Intro To Secure Identity ManagementProduct Marketing Services
 
Intelligence Driven Identity and Access Management
Intelligence Driven Identity and Access ManagementIntelligence Driven Identity and Access Management
Intelligence Driven Identity and Access ManagementEMC
 
Beyond Roles: A Practical Approach to Enterprise User Provisioning
Beyond Roles: A Practical Approach to Enterprise User ProvisioningBeyond Roles: A Practical Approach to Enterprise User Provisioning
Beyond Roles: A Practical Approach to Enterprise User ProvisioningHitachi ID Systems, Inc.
 
I Series User Management
I Series User ManagementI Series User Management
I Series User ManagementSJeffrey23
 

Contenu connexe

Tendances

Hitachi ID Access Certifier: Find and remove stale privileges with periodic r...
Hitachi ID Access Certifier: Find and remove stale privileges with periodic r...Hitachi ID Access Certifier: Find and remove stale privileges with periodic r...
Hitachi ID Access Certifier: Find and remove stale privileges with periodic r...Hitachi ID Systems, Inc.
 
Hitachi ID Solutions Support GLB Compliance
Hitachi ID Solutions Support GLB ComplianceHitachi ID Solutions Support GLB Compliance
Hitachi ID Solutions Support GLB ComplianceHitachi ID Systems, Inc.
 
Data Securities Corporate Technology Information Presentation
Data Securities Corporate Technology Information PresentationData Securities Corporate Technology Information Presentation
Data Securities Corporate Technology Information Presentationguestf018d88
 
Enhancing Novell SecureLogin with Multi-factor Authentication
Enhancing Novell SecureLogin with Multi-factor AuthenticationEnhancing Novell SecureLogin with Multi-factor Authentication
Enhancing Novell SecureLogin with Multi-factor AuthenticationNovell
 
Oracle tech fmw-05-idm-neum-16.04.2010
Oracle tech fmw-05-idm-neum-16.04.2010Oracle tech fmw-05-idm-neum-16.04.2010
Oracle tech fmw-05-idm-neum-16.04.2010Oracle BH
 
Cso oow12-summit-sonny-sing hv4
Cso oow12-summit-sonny-sing hv4Cso oow12-summit-sonny-sing hv4
Cso oow12-summit-sonny-sing hv4OracleIDM
 
A better waytosecureapps-finalv1
A better waytosecureapps-finalv1A better waytosecureapps-finalv1
A better waytosecureapps-finalv1OracleIDM
 

Tendances (14)

Managing Passwords for Mobile Users
Managing Passwords for Mobile Users Managing Passwords for Mobile Users
Managing Passwords for Mobile Users
 
Hitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Password Manager
Hitachi ID Password Manager
 
Hitachi ID Group Manager
Hitachi ID Group ManagerHitachi ID Group Manager
Hitachi ID Group Manager
 
Hitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Password Manager
Hitachi ID Password Manager
 
Hitachi ID Access Certifier: Find and remove stale privileges with periodic r...
Hitachi ID Access Certifier: Find and remove stale privileges with periodic r...Hitachi ID Access Certifier: Find and remove stale privileges with periodic r...
Hitachi ID Access Certifier: Find and remove stale privileges with periodic r...
 
Hitachi ID Solutions Support GLB Compliance
Hitachi ID Solutions Support GLB ComplianceHitachi ID Solutions Support GLB Compliance
Hitachi ID Solutions Support GLB Compliance
 
Hitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Password Manager
Hitachi ID Password Manager
 
Maximizing Value
Maximizing ValueMaximizing Value
Maximizing Value
 
Data Securities Corporate Technology Information Presentation
Data Securities Corporate Technology Information PresentationData Securities Corporate Technology Information Presentation
Data Securities Corporate Technology Information Presentation
 
Enhancing Novell SecureLogin with Multi-factor Authentication
Enhancing Novell SecureLogin with Multi-factor AuthenticationEnhancing Novell SecureLogin with Multi-factor Authentication
Enhancing Novell SecureLogin with Multi-factor Authentication
 
Oracle tech fmw-05-idm-neum-16.04.2010
Oracle tech fmw-05-idm-neum-16.04.2010Oracle tech fmw-05-idm-neum-16.04.2010
Oracle tech fmw-05-idm-neum-16.04.2010
 
Cso oow12-summit-sonny-sing hv4
Cso oow12-summit-sonny-sing hv4Cso oow12-summit-sonny-sing hv4
Cso oow12-summit-sonny-sing hv4
 
A better waytosecureapps-finalv1
A better waytosecureapps-finalv1A better waytosecureapps-finalv1
A better waytosecureapps-finalv1
 
test
testtest
test
 

Similaire à Defining Enterprise Identity Management

Large Scale User Provisioning with Hitachi ID Identity Manager
Large Scale User Provisioning with Hitachi ID Identity ManagerLarge Scale User Provisioning with Hitachi ID Identity Manager
Large Scale User Provisioning with Hitachi ID Identity ManagerHitachi ID Systems, Inc.
 
