Identity Management Journey Defined

Posted by Unknown on Thursday, January 20, 2011

Organisations can typically be defined by the stages of Identity Management they have gone through. This identification tag can be used to predict both the current pain points and the expected future pain points. I thought it would be an interesting exercise to have a look at one view of what these stages might look like.

Stage 1 – Directory

This is the stage where attributes mean everything. Organisations are grappling with how and where to store attributes, how to keep attributes accurate, how to stop the proliferation of attributes and how to manage them. It is also the most sensitive issue, both in relation to privacy and to ownership: privacy in the sense that users want their information kept secure, and ownership in the sense of inter-departmental arguments over who has the ‘right’ attribute and who can access it. eDirectory, Active Directory and Sun Directory are the main players from vendor land, and additional tooling can include load balancing, proxy servers and management tools.

Stage 1a – Meta Directory

Worth a special mention, though not a fully fledged stage of its own, is the Meta Directory phase, where everyone madly rushed to build uber-directories with the dream of having all attributes stored in a single location for ease of management and access. Ah, what a dream!! CRASH… yep, not really a good idea and very hard to control. Political nightmares, legal nightmares, compliance nightmares… and the nightmares go on. Meta directories were the answer to this: create another location that references the attribute's actual location. In principle the right idea, and with the advent of virtual directory technologies, a lightweight set of pointers if you like, this is today a valid way to have the dream in a virtual manner without actually relocating the attributes. The lesson learned here is that attributes belong where they are: HR attributes should stay with the HR system, etc.

Stage 2 – Access Management

Single sign on gives way to simplified sign on (what a security nightmare single sign on could be) as organisations look to use the attributes to manage access to applications and services. This stage is about defining policies for users' access, getting rid of a plain yes/no answer and allowing a more flexible ‘yes you can, under these conditions’ or ‘based on current conditions I give you access to this; if you want more, provide more’. The attributes from stage 1 are authenticated using a range of security methods, from username/password to biometrics, and the authentication result is used as an input to the authorisation decision for access to the applications and services. The key players include Oracle, Sun Access Manager, IBM TAM and CA SiteMinder. I would also give a special call-out mention to OpenSSO and its open source equivalent, which is looking very promising with simplification and ease of use as core drivers.

Stage 2b – Federation

Another sub-stage worth pointing out is Federation, or the ability to make identities portable. Federation is access management applied to identities that exist in other domains. So it's about how you can accept an authenticated identity from a trusted third party and make policy decisions based on that third party's credentials without re-authenticating the user.

The lesson of stage 2 is that the attributes, the authentication and the authorisation should all remain separate. Attributes belong with the owner of the identity, authentication should be done by whoever the user trusts, and authorisation belongs to the owner of the application or service. That way the gatekeeper of the application can say ‘based on who you are (attributes), with what credentials and who/when you got them from (authentication), I will grant you access to X level (authorisation)’.
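Putting the Stage 1a and Stage 2 lessons into code, as an added illustration that is not from the original post: the ‘single view’ is a set of pointers that reads each attribute live from its owning system, and the application's own policy combines those attributes with who authenticated the user, how and when, answering ‘this much now, more if you step up’. The source names, access levels, trusted issuers and freshness limits are all assumed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Constructed sample data. Each attribute stays in its owning system (the Stage 1a
# lesson); the "virtual directory" below holds pointers only, never copies.
SOURCES = {"hr": {"u123": {"dept": "finance", "employment": "active"}},
           "ad": {"u123": {"mail": "a.user@example.invalid"}}}
POINTERS = {"department": ("hr", "dept"), "status": ("hr", "employment"), "email": ("ad", "mail")}

def single_view(user_id):
    """Resolve a user's attributes live by following pointers to their owners."""
    view = {}
    for name, (source, key) in POINTERS.items():
        record = SOURCES[source].get(user_id, {})
        if key in record:
            view[name] = record[key]
    return view

@dataclass
class AuthContext:
    method: str          # e.g. "password" or "otp"
    issuer: str          # the identity provider the user trusts; may be a federated partner
    issued_at: datetime  # when that provider authenticated the user

# Authorisation policy owned by the application (the Stage 2 lesson), highest level first:
# (level, attribute conditions, accepted authentication methods, maximum authentication age).
TRUSTED_ISSUERS = {"corp-idp", "partner-idp"}
LEVELS = [
    ("full", {"department": "finance", "status": "active"}, {"otp"}, timedelta(minutes=15)),
    ("read", {"status": "active"}, {"password", "otp"}, timedelta(hours=8)),
]

def decide(view, auth, now):
    """Return (granted_level, level_available_with_step_up); 'deny' when nothing fits."""
    if auth.issuer not in TRUSTED_ISSUERS:
        return ("deny", None)
    step_up_to = None
    for level, required, methods, max_age in LEVELS:
        if not all(view.get(k) == v for k, v in required.items()):
            continue  # attributes do not qualify for this level at all
        if auth.method in methods and now - auth.issued_at <= max_age:
            return (level, step_up_to)
        if step_up_to is None:
            step_up_to = level  # attributes qualify; a stronger or fresher login would unlock it
    return ("deny", step_up_to)

def evaluate(user_id, method, issuer, minutes_since_login):
    """Convenience wrapper: resolve the live view, build the auth context, decide."""
    now = datetime(2011, 1, 20, 9, 0, tzinfo=timezone.utc)  # fixed clock for the sample
    auth = AuthContext(method, issuer, now - timedelta(minutes=minutes_since_login))
    return decide(single_view(user_id), auth, now)
```

Because the view is resolved on every call, a change in the HR system (say, an employee terminated) is reflected in the next decision without any copy to synchronise.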

Stage 3 – Provisioning

The stage most organisations have matured to is the automation of provisioning: the workflow piece that allows life-cycle management of a user and the adding, editing and deleting of application accounts from a single point. This stage provides real business value in efficiencies, security and service delivery, but is very difficult to achieve without the first two stages under control. The big players again are Novell, IBM, Sun and Oracle, all of whom can do the task at hand with competent product. The key in this space is implementation; getting the right partner with the right approach is critical… for a hint see the previous blog on Identity Management in 90 days. The lesson we learn here is that roles are plentiful and difficult to manage…

Stage 4 – Roles and Compliance

Debate could rage over whether this is one stage or two; for now the market seems to view them as one, but I suspect over time they will break into two distinct stages. This stage is about identifying roles and managing compliance of things like separation of duties and role-based provisioning methods. It's a very tangible ROI, and there are some simple quick wins that can be done in a reasonable time frame with a minimal budget to get great results, such as just being able to see who has access to what applications in your organisation… The market in this space is still consolidating, so it is a bit of a moving target in relation to main players, with acquisitions on the go constantly. At a basic level there is directory-based role management from Microsoft and the like, but the high-value end of the market is where the real returns are, such as Sun Role Manager (ex-Vaau), Oracle (Bridgestream), the more recently CA-acquired Eurekify and the niche stand-alones SailPoint and Aveksa.
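An added example (not from the post) of the ‘who has access to what’ quick win and a separation-of-duties check run over it: account exports from several applications are folded into one access matrix, and each SoD rule is tested against every person's combined holdings, so a toxic pairing split across two applications is still caught. The application names, entitlements and rules are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: account exports gathered from three applications, as a provisioning
# system would collect them. Each tuple is (application, account owner, entitlement).
ACCOUNT_EXPORTS = [
    ("erp", "alice", "create_vendor"),
    ("erp", "alice", "approve_payment"),
    ("erp", "bob", "approve_payment"),
    ("ad", "bob", "domain_admin"),
    ("hr", "carol", "change_salary"),
    ("erp", "carol", "approve_payment"),
]

# Separation-of-duties rules (assumed, for illustration): sets of entitlements that no
# single person may hold together, even when they sit in different applications.
SOD_RULES = [
    ("SoD-01", frozenset({("erp", "create_vendor"), ("erp", "approve_payment")})),
    ("SoD-02", frozenset({("hr", "change_salary"), ("erp", "approve_payment")})),
]

def access_matrix(exports):
    """Who has access to what: user -> set of (application, entitlement)."""
    matrix = defaultdict(set)
    for app, user, entitlement in exports:
        matrix[user].add((app, entitlement))
    return dict(matrix)

def users_of(matrix, app):
    """Everyone holding any account in the given application, sorted for reporting."""
    return sorted(user for user, held in matrix.items() if any(a == app for a, _ in held))

def sod_violations(matrix, rules):
    """(rule_id, user) for every user whose holdings cover a complete toxic combination."""
    return sorted((rule_id, user) for rule_id, toxic in rules
                  for user, held in matrix.items() if toxic <= held)
```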

These stages largely play out in the order they appear here, because each was born out of the complexities and lessons of the previous one. For example, role management arose powerfully on the back of provisioning, because for provisioning to be automated and its value maximised, roles must be known and manageable.

A footnote to this, however: of late I have noticed many organisations skipping the provisioning stage to do roles and compliance first. I think there are two reasons for this: firstly, the pain of roles during provisioning is profound and now quite well known, and secondly, roles and compliance can add immediate value without the previous stage having been done. It may be that over the next 12 months we see these two stages swap places in the preferred order of the journey.

Now here is the clincher… put the stages together in summary and I believe you get one of the better definitions of Identity Management. Here is my take:

* To create a single view of a user, using accurate and authoritative attributes wherever they live. Use these attributes to create policies, and then provision and police access to applications and services in a secure and compliant fashion. Lastly, it's important to provide the tools, processes and governance that automate and manage the life-cycle of the users, roles and policies over time.
