Who are You?

Although system complexity is a struggle in itself, it breeds yet another challenge: security. End users should not bear the burden of complex security, especially as systems become ever more distributed. Identity management is essential, but there's more than one way to implement it.
by Tulu Tanrikorur

As distributed enterprises extend around the globe to encompass divisions, subsidiaries, and sometimes exotic business partnerships, intelligent information flows through networks and is exposed to all sorts of security threats and risks. An increasing amount of this traffic is flowing over the Internet (including intranets and extranets), which is becoming mainstream for linking users with applications and back-office systems. It's not surprising that in the midst of this dramatic business process transformation, we have witnessed surging interest in information security.

A fundamental aspect of modern information security is identity management (IM): a systematic process that covers the whole life cycle of user accounts and access control rights in distributed environments. IM is an often lengthy and sometimes risky process that touches several technology domains. Vendors that define the term differently, to fit their own product portfolios, complicate clear understanding. And to make things even more confusing, implementation often requires living with overlapping solutions. IT must understand the dependencies and differences among products to develop a coherent IM security framework.

What's the price for ignoring the problem? "Poor or no identity management can open many security holes," says a report by the SANS Institute, which studies security management. Without strategic enterprise planning, corporations end up with many products, but no common vision. In this article, I will discuss the major IM components with an eye on how to develop an IM architectural framework that will help you create solution compatibility and, ultimately, an enterprise IM strategy.

Solution Categories

Figure 1 offers a view of the various product categories that are important to IM. In this section, I will discuss each category and its importance to IM.
Password management systems allow automatic password synchronization (upon a change) and centralized password resets across the multiple target systems they support, such as operating systems, directories, and databases. "Listener agent" software sometimes needs to be installed (or built) on the different systems to communicate password changes among them. While they are usually capable of storing all user accounts of all target systems in their own repository, password management systems can also extend and work with existing repositories, such as LDAP directories. Passwords can be reset in either self-service or help-desk environments after setting up questions and answers for verification. Self-service is usually done via phone or Web. Before you can employ this functionality, a repository must be populated with all user accounts.

Password management systems don't necessarily let you manage access rights for different systems or create and delete user accounts on target systems. In addition, these systems don't necessarily provide single sign-on capabilities (that is, allowing users to log in once to use multiple systems) or replace the authentication methods used by each target system. Password management systems offer convenient features and minimize the number of passwords to manage. However, organizations should realize it may be risky for users to have only one password to access multiple systems: a single compromised password then exposes every synchronized system. Examples of products include M-Tech's P-Synch, Courion's PassportCourier, Blockade Systems' ManageID Syncserv, and PassGo's Sync. Some of these vendors are now getting into the metadirectory/provisioning systems markets by providing extra features.

Single sign-on (SSO) products let users log in once against a centralized SSO server (at either a separate or an existing repository) to access multiple systems without separate logins. SSO products don't always support automatic password synchronization or resets.
Unlike with password management systems, users authenticate themselves to a centralized SSO server first, and just once. Some products monitor each user's logins to the different target systems, allowing the SSO product to record their passwords and generate the repository entries automatically. This approach simplifies the effort needed to populate the SSO repository. SSO solutions can run in two modes. The first is single credential mode, in which all target systems accept (and therefore trust) a single credential record retrieved from the SSO server. The second is multiple credential mode, where the SSO system automatically signs on users behind the scenes by retrieving the user ID and password for each target system. While convenient for users, SSO products, like password management systems, may introduce security risks, so assess risks and benefits early. Products that support SSO functions include Computer Associates' eTrust SSO, IBM Tivoli's Global SignOn, Netegrity's SiteMinder, and Entrust's GetAccess.

Virtual directories centrally manage multiple (separate) directories on the network to provide a unified view under one directory console. Virtual directories don't necessarily provide synchronization of security credentials among the directories that they manage. Also, data ownership doesn't change for the groups and departments that use the multiple directories and repositories. Some virtual directories have evolved to include self-help password management facilities, including IBM Tivoli's User Administration, Computer Associates' Unicenter TNG Directory Management Option, and BindView bv-Admin.
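To make the two SSO modes concrete, here is an added illustration in Python (not code from the article or from any product it names). The account names, target systems, and the HMAC-signed credential record are constructed assumptions; the point it shows is what each mode forces the SSO repository to hold, which is where the risk the author warns about comes from.

```python
import hashlib, hmac, json, secrets, time

# Constructed sample data: one master account and two target systems,
# each with its own user ID and password (as in a typical multi-system shop).
MASTER_USERS = {"alice": hashlib.sha256(b"correct-horse").hexdigest()}
TARGET_ACCOUNTS = {"hr_db": {"ajones": "Pa55"}, "mail": {"alice.j": "m41l"}}

def target_login(target, user_id, password):
    """Each target system's own authentication, unchanged by SSO."""
    return TARGET_ACCOUNTS[target].get(user_id) == password

def master_auth(user, password):
    """The single login against the SSO server; only a hash is stored."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(MASTER_USERS.get(user, ""), digest)

class SingleCredentialSSO:
    """Single credential mode: targets trust one signed record from the SSO
    server, so the server needs a signing key but no target passwords."""
    def __init__(self):
        self.key = secrets.token_bytes(32)   # shared with the trusting targets
    def login(self, user, password):
        if not master_auth(user, password):
            return None
        body = json.dumps({"sub": user, "iat": int(time.time())}).encode()
        return body, hmac.new(self.key, body, "sha256").hexdigest()
    def target_accepts(self, cred):
        body, tag = cred                      # what a trusting target checks
        expected = hmac.new(self.key, body, "sha256").hexdigest()
        return hmac.compare_digest(expected, tag)

class MultipleCredentialSSO:
    """Multiple credential mode: the SSO server signs on to every target behind
    the scenes, so it must keep each target password in recoverable form."""
    def __init__(self):
        self.vault = {"alice": {"hr_db": ("ajones", "Pa55"), "mail": ("alice.j", "m41l")}}
    def login(self, user, password):
        if not master_auth(user, password):
            return {}
        return {t: target_login(t, uid, pw) for t, (uid, pw) in self.vault[user].items()}

def target_passwords_held(sso):
    """Recoverable target passwords the SSO repository holds: the exposure
    if that repository is compromised, which only the vault-based mode has."""
    if isinstance(sso, MultipleCredentialSSO):
        return sum(len(v) for v in sso.vault.values())
    return 0
```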