Who are You?

Although system complexity is a struggle in itself, it breeds yet another challenge: security. End users should not bear the burden of complex security, especially as systems become ever more distributed. Identity management is essential, but there's more than one way to implement it.
by Tulu Tanrikorur

Continued from Page 1

Metadirectories automate the creation and maintenance of user accounts stored in a central or distributed security repository, directory, or database. Through a central console, metadirectories enable two-way synchronization between different repositories, which are then considered "managed systems." Vendors take different approaches to communication between managed systems and the central engine, depending on the nature of each system being integrated. Some metadirectory solutions require each system to have agent software installed, while others use secure versions of common protocols (LDAP, SNMP, SSH, ODBC, or JDBC, for example) and require no agents.

Metadirectory solutions address the need to have one identity per user regardless of how that user's profile attributes are divided across many system repositories. A user named "William Smith" in one system, for example, may be the same person as "W. Smith" in another. To be successful, different groups and departments must agree to "own" (that is, maintain) certain unique data elements (such as portions of a user profile); the metadirectory system can then synchronize changes to those data elements based on a known, agreed-upon source for that data. Vendors generally require organizations either to establish one central, master repository or to enable their systems to work with multiple existing repositories to manage user security credentials. Products vary in their degree of support for protocols, databases, directories, and common application repositories (such as human resource, financial, CRM, and ERP systems). Product examples include IBM's Metamerge, Critical Path's MetaDirectory, Novell's DirXML, and Sun Microsystems' Sun One Directory.

Provisioning systems are enhanced versions of metadirectory solutions and usually include workflow capability for routing tasks, such as approval requests.
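The ownership model described above, as an added example that is not from the article: the system names, join key, attribute ownership table and records are constructed for illustration, and the owner's value for each attribute is pushed to every other managed system.

```python
"""Added example (not from the article): a minimal metadirectory sync.
Each managed system holds its own record for the same person; an agreed
ownership table names the system that is authoritative for each
attribute.  Records are correlated on a shared join key (employee id),
the owner's value is pushed to every other system, and each overwritten
non-owner value is reported so data stewards can review the change."""
from copy import deepcopy

# Constructed sample data: one person, inconsistent across three systems.
SYSTEMS = {
    "hr": {"1001": {"name": "William Smith", "dept": "Finance",
                    "email": "wsmith@old.example"}},
    "directory": {"1001": {"name": "W. Smith", "dept": "Finance",
                           "email": "william.smith@example.com"}},
    "crm": {"1001": {"name": "Bill Smith", "dept": "Sales",
                     "email": "william.smith@example.com"}},
}

# Agreed ownership: HR owns name and department, the directory owns email.
OWNER = {"name": "hr", "dept": "hr", "email": "directory"}


def synchronize(systems, owner):
    """Return (synced_copy, conflicts).  Each conflict is
    (join_key, attribute, system, old_value, authoritative_value)."""
    synced = deepcopy(systems)
    conflicts = []
    join_keys = set().union(*(repo.keys() for repo in systems.values()))
    for key in sorted(join_keys):
        for attr, src in owner.items():
            if key not in systems[src]:
                continue  # owner has no record: nothing authoritative to push
            master = systems[src][key][attr]
            for name, repo in synced.items():
                if name == src or key not in repo:
                    continue
                if repo[key].get(attr) != master:
                    conflicts.append((key, attr, name, repo[key].get(attr), master))
                    repo[key][attr] = master
    return synced, conflicts


if __name__ == "__main__":
    synced, conflicts = synchronize(SYSTEMS, OWNER)
    for key, attr, system, old, new in conflicts:
        print(f"{system}[{key}].{attr}: {old!r} -> {new!r}")
```

Running it reports four overwritten values (two names, one department, one e-mail address) and leaves the input repositories untouched, so the conflict list can be reviewed before the real systems are written to.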
By creating centralized user profile information from multiple systems, provisioning systems can deliver a more consistent access control model for enforcing the enterprise's authorization policies (or "provisioning policies") across managed systems. Provisioning systems are thus able to support features for implementing access-control mechanisms. As an option, these systems may offer SSO and password management capabilities, either within their own portfolio or through designated partners. Increasingly, metadirectory vendors are either creating or acquiring these kinds of features as a means of evolving their products into full-featured provisioning systems. Such mergers will make product category distinctions less visible over time. Products include IBM's Access 360 enRole, BMC Software's Control-SA, Business Layers' eProvision, Novell's Identity Provisioning, Waveset Technologies' Lighthouse, and Systor's SAM.

Identity Federation

Identity Federation (IFed) defines the management of user credentials so that they may be trusted across administrative domains and systems. User identities are always maintained in a known "trust domain" (such as your local network). Other trust domains, such as remote systems over public or private networks, accept that identity when a request is forwarded to them. IFed can reduce the operational costs of maintaining the same user credentials in multiple places. Other benefits include more seamless security integration among existing systems and greater convenience for the user.

To enable a federated identity, trust models across domains are set up as either "one-way" or "two-way." In a one-way trust model, the user is always expected to sign on to system A first in order to access system B, not vice versa. Two-way trust models allow a user to sign on to any system in order to access the others.
Setting up trust models involves some risk of creating "excessive trust relationships," which experts consider among the top security vulnerabilities. IFed is, in a sense, an implementation of the SSO single-credential mode discussed earlier. However, it additionally deals with how to standardize the management of such communication between different security infrastructures outside your own enterprise. The business and legal issues involved in dynamically integrating the security of distributed systems, as well as the information they contain, are a subject of institutional and regulatory debate and, therefore, of changing requirements.

IT organizations are also evaluating Web services as a more cost-effective means of integrating systems when compared to traditional private networks. Extending security policies to Web services and Internet-based systems brings many challenges. As a result, multiple standards now exist that affect security brokering, federation, trust policy development, and liability. Most are based on the OASIS WS-Security and Extensions specifications and the efforts of the Liberty Alliance Project. Both use the XML-based Security Assertion Markup Language (SAML) to exchange user identities and authorizations. IFed is an important and evolving area of security management. Enterprises should recognize the need to plan ahead for building security infrastructures that are reusable in federated business scenarios.
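The one-way and two-way trust models, and the review for excessive trust relationships, as an added example that is not from the article: the domain names are constructed, and the model assumes that trust is honoured across intermediate domains (transitively), which a real federation may or may not permit.

```python
"""Added example (not from the article): checking who can reach what
under one-way and two-way trust between security domains.  An edge
A -> B means domain B accepts identities asserted by domain A, so a user
who signed on at A can access B.  Whether trust is honoured across
intermediate domains (transitively) is an assumption of this model."""
from collections import deque


def build_trusts(one_way=(), two_way=()):
    """Build the trust graph; every domain appears as a key."""
    trusts = {}

    def add(asserter, relying):
        trusts.setdefault(asserter, set()).add(relying)
        trusts.setdefault(relying, set())

    for asserter, relying in one_way:
        add(asserter, relying)
    for a, b in two_way:
        add(a, b)
        add(b, a)
    return trusts


def reachable(trusts, signed_on_at):
    """Domains a user can access after signing on at signed_on_at."""
    seen, queue = {signed_on_at}, deque([signed_on_at])
    while queue:
        for nxt in trusts.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def can_access(trusts, signed_on_at, target):
    return target in reachable(trusts, signed_on_at)


def asserters_honoured(trusts, target):
    """Domains whose sign-on ultimately grants access to target."""
    return {d for d in trusts if d != target and can_access(trusts, d, target)}


def excessive_trust(trusts, max_asserters=1):
    """Domains that honour identities from more than max_asserters other
    domains: candidates for an 'excessive trust relationship' review."""
    return {d for d in trusts if len(asserters_honoured(trusts, d)) > max_asserters}


# Constructed sample: the partner portal trusts corp one-way; corp and
# its subsidiary trust each other two-way.
SAMPLE = build_trusts(one_way=[("corp", "partner")],
                      two_way=[("corp", "subsidiary")])
```

In the sample, a subsidiary user reaches the partner portal only because corp trusts the subsidiary and the partner trusts corp; the partner portal therefore honours two asserting domains and is the one flagged for review.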