Password Management Before User Provisioning
Password Management Before User ProvisioningPassword Management Before User Provisioning
Password Management Before User ProvisioningHitachi ID Systems, Inc.
 
Why IAM is the Need of the Hour
Why IAM is the Need of the HourWhy IAM is the Need of the Hour
Why IAM is the Need of the HourTechdemocracy
 
Identity_Management_Vendor_Evaluation
Identity_Management_Vendor_EvaluationIdentity_Management_Vendor_Evaluation
Identity_Management_Vendor_EvaluationJerry Ruggieri
 
Intelligence Driven Identity and Access Management
Intelligence Driven Identity and Access ManagementIntelligence Driven Identity and Access Management
Intelligence Driven Identity and Access ManagementEMC
 
Beyond Roles: A Practical Approach to Enterprise User Provisioning
Beyond Roles: A Practical Approach to Enterprise User ProvisioningBeyond Roles: A Practical Approach to Enterprise User Provisioning
Beyond Roles: A Practical Approach to Enterprise User ProvisioningHitachi ID Systems, Inc.
 
I Series User Management
I Series User ManagementI Series User Management
I Series User ManagementSJeffrey23
 
IdM Reference Architecture
IdM Reference ArchitectureIdM Reference Architecture
IdM Reference ArchitectureHannu Kasanen
 
Successful Enterprise Single Sign-on: Addressing Deployment Challenges
Successful Enterprise Single Sign-on: Addressing Deployment ChallengesSuccessful Enterprise Single Sign-on: Addressing Deployment Challenges
Successful Enterprise Single Sign-on: Addressing Deployment ChallengesHitachi ID Systems, Inc.
 
Standard IAM Business Processes: Corporate / Intranet Deployment
Standard IAM Business Processes: Corporate / Intranet DeploymentStandard IAM Business Processes: Corporate / Intranet Deployment
Standard IAM Business Processes: Corporate / Intranet DeploymentHitachi ID Systems, Inc.
 
Securing Citizen Facing Applications Presentation Notes
Securing Citizen Facing Applications Presentation NotesSecuring Citizen Facing Applications Presentation Notes
Securing Citizen Facing Applications Presentation Notesedwinlorenzana
 
Privileged identity management
Privileged identity managementPrivileged identity management
Privileged identity managementNis
 
Cis controls v8_guide (1)
Cis controls v8_guide (1)Cis controls v8_guide (1)
Cis controls v8_guide (1)MHumaamAl
 
Hitachi ID Password Manager Security Analysis
Hitachi ID Password Manager Security AnalysisHitachi ID Password Manager Security Analysis
Hitachi ID Password Manager Security AnalysisHitachi ID Systems, Inc.
 
ANALYSIS ON IDENTITY MANAGEMENT SYSTEMS WITH EXTENDED STATE-OF-THE-ART IDM TA...
ANALYSIS ON IDENTITY MANAGEMENT SYSTEMS WITH EXTENDED STATE-OF-THE-ART IDM TA...ANALYSIS ON IDENTITY MANAGEMENT SYSTEMS WITH EXTENDED STATE-OF-THE-ART IDM TA...
ANALYSIS ON IDENTITY MANAGEMENT SYSTEMS WITH EXTENDED STATE-OF-THE-ART IDM TA...ijasuc
 
Sreedhar CV_PKI - Certificate Management
Sreedhar CV_PKI - Certificate Management Sreedhar CV_PKI - Certificate Management
Sreedhar CV_PKI - Certificate Management Sreedhar Roddam
 

Similaire à Defining Enterprise Identity Management (20)

Large Scale User Provisioning with Hitachi ID Identity Manager
Large Scale User Provisioning with Hitachi ID Identity ManagerLarge Scale User Provisioning with Hitachi ID Identity Manager
Large Scale User Provisioning with Hitachi ID Identity Manager
 
Password Management Before User Provisioning
Password Management Before User ProvisioningPassword Management Before User Provisioning
Password Management Before User Provisioning
 
Why IAM is the Need of the Hour
Why IAM is the Need of the HourWhy IAM is the Need of the Hour
Why IAM is the Need of the Hour
 
Identity_Management_Vendor_Evaluation
Identity_Management_Vendor_EvaluationIdentity_Management_Vendor_Evaluation
Identity_Management_Vendor_Evaluation
 
Intro To Secure Identity Management
Intro To Secure Identity ManagementIntro To Secure Identity Management
Intro To Secure Identity Management
 
Intelligence Driven Identity and Access Management
Intelligence Driven Identity and Access ManagementIntelligence Driven Identity and Access Management
Intelligence Driven Identity and Access Management
 
Beyond Roles: A Practical Approach to Enterprise User Provisioning
Beyond Roles: A Practical Approach to Enterprise User ProvisioningBeyond Roles: A Practical Approach to Enterprise User Provisioning
Beyond Roles: A Practical Approach to Enterprise User Provisioning
 
I Series User Management
I Series User ManagementI Series User Management
I Series User Management
 
