Managing user identities

Officials at Lawrence Livermore National Laboratory are working toward a centralized approach to managing the identity information for people who access the lab's network and computer systems. Officials in the lab's Computer Security Program will be responsible for managing authentication, which focuses on who has access to systems, rather than having that function duplicated across the lab's 12 directorates.

The project will "help change the culture of everyone trying to reinvent the wheel," said Tony Macedo, a computer scientist and infrastructure project manager at the lab.

As they grapple with the challenge of boosting security, ensuring Web-based

collaboration and cutting costs, many information technology managers are demanding more of the identity management products that control users' access to networked resources.

A perfect storm of organizational pressures now drives the technology, said Sara Gates, senior director of identity management at Sun Microsystems Inc.

As a consequence, the role of identity management solutions, how they are assembled and even their technical underpinnings have changed significantly.

Vendors' responses can be seen in integrated suites and products that cover traditional areas of identity management while branching into emerging fields. New product directions include auditing capabilities and federated identities. The latter lets users maintain the same identity as they access systems across organizational boundaries.

The increasingly sophisticated systems can be time-consuming to deploy, with installations commonly taking one to two years. But the payoff for agencies is threefold: An identity management program can simplify user access, tighten security and eliminate costly redundancies.

Beyond single sign-on

In its early days, identity management was synonymous with single sign-on technology, which lets a user sign on once to access multiple applications. Later, password management allowed users to reset their passwords, rather than having to ask the help-desk staff to do it.

Now new forces have converged to expand identity management once again. Regulatory compliance is chief among those pressures. The Federal Information Security Management Act and other directives have compelled officials to tighten internal security controls. The compliance movement has pushed identity management in a new direction, toward auditing and reporting.

Gates said she has seen this shift in emphasis during the past year. "With the economy, everybody was driving out cost," she said. "I think that is still important, but the volume has really turned up in terms of security and auditing and compliance. It's been a huge driver."

Identity management products typically let agency administrators define user roles and grant access to resources according to those roles. Auditing goes a step further, however. While identity management defines who is allowed to do what on the network, the auditing piece reveals who is doing what on the network, said Marc van Zadelhoff, vice president of marketing and business development at Consul Risk Management Inc.

Consul makes security auditing software and partners with identity management vendors such as BMC Software Inc. to extend its solutions. Consul's InSight for Control-SA, for example, provides auditing and control facilities for BMC's identity management product. The Consul/BMC alliance is about 6 months old.

Auditing and identity management have become increasingly intertwined, said Paul Proctor, vice president of the security and risk strategies practice at Meta Group Inc.

Making identities portable

Identity federation is another direction in identity management's evolution. The idea is to make a user's identity portable across organizational boundaries. New applications are based on the ability to share identity information among the organizational entities within a large agency, among agencies or between agencies and contractors.

Ping Identity Corp., for example, offers SourceID, a federation gateway that enables cross-domain single sign-on. Trustgenix Inc., meanwhile, offers IdentityBridge, a federation server that provides cross-

domain single sign-on and user provisioning. An application such as single sign-on has typically been confined to a single domain — a family of applications accessible via an agency portal, for example.

Uppili Srinivasan, senior director of identity management and security products at Oracle Corp., said all the major players are pursuing federation technology. Oracle, for example, acquired Phaos Technology Corp., a federated identity management vendor, earlier this year.

"Identity federation is a big deal within organizations," Srinivasan said, adding that Oracle has numerous pilot projects and a few deployments under way.

But identity federation among different entities hinges on interoperability. Today, multiple specifications exist for sharing identities across organizational boundaries. Chief among them are Security Assertion Markup Language (SAML), the Liberty Alliance Project's specification and the Web Services Federation standard.

The Organization for the Advancement of Structured Information Standards (OASIS) is advancing SAML, while the Liberty Alliance offers the Identity Federation Framework (ID-FF) specification. WS-Federation, meanwhile, is among the Web Services Security specifications that Microsoft Corp. and IBM Corp. promote.

The lack of a single standard has been an obstacle. Macedo of the Lawrence Livermore lab said he looks for a commonality among the various vendors the lab employs. When vendors start adopting open security standards, the lab won't "have to write all the integration ware,"

he said.

Macedo said one place within the lab adopts every type of security technology and standard, underscoring the challenge of finding common ground.

Vendors, however, are working on making the standards interoperable. Officials at IBM, for example, work with the different factions "so there is interoperability among the various initiatives," said Joe Anthony, director of integrated identity management for IBM's Tivoli Software.

But despite the technical maneuvering, some executives believe the greatest hurdle in cross-domain identity management is establishing trust among organizations.

"It's not a technology issue as much as it is a business policy issue in establishing trust," said Rick Simmons, vice president of North American field operations at Oblix Inc., a maker of identity-based security solutions. "In a lot of cases, agencies have never worked together.

Moore is a freelance writer based in Syracuse, N.Y.

***

How to manage identities

Focus, focus, focus. The first step toward deploying an identity management system is "defining the objective of the project and then sticking to it," said Somesh Singh, vice president and general manager of BMC Software Inc.'s Security Business Unit.

Pick a likely target. When defining an objective, officials should look for a specific pain point. An agency may find that three to five applications are driving 80 percent of the help-desk calls, said Joe Anthony, director of integrated identity management for IBM Corp.'s Tivoli Software.

Limit roles. Projects can get bogged down when customers spend too much effort defining user roles. They emphasize "the role definition aspect of the project to the degree that there are almost more roles than people," said Bill Mann, vice president of eTrust security management at Computer Associates International Inc. "They need to tone down the number of roles ...to a manageable set."

Keep talking. Project managers should share their identity management plans with all employees at an organization, said John Aisien, vice president of marketing and business development at Thor Technologies Inc. He said help-desk and other information technology employees may find identity management threatening, because it reduces their workload. He said IT managers need to work with such groups to demonstrate how identity management benefits them.