Identity management for SOA era

In the first article in this series I highlighted a broad range of business and technology trends which demand identity management.

Organisations have to bring together a well understood set of identity management capabilities in an organised fashion if they are to respond effectively to these trends, which is the subject of this article.

Identity management paints a complex picture for users. Organisations have pursued, and continue to pursue, identity management projects in response to short-term business requirements. It is common to see multiple, siloed deployments of identity management, alongside a set of fragmented identity management capabilities locked away in business applications, information repositories and other IT resources.

Over the next 2-3 years the ongoing supplier consolidation and the associated shift away from a best-of-breed approach towards integrated identity management suites will mean identity management capabilities become a part of IT infrastructure, delivered as shared services. This will be accelerated by SOA initiatives, which demand that common identity management capabilities such as authentication and authorisation can be exploited by business function and information services.

Effective control of identity management services for a SOA will require the use of policies which define the identity-specific requirements of each interaction, such as how a consumer of a business function service must be authenticated or their rights to access particular information. Since these identity services depend on identity data, it will be necessary to maintain a reconciled and unified view of identity information.

Regulatory compliance will also exert its influence, and concerns about identity theft and the increased emphasis on it will require role-based approaches to security which grade authentication and authorisation to more accurately reflect the risks to all parties in a transaction.

Another factor is that services will increasingly depend on collaboration between service providers. This means there will be a need for federation amongst those service providers, so that once a user has been authenticated by one service, no further authentication would be required.

All of this means identity management must be delivered as a set of horizontal, resource-agnostic capabilities, as opposed to vertical, resource-specific, fragmented silos.

Any architecture blueprint for identity management must be based on a clear separation of identity management concerns, with identity management capabilities delivered as a set of distributed infrastructure services, underpinned by a federated identity data repository.

Resources access these services through policy-based mediation, which also serves to control the monitoring and audit functions required to mitigate risk and enforce and demonstrate compliance.
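The policy-based mediation step described above, as an added example that is not code from the article: each service operation carries a policy stating the minimum authentication assurance a consumer must present (graded by the risk of the operation) and the roles entitled to invoke it; the mediator enforces both and records an audit entry for every decision, allowed or denied. The operations, assurance scale and roles are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed, ordered assurance scale: a higher value means a stronger
# authentication method was used by the identity provider.
ASSURANCE = {"password": 1, "otp": 2, "certificate": 3}

@dataclass(frozen=True)
class Policy:
    min_assurance: int        # required strength, graded by the operation's risk
    allowed_roles: frozenset  # roles entitled to invoke the operation

@dataclass
class Consumer:
    subject: str
    auth_method: str          # how the consumer was authenticated
    roles: frozenset = field(default_factory=frozenset)

# Constructed policies for two operations of a hypothetical "payments" service:
# viewing is low risk, approving is higher risk and needs stronger authentication.
POLICIES = {
    "payments.view": Policy(1, frozenset({"clerk", "manager"})),
    "payments.approve": Policy(2, frozenset({"manager"})),
}

# Every decision is recorded so the mediation layer can feed monitoring and audit.
AUDIT_LOG: list[dict] = []

def mediate(operation: str, consumer: Consumer) -> bool:
    """Decide whether the consumer may invoke the operation; always audit."""
    policy = POLICIES.get(operation)
    if policy is None:
        allowed, reason = False, "no policy: deny by default"
    elif ASSURANCE.get(consumer.auth_method, 0) < policy.min_assurance:
        allowed, reason = False, "authentication too weak for operation risk"
    elif not (consumer.roles & policy.allowed_roles):
        allowed, reason = False, "no entitled role"
    else:
        allowed, reason = True, "policy satisfied"
    AUDIT_LOG.append({"subject": consumer.subject, "operation": operation,
                      "allowed": allowed, "reason": reason})
    return allowed
```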

Identity data must be managed throughout its lifecycle, from core data maintenance through to provisioning and de-provisioning, by a set of processes implemented using automated workflow and process management technologies, to increase efficiency, enforce consistency and facilitate integration of identity management and business processes.

Open standard protocols and data formats bridge the gaps between the layers to facilitate interoperability between the architectural components and the broader IT infrastructure.

Neil Macehiter is a partner at advisory company Macehiter Ward-Dutton. The next article will cover standards initiatives for identity management.

Core tenets of identity management

  • Identity management needs to transition from an architectural approach which is resource-centric to one which is identity-centric
  • The authentication mechanisms must reflect the levels of risk and the granularity of the resources associated with that risk, without over-burdening the individual
  • Hybrid identity data integration approaches are required to combine the benefits of metadirectory and virtual directory technologies, allied with tooling to assist with data reconciliation
  • There is a need to authorise access to business functions and information at the level of each service using policy-based approaches to the definition and enforcement of access control requirements
  • A federated approach is required for the mediation of the relationships at the heart of identity management, which in turn depends on managing and brokering the trust that underpins those relationships
  • Identity management capabilities must be delivered as distributed infrastructure services, which exploit existing services and are defined according to clear contracts which are enforced through policies
  • Roles must be modelled at the intersection of identities, entitlements and organisational structures and managed as part of the broader identity management lifecycle.