IdM Reference Architecture
IdM Reference ArchitectureIdM Reference Architecture
IdM Reference Architecture
 
Successful Enterprise Single Sign-on: Addressing Deployment Challenges
Successful Enterprise Single Sign-on: Addressing Deployment ChallengesSuccessful Enterprise Single Sign-on: Addressing Deployment Challenges
Successful Enterprise Single Sign-on: Addressing Deployment Challenges
 
Standard IAM Business Processes: Corporate / Intranet Deployment
Standard IAM Business Processes: Corporate / Intranet DeploymentStandard IAM Business Processes: Corporate / Intranet Deployment
Standard IAM Business Processes: Corporate / Intranet Deployment
 
Securing Citizen Facing Applications Presentation Notes
Securing Citizen Facing Applications Presentation NotesSecuring Citizen Facing Applications Presentation Notes
Securing Citizen Facing Applications Presentation Notes
 
Identity Management Terminology
Identity Management TerminologyIdentity Management Terminology
Identity Management Terminology
 
Privileged identity management
Privileged identity managementPrivileged identity management
Privileged identity management
 
Cis controls v8_guide (1)
Cis controls v8_guide (1)Cis controls v8_guide (1)
Cis controls v8_guide (1)
 
Hitachi ID Password Manager Security Analysis
Hitachi ID Password Manager Security AnalysisHitachi ID Password Manager Security Analysis
Hitachi ID Password Manager Security Analysis
 
ANALYSIS ON IDENTITY MANAGEMENT SYSTEMS WITH EXTENDED STATE-OF-THE-ART IDM TA...
ANALYSIS ON IDENTITY MANAGEMENT SYSTEMS WITH EXTENDED STATE-OF-THE-ART IDM TA...ANALYSIS ON IDENTITY MANAGEMENT SYSTEMS WITH EXTENDED STATE-OF-THE-ART IDM TA...
ANALYSIS ON IDENTITY MANAGEMENT SYSTEMS WITH EXTENDED STATE-OF-THE-ART IDM TA...
 
InsiderAttack_p3.ppt
InsiderAttack_p3.pptInsiderAttack_p3.ppt
InsiderAttack_p3.ppt
 
Sreedhar CV_PKI - Certificate Management
Sreedhar CV_PKI - Certificate Management Sreedhar CV_PKI - Certificate Management
Sreedhar CV_PKI - Certificate Management
 
unit4.pptx
unit4.pptxunit4.pptx
unit4.pptx
 

Plus de Hitachi ID Systems, Inc.

Hitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management SuiteHitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management SuiteHitachi ID Systems, Inc.
 
Building an Identity Management Business Case
Building an Identity Management Business CaseBuilding an Identity Management Business Case
Building an Identity Management Business CaseHitachi ID Systems, Inc.
 
How Well is Your Organization Protecting its Real Crown Jewels - Identities?
How Well is Your Organization Protecting its Real Crown Jewels - Identities?How Well is Your Organization Protecting its Real Crown Jewels - Identities?
How Well is Your Organization Protecting its Real Crown Jewels - Identities?Hitachi ID Systems, Inc.
 
Hitachi ID Identity Express™ - Corporate Edition
Hitachi ID Identity Express™ - Corporate EditionHitachi ID Identity Express™ - Corporate Edition
Hitachi ID Identity Express™ - Corporate EditionHitachi ID Systems, Inc.
 
Hitachi ID Suite 9.0 Features and Technology
Hitachi ID Suite 9.0 Features and TechnologyHitachi ID Suite 9.0 Features and Technology
Hitachi ID Suite 9.0 Features and TechnologyHitachi ID Systems, Inc.
 

Plus de Hitachi ID Systems, Inc. (20)

Hitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Password Manager
Hitachi ID Password Manager
 
Authentication Management
Authentication ManagementAuthentication Management
Authentication Management
 
Introduction to Identity Management
Introduction to Identity ManagementIntroduction to Identity Management
Introduction to Identity Management
 
Hitachi ID Access Certifier
Hitachi ID Access CertifierHitachi ID Access Certifier
Hitachi ID Access Certifier
 
Hitachi ID Group Manager
Hitachi ID Group ManagerHitachi ID Group Manager
Hitachi ID Group Manager
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity Manager
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity Manager
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity Manager
 
Hitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management SuiteHitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management Suite
 
Identity and Access Lifecycle Automation
Identity and Access Lifecycle AutomationIdentity and Access Lifecycle Automation
Identity and Access Lifecycle Automation
 
Building an Identity Management Business Case
Building an Identity Management Business CaseBuilding an Identity Management Business Case
Building an Identity Management Business Case
 
Privileged Access Management
Privileged Access ManagementPrivileged Access Management
Privileged Access Management
 
Hitachi ID Access Certifier
Hitachi ID Access CertifierHitachi ID Access Certifier
Hitachi ID Access Certifier
 
How Well is Your Organization Protecting its Real Crown Jewels - Identities?
How Well is Your Organization Protecting its Real Crown Jewels - Identities?How Well is Your Organization Protecting its Real Crown Jewels - Identities?
How Well is Your Organization Protecting its Real Crown Jewels - Identities?
 
