
Identity management


In information systems, identity management, sometimes referred to as identity management systems, is the management of the identity life cycle of entities (subjects or objects) during which:

  1. the identity is established:
    1. a name (or number) is connected to the subject or object;
    2. the identity is re-established: a new or additional name (or number) is connected to the subject or object;
  2. the identity is described:
    1. one or more attributes which are applicable to this particular subject or object may be assigned to the identity;
    2. the identity is newly described: one or more attributes which are applicable to this particular subject or object may be changed;
  3. the identity is destroyed.


Identity Management in Public and Private Domain

Identities may be managed by either the entities themselves or by other parties, which may be private parties, for example employers or shops, or public parties like personal records offices and immigration services. Identity management in the public domain is known by the name of National Identity Management.

Electronic Identity Management (IdM)

Identity management (IdM) has developed several interpretations in the IT industry and is now associated with the management of a user's credentials and how they might log on to an online system. However, this view is quite narrow. The focus on identity management goes back to the development of directories such as X.500, where a namespace is used to hold named objects that represent real-life "identified" entities such as countries, organizations, applications, subscribers and devices. X.509 defined certificates that carried identity attributes as two directory names, the certificate subject and the certificate issuer. X.509 certificates and PKI systems are used to prove one's online "identity". Therefore we can consider identity management as the management of information (as held in a directory) that represents real-life identified items (users, devices, services, etc.). Engineering such systems means that explicit information and identity engineering tasks become necessary.

The evolution of identity management closely follows the progression of internet technology. In the early 90s, when static web pages and portals were the norm, corporations looked into providing informative content such as employee 'white pages' on the web. Subsequently, as the information changed due to employee changes, provisioning and de-provisioning, the ability to allow self-service and help desk updates more efficiently morphed into what is known as Identity Management today.

Typical identity management functionalities include the following:

  • User information self-service
  • Password reset
  • Lost password management
  • Workflows
  • Provisioning and de-provisioning of identities from resources

Identity management also refers to solving the age-old 'N+1' problem, where any time a new application is added, a new user datastore is created. The ability to centrally manage the provisioning and de-provisioning of identities, and to consolidate the proliferation of identity stores, are all part of the identity management process. The term identity engineering is used where one puts engineering effort into managing large numbers of interrelated items that have identifiers or names.
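The reconciliation that central de-provisioning depends on, as an added example that is not part of the original article: one authoritative identity source is compared against several per-application user stores to find accounts that outlived their identity. The store names, fields, records and the `reconcile` helper are all constructed for illustration.

```python
"""Reconcile one authoritative identity source against several application
user stores and list accounts that de-provisioning missed.
All store names, fields and records below are constructed sample data."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Account:
    store: str                  # application datastore holding the account
    username: str               # local login name, may differ per store
    identity_id: Optional[str]  # correlation attribute; None = never linked

# Authoritative source: identity id -> lifecycle state.
IDENTITIES = {
    "E100": "active",
    "E101": "active",
    "E102": "destroyed",        # identity life cycle has ended
}

# The "N+1" stores: each application grew its own user datastore.
ACCOUNTS = [
    Account("mail", "alice", "E100"),
    Account("mail", "carol", "E102"),
    Account("crm", "ALICE.A", "e100"),        # same person, different casing
    Account("crm", "c.jones", "E102"),
    Account("helpdesk", "bob", "E101"),
    Account("helpdesk", "svc-backup", None),  # no owner recorded
    Account("helpdesk", "dave", "E999"),      # id unknown to the source
]

def reconcile(identities, accounts):
    """Return (deprovision, review): accounts whose identity is no longer
    active, and accounts that cannot be tied to any known identity."""
    known = {k.upper(): state for k, state in identities.items()}
    deprovision, review = [], []
    for acct in accounts:
        if acct.identity_id is None:
            review.append((acct, "uncorrelated"))
            continue
        state = known.get(acct.identity_id.upper())
        if state is None:
            review.append((acct, "unknown identity"))
        elif state != "active":
            deprovision.append(acct)
    return deprovision, review

if __name__ == "__main__":
    drop, review = reconcile(IDENTITIES, ACCOUNTS)
    for a in drop:
        print(f"de-provision {a.store}:{a.username} (identity {a.identity_id})")
    for a, why in review:
        print(f"review       {a.store}:{a.username} ({why})")
```

Accounts in the review list are the ones a consolidated identity store is meant to eliminate: without a correlation attribute they cannot be de-provisioned automatically when the owning identity is destroyed.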

IdM - Three Perspectives

In the real world context of engineering online systems, identity management can be given three perspectives:

  • The pure identity paradigm - creation, management and deletion of identities without regard to access or entitlements;
  • The user access (log-on) paradigm - a smart card and its associated data that a customer uses to log on to a service or services (a traditional view);
  • The service paradigm - a system that delivers personalized, role-based, online, on-demand, multimedia (content), presence-based services to users and their devices.

The User Access Paradigm

Identity Management in the user "log on" perspective would be an integrated system of business processes, policies and technologies that enable organizations to facilitate and control their users' access to critical online applications and resources — while protecting confidential personal and business information from unauthorized access. It represents a category of interrelated solutions that are employed to administer user authentication, access rights, access restrictions, account profiles, passwords, and other attributes supportive of users' roles/profiles on one or more applications or systems.

The Service Paradigm

In the service paradigm perspective, where organizations are evolving their systems to the converged services world, the scope of identity management becomes much larger and its application more critical. The scope of identity management includes all the resources of the company that are used to deliver online services. This includes devices, network equipment, servers, portals, content, applications and products as well as a user's credentials, address books, preferences, entitlements and telephone numbers. See Service Delivery Platform and Directory service.

Today many organizations are facing a major clean-up in their systems to bring identity coherence to their world. This coherence is required in order to deliver unified services to very large numbers of users on demand - cheaply and with security and single customer view facilities.

Emerging Fundamental Points of IdM

  • IdM provides a significantly greater opportunity to an online business beyond the process of authenticating and authorizing users via cards, tokens and web access control systems.
  • User-based IdM is evolving from username/password and web access control systems to those that embrace preferences, parental controls, entitlements, policy-based routing, presence and loyalty schemes.
  • IdM provides the focus to deal with system-wide data quality and integrity issues often encountered by fragmented databases and workflow processes.
  • IdM embraces what the user actually gets in terms of products and services and how and when they do that. Therefore IdM applies to the products and services of an organization such as health, media, insurance, travel or government services, as well as how these products are provisioned and assigned to (or removed from) "entitled" users.
  • IdM can deliver a single customer view that includes their presence and location, single product and services and single IT infrastructure and network views to the respective parties and therefore IdM is related intrinsically to information engineering and information security and privacy.
  • IdM covers the machinery (system infrastructure components) that delivers such services because a user's service could be assigned to: a particular network technology; content title; usage rights; media server; mail server; soft switch; voice mail box; product catalogue set; security domain; billing system; CRM or help desk and so on.
  • Critical to IdM projects are considerations of the online services of an organization (what are the users logging on to) and how are they managed from an internal perspective and the customer self care perspective.

IdM Solutions

Solutions which fall under the category of Identity Management:

Management of Identities

Access Control

Directory Services

  • Identity Repository (directory services for administration of user account attributes)
  • Metadata Replication/Synchronization
  • Directory Virtualization (virtual directory)
  • e-business scale directory systems
  • Next generation systems - Composite Adaptive Directory Services (CADS) and CADS SDP - see Service Delivery Platforms

Other categories

Standards Initiatives

Implementation challenges with Identity management (IdM)

  • Getting all the stakeholders to have a common view of data
  • Expectation to make the IdM system a data synchronization engine for application data
  • Challenges in envisaging the right business process leading to post production challenges
  • Lack of leadership and support from the sponsors
  • Overlooking Change Management - Expecting everybody to go through the self learning process
  • Lack of definition of the post-production phase in the project plan: for a smooth transition of the system to the end-user community, it is critical that the organization is geared up for proper support through the transition or stabilization phase. This may take up to 3-6 months.
  • Lack of focus on Integration testing
  • Lack of consistent Architectural vision
  • Expectations for "over automation"

Copyrights
Identity management from Wikipedia. ©2006 by Wikipedia. Licensed under the GNU Free Documentation License.
