www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
18 April 2005  

Application

Mapping identities

Identity management solutions have evolved from basic management tools to those that solve security and compliance issues, says Sushma Naik

The lack of a single sign-on (SSO) solution is often an organisation’s Achilles heel. The minute an employee leaves the company, his e-mail login is removed. That isn’t always enough, however, as during his tenure the employee may have been given access to other IT systems. Unless that access is denied, ex-employees could penetrate internal networks. Not surprisingly, the Meta Group estimates that, on average, only 62 percent of a user’s access is removed when the employee leaves the organisation.

For companies with multiple IT systems, an SSO solution is necessary, as managing a login for each and every application and computing system is a daunting proposition. Implementing such a solution lets an enterprise manage user rights more effectively and makes it easier for users to log on to all applications using a single login. It is expected that most organisations will have identity-based IT infrastructure where all applications are aware of identities.

While ‘identity management’ is not a very common term, progressive organisations have already implemented comprehensive identity management solutions or are in the process of evaluating these tools from a strategic standpoint. A key driver for identity management is the savings it brings in terms of operational costs from greater efficiency in data management. Traditionally, companies evaluate solutions across various parameters, especially when there are overlapping features among products. For instance, many databases and directories have their own access-control features. As identity management tools or SSO tools can be used to provide access to applications, they save considerably on IT management. Identity management tasks are typically under the purview of several departments. Because an SSO solution enables access to many applications across the network, it reduces time spent on managing user access and answering queries put to the technical help desk.

Fuelling identity management

Compliance is driving the market for identity management solutions. Enforcing and auditing authentication practices and access control policies is a critical element of compliance projects. Multiple regulations such as Sarbanes-Oxley and HIPAA mandate different aspects of privacy or accountability. This requires organisations to have IT systems to ensure that employees get access only to resources they have permissions for. For example, Novell’s SSO Solution helps enterprises check whether their policies are being correctly implemented. It permits the detection of system break-ins.

Comments Ashit Panjwani, National Manager, Alliances and Marketing, Onward Novell Software India, “By using the log analysis feature of an SSO solution, organisations can enhance their efforts to enforce privileges and ensure compliance with applicable governmental regulations.”

Deploying an identity management solution gives an organisation the ability to understand exactly who its users are and what each user’s relationship with the organisation is. It also helps the organisation apply this knowledge to all its systems, thereby securely connecting users to the tools they need to be productive.

Consider an industry like BPO, where companies are subject to multiple regulations that mandate privacy and accountability. Says Bithin Talukdar, Market Development & Alliances Manager, HP Software, “Privacy regulations such as the EU directive or the US sector-specific legislation such as the Gramm-Leach-Bliley Act of 1999 create controls on how personal identity information can be processed in IT systems.” These regulations establish requirements for the privacy policy control component of an identity management system, and impose constraints on how businesses can exploit identity information.

“With advanced auditing features, it is possible to provide a log of users with the time that they log in. This can be used to detect patterns and single out exceptions,” says B Raghunandan, Senior Consultant, Computer Associates India.

Beyond SSO

SSO is no longer enough to sell an identity management solution. What is required are features such as user security management, which deals with how to provision and consolidate users into a single directory to enable access to diverse applications.

Identity management solutions support features such as self-service password and identity management, where users reset their own passwords and update their personal identity details. For example, consider the BPO sector. Identity management solutions are useful in BPO firms as they ease user profile management. “There is nearly 40 percent attrition in the BPO space, which makes manual intervention quite impractical. Automated identity management systems are a boon in such environments,” says Srikiran Raghavan, Regional Head, RSA Security India.

With dozens of applications, users often deal with more accounts, passwords and personal identity attributes than any busy professional can be expected to keep track of. Passwords are often forgotten and personal information or attributes change. This results in users calling up the help desk for assistance. Automating this process helps deal with ghost or rogue accounts. An example of a ghost account could be a user account which is still present on the network even after the employee has left the organisation.
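
The ghost-account check described above can be automated by reconciling each system's account list against HR records. The following is an added example, not part of the original article or of any vendor's product; the record layout, the system names and all sample data are constructed, and it assumes each export still lists disabled accounts.

```python
# Constructed sample data: HR status per user, and per-system account
# exports mapping username -> whether the account is still enabled.
HR_RECORDS = {
    "asharma": {"status": "active"},
    "rmenon": {"status": "left"},
    "pdesai": {"status": "left"},
}
SYSTEM_ACCOUNTS = {
    "email": {"asharma": True, "rmenon": False, "pdesai": False},
    "crm": {"asharma": True, "rmenon": True, "pdesai": False},
    "vpn": {"asharma": True, "rmenon": True},
    "payroll": {"asharma": True, "pdesai": True, "svc_backup": True},
}


def find_ghost_accounts(hr, systems):
    """Return (system, user, reason) for every enabled account that
    belongs to a leaver or has no matching HR record at all."""
    findings = []
    for system, accounts in systems.items():
        for user, enabled in accounts.items():
            if not enabled:
                continue  # already de-provisioned on this system
            record = hr.get(user)
            if record is None:
                findings.append((system, user, "no HR record"))
            elif record["status"] == "left":
                findings.append((system, user, "leaver"))
    return sorted(findings)


def leaver_removal_rate(hr, systems):
    """Fraction of leavers' accounts that have been disabled, the
    measure behind the 62 percent estimate quoted in the article."""
    total = disabled = 0
    for accounts in systems.values():
        for user, enabled in accounts.items():
            if hr.get(user, {}).get("status") == "left":
                total += 1
                disabled += not enabled
    return disabled / total if total else 1.0


if __name__ == "__main__":
    for system, user, reason in find_ghost_accounts(HR_RECORDS, SYSTEM_ACCOUNTS):
        print(f"{system:8} {user:12} {reason}")
    print(f"leaver access removed: {leaver_removal_rate(HR_RECORDS, SYSTEM_ACCOUNTS):.0%}")
```

In the constructed data the e-mail logins of both leavers are disabled, yet three of their accounts on other systems remain enabled, which is the situation the article's opening warns about.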

Provisioning provides a solution to the administrative problems caused by frequent changes in the workforce by combining the end-user self service components of secure identity management with the policy-based synchronisation of user accounts and passwords.

For a large company dealing with thousands of employees, suppliers and customers, provisioning enables fast and easy activation or deactivation of privileges. Features like user self-service management allow users to enrol and manage their profiles independently, and automatically assign data and network entitlements based on the information users submit at the time of enrolment.

Still evolving

Identity management has evolved with time. In the nineties, the Lightweight Directory Access Protocol (LDAP) was used in identity management solutions. LDAP is a protocol for accessing information directories such as those of organisations, individuals, phone numbers, and addresses that support TCP/IP for Internet usage. As LDAP did not fully meet the demands of identity management, new technologies were considered and adopted. SAML (Security Access Markup Language) is intended to provide a session-based security solution for authentication and authorisation across disparate systems and organisations through the use of XML. Security Provisioning Markup Language has been proposed as a standard for managing the process of provisioning accounts across disparate systems. Then there is XACML, an XML specification for defining the rules that specify which, when and how users can access what information. There are other industry initiatives such as the Liberty Alliance Project which allows cross-system interaction through SSO.

Consider a situation where a certain customer is a regular user of different services from particular agencies, airlines or five-star hotels. Using SAML, based on his profile, he will be able to access all the sites of the different entities involved using a single login.

“Today, identity information can be synchronised across a wide range of directory and non-directory identity stores using technologies such as Active Directory, LDAP Interchange Format (LDIF) and Directory Services Markup Language,” says Ravi Datanwala, TS Manager, Microsoft India. Industry organisations such as the World Wide Web Consortium (W3C) are developing standards that would enable global identity management in which each individual can be uniquely identified and all applicable data and information can be linked to that identity.

In future, identity management infrastructure can be embedded even in devices such as telephones, and provisioning of telephone services for new employees can be simplified using an embedded identity infrastructure.

IM product suites
Company | Solution | Features
Computer Associates | eTrust Access Control | Access control, directory services and single sign-on facility.
IBM | Tivoli Identity Manager | Centralised web administration with facility to delegate role- and rule-based administration. Also has a provision of self-service interfaces where users can manage their user names and passwords.
Microsoft | Microsoft Identity Integration Server | Automated account provisioning and de-provisioning, password synchronisation with management capabilities.
HP | OpenView Identity Management | Delegated administration, user self-service management and consolidated auditing system.
Novell | Secure Identity Management | Identity management, Web access control, single sign-on and self service interfaces.

sushma@expresscomputeronline.com

 


© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.