Hitachi ID Privileged Access Manager
Hitachi ID Privileged Access ManagerHitachi ID Privileged Access Manager
Hitachi ID Privileged Access Manager
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity Manager
 
Hitachi ID Management Suite
Hitachi ID Management SuiteHitachi ID Management Suite
Hitachi ID Management Suite
 
Hitachi ID Identity Express™ - Corporate Edition
Hitachi ID Identity Express™ - Corporate EditionHitachi ID Identity Express™ - Corporate Edition
Hitachi ID Identity Express™ - Corporate Edition
 
Hitachi ID Suite 9.0 Features and Technology
Hitachi ID Suite 9.0 Features and TechnologyHitachi ID Suite 9.0 Features and Technology
Hitachi ID Suite 9.0 Features and Technology
 
Managing Passwords for Mobile Users
Managing Passwords for Mobile UsersManaging Passwords for Mobile Users
Managing Passwords for Mobile Users
 

Dernier

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 

Dernier (20)

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 

Defining Enterprise Identity Management

  • 1. Defining Identity Management © 2014 Hitachi ID Systems, Inc. All rights reserved.
  • 2. Identity management is the combination of business process and technology used to manage data on IT systems and applications about users. Managed data includes user objects, identity attributes, security entitlements and authentication factors. This document defines the components of identity management, starting with the underlying business chal- lenges of managing user identities and entitlements across multiple systems and applications. Identity management functions are defined in the context of these challenges. Contents 1 Introduction 1 2 A variety of identity stores 2 3 Managing identities and entitlements across applications - the challenge: 3 3.1 Different kinds of users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3.2 Different kinds of identity data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3.3 Identity life cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.4 Key identity challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 4 Relevant technologies: the solutions 7 4.1 Directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 4.2 Meta Directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 4.3 Web access management / Web single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . 8 4.4 Password management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 4.5 Enterprise single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 4.6 User provisioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 4.7 Role Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 4.8 Access Certification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 5 Identity management: a simple definition 14 6 Beyond the enterprise 15 7 Conclusions 17 8 References 18 i
  • 3. Defining Identity Management 1 Introduction Identity management is the combination of business process and technology used to manage data on IT systems and applications about users. Managed data includes user objects, identity attributes, security entitlements and authentication factors. This document defines the components of identity management, starting with the underlying business chal- lenges of managing user identities and entitlements across multiple systems and applications. Identity management functions are defined in the context of these challenges. The remainder of this paper is organized as follows: • A variety of identity stores: A description of why organizations manage user profile data in a diversity of systems. • Managing identities and entitlements across applications - the challenge: A step-by-step description of why managing user identity data is difficult in a large organization. • Relevant technologies - the solutions: How different technologies help to streamline and secure the identity management process. • Identity management - a simple definition: A definition for what constitutes identity management, given the preceding description of the business problem and its technological solutions. • Beyond the enterprise: How identity management technologies may soon extend beyond the boundaries of a single enter- prise. • Conclusions: Some conclusions about the state of identity management today. • References: Where to learn more about identity management. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 1
  • 4. Defining Identity Management 2 A variety of identity stores Modern organizations run a complex mix of IT infrastructure, including: • Network operating systems, used to share files and printers. • Application servers, running web servers, databases and similar software. • Mainframe and midrange servers, typically hosting legacy applications. • E-mail and other collaboration software. • User directories, publishing lists of users and other network objects. • Human resources, payroll and contractor management systems. • A variety of line-of-business applications. • Customer relationship management (CRM) and enterprise resource planning (ERP) applications. • Electronic commerce applications. Many kinds of users access these systems, including: • Employees. • Contractors. • Partners. • Vendors. • Customers. Almost every system and application tracks its own users, how they sign in (i.e., their passwords) and their privileges (i.e., what they can see and do). This data about users must be managed, when users are hired, when their business roles or identifying information change and when they leave. The diversity of these systems, each with their own security management user interface, administrators and change request processes creates complexity. This complexity impacts the IT operation – the same human user must be managed by different IT staff on different parts of the infrastructure. The complexity also impacts users – it can take a long time to make required changes and users are forced to memorize multiple login IDs, passwords and application sign-on processes. This complexity leads to high IT cost, lower user productivity and security exposures. Identity management technologies simplify the administration of this distributed, overlapping and some- times contradictory data about users. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 2
