
What is Identity Management?

[Figure: components of identity management arranged around a central "Identity Management" hub: Password Management, Single Sign On, Federation, Secure Remote Access, Role Management, Web Services Security, Auditing & Reporting, Authorization, Digital Rights Management, Strong Authentication, PKI]

Identity Management

Identity management is the combination of business process and technology used to manage data on IT systems and applications about users. Managed data includes user objects, identity attributes, security entitlements and authentication factors.

IAM technology can be used to initiate, capture, record and manage user identities and their related access permissions in an automated fashion. This ensures that access privileges are granted according to one interpretation of policy and that all individuals and services are properly authenticated, authorized and audited.

Definitions

Identity Management (IDM): the process by which the components of an identity management system manage the account life cycle for network entities in an organization; it most commonly refers to the management of an organization's application users.
Provisioning: a technology- and process-based solution for enforcing and managing the creation, reading, updating and deletion of user accounts according to a defined security policy. Provisioning is also a means of propagating security policy, for example by setting access rights on management systems based on group memberships and/or role assignments.
Authentication: the process of verifying the identity claimed by an entity, based on its credentials.
Authorization: the process of determining whether a user has the right to access a requested resource.
Authorization Policies: declarations that define the entitlements of a security principal and any constraints attached to those entitlements.
Account Life Cycle: the steps taken to provision access for a user to a given system resource.
RBAC (Role-Based Access Control): granting access to a system resource through programmatic logic driven by the roles assigned to the user.
Authoritative Resource: the system of reference for employment status and position description.
Target System Resource: the system or application in which automated provisioning takes place.
LDAP: the Lightweight Directory Access Protocol, an application protocol for querying and modifying directory services over TCP/IP.
Single Sign On: a property of access control across multiple related but independent software systems, whereby a user logs in once and gains access to all of them without being prompted to log in again at each one. Single sign-off is the reverse property: a single sign-out action terminates access to multiple software systems.

Identity Management overview

Midsize-to-large organization identity sources:
Active Directory
Other directory services
HR systems
Databases
Custom line-of-business (LOB) applications
Third-party Software as a Service (SaaS) Web applications
Local system accounts on Windows, Linux or Unix
Email

Different kinds of users

Enterprises manage identity data about two broad kinds of users:
Insiders: including employees and contractors. Insiders spend most of their working hours engaged with the enterprise. They often access multiple internal systems and their identity profiles are relatively complex.
Outsiders: including customers, partners and vendors. There are normally many more outsiders than insiders. Outsiders generally access only a few systems (e.g., CRM, e-Commerce, retirement benefits, etc.) and access these systems infrequently. Identity profiles about outsiders tend to be less detailed and less accurate than those about insiders.

Different kinds of identity data

Just as there are different kinds of users whose identity an enterprise must manage, there are different kinds of data about these users that must be managed:
Personal information. This includes names, contact information and demographic data such as gender or date of birth.
Legal information. This includes information about the legal relationship between the enterprise and the user: social security number, compensation, contract, start date, termination date, etc.
Login credentials to target systems. On most systems, this is a login ID and password. Identification may also use a PKI certificate, and authentication may use tokens, biometrics or a set of personal questions that the user must answer.

Key identity challenges

Identity management presents several challenges in most organizations:
Security: Do user entitlements exactly match their needs? Are policies, such as segregation of duties rules, violated? Do access rights persist after they are no longer needed?
Consistency: User profile data entered into different systems should be consistent. This includes name, login ID, contact information, termination date, etc. The fact that each system has its own user profile management system makes this difficult.
Efficiency: Setting up a user to access multiple systems is repetitive. Doing so with the tools provided with each system is needlessly costly.
Usability: When users access multiple systems, they may be presented with multiple login IDs, multiple passwords and multiple sign-on screens. This complexity is burdensome to users, who consequently have problems accessing systems and incur productivity and support costs.
Reliability: User profile data should be reliable, especially if it is used to control access to sensitive data or resources. That means the process used to update user information on every system must produce data that is complete, timely and accurate.
Scalability: Enterprises manage user profile data for large numbers of people. There may be tens of thousands of insiders and hundreds of thousands of outsiders. Any identity management system used in this environment must scale to support the data volumes and peak transaction rates produced by large user populations.

Multiple Contexts

[Figure: the company and its employees at the centre, surrounded by its remote and virtual employees, suppliers, customers and partners. Drivers shown: customer satisfaction and customer intimacy, cost competitiveness, reach and personalization, collaboration, outsourcing, faster business cycles and process automation, value chain, M&A, mobile/global workforce, flexible/temp workforce]

The Disconnected Reality

[Figure: each system (Enterprise Directory, HR System, NOS, Lotus Notes Apps, Infra Application, COTS Application, two In-House Applications) maintains its own separate Authentication, Authorization and Identity Data]

Identity Chaos

Lots of users and systems required to do business.
Multiple repositories of identity information; multiple user IDs, multiple passwords.
Decentralized management, ad hoc data sharing.

Pain Points

IT Admin: too many user stores and account admin requests; unsafe sync scripts.
Developer: redundant code in each app; rework code too often.
End User: too many passwords; long waits for access to apps and resources.
Security/Compliance: too many orphaned accounts; limited auditing ability.
Business Owner: too expensive to reach new partners and channels; need for control.
Identity Integration Server

[Figure: an Enterprise Directory and an Identity Integration Server sit between the HR System, Student Admin, Lotus Notes Apps, Infra Application, COTS Application and two In-House Applications, each of which still holds its own Authentication, Authorization and Identity Data]
IAM Benefits

Benefits today (tactical):
Save money and improve operational efficiency
Improved time to deliver applications and service

Benefits to take you forward (strategic):
New ways of working
Improved time to market
Enhance security
Regulatory compliance and audit
Closer supplier, customer, partner and employee relationships

What is IDM? Identity and Access as a Service

[Figure: consumers of the service (End Users, Policy Managers, Apps & Services, DBAs) use a shared set of capabilities: Delegated Administration, Identity Analytics, RBAC & SoD, Self Service, Fraud Prevention, Identity & Role Lifecycle Management, Authentication & Monitoring, Authorization, Workflow]

Benefits: trusted and reliable security; efficient regulatory compliance; lower administrative and development costs; enable online business networks; better end-user experience.

Account Life Cycle: what are we capturing?

[Figure: Manual New Hire Employee Provisioning Process]

Account Life Cycle: what about removal of access?

[Figure: Manual Employee De-Provisioning Process]
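As an added example (not part of the original deck), the following Python sketches an automated version of the provisioning and de-provisioning steps above in the deck's own terms: an authoritative resource (an HR feed) drives the account life cycle on a target system, entitlements are derived from roles (RBAC), and the challenges from the "Key identity challenges" slide are flagged: orphaned accounts, access rights that persist after they are no longer needed, and segregation-of-duties violations. All role names, entitlements and records are constructed sample values.

```python
# Added example, not from the slides: reconcile an authoritative HR feed against
# accounts on a target system. Role names, entitlements and records are constructed.
from dataclasses import dataclass, field

# RBAC: each role maps to the entitlements it grants on the target system.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"erp:create_invoice"},
    "ap_approver": {"erp:approve_invoice"},
    "engineer": {"git:push", "vpn"},
}
# Segregation-of-duties rule: these roles must never be held by one person.
SOD_CONFLICTS = [frozenset({"ap_clerk", "ap_approver"})]

@dataclass
class Plan:
    create: dict = field(default_factory=dict)  # login -> entitlements to grant
    disable: set = field(default_factory=set)   # terminated or orphaned logins
    revoke: dict = field(default_factory=dict)  # login -> stale entitlements
    sod: dict = field(default_factory=dict)     # login -> conflicting roles

def reconcile(hr, target):
    """hr: login -> {"status", "roles"}; target: login -> granted entitlements."""
    plan = Plan()
    for login, rec in hr.items():
        wanted = set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in rec["roles"]))
        for pair in SOD_CONFLICTS:
            if pair <= rec["roles"]:
                plan.sod[login] = set(pair)  # policy violated by the role assignment
        if rec["status"] != "active":
            if login in target:  # leaver who still has an account: de-provision
                plan.disable.add(login)
            continue
        if login not in target:  # new hire: provision from roles
            plan.create[login] = wanted
        elif target[login] - wanted:  # rights that persist after no longer needed
            plan.revoke[login] = target[login] - wanted
    plan.disable |= set(target) - set(hr)  # orphans: no record in the authority
    return plan

# Constructed sample input: HR is the authoritative resource, TARGET the system.
HR_FEED = {
    "alice": {"status": "active", "roles": {"engineer"}},
    "bob": {"status": "terminated", "roles": {"ap_clerk"}},
    "carol": {"status": "active", "roles": {"ap_clerk", "ap_approver"}},
}
TARGET_ACCOUNTS = {
    "bob": {"erp:create_invoice"},
    "carol": {"erp:create_invoice", "erp:approve_invoice", "vpn"},
    "dave": {"vpn"},  # no HR record at all
}
```

Running `reconcile(HR_FEED, TARGET_ACCOUNTS)` yields a plan that creates alice's account from her role, disables bob (terminated) and dave (orphaned), revokes carol's unneeded vpn right and reports her SoD conflict.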

Relevant technologies: the solutions

Several types of technologies are available to manage user identity data across the enterprise. In general, these systems focus on streamlining the identity management process and managing data consistently across multiple systems.

Directories

The cornerstone of many identity management and access governance infrastructures is a corporate directory. Major platform vendors make inexpensive, robust and scalable directory products. These include:
Microsoft Active Directory.
Novell eDirectory (built on top of NDS).
Sun ONE Directory (formerly Netscape and then iPlanet LDAP).
IBM Directory (formerly Tivoli Directory).
Oracle Internet Directory (OID).

Meta Directories

Meta directories are engines that synchronize data about users between
different systems. Most modern IAG systems include what amounts to a
meta directory, though it may not be labeled as such.

Web access management / Web single sign-on

A Web access management (WebAM) / Web single sign-on (WebSSO) system is middleware used to manage authentication and authorization of users accessing one or more web-enabled applications. It supports single sign-on across systems and applications that do not natively support federation.

Password management

Password synchronization is any process or technology that helps users to maintain a single password, subject to a single security policy, across multiple systems.

Enterprise single sign-on

Enterprise single sign-on (E-SSO) systems do just that: users sign into the E-SSO application, which stores every user's login ID and password for every supported application. Users launch the various applications through the E-SSO client software, which opens the appropriate client program and sends keystrokes to that program, simulating the user typing his own login ID and password.

Conclusions

Identity management is a class of technologies intended to streamline the management of user identity information both inside and outside an enterprise. It includes:
Directories, especially those using LDAP.
Password management.
Enterprise single sign-on.
Web access management and web single sign-on.
User provisioning.
Federation.
