
This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://www.silicon.com/research/specialreports/idmanagement/0,3800011361,39158652,00.htm


Analysis: The way to security and compliance
A look at the technologies behind ID management

By Anthony Plewes

Published: Thursday 04 May 2006

Organisations worldwide are grappling with how to secure access to their applications - and keep track of the compliance burden of who has access to which systems. Is ID management the answer? Anthony Plewes investigates the key technologies in this area.

Identity management lies at the heart of creating a secure environment for employees and customers to access companies' systems. Analyst firm the Burton Group has already identified the area as one of the key security trends for 2007. It says companies are turning to role-based access control and fine-grained authorisation to enforce data and application restrictions and comply with a variety of regulations.

Identity management is not a product as such but a combination of different technologies. The building blocks are authentication, authorisation, provisioning, user management, audit and federation. Because deploying identity management requires organisations to map their business processes into a system, it also often requires extensive consultancy.

The reasons companies choose to deploy identity management are changing. Adrian Humbel, VP of identity management at software vendor Novell, which offers identity management technology and consultancy, says: "Companies first started on the road to identity management to help cut management costs. They were interested in cutting down in calls to the helpdesk from users who needed to reset their password, for example. Now identity management is seen by many companies as a critical tool to them in their compliance efforts."

Regulations such as the ubiquitous Sarbanes-Oxley require company management to know exactly who has access to which systems. This is particularly important in the financial services industry where there needs to be a clear demarcation between front and back office activities, for example.

Miles Clement, senior research consultant at the Information Security Forum, adds: "Identity management can help companies enforce the separation of duties. Some people may be allowed access to one set of systems and not another. Identity management can help companies prove they applied the rules."

Some of the key technologies in this area include:

User management

Provisioning and user management are central to identity management. They give companies an automated framework to provide employees with access to all their enterprise applications. They use workflow to handle the application, review and approval of a request for access to any application. They also look at the employee's role to determine which access rights they should be given.

Employees rarely keep the same applications or access rights throughout their employment; keeping up with these changes is something this aspect of ID management aims to solve. Simon Perry, VP of security at software vendor CA, one of the leading vendors in identity management software, explains: "The average user has access to six applications but around 17 identities. This is because the mix of applications they use may have changed over time."

One of the benefits of an automated system is that it prevents users accumulating too many identities, as it automatically upgrades the user's account and removes the old identity. This is more than just a housekeeping exercise - it also helps improve security. Otherwise, when the employee leaves the company, the system administrators will only delete their current identities because they are unlikely to know about the older accounts. These dormant accounts pose a serious security risk because they could provide ex-employees with a route into corporate systems.
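The provisioning loop described in this section and the separation-of-duties point made earlier can be shown in a few dozen lines. The following is an added example written for this article, not code from any vendor mentioned in it: the roles, application names, employees and the single separation-of-duties rule are constructed. It maps roles to the accounts each role needs, refuses to provision anyone whose role combination breaks the rule, and reconciles existing accounts so that a role change or departure retires the old identity instead of leaving it dormant.

```python
"""Illustrative role-based provisioning with a separation-of-duties check.

Added example; roles, applications and people are constructed for the demo.
"""
from dataclasses import dataclass

# Constructed catalogue: the application accounts each business role needs.
ROLE_ENTITLEMENTS = {
    "trader": {"order-entry", "market-data"},
    "settlements": {"settlement-system", "market-data"},
    "hr": {"hr-portal"},
}

# Constructed separation-of-duties rule: front office and back office roles
# must never be held by the same person.
SOD_RULES = [(frozenset({"trader", "settlements"}), "front/back office separation")]


@dataclass
class Employee:
    user_id: str
    roles: frozenset
    active: bool = True


@dataclass(frozen=True)
class Account:
    user_id: str
    app: str
    granted_by_role: str


def sod_violations(roles):
    """Names of the separation-of-duties rules that this role combination breaks."""
    return [name for conflict, name in SOD_RULES if conflict <= roles]


def desired_accounts(employee):
    """Accounts an employee should hold right now; a leaver should hold none."""
    if not employee.active:
        return set()
    return {
        Account(employee.user_id, app, role)
        for role in employee.roles
        for app in ROLE_ENTITLEMENTS[role]
    }


def _key(account):
    return (account.user_id, account.app, account.granted_by_role)


def reconcile(employees, existing_accounts):
    """Work out what provisioning must create and remove.

    Returns (to_create, to_remove, flagged). Accounts whose owner has left,
    no longer holds the granting role, or does not exist at all land in
    to_remove, so old identities are retired rather than lying dormant.
    Employees whose roles break a separation-of-duties rule are listed in
    flagged and their access is left untouched until someone resolves it.
    """
    desired, flagged = set(), []
    for emp in employees:
        violations = sod_violations(emp.roles)
        if violations:
            flagged.append((emp.user_id, violations))
            continue
        desired |= desired_accounts(emp)
    held = set(existing_accounts)
    on_hold = {user for user, _ in flagged}
    to_create = sorted((a for a in desired - held if a.user_id not in on_hold), key=_key)
    to_remove = sorted((a for a in held - desired if a.user_id not in on_hold), key=_key)
    return to_create, to_remove, flagged


def sample_run():
    """Constructed workforce: a role change, a leaver, an orphan and a conflict."""
    employees = [
        Employee("alice", frozenset({"trader"})),
        Employee("bob", frozenset({"settlements"})),            # moved from trading
        Employee("carol", frozenset({"hr"}), active=False),     # has left the company
        Employee("dave", frozenset({"trader", "settlements"})),  # breaks the SoD rule
    ]
    existing = [
        Account("alice", "order-entry", "trader"),
        Account("bob", "order-entry", "trader"),        # left over from his old role
        Account("bob", "market-data", "trader"),
        Account("carol", "hr-portal", "hr"),            # dormant leaver account
        Account("dave", "settlement-system", "settlements"),
        Account("eve", "hr-portal", "hr"),              # no matching employee at all
    ]
    return reconcile(employees, existing)


if __name__ == "__main__":
    for label, items in zip(("create", "remove", "flagged"), sample_run()):
        print(label, items)
```

Note what happens to bob's market-data access: he is still entitled to it, but through a different role, so the reconciliation retires the account granted by his old trader role and creates one tied to his settlements role. That is the "upgrade the account and remove the old identity" behaviour the article describes, and it keeps the audit trail honest about why each account exists.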

Access control

Authentication and authorisation are another key part of identity management. Many companies still base their internal access systems on passwords alone. Unfortunately, simple passwords can be easily cracked, and companies need to strike a fine balance between the strength of the password and the ability of users to remember it.

Ian Kilpatrick, chairman of Wick Hill Group, a distributor of security products, warns: "Basing a security system on a six-character password is like building castles on sand. Social engineering defeats password protection. It has been proved time and time again that people are prepared to give out their password for as little as an Easter egg."

As part of an identity management rollout, organisations should investigate stronger forms of access control such as two-factor authentication. This is where a password is combined with something that the user has in their possession, such as a smartcard or token. While two-factor authentication has not been widely adopted by deskbound employees, it is the most common approach for remote access through VPNs.

Beyond two-factor authentication there is three-factor authentication, where you can combine three identifiers such as a password, token and device ID. In some industries such as government and financial services, biometric identifiers such as fingerprints are used as part of the login process. But despite its promise, biometrics still has a number of issues to overcome before it becomes mainstream - in particular issues concerning its reliability.

One of the problems with two- or three-factor authentication is that not all applications support it. In particular, legacy applications will often only support a traditional password.
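To make the "something the user has" factor concrete, here is an added example, not code from the article or from any vendor it quotes, of a server checking a password together with a hardware-token style one-time code. The token algorithm is HOTP from RFC 4226 (HMAC-SHA1 over a counter, dynamically truncated to six digits); the server record layout, the look-ahead window size and the user names are constructed assumptions.

```python
"""Added example: password plus an HMAC-based one-time-password token (RFC 4226).

The per-user record layout and names are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class TwoFactorServer:
    """Holds, per user, a salted password hash plus the token seed and counter."""

    def __init__(self, look_ahead: int = 5):
        self.look_ahead = look_ahead   # how far the token may have run ahead of the server
        self.users = {}

    def enrol(self, user: str, password: str, token_secret: bytes) -> None:
        salt = os.urandom(16)
        self.users[user] = {
            "salt": salt,
            "pw_hash": _hash_password(password, salt),
            "secret": token_secret,
            "counter": 0,   # next counter value the server expects from the token
        }

    def verify(self, user: str, password: str, otp: str) -> bool:
        rec = self.users.get(user)
        if rec is None:
            _hash_password(password, bytes(16))   # same cost for unknown users
            return False
        pw_ok = hmac.compare_digest(_hash_password(password, rec["salt"]), rec["pw_hash"])

        # Search a small window in case the user generated codes without
        # logging in; a match inside the window resynchronises the counter.
        matched = None
        for c in range(rec["counter"], rec["counter"] + self.look_ahead):
            if hmac.compare_digest(hotp(rec["secret"], c), otp):
                matched = c
                break
        if not (pw_ok and matched is not None):
            return False   # counter only advances on a fully successful login
        rec["counter"] = matched + 1   # the used code, and any skipped, can never be replayed
        return True


if __name__ == "__main__":
    srv = TwoFactorServer()
    srv.enrol("alice", "correct horse", b"12345678901234567890")
    print(srv.verify("alice", "correct horse", hotp(b"12345678901234567890", 0)))
```

The counter-based design is what gives the token its value: a code is consumed on use, so a password that has been given away for an Easter egg is not enough on its own, and an observed code cannot be replayed. The legacy-application problem the article raises still applies, since the application being protected must be able to ask for and check the second code; that is exactly the gap the middleware approach in the next section addresses.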

Single sign-on

One of the most talked about approaches to user authentication is single sign-on (SSO), where a user needs to sign in only once to be able to access all their applications. Given the potential security risk that this poses if an intruder gains access, it is important to use strong authentication to identify the user.

Single sign-on can even help organisations secure access to legacy applications that do not support stronger authentication. CA's Perry says: "SSO deployed as middleware allows you to deploy stronger authentication. If the platform supports it then you can pass it on. Otherwise you can use the format suitable for the platform. Further you can use the most secure password possible because the user does not need to remember it."

However, even if a company chooses to use passwords rather than more secure authentication technology, identity management systems can help secure companies' data through context. This can be based on many factors such as connection type, time of day or what the user wants to access. If there is any doubt as to the user's identity, the system can challenge them for further authentication.
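The context-based decision just described amounts to a small policy engine. The following is an added example, not the article's own or any vendor's: it scores a request on connection type, time of day, the sensitivity of the resource and whether the device is new, then decides whether a password alone is enough, whether to challenge for a second factor, or whether to refuse. The scoring weights, thresholds and resource names are constructed assumptions.

```python
"""Added example of context-based (risk-based) authentication decisions.

Weights, thresholds and resource names are constructed assumptions.
"""
from dataclasses import dataclass

# Constructed sensitivity ratings; anything not listed is treated as sensitive.
RESOURCE_SENSITIVITY = {"intranet-news": 0, "email": 1, "payroll": 3, "trading": 3}
BUSINESS_HOURS = range(7, 20)   # 07:00 to 19:59 local time


@dataclass
class AccessRequest:
    user: str
    connection: str        # "lan", "vpn" or "internet"
    hour: int              # local hour of the request, 0-23
    resource: str
    new_device: bool = False


def risk_score(req: AccessRequest) -> int:
    """Add up the risk contribution of each context signal."""
    score = {"lan": 0, "vpn": 1, "internet": 3}.get(req.connection, 3)
    if req.hour not in BUSINESS_HOURS:
        score += 2
    score += RESOURCE_SENSITIVITY.get(req.resource, 3)
    if req.new_device:
        score += 2
    return score


def required_factors(score: int):
    """Factors needed for this score; None means the request is refused outright."""
    if score <= 2:
        return 1
    if score <= 7:
        return 2
    return None


def decide(req: AccessRequest, factors_presented: int) -> str:
    """Return "allow", "step-up" (challenge for another factor) or "deny"."""
    needed = required_factors(risk_score(req))
    if needed is None:
        return "deny"
    return "allow" if factors_presented >= needed else "step-up"


if __name__ == "__main__":
    req = AccessRequest("alice", "vpn", 10, "payroll")
    print(risk_score(req), decide(req, 1), decide(req, 2))
```

Treating unlisted resources as sensitive is deliberate: a new or legacy application that nobody has classified should attract the stronger check by default rather than slip through on a password.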

Federated identity

One of the hottest topics in identity management is federated identity, an approach where one application can assert the identity of a user to another application. It is currently used where users in different organisations need to use each other's systems, such as in government.

The advantage of this approach is that the remote system does not need to set up a user identity for all users from the other system. The remote system simply defines roles with access rights to which the users from the other organisation are assigned. There are a number of standards in federation including SAML and WS-Security.

Information Security Forum's Clement says: "Federated identity is a way for third parties to work together but it can also be used within the organisation. It is simply a way of managing identity for access to other applications. It makes no difference whether the user is internal or external."
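The federation exchange described in the last three paragraphs, as an added example that is not part of the original article: an identity provider (IdP) signs an assertion about one of its users, and a relying service provider (SP) accepts it without holding an account for that user, mapping the asserted partner roles onto its own local roles and access rights. Real SAML assertions are XML and carry public-key signatures; the JSON body and shared-key HMAC used here are a deliberate simplification, and the organisation names, roles and role mappings are constructed.

```python
"""Added example of a federated-identity assertion exchange (simplified).

Names, keys and role mappings are constructed; the JSON+HMAC format stands in
for a real SAML assertion and is not a standard.
"""
import base64
import hashlib
import hmac
import json


class IdentityProvider:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def issue(self, subject: str, roles, audience: str, now: int, lifetime: int = 300) -> str:
        """Assertion = base64url(JSON claims) + "." + HMAC-SHA256 of the claims."""
        claims = {"iss": self.name, "sub": subject, "aud": audience,
                  "roles": sorted(roles), "iat": now, "exp": now + lifetime}
        body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        sig = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        return base64.urlsafe_b64encode(body).decode() + "." + sig


class ServiceProvider:
    def __init__(self, name: str, partner_keys: dict, role_map: dict, role_rights: dict):
        self.name = name
        self.partner_keys = partner_keys   # issuer -> shared key (the trust relationship)
        self.role_map = role_map           # issuer -> {partner role: local role}
        self.role_rights = role_rights     # local role -> set of access rights

    def accept(self, token: str, now: int):
        """Return (subject, rights) for a valid assertion, else (None, reason)."""
        try:
            body_b64, sig = token.rsplit(".", 1)
            body = base64.urlsafe_b64decode(body_b64)
            claims = json.loads(body)
        except ValueError:               # covers base64 and JSON decoding errors
            return None, "malformed assertion"
        if not isinstance(claims, dict):
            return None, "malformed assertion"
        issuer = claims.get("iss")
        key = self.partner_keys.get(issuer)
        if key is None:
            return None, "untrusted issuer"
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return None, "bad signature"
        if claims.get("aud") != self.name:
            return None, "assertion meant for another service"
        if not claims.get("iat", 0) <= now < claims.get("exp", 0):
            return None, "expired or not yet valid"
        # No local account for the user: only the partner's roles are mapped.
        mapping = self.role_map.get(issuer, {})
        rights = set()
        for partner_role in claims.get("roles", []):
            rights |= self.role_rights.get(mapping.get(partner_role), set())
        if not rights:
            return None, "no partner role maps to local access"
        return claims.get("sub"), rights


def demo(now: int = 1_700_000_000):
    """Constructed partnership: agency-a's case workers read cases on a benefits portal."""
    key = b"constructed-shared-secret"
    idp = IdentityProvider("agency-a", key)
    sp = ServiceProvider(
        "benefits-portal",
        partner_keys={"agency-a": key},
        role_map={"agency-a": {"case-worker": "case-reader", "auditor": "case-auditor"}},
        role_rights={"case-reader": {"read:cases"},
                     "case-auditor": {"read:cases", "read:audit-log"}},
    )
    token = idp.issue("j.smith@agency-a.example", ["case-worker"], "benefits-portal", now)
    return idp, sp, token


if __name__ == "__main__":
    idp, sp, token = demo()
    print(sp.accept(token, 1_700_000_000 + 10))
```

The checks the SP performs before trusting a single claim (known issuer, intact signature, intended audience, validity window) are the ones that matter in any federation protocol; the role mapping afterwards is what lets the remote system avoid creating a user identity for every partner employee, as the article describes.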

In the end, identity management is more than just a set of technologies; it also requires discipline throughout the organisation. The user is still the big security issue. With the right security technology, all companies can do is try to minimise this risk. Identity management is a key player in this process, but companies should recognise that it is a lengthy and ongoing exercise.