  • 5. Defining Identity Management 3 Managing identities and entitlements across applications - the challenge: In this document, “enterprise” refers simply to medium to large organizations, with thousands of internal users. 3.1 Different kinds of users Enterprises manage identity data about two broad kinds of users: • Insiders: including employees and contractors. Insiders spend most of their working hours engaged with the enterprise. They often access multiple internal systems and their identity profiles are relatively complex. • Outsiders: including customers, partners and vendors. There are normally many more outsiders than insiders. Outsiders generally access only a few systems (e.g., CRM, e-Commerce, retirement benefits, etc.) and access these systems infrequently. Identity profiles about outsiders tend to be less detailed and less accurate than about insiders. The difference between insiders and outsiders and how this impacts identity management, may be illus- trated by an example: Consider a bank, with 15,000 employees, 5,000 contractors and 500,000 customers. Insiders at the bank are the 20,000 employees and contractors. Insiders log into a network operating system, corporate Intranet, line-of-business applications, corporate mainframe, e-mail systems and Internet gateway. Their identity profiles include data relating to their employment and their many login IDs to internal systems. Insiders access components of their identity profile, in particular login IDs to various systems, many times each day. Outsiders are primarily current and prospective bank customers. Their profiles may include from one to three login IDs and passwords – for Internet-, telephone- and ATM-based electronic banking. Their profiles also include customer information such as a mailing address and account numbers. Outsiders only access their login IDs occasionally. Personal profile data provided by outsiders, such as full name, home telephone number, or e-mail address may be inaccurate. 3.2 Different kinds of identity data Just as there are different kinds of users whose identity an enterprise must manage, there are different kinds of data about these users that must be managed: • Personal information. This includes names, contact information and demographic data such as gender or date of birth. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 3
  • 6. Defining Identity Management • Legal information. This includes information about the legal relationship between the enterprise and the user: social security number, compensation, contract, start date, termination date, etc. • Login credentials to target systems. On most systems, this is a login ID and password. Identification may also use a PKI certificate and authentication may use tokens or biometrics or a set of personal questions that the user must answer. 3.3 Identity life cycle As organizations deploy an ever wider array of IT infrastructure, managing that infrastructure and in partic- ular managing users, their identity profiles and their security privileges on those systems becomes increas- ingly challenging. Figure 1 illustrates some of the challenges faced by organizations that must manage many users across many systems. Slow: too much paper, too many people. Expensive: too many administrators doing redundant work. Role changes: add/remove rights. Policies: enforced? Audit: are privileges appropriate? Org. relationships: track and maintain. Reliable: notification of terminations. Fast: response by sysadmins. Complete: deactivation of all IDs. Passwords: too many, too weak, often forgotten. Access: Why can’t I access that application / folder / etc. Figure 1: User Lifecycle Management Challenges In the figure, there are business challenges at each phase of the user lifecycle: 1. Onboarding new users: (a) Delays and productivity: New users need to get productive quickly. Any delays in setting up access rights for new users cost money, in terms of lost productivity. (b) Requests and approvals: IT workers need to be certain that newly created accounts are appropriate. This usually means © 2014 Hitachi ID Systems, Inc.. All rights reserved. 4
  • 7. Defining Identity Management a paper process for requesting, reviewing and approving security changes, such as the creation of new accounts. This approval process may be hard to use, may require excessive effort on the parts of both requesters and authorizers and may introduce delays. (c) Redundant administration: Users typically require access rights that span multiple systems. A new user may need a net- work login, an e-mail mailbox, firewall access and login rights to multiple applications. These accounts are typically created by different administrators, using different tools. This duplication is expensive and time consuming. 2. Managing change: Users often change roles and responsibilities within an organization. They may also change identity attributes (e.g., changes to a user’s surname, contact information, department, manager, etc.). Such changes trigger IT work, to adjust user identity profiles and security rights. Organizations face the same challenges in managing existing users that they face when creating new ones: (a) Delays: Reassigned users waste time waiting for IT to catch up with their requirements. (b) Change requests: Can be awkward to submit and may take time to approve. (c) Redundant administration: Similar changes are often required on different systems. 3. IT support: In the context of routine use of systems, users often encounter problems that require technical support: (a) Forgotten passwords. (b) Intruder lockouts. (c) Access denied errors. Collectively, these problems typically represent a large part of an IT help desk’s call volume. This means both direct cost (support staff) and indirect cost (lost user productivity). 4. Termination: All users leave eventually. When they do, reliable processes are needed to find and remove their security privileges. These processes must be: (a) Reliable: If an organization fails to deactivate the access rights of a departed user, then that user or an intruder impersonating him might abuse the infrastructure or compromise sensitive data. (b) Timely: Access termination must be quick, to minimize the time window available for the aforementioned exploits. (c) Complete: It is not enough to deactivate a departed user’s login IDs on major systems. Every access right should be revoked, to eliminate the possibility of abuse by users inside the network. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 5
  • 8. Defining Identity Management 3.4 Key identity challenges Identity management presents several challenges in most organizations: • Security: Do user entitlements exactly match their needs? Are policies, such as segregation of duties rules, violated? Do access rights persist after they are no longer needed? • Consistency: User profile data entered into different systems should be consistent. This includes name, login ID, contact information, termination date, etc. The fact that each system has its own user profile management system makes this difficult. • Efficiency: Setting a user to access multiple systems is repetitive. Doing so with the tools provided with each system is needlessly costly. • Usability: When users access multiple systems, they may be presented with multiple login IDs, multiple pass- words and multiple sign-on screens. This complexity is burdensome to users, who consequently have problems accessing systems and incur productivity and support costs. • Reliability: User profile data should be reliable – especially if it is used to control access to sensitive data or resources. That means that the process used to update user information on every system must produce data that is complete, timely and accurate. • Scalability: Enterprises manage user profile data for large numbers of people. There may be tens of thousands of insiders and hundreds of thousands of outsiders. Any identity management system used in this environment must scale to support the data volumes and peak transaction rates produced by large user populations. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 6
