Everything You wanted to Know about IdM but forgot to ask…

Sunday, January 13th, 2008

I wrote this for a Networking Class, feel free to use this paper with proper credits. Also feel free to comment.

Federated Identity Management

Introduction

The increasingly complicated enterprise networking and security environment of 21st century business demands a solution that is flexible and secure. The job of the network manager is becoming increasingly difficult as new technologies emerge to further integrate business and create better economies of scale. In this environment of integration, company mergers, and everyday security threats, the network manager must use the best tools at his disposal to perform mission-critical functions, namely the design and upgrade of existing networks and the day-to-day operations of the network. Identity management is a significant aspect of both design and operations and lies within the narrower field of security.

Security can take on many guises, particularly in controlling the flow of information internally and externally. Increasingly distributed architectures such as Service Oriented Architecture are raising new questions about how best to maintain corporate security. Identity management systems address this issue by providing authentication and provisioning services to network managers. Key aspects of Identity Management systems include adding and deleting users, assigning permissions for file and document access, designating outside partner permissions and granting access to the network, and facilitating Single Sign On (SSO) procedures that eliminate waste and redundancy within an enterprise architecture.

Federated IdM In Detail

IdM greatly facilitates the mundane task of managing system access across the enterprise. Federated identity management systems allow partner companies to access each other's secure networks and attain certain permission privileges on each other's servers. [Car03] This eliminates the time needed to set up individual accounts and to perform repetitive tasks in every situation where the partners' IT infrastructures connect. For example, in large organizations such as SuperValu Supermarkets, the user base is close to 1.5 million users, both internal and federated. The task of managing their identities is daunting even for their 12-man team and the SunOne IdM platform.[1] It is therefore easy to see the significance and relevance of IdM systems for huge enterprises that need to manage access permissions efficiently and quickly; it cannot be done without an automated IdM solution acting as the workhorse of the IdM team.

Identity management has several critical components. The fundamental framework of IdM is Role Based Access Control (RBAC).[NIST95] Defined in the 1990s, RBAC outlines the behavior of the access-granting system and is the basis for provisioning users based on their roles within an organization. The components that spring from this model include access management, provisioning, authentication, and SSO. Access management relies on authentication to validate the identities of the clients attempting to gain access. It is akin to a token network system where every client needs a token to be able to transmit. In the IdM world every user has a role defined by certain environmental and hierarchical variables.

Provisioning is the act of the system or the administrator setting attributes that determine what permissions the user will have and what roles are encompassed in the workflow for that particular user. Some systems require manual provisioning; however, one of the large incentives for purchasing and implementing an enterprise IdM is automatic provisioning, which can be performed at the user level by the user without administrative interference. Many functions can be delegated to the users, freeing the administrators to focus on other pressing matters. Once the authentication server receives a request, it finds the credentials associated with that request in its store and matches the identity to the password. It then determines how the user was provisioned and what workflows he is eligible to participate in, assigning him permissions for the various applications and databases.
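An added example (not part of the paper) of the RBAC model and provisioning flow described above: roles map to permissions, users are provisioned into roles, and the access-management check runs after authentication. Role, user and application names are constructed for illustration.

```python
# Added example, not from the paper: a minimal RBAC store of the kind an IdM
# system maintains. Role, user and "app:action" permission names are constructed.
from dataclasses import dataclass, field


@dataclass
class RbacStore:
    """Central store: roles -> permissions, users -> roles."""
    role_permissions: dict = field(default_factory=dict)  # role -> set("app:action")
    user_roles: dict = field(default_factory=dict)        # user -> set(role)

    def define_role(self, role, permissions):
        self.role_permissions[role] = set(permissions)

    def provision(self, user, roles):
        """Provisioning step: assign roles, which grants access across all apps at once."""
        unknown = set(roles) - self.role_permissions.keys()
        if unknown:
            raise ValueError(f"undefined roles: {sorted(unknown)}")
        self.user_roles.setdefault(user, set()).update(roles)

    def deprovision(self, user):
        """Remove the user entirely; every application access disappears in one step."""
        self.user_roles.pop(user, None)

    def permissions_of(self, user):
        roles = self.user_roles.get(user, set())
        return set().union(*(self.role_permissions[r] for r in roles))

    def is_allowed(self, user, app, action):
        """Access-management check performed after the user has authenticated."""
        return f"{app}:{action}" in self.permissions_of(user)


def demo():
    """Provision a partner user, check access, then deprovision and check again."""
    store = RbacStore()
    store.define_role("buyer", ["scm:read", "scm:order"])
    store.define_role("partner-readonly", ["scm:read", "erp:read"])
    store.provision("alice", ["buyer"])
    store.provision("vendor-bob", ["partner-readonly"])
    before = (store.is_allowed("vendor-bob", "scm", "read"),
              store.is_allowed("vendor-bob", "scm", "order"))
    store.deprovision("vendor-bob")
    after = store.is_allowed("vendor-bob", "scm", "read")
    return before, after  # ((True, False), False)
```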

As Federated IdM began to emerge as the idea in the market, the Liberty Alliance, created in 2001, became the body that oversees SSO authentication standards [Wikic], as well as providing authentication for SSO. Liberty works hand in hand with the standards group OASIS [Oasis07] to provide standard delineation and definition to emerging technologies such as SAML.

Federated IdM relies on the Security Assertion Markup Language (SAML) to coordinate SSO authentication between different intranets, in essence providing the glue for the Federated IdM platform. [Wikid] The technology rests heavily on XML and, together with Active Directory and LDAP protocols, provides the building blocks for IdM platforms.
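An added example (not from the paper) of the assertion exchange that SAML-based federated SSO rests on: the partner's identity provider (IdP) authenticates the user and asserts identity and roles; the service provider (SP) verifies the issuer, signature, audience and expiry before mapping the asserted roles to local permissions. Real SAML carries XML assertions with XML-Signature; this example uses JSON and HMAC-SHA256 over a shared secret as a simplified stand-in, and all names, keys and URLs are constructed.

```python
# Added example, not from the paper: a simplified federated SSO assertion exchange.
# JSON + HMAC stand in for SAML's XML assertion + XML-Signature. All values constructed.
import hashlib
import hmac
import json
import time

# SP-side trust configuration: which partner IdPs are trusted and their verification keys.
TRUSTED_IDP_KEYS = {"https://idp.partner.example": b"constructed-shared-secret"}
SP_AUDIENCE = "https://scm.companya.example"
ROLE_TO_LOCAL_PERMS = {"buyer": {"scm:read", "scm:order"}, "auditor": {"scm:read"}}


def sign(payload: dict, key: bytes) -> str:
    """Sign a canonical serialization so any change to the payload breaks the signature."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def issue_assertion(issuer, subject, roles, audience, key, now=None, ttl=300):
    """IdP side: after authenticating the user locally, assert identity and roles to one SP."""
    now = time.time() if now is None else now
    payload = {"issuer": issuer, "subject": subject, "roles": sorted(roles),
               "audience": audience, "not_on_or_after": now + ttl}
    return {"payload": payload, "sig": sign(payload, key)}


def consume_assertion(assertion, now=None):
    """SP side: verify before trusting. Returns (True, local permissions) or (False, reason)."""
    now = time.time() if now is None else now
    payload, sig = assertion["payload"], assertion["sig"]
    key = TRUSTED_IDP_KEYS.get(payload.get("issuer"))
    if key is None:
        return False, "untrusted issuer"          # federate only with vetted partners
    if not hmac.compare_digest(sign(payload, key), sig):
        return False, "bad signature"             # tampered or forged assertion
    if payload.get("audience") != SP_AUDIENCE:
        return False, "wrong audience"            # assertion meant for another SP
    if now >= payload.get("not_on_or_after", 0):
        return False, "expired"                   # replayed old assertion
    perms = set().union(*(ROLE_TO_LOCAL_PERMS.get(r, set()) for r in payload["roles"]))
    return True, perms
```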

While many companies rely on client-server n-tier architectures to take care of the IdM architecture, a host-based system hosting the IdM platform would be highly effective in increasing security and minimizing the load of the n-tier architectures that many IdM platforms invariably require. Thin clients can perform very well in an SSO environment, especially since all the authentication is done on the server or the mainframe. The terminal can essentially be the presentation layer and leave all the application logic to the servers.

The cost of IdM systems depends on the vendor and how the client chooses to implement the solution. If the client is willing to have the vendor's professional services implement the solution, the price can be 100% more than hiring an independent consultant with expertise in the implementation, but with no guarantee in the case of a failed implementation. On the other hand, the cost savings associated with a successful IdM implementation are found in reduced help desk and administrative costs as well as improved collaboration and user satisfaction.

Another useful feature of federation is SSO, Single Sign On. This is a key feature of identity management systems that allows a single password to access multiple applications and network appliances without needing multiple passwords and combinations. SSO is useful for busy network managers as they attempt to juggle not only the design and maintenance of the network but also its security. SSO allows network managers to spend less time searching for lost passwords and more time doing administration work to improve the network. SSO also plays a large role in federating two disparate environments and is one of the key forces behind IdM implementation.

There are many different vendor tools such as Tivoli, Openview, SunOne, and BMC. [Micro07, Nov07, Ora07, QUE07, Sun07] There are many different vendors that offer network management solutions with identity management being a module in their platform. Each one has particular quirks, and the consultants who implement each one will vouch for the product they implement.[2]

The following is a comprehensive representation (courtesy of IBM Tivoli) of an IdM environment that splits into distinct layers representing the workflow of the IdM process, beginning with an SSO login and propagating through the systems, attaining the various permissions that are provisioned to the user.

[3]

IdM systems have the effect of securing large network segments by assigning permissions and authentication requirements to various user groups. If a user has certain permissions, his successful login triggers the grants that give him access to the resources permitted to him under the system. Unauthorized personnel will not have that access, and the number of network resources allocated to dealing with single-user authorizations will be decreased.

Furthermore, the need to have large databases that would store the keys and the identities of all these people is reduced. The number of servers that have to act as authentication servers is reduced, increasing the capacity of the network and reducing the physical footprint of the resources assigned to identity management. For example, suppose company A is a large manufacturing company that needs to give its vendors access to its SCM system in order to facilitate parts ordering and resupply. It could assign several administrators to monitor the voluminous password files that would result from all the different vendor entities trying to log in, tying up data communications and bogging down critical network resources or requiring more to be purchased. With a Federated SSO, the account manager would have one password that would automatically authenticate them for numerous application accesses, eliminating the need for costly upgrades and human resources.

In the increasingly competitive marketplace, having the ability to actively collaborate with your partners and clients by giving them access to your network systems without complicated red-tape procedures, in a well-established and highly secure environment, is a large competitive advantage to the firm. The ability to share documents, intranets, SCM, ERP, and CRM systems creates synergy that the enterprise can use to its advantage. Such federated networks increase the efficiencies of scale of the large enterprise servers installed at the federated companies, as they are used not only by the company itself but by the partner companies, increasing utilization and creating a higher data flow.

Federated IdM solutions are used both in the private sector and in the government sector. [EC302] Identity management is probably one of the oldest forms of government control and influence, and in today's turbulent times it is becoming more important than ever. Due to the ever-growing size of the internet and the continuing growth of our reliance on technology to provide solutions and facilitate government transactions, IdM within the government space is becoming essential to provide a safe and secure body politic. While IdM in private corporations is becoming commonplace without any serious objections on civil liberties grounds, the government is facing increasing pressure not to implement national identity programs, which would in effect rely heavily on centralized IT IdM systems to drive these vast authentication networks, due to concern over civil liberties.

As with every system that strives to reach across security borders and grants access to foreign organizations, there are risks involved with IdM. [Vnunet07] The risk of giving one client access to your secure system can mean the entire organization can be compromised. If one hacker gains access to one secure identity password that has access on an SSO basis across the entire organization, the whole idea behind the particular IdM setup can be thrown out the window. And if this password happens to be a high-level one, the company can lose millions.

While IdM is useful, it must be implemented carefully, and federation must take place only with partner companies who have equally stringent security policies, in order not to undermine the authentication and security measures of its partners. Failure to ensure proper security measures on the part of a partner can compromise the whole federated environment.

Conclusion

Federated Identity Management systems allow crucial network and business communications assets to be managed effectively over a multi-enterprise landscape. IdM is a security and a network management tool, and its versatility in handling end users makes it a very attractive application choice for any large corporation. Since companies are growing and constantly seeking to integrate partners and vendors into their ERP processes, Federated IdM plays a crucial part in providing these collaborative networks with the access that each partnering resource needs without employing an inordinate number of administrators or expending a large amount on infrastructure.

It is likely that in the future, Federated IdM will continue to play an increasingly crucial role in the development of business partnerships and in building cooperation not only between large enterprises but also between smaller businesses, as well as governments on a national and international level. The effects of federated systems on business communications will be more and more evident as faster networks begin fusing with each other, creating virtual circuits governed by IdM logic. Even with this positive outlook comes a word of warning regarding federated security and intrusion risks that can diminish the returns of an IdM system.

Following the pervasive networking ideology, every company will be plugged into all of its suppliers, customers, and partners, and having strong IdM systems to manage all of these will be a mission-critical function within the networking department. Furthermore, if business continues to rely heavily on IT for competitive advantage, federated systems will play a large role in determining who is profitable and competitive.

References:

[Car03] Carr, David F. “What’s Federated Identity Management?” http://www.eweek.com/article2/0,4149,1378436,00.asp

[EC302] NECCC. “Identity Management: A White Paper.” http://www.ec3.org/Downloads/2002/id_management.pdf

[Inter07] Internet2. “Identity and Access Management.” http://www.internet2.edu/pubs/200703-IS-MW.pdf

[Kau07] Kaushik, Nishant. Blog. http://blogs.oracle.com/talkingidentity/newsItems/departments/identityAsAService

[Micro07] Microsoft Identity Manager. http://www.microsoft.com/windowsserver2003/technologies/IdM/default.mspx

[NIST95] Ferraiolo, David. “An Introduction to Role-Based Access Control.” http://csrc.nist.gov/rbac/NIST-ITL-RBAC-bulletin.html

[Nov07] Novell Identity Manager. http://www.novell.com/products/identitymanager/

[Oasis07] OASIS web site. http://www.oasis-open.org/home/index.php

[Ora07] Oracle Identity Management. http://www.oracle.com/technology/products/id_mgmt/index.html

[QUE07] Quest Identity Management. http://www.quest.com/identity-management/

[Sun07] Sun Identity Management. http://www.sun.com/software/products/identity/

[Vnunet07] “IDM projects must be implemented with caution, say experts.” http://www.vnunet.com/itweek/news/2166140/IdM-projects-implemented

[Wiki] Identity Management. http://en.wikipedia.org/wiki/Identity_management

[Wikia] Federated Identity. http://en.wikipedia.org/wiki/Federated_identity

[Wikic] Liberty Alliance. http://en.wikipedia.org/wiki/Liberty_Alliance

[Wikid] SAML. http://en.wikipedia.org/wiki/SAML

[1] I worked on an Albertsons project staffing their team. I had to find an engineer who would supplement their 12-person IdM team.

[2] I spoke with an Openview Implementation consultant who disparaged the Microsoft platform, while Sun consultants generally prefer their platform.

[3] http://www.hrsltd.com/img/solutions/diagram_sso_itim2.gif