All area access


7 April 2011

“Halt! Who goes there? Advance and be recognised. Speak the password. Pass, friend.” Identity and access management is certainly as old as the Romans, and whether electronic or face to face the core procedure is still much the same. As consumers and employees we are all used to the simple everyday versions: a PIN for the ATM and credit card, a password for the web site and the office network log-in. A surprising number of places of work, even SMEs, have introduced biometrics such as finger or hand readers as a quick and easy form of access control and time-and-attendance recording.

After that it all starts to become exponentially complex. Most people who spend any length of time online will have acquired a motley collection of usernames and passwords, growing all the time. Something universal would be nice, at least in theory. But different sites have different rules: Mary Murphy will have to put up with something like marymurphy9999 for Gmail, passwords can run from four to eight characters or even more, and alphanumeric may well be compulsory.

Within the organisation, information and services beyond network access and your own e-mail will increasingly demand further passwords, codes and other authentication to establish your right to view customer accounts, enter orders, place purchase orders or authorise payments. Along the way you might need other codes or PINs to print in colour or have a videoconference with America, or whatever is not available to everyone in the organisation.

Role based and SSO
Two broad concepts have now become standard in larger organisations: role-based access permissions combined with single sign-on (SSO). A set of appropriate permissions defined by management is assigned to your role, from the basic such as building access, network log-on and e-mail to the deep data access rights of the CFO or other senior executives. Even at that level, both good practice and compliance obligations mean that quite probably no one in the organisation has automatic rights to access everything. Then when you log on to the organisation’s core network, LAN or WAN, on-premise or remotely, you remain logged in with your various permissions until you log off or some rule does so automatically, such as a maximum interval since the last keystroke.
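The two rules in that paragraph, permissions assigned to roles rather than to people and a session that is closed automatically after a maximum idle interval, can be shown in a few lines. The following is an added illustration written for this article, not code from any of the vendors mentioned; the roles, permissions, user names and the 15-minute idle limit are constructed sample values.

```python
"""Role-based access with a single sign-on session and an idle timeout.

Added illustration (not code from the article): roles carry permissions, users
are assigned roles, and one logged-in session is checked on every request
against both the role permissions and the idle-timeout rule.
Role names, permissions and the 15-minute timeout are constructed examples.
"""
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 15 * 60  # constructed policy value: log off after 15 minutes idle

# Role -> set of permissions (constructed sample policy defined "by management")
ROLE_PERMISSIONS = {
    "staff": {"building:enter", "network:logon", "email:read"},
    "sales": {"orders:enter", "customers:view"},
    "finance": {"purchase_orders:create", "payments:authorise", "customers:view"},
    "cfo": {"payments:authorise", "ledger:read", "reports:read"},
}

# User -> roles (constructed sample directory); nobody is given every role
USER_ROLES = {
    "mary.murphy": {"staff", "sales"},
    "cfo.user": {"staff", "finance", "cfo"},
}


@dataclass
class Session:
    user: str
    last_activity: float  # seconds since epoch of the last request
    active: bool = True


def effective_permissions(user: str) -> set:
    """Union of the permissions of all roles assigned to the user."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorise(session: Session, permission: str, now: float) -> bool:
    """Decide one request: the session must still be live, must not have been
    idle longer than the limit, and the user's roles must grant the permission."""
    if not session.active:
        return False
    if now - session.last_activity > IDLE_TIMEOUT_SECONDS:
        session.active = False  # rule-driven automatic log-off; a fresh sign-on is needed
        return False
    session.last_activity = now  # any request within the limit counts as activity
    return permission in effective_permissions(session.user)


def nobody_has_everything() -> bool:
    """Good-practice check from the text: no single user holds every defined permission."""
    all_perms = set().union(*ROLE_PERMISSIONS.values())
    return all(effective_permissions(u) != all_perms for u in USER_ROLES)
```

A request that is denied for lack of permission still refreshes the idle timer, because the user was demonstrably present; a request that arrives after the idle limit closes the session for good rather than merely failing once.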


A more complex version of single sign-on will enable users to access more than one identity management system in the same organisation (perhaps functional or geographic) or even between organisations. Someone with responsibilities along a supply chain, for example, will not need to log on separately to partner organisations’ access control but will automatically be verified on foot of the original sign-on to the local or parent system. Usually called federated identity management, the essentials are mutually recognised protocols or open industry standards. Invaluable in business partnerships such as supply chain management, federated identity has a growing place in more casual use for online consumers to offer more streamlined, easy to use processes. An example often cited is the traveller booking both a flight and a hotel through an airline, travel agent or hotel group web site.
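The essence of the supply-chain case described above is that the partner never sees the user’s password: the home organisation signs a short statement that the user has already been authenticated, and the partner checks the signature and then applies its own rules. The following is an added example written for this article, not any vendor’s federation protocol; it uses an HMAC-signed assertion with a pre-shared key, and the key, organisation names and role mapping are constructed.

```python
"""Federated sign-on between two organisations with an HMAC-signed assertion.

Added illustration, not the article's code and not any vendor's protocol:
the home organisation (identity provider) signs a short assertion about an
already-authenticated user; the partner (service provider) verifies it with a
pre-shared key, checks issuer, audience and expiry, and maps the asserted role
to its own local permissions. Keys, names and the role mapping are constructed.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional, Set

# Constructed shared secret, exchanged out of band when the partnership was set up.
PARTNER_KEY = b"constructed-shared-key-for-acme-and-supplier"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(key: bytes, subject: str, issuer: str, audience: str,
                    role: str, now: float, ttl: int = 300) -> str:
    """Identity provider side: sign claims about a user it has already logged in.
    The assertion names the intended partner (audience) and expires after ttl seconds."""
    claims = {"sub": subject, "iss": issuer, "aud": audience,
              "role": role, "iat": int(now), "exp": int(now) + ttl}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


# Service provider's mapping of the partner's roles to local permissions (constructed).
LOCAL_PERMISSIONS = {
    "buyer": {"orders:view", "orders:place"},
    "logistics": {"shipments:view"},
}


def accept_assertion(key: bytes, token: str, expected_issuer: str,
                     my_audience: str, now: float) -> Optional[Set[str]]:
    """Service provider side: verify signature, issuer, audience and expiry, then
    return the local permissions the asserted role maps to. None means reject."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except ValueError:
        return None  # malformed token
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered, or signed without the shared key
    claims = json.loads(body)
    if claims.get("iss") != expected_issuer or claims.get("aud") != my_audience:
        return None  # meant for another partner, or from an issuer we do not trust
    if now >= claims.get("exp", 0):
        return None  # stale assertion
    # Recognised, but still limited to what the local mapping grants this role.
    return LOCAL_PERMISSIONS.get(claims.get("role"), set())
```

Checking the audience is what stops an assertion issued for one partner from being presented to another; a role the partner has no mapping for yields an empty permission set rather than an error, so an unknown role grants nothing.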

Always accessible
Security is paramount in our 365×24 online world and cloud computing and other newer services make the needs and the solutions more complex. In essence, the challenge is all about data and access to it, says Ronan Geraghty, server group business lead in Microsoft Ireland. “Within the organisation, the essential basis is the classification of data and services so that the various levels of access permissions can come into play. Identity comes into play to control that access according to whatever business rules have been set, typically role-based permissions to see certain information or take certain actions. So a well-defined system of classification is essential, regularly reviewed and updated.”

Identity management can be extended from the organisation itself across external resources such as private or public clouds. “It all comes down to systems for strong authentication and implementation of access rules. Microsoft Active Directory, for example, is probably the most common way of identifying people and their roles. Outside of the organisation, Microsoft also supports the OpenID Foundation and the global use of secure identity management systems for consumers and for business,” Geraghty says. “Our Windows LiveID supports OpenID while applications built on the Azure platform can enable identity management and security for ISVs and all of the potential users.”

Microsoft Forefront Identity Manager 2010 provides an integrated and comprehensive solution for managing the entire lifecycle of user identities and their associated credentials. It provides identity synchronisation, certificate and password management and user provisioning in a single solution that works across heterogeneous systems. That enables IT departments to define and automate the processes used to manage identities in the organisation, from creation after recruitment to retirement. More importantly, in many respects, it enables active management of the multiple variations in access permissions that will happen along the way.

Federated identity
Single sign-on and federated identity solutions are already here and proven for the corporate world, Geraghty says, but the vast range of online services for consumers poses a much more difficult challenge. “It would certainly be convenient to have a single ID to access multiple sites and services. Windows Live ID can be used to help that, and a good number of third parties have adopted it. But the challenges are still enormous.”

A typical corporate systems user today has something of the order of 27 accounts, according to Pat Larkin, director of Ward Solutions. “Some of those will come in groups, of course, but the potential range of user name and password inputs means it’s hardly surprising that security sins like passwords on sticky notes start to occur. Clearly, single sign-on with a strong password or other authentication placed in front of all protected ICT resources is the desirable infrastructure, and it can be done very effectively with today’s tools.”

Working with the market leaders in identity management systems (Microsoft, Oracle and Quest), Ward Solutions has developed a number of identity and access systems for Irish organisations. Larkin points to the National College of Ireland as a useful model, even for commercial organisations, because it has several categories of users and access to a rich set of online resources. “All of the 5,000 students need web access, especially the part-timers, while the 350 staff and faculty need online and network access. There is a mix of intranets, extranets and subscription services to deliver academic content, administrative services and channels of communication.”

The technical challenge is that the NCI in-house resources include managed desktops, but online users could be working from laptops, smart phones or even Internet cafes. Ward Solutions implemented a solution that combines SharePoint as the intranet site with Identity Lifecycle Manager (the predecessor of Forefront) as the control system for access to multiple application directories. It synchronises user identities across all resources, changing permissions according to defined business rules and the student users’ changing course progress.

Larkin uses another education example that has clear implications for other sectors. “The CAO system automatically provisions each participating college with the student numbers and other relevant information submitted as part of the applications process. As a successful student starts in the chosen college, the same CAO password gives immediate access to the college system enrolment process and resources as a first time student.”

Narrowing broads
‘Granularity’ is a concept in identity and access control that is of growing importance, says Mark Crosbie, IBM security architect, because the traditional controls on access to information have become too broad. “We need defences in depth because our perimeters, our exteriors are just too porous and as we move into the cloud the challenges will be even tougher. So we will be looking at a number of factors to authenticate identity and using a multi-faceted approach. The users will need fewer, stronger passwords, other elements like biometrics will come in where appropriate. The control systems will check multiple factors. Location, for example, looks like being very interesting in a mobile context. Is that user device physically where it is expected to be?”

There is a general move away from just broad ‘permissions’ to role-based access that is dynamic in terms of ongoing business change, actions and contexts. “We are now seeing access control in terms of a workflow model, where roles are carefully defined and refined and then propagated throughout the systems and resources. People can have multiple access rules for specific applications and data, for remote access and even for differentiated physical access.”

That points to one of the common flaws in access control, Crosbie says, where removing privileges when somebody leaves can be incomplete. “You hand in your building pass but your remote access is not revoked. That is where the integrated workflow approach comes in so that implementation of the business rules is automated.”
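The flaw Crosbie describes, the building pass handed in while remote access stays live, is easy to detect with a reconciliation between the HR record and each system’s list of enabled accounts. The following is an added example written for this article, not code from IBM or any other vendor mentioned; the HR feed and the account exports are constructed sample data, with one leaver whose VPN account was never revoked and one service account that HR knows nothing about.

```python
"""Detect incomplete de-provisioning: leavers who still hold access somewhere.

Added illustration, not the article's or any vendor's code. An HR feed says who
has left; each system exports who still has an enabled account. The report lists
every (person, system) pair that should have been revoked, which is exactly the
gap an automated leaver workflow closes and a manual one tends to leave open.
All records below are constructed sample data.
"""
from datetime import date

# Constructed HR feed: employee id -> (name, status, leaving date or None)
HR_RECORDS = {
    "e1001": ("Mary Murphy", "active", None),
    "e1002": ("John Byrne", "left", date(2011, 3, 31)),
    "e1003": ("Aoife Walsh", "left", date(2011, 2, 15)),
    "e1004": ("Sean Kelly", "active", None),
}

# Constructed exports of enabled accounts from each system, keyed by employee id.
SYSTEM_ACCOUNTS = {
    "building_pass": {"e1001", "e1004"},                     # passes handed in on leaving
    "vpn": {"e1001", "e1002", "e1004", "svc-backup"},        # remote access never revoked
    "email": {"e1001", "e1002", "e1003", "e1004"},           # mailboxes left enabled
    "finance_app": {"e1004", "e1003"},
}


def orphaned_access(hr, systems, today):
    """Return sorted (employee_id, system, days_since_leaving) for every leaver
    who still has an enabled account on some system."""
    findings = []
    for emp_id, (_name, status, left_on) in hr.items():
        if status != "left":
            continue
        for system, members in systems.items():
            if emp_id in members:
                findings.append((emp_id, system, (today - left_on).days))
    return sorted(findings)


def unknown_accounts(hr, systems):
    """Accounts with no HR record at all: either an undocumented service account
    or someone the leaver workflow lost track of entirely. Both need an owner."""
    return sorted((acct, system)
                  for system, members in systems.items()
                  for acct in members if acct not in hr)


def report(hr, systems, today):
    """Human-readable summary of both checks, ordered by age of the exposure."""
    lines = [f"{emp} still enabled on {sys} ({days} days after leaving)"
             for emp, sys, days in sorted(orphaned_access(hr, systems, today),
                                          key=lambda f: -f[2])]
    lines += [f"{acct} on {sys} has no HR record" for acct, sys in unknown_accounts(hr, systems)]
    return lines
```

Run daily against fresh exports, the number of findings is itself a useful metric: a working integrated workflow should drive it to zero, and any entry with a large day count shows where the manual process broke down.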

As more business moves into the cloud, including supply chains and collaboration of all kinds, he accepts that identity brokers will evolve with an essential role in authenticating identity. “But that is just the first step, in the sense that business partners will have to overcome the challenge of linking their access control systems so that, yet again, having been recognised people can still see and do only what they are authorised for.”

Complexity challenge
Oracle has been a leader in integrated identity management for a long time with a set of tools for its own applications and ecosystem. Oracle Identity Management is application centric, which ensures the granularity of access control across corporate resources and online business partnerships. “Overall, the focus today is on reducing the complexity of ID and access management,” says Des Powley, Oracle EMEA director of Information Security. “Our concept is that for every application there are authorised users and specific privileges. A major driver for all major corporates is compliance and the ability to prove the quality of the controls and to have auditable systems to show who did what and when. That even extends to business intelligence analytics working with the identity management systems to enable clear visibility of actual compliance across all relevant requirements.”

“We are all trying to find ways to make identity mechanisms pervasive, simple to use for people and organisations and for developers to incorporate as part of application logic,” he says. “At a higher level, Oracle sees the next evolution taking identity management services up into a common enterprise layer. As organisations move towards service oriented architectures (SOA), identity components and management capabilities should be available as a service in that architecture.”

Echoing the point that greater challenges are coming as business moves into the cloud, Powley suggests that in a private cloud with an established and formal relationship between organisations, say between vendors or service providers and their customers, we already have solutions and they continue to evolve. “But transient relationships in the public cloud, say business to consumer, and with fraud as a constant hazard, there are certainly complex challenges.”

Continuum
While online consumers and the organisations that deal with them face a growing set of challenges, identity and access management still begins back at the workplace (physical or virtual) in the business world, points out Colm McDonnell of Deloitte. As the partner in charge of Enterprise Risk Services, he sees a continuum from an employee’s first day at work, in SME or multinational, with a first set of access permissions that will change over time and eventually be withdrawn on departure. The systems within the organisation are the first step before online collaboration and federated identity and any of the other sophisticated inter-organisation security mechanisms come into play.

“Even that internal control can be difficult with remote working, virtual teams and often highly variable permissions as people move and roles change,” McDonnell says. Deloitte itself has been using a smart access technology for over two years based on corporate Visa cards. The actual cards have an embedded LCD screen and keypad. Using a private PIN, the employee uses the card to generate a unique, one-time pass code which is then authenticated by the Deloitte system at log-on. “Because this is a Visa Corporate credit card as well and means no separate token or other security device is necessary, it is easy to use for staff and in fact involves lower costs per user than the standard alternatives.”
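The card McDonnell describes is a two-factor device: the PIN unlocks the card locally, the card shows a fresh one-time code, and the log-on system checks that code against a secret it shares with the card. The article does not say which algorithm Deloitte’s card uses, so the following is an added example written for this article rather than Deloitte’s or Visa’s implementation; it assumes an event-based code in the style of RFC 4226 (HOTP), with the server accepting a code only inside a small look-ahead window and never accepting a counter value twice, so a code seen over someone’s shoulder cannot be replayed. The secret is the RFC 4226 test-vector key and the PIN and counters are constructed.

```python
"""PIN-unlocked one-time passcode card and its server-side check.

Added illustration, not Deloitte's or Visa's implementation (the article does
not say which algorithm their card uses). Assumes RFC 4226 HOTP: card and
server share a secret and a counter; once the holder enters the PIN the card
shows six digits derived by HMAC-SHA1 for the next counter value; the server
accepts a code only within a look-ahead window and never the same counter twice.
Secret (the RFC 4226 test key), PIN and counter values are constructed test data.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to the wanted digit count."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class Card:
    """The employee's card: the PIN is checked on the card and the secret never leaves it."""
    secret: bytes
    pin: str
    counter: int = 0

    def generate(self, pin_entered: str):
        """Show the next code, or nothing at all if the PIN is wrong."""
        if not hmac.compare_digest(pin_entered, self.pin):
            return None
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


@dataclass
class ServerRecord:
    """What the log-on system stores per user: the shared secret and the next
    counter it will accept. Nothing here reveals the PIN."""
    secret: bytes
    next_counter: int = 0
    look_ahead: int = 10  # tolerate a few codes generated on the card but never submitted


def verify(record: ServerRecord, code: str) -> bool:
    """Accept the code if it matches any counter in [next, next + look_ahead), then
    move the window past it so that code, and any earlier one, can never be reused."""
    for c in range(record.next_counter, record.next_counter + record.look_ahead):
        if hmac.compare_digest(hotp(record.secret, c), code):
            record.next_counter = c + 1
            return True
    return False
```

The look-ahead window is the usual trade-off: wide enough that a few codes generated and discarded do not lock the user out, narrow enough that guessing a six-digit value stays impractical, and in any real deployment backed by a failed-attempt lockout. Codes behind the window are rejected outright, which is what defeats replay.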

But the salient point is that literally every organisation today has to consider and invest in identity management and access control. Online fraud based on identity theft, driven by criminals with very sophisticated technical resources, is at the top and dramatic end. Financial services and merchants and any business involved in any form of online commerce just have to cope. Within the extended organisation (and increasingly with non-employee partners and collaborators) it is essential to have the systems in place to authenticate identities and control and log who sees or does what.

Yet Deloitte and others believe that all of this need not necessarily be a burden. In fact the ripple effects from better access management can include greater efficiency and even reduced IT costs, single sign-on and federated identity being good examples. Consumers and organisational users can benefit from the rise of global standards and the reduced friction from arbitrary and unstructured barriers and constraints in different online activity.


TechCentral.ie