  • 9. Defining Identity Management 4 Relevant technologies: the solutions Several types of technologies are available to manage user identity data across the enterprise. In general, these systems focus on streamlining the identity management process and managing data consistently across multiple systems. 4.1 Directories The cornerstone of many identity management and access governance infrastructures is a corporate direc- tory. Directories are network services which manage information about users, the organization and IT assets such as servers and printers. They perform a function similar to white pages or yellow pages phone books do for the public telephone infrastructure – enabling users of the network to find information about each- other and about network services. Most modern network directories are accessed using the lightweight directory access protocol (LDAP), which is based on the older, more powerful, but more complicated and less popular X.500 protocol. A directory is just the starting point for identity management and access governance and provides no value in and of itself. To get value organizations must: • Directory-enable their business applications, to eliminate silos of identity information. • Implement effective technology and business processes to manage the contents of their directory. Major platform vendors make inexpensive, robust and scalable directory products. These include: • Microsoft Active Directory. • Novell eDirectory (built on top of NDS). • Sun ONE Directory (formerly Netscape and then iPlanet LDAP). • IBM Directory (formerly Tivoli Directory). • Oracle Internet Directory (OID). There are also some open source directory products, such as OpenLDAP and Red Hat Directory Server. 4.2 Meta Directories Meta directories are engines that synchronize data about users between different systems. Most modern IAG systems include what amounts to a meta directory, though it may not be labeled as such. A meta directory works as follows: • Connectors to multiple target systems are configured, to read and write user profile data. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 7
  • 10. Defining Identity Management • Data streams from integrated systems are merged, to construct a master database of user profile information. • Where a user’s data in the master database differs from that user’s profile on a lower-priority target system, the target system is updated to reflect the user’s current information. • Users may be added to or removed from target systems, based on changes detected on systems of record. Meta directories simplify user administration by propagating changes from systems of record to target sys- tems, eliminating manual updates. Since meta directories need not not expose a user interface, or interact directly with users, they can be thought of as “plumbing” embedded in the IAG infrastructure. 4.3 Web access management / Web single sign-on A Web access management (WebAM) / Web single sign-on (WebSSO) system is middleware used to manage authentication and authorization of users accessing one or more web-enabled applications. Is supports single sign-on across systems and applications which do not natively support federation. A WebSSO system intercepts initial contact by the user’s web browser to a web application and either verifies that the user had already been authenticated (typically tracking authentication state in a cookie) or else redirects the user to an authentication page, where the user may use a password, token, PKI certificate or other method to authenticate himself. Once a user is authenticated, the WebAM component of the system controls the user’s access to application functions and data. This is done either by filtering what content the user can access (e.g., URL filtering) and by exposing an API that the application can use to make run-time decisions about whether to display certain forms, fields or data elements to the user. WebSSO / WebAM products typically use an LDAP directory as a back-end repository, to identify all users. They often come tightly integrated with an “identity management and access governance” application, which enables delegated and in some cases self-service administration of the contents of that single directory. Federation is almost always preferable to WebSSO. 4.4 Password management Password management is a combination of password synchronization between systems and applications and self-service password reset. Password synchronization is any process or technology that helps users to maintain a single password, subject to a single security policy, across multiple systems. Password synchronization is an effective mechanism for addressing password management problems on an enterprise network: © 2014 Hitachi ID Systems, Inc.. All rights reserved. 8
  • 11. Defining Identity Management • Users with synchronized passwords tend to remember their passwords. • Simpler password management means that users make significantly fewer password-related calls to the help desk. • Users with just one or two passwords are much less likely to write down their passwords. There are two ways to implement password synchronization: • Transparent password synchronization, where native password changes, that already take place on a common system (example: Active Directory) are automatically propagated through the password management system to other systems and applications. • Web-based password synchronization, where users are asked to change all of their passwords at once, using a web application, instead of continuing to use native tools to change passwords. Self-service password reset is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate method and repair their own problem, without calling the help desk. Users who have forgotten their password or triggered an intruder lockout may launch a self-service applica- tion using an extension to their workstation login prompt, using their own or another user’s web browser or through a telephone call. Users establish their identity, without using their forgotten or disabled password, by answering a series of personal questions, using a hardware authentication token or by providing a bio- metric sample. Users can then either specify a new, unlocked password or ask that a randomly generated one be set. Self-service password reset expedites problem resolution for users after a problem has already occurred and reduces help desk call volume. It can also be used to ensure that password problems are only resolved after strong user authentication, eliminating an important weakness of many help desks: social engineering attacks. One of the core features of Hitachi ID Password Manager from Hitachi ID Systems is self-service password reset. 