Here at UNIFY Solutions the basic principles of Identity Management are taken for granted. We live and breathe Identity Management solutions day in and day out and we make assumptions that most of these fundamentals around Identity Management are known by our clients before they reach out to our specialists to fill the gaps. Of course, this isn’t always the case, so I thought I would start a series of posts that would bring the details of Identity Management a little bit closer to earth. Where we all live.
Identity Management solutions can be very complex designs involving a number of components delivering specific functionality. This post is not going to delve into the specific details of any of the components but keep things at a higher level. The aim here is to explain what Identity Management is and how it provides greater security, agility and cloud adoption for organisations. An Identity Management solution is not just software and configuration. It involves organisational policies, processes and technology to provide services to applications and other infrastructure.
Three main components comprise an Identity and Access Management (IAM) solution:
- Identity Management – Including Provisioning, De-Provisioning, Synchronisation and Aggregation of Identities;
- My follow up posts on this component:
- Access Management – Providing Authentication, Authorisation, Role-Based Access Control, Federated Identity and Single/Seamless Sign-On; and
- Lifecycle Management – Which includes Self Service Management, Password Management and Synchronisation, Audit, Monitoring and Reporting, Workflow and Self-Service Updates.
I will look to post separate posts on each of these components and include how each of them can provide the core functions of security and agility and how these enable organisations to engage cloud services in the form of SaaS, IaaS and PaaS solutions without compromising security for the organisation.
For now here is a typical design for an Identity Management (Provisioning, De-Provisioning and Synchronisation of Identities) solution.
In this design, the HR application provides Identity data that the IAM platform is provisioning to Active Directory and Exchange. The IAM platform maintains the synchronisation of this Identity data automatically. The provisioning of the accounts into the targets may take no more than a few minutes enabling a new user to access organisational information in a very short time.
Traditional security models leverage a perimeter defence approach through firewalls, proxies and accelerators. However, the adoption of mobile devices and cloud-based services has forced organisations to expand their borders to ensure the internal data and user information remains secure in this new world while still providing users access to the information and systems required. The traditional model just simply cannot adapt to this environment. Without knowledge of who the individual is that is trying to access data from an external mobile device, a blanket policy is required that will either prevent everyone or permit everyone access to the data platform.
The Identity Management security model aims to change the security approach from a fortress style to one that provides access only to those people that can validate their credentials. (i.e. who can successfully authenticate). Once the authentication is confirmed, managing what that person can access and when is relatively straight forward with effective Access Management policies and tools. Managing the Identity involves a number of organisational policies applied to each individual identity that first Provision the account, assign account entitlements and access and provide ongoing self-service and synchronisations for account information. Additional policies to remove or De-Provision the account ensure that staff or Identities that no longer require access to an application are removed automatically prevent unauthorised access through an unused account.
Once an Identity is known, and in the corporate world this would typically be established through a source of truth for the identity, we can be confident to provision and maintain the Identity data to each “target” application. It is often the case that multiple sources of truth exist for IDentity information. The Identity Management system would combine specific data for an Identity from these multiple sources to form a single “picture” of each Identity, in an Identity Vault. While the Vault is not an Authoritative Source (or Source of Truth), it provides the single database of each Identity that can be used to provision accounts into each target application. Each application, including Active Directory, may require different Identity information. Ensuring that these all equal the same Identity is crucial to managing Identity information and ensuring duplicate accounts do not exist.
A more complex IAM solution could look like this, incorporating most components of IAM:
The solution here includes Single Sign On authentication to a number of SaaS based applications and internal applications. It also includes Self Service capabilities and automates the provisioning to each of the cloud and on premise applications from a single source of truth.
Managing the ongoing Identity information becomes quite complex. Ensuring end users are able to self manage information as much as possible eases the burden on service desk operations for simple password resets and changes such as address changes, name changes and application access requests. Each stage of the Identity Management system provides a comprehensive audit capability. How a particular user obtains access to a specific application may be crucial in an organisation. Accessing student information in an education environment should not be something that everyone should have available. An Identity Management system ensures that compliance to policies such as these are carried out through automated processes.
By managing the Identity we can Create an Account, Allocate Entitlements to the Account, provide Single Sign On and Self Service for any application whether On Premise or cloud based, without compromising the security of the organisations data or user Identity information.
Authentication methods such as Multifactor Authentication can be adopted to ensure greater security while One Time Passwords, and use of context based security models allows even further “Step Up” security to be enabled. Now a user can access an application with the same credentials (username and password) from any device anywhere and at any time while the organisation can implement policies that ensure different security or authentication methods would be required to access more secure applications.
Identity Management now provides the cornerstone of the security model for organisations. A robust Identity Management platform enables organisations to allow users to be quickly setup in new applications whether on premise or cloud based, while maintaining management of the identity information within the traditional organisational security perimeter.
Keep an eye open for my next post on Identity Management where I discuss the individual components of Identity Provisioning, De-Provisioning, synchronisation and Identity Augmentation in greater detail.