In the first article in this series I highlighted a
broad range of business and technology trends which demand identity
management.
Organisations have to bring together a well understood set of
identity management capabilities in an organised fashion if they
are to respond effectively to these trends, which is the subject of
this article.
Identity management paints a complex picture for users.
Organisations have pursued, and continue to pursue, identity
management projects in response to short-term business
requirements. It is common to see multiple, siloed deployments of
identity management,
alongside a set of fragmented identity management capabilities
locked away in business applications, information repositories and
other IT resources.
Over the next 2-3 years the ongoing supplier consolidation and
the associated shift away from a best-of-breed approach towards
integrated identity management suites will mean identity management
capabilities become a part of IT infrastructure, delivered as
shared services. This will be accelerated by SOA initiatives, which
demand that common identity management capabilities such as
authentication and authorisation can be exploited by business
function and information services.
Effective control of identity management services for a SOA will
require the use of policies which define the identity-specific
requirements of each interaction, such as how a consumer of a
business function service must be authenticated or their rights to
access particular information. Since these identity services depend
on identity data, it will be necessary to maintain a reconciled and
unified view of identity information.
Regulatory compliance will also exert its influence, and with it
concerns about identity theft; this increased emphasis will require
role-based approaches to security which grade authentication and
authorisation to reflect more accurately the risks borne by all
parties in a transaction.
Another factor is that services will increasingly depend on
collaboration between service providers. This means there will be a
need for federation amongst those service providers, so that once a
user has been authenticated by one service, no further
authentication would be required.
All of this means identity management must be delivered as a set
of horizontal, resource-agnostic capabilities, as opposed to
vertical, resource-specific, fragmented silos.
Any architecture blueprint for identity management must be based
on a clear separation of identity management concerns, with
identity management capabilities delivered as a set of distributed
infrastructure services, underpinned by a federated identity data
repository.
Resources access these services through policy-based mediation,
which also serves to control the monitoring and audit functions
required to mitigate risk and enforce and demonstrate
compliance.
Identity data must be managed throughout its lifecycle, from
core data maintenance through to provisioning and de-provisioning,
by a set of processes implemented using automated workflow and
process management technologies, to increase efficiency, enforce
consistency and facilitate integration of identity management and
business processes.
Open standard protocols and data formats bridge the gaps between
the layers to facilitate interoperability between the architectural
components and the broader IT infrastructure.
Neil Macehiter is a partner at advisory company Macehiter
Ward-Dutton. The next article will cover standards initiatives for
identity management.
www.mwdadvisors.com
Core tenets of identity management
- Identity management needs to transition from an architectural
approach which is resource-centric to one which is
identity-centric
- The authentication mechanisms must reflect the levels of risk
and the granularity of the resources associated with that risk,
without over-burdening the individual
- Hybrid identity data integration approaches are required to
combine the benefits of metadirectory and virtual directory
technologies, allied with tooling to assist with data
reconciliation
- There is a need to authorise access to business functions and
information at the level of each service using policy-based
approaches to the definition and enforcement of access control
requirements
- A federated approach is required for the mediation of the
relationships at the heart of identity management, which in turn
depends on managing and brokering the trust that underpins those
relationships
- Identity management capabilities must be delivered as
distributed infrastructure services, which exploit existing services
and are defined according to clear contracts which are enforced
through policies
- Roles must be modelled at the intersection of identities,
entitlements and organisational structures and managed as part of
the broader identity management lifecycle.
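To make the policy-based mediation described in the architecture (and the second and fourth tenets above) concrete, here is an added illustration that is not part of the original article or of any product it discusses: a small Python mediator that grades each interaction by the risk-appropriate authentication strength and the roles entitled to it, returning allow, deny or step-up and appending to an audit trail. The service names, roles, authentication levels and policies are constructed for the example.

```python
"""Risk-graded, policy-based access mediation (constructed example)."""
from dataclasses import dataclass

# Authentication mechanisms ordered from weakest to strongest (constructed).
AUTH_LEVELS = {"password": 1, "otp": 2, "certificate": 3}


@dataclass
class Policy:
    """Identity requirements of one interaction with a service."""
    min_auth: str        # weakest authentication mechanism acceptable for this risk
    allowed_roles: set   # roles entitled to invoke this service/action


@dataclass
class Caller:
    """The reconciled identity view presented to the mediator."""
    subject: str
    roles: set
    auth_method: str


# Constructed policy set keyed by (service, action); anything absent is denied.
POLICIES = {
    ("customer-lookup", "read"): Policy("password", {"agent", "manager"}),
    ("customer-lookup", "export"): Policy("otp", {"manager"}),
    ("payment", "approve"): Policy("certificate", {"manager"}),
}


def mediate(caller, service, action, audit):
    """Return 'allow', 'deny' or 'step-up' and record the decision for audit."""
    policy = POLICIES.get((service, action))
    if policy is None:
        decision = "deny"        # default deny for interactions with no policy
    elif not caller.roles & policy.allowed_roles:
        decision = "deny"        # caller holds no entitled role
    elif AUTH_LEVELS.get(caller.auth_method, 0) < AUTH_LEVELS[policy.min_auth]:
        decision = "step-up"     # entitled, but authenticated too weakly for the risk
    else:
        decision = "allow"
    audit.append(f"{caller.subject} {action} {service} via {caller.auth_method}: {decision}")
    return decision


if __name__ == "__main__":
    trail = []
    mediate(Caller("bob", {"manager"}, "password"), "customer-lookup", "export", trail)
    print("\n".join(trail))
```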
Comment on this article:
computer.weekly@rbi.co.uk