4.5 Enterprise single sign-on Users who log into many systems may prefer to sign into one master system and thereafter be able to launch applications having to type their ID or password again. Most legacy and client/server systems cannot share authentication with modern infrastructures such as Kerberos or SAML. However, it is possible to store user credentials outside of the various applications and automatically enter them into applications when prompted. Enterprise single sign-on (E-SSO) systems do just that: users sign into the E-SSO application, which stores every user’s login ID and password to every supported application. Users launch various applications through the E-SSO client software, which opens the appropriate client program and sends keystrokes to that program simulating the user typing his own login ID and password. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 9
  • 12. Defining Identity Management Since they require the installation of client software, E-SSO systems are only appropriate for use by insiders. E-SSO systems have had limited success in large production environments for a number of reasons: • Deployment and integration costs. • Concerns about security, due to the fact that the SSO system stores every user’s password to every system. • Concerns about availability, since if the SSO system fails, entire user populations will be unable to log into their systems and so will basically stop working. Note that one E-SSO system does not store user passwords, but instead relies on password synchronization (Hitachi ID Login Manager) – http://Hitachi-ID.com/Login-Manager. 4.6 User provisioning A user provisioning system is shared IT infrastructure which is used to pull the management of users, identity attributes and security entitlements out of individual systems and applications, into a shared infras- tructure. User provisioning is intended to make the creation, management and deactivation of login IDs, home direc- tories, mail folders, security entitlements and related items faster, cheaper and more reliable. This is done by automating and codifying business processes such as onboarding and termination and connecting these processes to multiple systems. User provisioning systems work by automating one or more processes: • Auto-provisioning: Detect new user records on a system of record (such as HR) and automatically provision those users with appropriate access on other systems and applications. • Auto-deactivation: Detect deleted or deactivated users on an authoritative system and automatically deactivate those users on all other systems and applications. • Identity synchronization: Detect changes to personal data, such as phone numbers or department codes, on one system and automatically make matching changes on other systems for the same user. • Self-service requests: Enable users to update their own profiles (e.g., new home phone number) and to request new entitle- ments (e.g., access to an application or share). • Delegated administration: Enable managers, application owners and other stake-holders to modify users and entitlements within their scope of authority. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 10
  • 13. Defining Identity Management • Access certification: Periodically invite managers and application owners to review lists of users and security entitlements within their scope of authority, flagging inappropriate entries for further review and removal. • Authorization workflow: Validate all proposed changes, regardless of their origin and invite business stake-holders to approve them before they are applied to integrated systems and applications. • Consolidated reporting: Provide data about what users have what entitlements, what accounts are dormant or orphaned, change history, etc. across multiple systems and applications. As well, a user provisioning system must be able to connect these processes to systems and applications, using connectors that can: • List existing accounts and groups. • Create new and delete existing accounts. • Read and write identity attributes associated with a user object. • Read and set flags, such as “account enabled/disabled,” “account locked,” and “intruder lockout.” • Change the login ID of an existing account (rename user). • Read a user’s group memberships. • Read a list of a group’s member users. • Add an account to or remove an account from a group. • Create, delete and set the attributes of a group. • Move a user between directory organizational units (OUs). 4.7 Role Based Access Control Role-based access control (RBAC) is an approach to managing entitlements, intended to reduce the cost of security administration, ensure that users have only appropriate entitlements and to terminate no-longer- needed entitlements reliably and promptly. In the context of a single system or application, RBAC means granting privileges directly to roles and attaching users to roles. Users acquire privileges through role membership, rather than directly. Within a single system, roles are sometimes called security groups or user groups. Single-system RBAC is a time tested and successful strategy, as it allows administrators to group users, group privileges and attach groups of privileges to groups of users, rather than attaching individual privileges to individual users. Identity management and access governance systems extend RBAC beyond single applications. Roles in an IAM system are sets of entitlements that may span multiple systems and applications. The key element of roles is to replace many technical entitlements with fewer roles that business users can understand. Business users can then a reasonable determination of which users should have which roles. This implicitly specifies which users should have which technical entitlements. Roles consist of entitlements – login accounts and security group memberships. Roles are often also nested – i.e., one role can contain others. Nesting roles can reduce the cost of role administration. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 11
