This is the fourth post in my series:
Let’s be Safe with an Identity Vault
The Identity Vault provides a single view of the identities, with the source data augmented from multiple sources to form one data repository. The vault is the store that feeds the target systems. Each target takes only the data relevant to its requirements in order to provide authentication and authorisation for individual identities to access that system.
The Unique Identifier
Once we define the authoritative sources we need to ensure that every identity is identified uniquely. We would all like to believe that we are unique in the world, and it is certain that we are; however, in the digital world a John Brown looks and seems the same as any other John Brown, despite the fact that they may look completely different in real life with ages far apart. Using a name (first name and last name) is not sufficient to provide uniqueness in the digital world. Fortunately every HR system fixed this problem many years ago by assigning a unique identifier to each entry in the database. Whether it is an EmployeeID or another unique key created specifically by the system, it can be defined as a number assigned to represent each identity in the system.
The Identity Management System uses this unique number to maintain and synchronise connection of the identity between source and target systems. Once we have an assigned unique identifier for each identity, we can have the confidence that we can place / provision them, synchronise updates and remove the correct identity from any target we maintain that uniqueness with.
Synchronising the end points
The Vault maintains this unique identifier amongst the other attributes relevant to the target systems we will need connection to. The vault also provides a store of all identities, and the current data relevant to them. If a target system loses all information it may be appropriate to upload all data from the vault to the target.
The only requirement is that we provide a secure connection with the appropriate rights to write into the application's database. Whether the target system is an Active Directory forest or an application, once a connection is made the Identity Management system can create, delete and modify accounts in that system according to the data needed. Once this connection is made the Identity platform can automatically process any of these changes, managed and controlled by the rules configured in the system and the data entered in the source. This process reduces the risk of incorrect data entry and improves security by assigning access controlled by the business rules configured in the system.
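The two points above, that the vault must be keyed on the unique identifier rather than the name, and that each target is reconciled against the vault with create / modify / delete actions (including a full reload when a target has lost its data), can be shown together in a small worked example. The code below is an added illustration written for this post, not the author's implementation or any product's API; the source records, the target state and the attribute names are constructed for the example.

```python
# Added example: an identity vault keyed on EmployeeID, and a reconciliation
# plan that brings a target system into line with the vault.
# All records below are constructed sample data, not real identities.

HR_SOURCE = [  # authoritative HR feed; note two distinct "John Brown"s
    {"employee_id": "E1001", "first_name": "John", "last_name": "Brown", "department": "Finance"},
    {"employee_id": "E1002", "first_name": "John", "last_name": "Brown", "department": "Engineering"},
    {"employee_id": "E1003", "first_name": "Aisha", "last_name": "Khan", "department": "Finance"},
]
BADGE_SOURCE = [  # second source augmenting the same identities with a badge number
    {"employee_id": "E1001", "badge": "B-0042"},
    {"employee_id": "E1002", "badge": "B-0043"},
    {"employee_id": "E1003", "badge": "B-0044"},
]
# Constructed state of a target (e.g. a directory) keyed on the same EmployeeID:
# E1001 has a stale department, E1002 was never created, E9999 has left HR.
TARGET = {
    "E1001": {"first_name": "John", "last_name": "Brown", "department": "Sales"},
    "E1003": {"first_name": "Aisha", "last_name": "Khan", "department": "Finance"},
    "E9999": {"first_name": "Old", "last_name": "Leaver", "department": "Finance"},
}
# Attributes this particular target needs; it does not receive the badge number.
AD_ATTRS = ("first_name", "last_name", "department")


def build_vault(*sources):
    """Merge every source into one repository keyed on employee_id.

    Later sources augment earlier ones attribute by attribute; the name is
    never used as the key, so the two John Browns stay separate identities.
    """
    vault = {}
    for source in sources:
        for record in source:
            eid = record["employee_id"]
            vault[eid] = {**vault.get(eid, {}), **record}
    return vault


def name_collisions(vault):
    """Return the (first, last) names that would collide if used as a key."""
    seen = set()
    collisions = set()
    for record in vault.values():
        name = (record["first_name"].lower(), record["last_name"].lower())
        if name in seen:
            collisions.add(name)
        seen.add(name)
    return collisions


def plan_sync(vault, target, attrs):
    """Compute the create / modify / delete actions that make target match the vault.

    Only the attributes in `attrs` are projected to this target. Passing an
    empty target yields a full reload (every identity becomes a create).
    """
    plan = {"create": [], "modify": [], "delete": []}
    for eid, record in vault.items():
        wanted = {a: record.get(a) for a in attrs}
        if eid not in target:
            plan["create"].append((eid, wanted))
        elif target[eid] != wanted:
            plan["modify"].append((eid, wanted))
    for eid in target:
        if eid not in vault:  # identity no longer in any authoritative source
            plan["delete"].append(eid)
    return plan


def apply_plan(target, plan):
    """Return a new target state with the plan applied (the input is not mutated)."""
    new_target = {eid: dict(attrs) for eid, attrs in target.items()}
    for eid, attrs in plan["create"] + plan["modify"]:
        new_target[eid] = dict(attrs)
    for eid in plan["delete"]:
        new_target.pop(eid, None)
    return new_target


VAULT = build_vault(HR_SOURCE, BADGE_SOURCE)

if __name__ == "__main__":
    print("names that collide as a key:", name_collisions(VAULT))
    plan = plan_sync(VAULT, TARGET, AD_ATTRS)
    for action, items in plan.items():
        print(action, items)
    synced = apply_plan(TARGET, plan)
    print("drift after sync:", plan_sync(VAULT, synced, AD_ATTRS))
    print("full reload creates:", len(plan_sync(VAULT, {}, AD_ATTRS)["create"]))
```

Running the block shows that the vault contains three identities even though two share a name, that the target receives exactly one create (E1002), one modify (E1001's department) and one delete (E9999), and that a second pass after applying the plan reports no drift. Feeding an empty target in place of `TARGET` produces the full reload described above.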
Connecting existing systems with an Identity Management system has a number of challenges too. In a future article I will write about some of these difficulties and how we overcome them.