
Approaching Identity Management

IdM | WorkBlog

The latest Information Week (March 15, 2004) has a significant article on The Need For Identity Management. The article inspired me to start documenting APU's need for further pursuing an Identity Management (IdM) strategy. The article in Information Week also had some interesting points of discussion.

The promise of Identity Management is to improve security, boost worker productivity, cut costs, and reduce the "integration friction" usually connected with giving employees, business partners, customers, and suppliers access to internal systems. The process starts internally, but the long-term objective is clear: build a series of interconnected systems so that an employee logged on to his company's intranet can access a business partner's systems and have those systems automatically trust the employee's digital credentials. The way to do this is through standards. This perspective of cross-organizational authorization is called Federated Identity Management. Dan Blum of the Burton Group has a good definition of federation: "standards and agreements that make identity and entitlements portable across autonomous domains".

The article mentions SAML (Security Assertion Markup Language), an XML-based framework for exchanging security information, and the Liberty Alliance, a consortium of more than 150 companies developing an open ID-management standard that makes use of SAML. The article fails to mention the great efforts within Internet2 on a second standard based on SAML, called Shibboleth. Universities have already achieved success with online library resource vendors implementing a shared security model that allows access to restricted resources in a federated model.

American Express VP Barret says "multiple logons just drive employees crazy," and certainly this is a universal complaint, one that APU has attempted to address by consolidating accounts for the most used services using directories. Also important is the security of passwords: Canadian Pacific Railroad Manager of IS Val King emphasizes the importance of conducting password-cracking tests often.

I was glad that the article pointed out the value of provisioning in saving time and money in the time it takes for a new hire to gain access to services, or to transition between roles. Provisioning includes applications that automate the creation of employee electronic identities and grant them access to apps and network services.

Nextel acknowledges that they didn't attempt to sell IdM as an end in itself, but rather attached it to their PeopleSoft human resource improvement project, which created an opportunity to also work on identity management.

Even more important, however, than attaching IdM to an initiative is the acknowledgement that it is more of a business challenge than a technical dilemma.

The technical challenges may take time, but they aren't that hard; it's the business and management decisions that take time and require planning. In some cases, it's easy to figure out which manager should grant an employee access to a specific application. But who's in charge of managing that access or turning it off when an employee takes a leave of absence or is out on a long medical leave? If it isn't clear who's in charge of granting access, "you get into a lot more work and tough decisions," Deffet says. "That includes building a consensus for the best approach that works for everybody in the process."

This confirms the fallacy of thinking that a single vendor can provide you with an application called "Identity Management 1.0" that will solve all of your problems.

Most provisioning, access-control, and identity-management applications don't support a wide enough variety of applications, databases, and operating systems, says Gene Fredriksen, VP for information security at Raymond James & Associates. The financial-services firm is evaluating identity-management vendors. "So far, it doesn't seem like any single vendor can do everything or provide everything you need," he says.

Then there's that question of trust. As GM learned with its test, it probably won't be technical issues that keep identity-management systems from making the leap from handling internal applications and employees to managing access for nonemployees working for business partners or suppliers. It's likely to take many businesses much longer to work out the legal and security issues involved in letting outsiders gain single-sign-on access.

It's a lofty goal, but one that is critical to pursue.