  • 14. Defining Identity Management 4.8 Access Certification Regulatory compliance requirements and security policies increasingly demand that organizations maintain effective controls over who has access to sensitive corporate information and personal data about employ- ees and customers: • Systems must limit access to just the right users, at just the right time. • Organizations must be able to provide auditable evidence that these controls are in place and effective. Section 404 of Sarbanes-Oxley specifically states that management must assess the effectiveness of internal controls on an annual basis. • Organizations must be able to report which internal users currently have and had in the past, access to sensitive data. Meeting these requirements can be challenging as users often have unique and changing business respon- sibilities, thus making their entitlements difficult to model using formal roles and rules. The difficulty in modeling complex, heterogeneous entitlements is compounded by the fact that although users accumulate entitlements over time, they rarely ask IT to terminate old, unneeded rights. Moreover, it is difficult to predict when, after a change in responsibilities, a user will no longer function as a backup resource for his old job and so old entitlements can be safely deactivated. These challenges together mean that it is difficult to model all of the entitlements that users need across multiple systems and applications at a single point in time and likely impossible to model those needs for thousands of users, over multiple systems, over an extended period of time. Access certification is a process where business stake-holders are periodically invited to review entitle- ments, sign-off on entitlements that appear to be reasonable and flag questionable entitlements for possible removal. There are several components to access certification: • Discovery: Before entitlements can be reviewed, they have to be collected from systems and applications and mapped to users. Technical identifiers should be replaced by human-legible descriptions that review- ers will understand. Since entitlements change all the time, discovery should be a regularly scheduled, automated process, not a one-time data load. • Who performs the reviews? Options include managers – asked to review their subordinates, application or data owners – asked to review lists of users who can access their applications or data or security officers – asked to review high risk entitlements. • When are reviews performed? The frequency may vary with the business risk posed by the entitlements in question. • What kinds of entitlements are reviewed? © 2014 Hitachi ID Systems, Inc.. All rights reserved. 12
  • 15. Defining Identity Management The highest level review is of employment status – should the user in question still have access to any systems? Slightly more granular is a review of roles – should the user in question still have these roles? At the lowest level of granularity are basic entitlements – should the user in question have a login ID on this system or belong to this security group? • Which entitlements warrant a review? Not every entitlement poses a significant business risk. User membership in the social committee mailing list is not really worth reviewing, for example. Some determination must be made of the risk level posed by each entitlement, as this forms the basis for deciding whether to review it and how often. • What happens to rejected entitlements? Reviewers may flag entitlements as inappropriate, in which case something should be done. Does this raise a work order in an IT issue management system or trigger a connector to revoke the entitlement immediately? Should further reviews take place before the entitlement is reviewed? © 2014 Hitachi ID Systems, Inc.. All rights reserved. 13
  • 16. Defining Identity Management 5 Identity management: a simple definition With the above sections in mind, we propose a simple definition to encapsulate the various capabilities of enterprise identity management technologies: Identity management and access governance is defined as a shared platform and consistent processes for managing information about users: who they are, how they are authenticated and what they can access. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 14
  • 17. Defining Identity Management 6 Beyond the enterprise Identity management can extend beyond a single organization: • Customers would like to access multiple web sites without re-authenticating to each one. • Employees would like to access vendor web resources without registering or re-authenticating. • Companies would like to be able to provision their own users with access to partner and vendor resources automatically. Federation enables applications in different domains to share information about users. • Federated sites must have some pre-established relationship, bilaterally or in a group. • Information about users is exchanged: – Identity: Who is this user? – Authentication: How/when did the user sign in? – Authorization: What is the user allowed to do? • Federation enables single sign-on between sites: – User signs into one site (company A). – User clicks into another site (company B). – Site A passes information about the user to Site B. – The user is not asked for his ID/password by site B. • In some deployment pattern, federation eliminates some user management: – Site B trusts Site A to name its own users. – Site B does not create its own objects for Site A users. There are multiple standards for federation, including the security assertion markup language (SAML – v1 and v2) and WS*Security. In order to work, federation requires that software at one site can communicate identity, authentication and authorization site to software at another site: • Different organizations use different software products to manage user identity, authentication and authorization. • To interoperate, different software products rely on standard protocols. • There are multiple standards regarding federation: © 2014 Hitachi ID Systems, Inc.. All rights reserved. 15
  • 18. Defining Identity Management – Liberty Alliance ID-FF and ID-WSF. – Security Assertions Markup Language (SAML). – WS-Federation. – Shibboleth. • The standards are complex, so it is reasonable to assume that different products implement them somewhat differently and may not be 100% compatible. The problem with standards is that there are so many of them... Hitachi ID Management Suite is intended to help an organization manage user identities and entitlements in a single domain – its own. It is compatible with federation products and protocols, but does not implement federation directly. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 16
  • 19. Defining Identity Management 7 Conclusions Identity management is a class of technologies intended to streamline the management of user identity information both inside and outside an enterprise. It includes: • Directories, especially those using LDAP. • Password management. • Enteprise single sign-on. • Web access management and web single sign-on. • User provisioning. • Federation. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 17
  • 20. Defining Identity Management 8 References • Various projects to make identity management span multiple systems on the Internet: – The Liberty alliance: http://www.projectliberty.org/. – W3C P3P Project: http://www.w3.org/P3P/. – Security Assertions Markup Language (SAML), http://www.oasis-open.org/committees/security/#documents. www.Hitachi-ID.com 500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com File: / pub/ wp/ documents/ define-idm/ what-is-id-management-6.tex Date: 2009-12-30