"A cloth is not woven from a single thread."
-- Ancient Chinese proverb
How can we possibly remember all of our passwords nowadays? Whether organization-to-organization, customer-to-business, or citizen-to-government, more people communicate with each other over computer systems than ever before. Within government organizations, agencies are beginning to offer more electronic services to citizens, streamline interactions with suppliers and explore new ways to collaborate with other agencies.
Identities play a critical part in any business transaction. The internet and digital worlds are no different, as the digital identity is not only used to prove who the user is, but also to control and audit the services that the user accesses. Services offered over the net require management and tracking of identities. The challenge associated with managing and tracking identities is intensified by the growing number of entities -- public, private and individual -- that each government agency needs to communicate with.
The result is a growing array of digital identities and attendant alphanumeric passwords that make even the clearest minds feel schizophrenic. Users are shouting in frustration: "There must be a better way!"
There is, and it's called Federated Identity Management (FIM). FIM is an approach for sharing and managing identity-related information across organizations. FIM allows an authenticated person to access multiple services in different domains and obtain personalized access without the need to re-authenticate. It eliminates multiple passwords, reduces the inconvenience of the user accessing multiple services from different agencies, and reduces the burden of the service provider who maintains those identities.
Simply put, from an end-user perspective, accessing services from multiple agencies requires a single user ID, a single password and a single login. Once authenticated to one agency, the end-user can seamlessly access services of other agencies without a need to re-authenticate.
In today's heightened security climate, tracking one's digital identities within the enterprise is a demanding procedure. Data threats are growing in frequency and intensity, as identity thieves and hackers become more resourceful and ruthless. At the same time, organizations are under growing pressure to foster information sharing and to interact with customers, business partners and public service providers.
Collaboration and interoperability introduce new security risks, calling for appropriate safeguards. Unfortunately, implementing such safeguards involves, in many cases, recording additional identity and access-related data in independent identity data "silos," which in turn impede performance and efficiency and undermine efforts for better information sharing.
A plan to collaborate and offer more services -- and to do so securely -- is no longer a luxury. It is a necessity, requiring new and innovative approaches to identity management.
Consequently, IT managers face a conundrum: How can they offer new services and tighten security measures at the same time without adding new and inefficient layers of complexity? That's where FIM comes into play. It braids many identity strands into a single, interconnected fabric.
To simplify identity management across business domains, FIM builds on two pillars -- the agreements and trust between the organizations that participate in a federation relationship, as well as a technology foundation that enables a secure interoperable identity exchange.
FIM extends the reach of Single Sign-On (SSO) beyond the enterprise, accommodating effective management of identities across company boundaries; it reduces the cost of management; it decentralizes the management of the identity information and it allows multiple parties to use the information.
FIM encompasses technologies, standards and agreements that render identity information portable and relevant throughout multiple domains, enhancing the user's experience considerably.
In many commercial and government organizations, identity and access information is managed in multiple technological and organizational "silos." Each application, infrastructure component or website may have its own definition of users and access rights to govern user access to its services, resulting in a fragmented identity infrastructure. This approach creates a daunting challenge for both users and IT in managing credentials. Users need to remember and manage all of their passwords for each environment and application. Each application and service provider must endure the cost associated with maintaining and managing all those identities independently. The process of managing the user and accessing right data for each environment separately is inefficient, cumbersome and redundant.
Empirical data gleaned by Larstan Business Reports sheds light on the need for cross domain access. During the third quarter of 2005, Larstan surveyed government executives concerning their systems, security efforts and knowledge of identity management.
According to the survey results, 31 percent of government respondents currently have a need to access a shared system resource. This significant amount of the respondents demonstrates the need to expose services and resources to external organizations.
The origins of the fragmented identity infrastructure lie in the technological and organizational realities of enterprises and governments.
On one hand, the technology for managing user identity and access has evolved within different computing waves -- from mainframes, mid-size systems to personal computing, and from enterprise distributed network infrastructure to the internet and web. The history of computing shows us that with the emergence of each technological discipline, new identity "silos" were created and employed for user authentication and authorization of user access to resources.
On the other hand, the creation of identity "silos" is not to be blamed on the technology advancement alone. Commercial mergers and acquisitions, organizational restructuring and global consolidation are part of the realities that exacerbate the fragmented identity infrastructure problem by introducing new integration challenges. Within globally distributed environments, even an organization that initially practiced consolidated identity management strategy is most likely to find itself with a complex fragmented identity infrastructure over time.
Traditional approaches for addressing the identity fragmentation have focused on the consolidation of systems and integration of identity repositories and processes within the enterprise. However, the traditional approaches of consolidation do not fit all environments because the fragmentation is exaggerated within large user communities. In larger communities, many different users want to operate in a trusted environment and obtain seamless services, whether the service provider is internal or external to their organization.
This is especially true for organizations that are facing privacy, regulatory and legal constraints or operate in an inherent multi-domain environment dictated by their organizational structure. These organizations require an approach that extends beyond a central identity management approach.
FIM solutions allow each organization within a federated environment to independently solve internal identity management issues using technologies and best practices of their choosing. The organizations become members of a trusted identity network and leverage their internal identity management solutions for cross organization interaction. With FIM, organizations are extending the reach and value of their services, while simultaneously maintaining the privacy of internal users and controlling the cost of user and privileges management.
Let's again turn to Larstan's survey. Figure 2 depicts which drivers are perceived to be most important in a federation initiative.
This survey indicates that managing risk is perceived as a most important driver for undertaking a federated identity initiative among government executives who specified a driver for their federation initiative. It also indicates that a large percentage of survey participants are uncertain how implementing federation will benefit them. n
About the authors
Doron Cohen is the CTO for BMC Software's Identity Management Business Unit. He has over 20 years of experience in IT and Security Management, including over 14 years directing development of enterprise-class system and security applications. He has extensive expertise in the development of Identity Management products for distributed cross-platform environments -- spanning operating systems, databases and applications. He can be reached at: [email protected].
Bob Worner is the director of solution line management, identity management business unit, for BMC Software. As part of the solution line management team, he is responsible for long-term market analysis and business development of BMC Software's identity management business unit solutions. He can be reached at: [email protected].
INSIDER'S NOTE: ID theft
In today's heightened security climate, tracking one's digital identities within the enterprise is a demanding procedure. Data threats are growing in frequency and intensity, as identity thieves and hackers become more resourceful and ruthless. At the same time, organizations are under growing pressure to foster information sharing and interact with customers, business partners and public service providers.
An extended version of this article is available at https://theblackbooks.com/govsecurity/dcohen.html