Offering regional and national programs, CIO (and CSO) events bring together some of the most respected names and thought leaders in information technology and security. Presented by CIOs and other senior level executives, these invitation-only programs offer timely topics and strong networking. Learn More »

CIO Executive Council

A Peer-Advisory Service and Professional Association for CIOs

Public Council Teleconference: Application Rationalization — Hidden Costs and Smart Decisions

November 17 at 11:00 am US/Eastern (GMT-5)

Join Honorio Padrón, of The Hackett Group, who will share the drivers for companies to tackle application rationalization and the results of research that define the hidden cost of complexity. Additionally, we will discuss key decision milestones—to start or not, holding the course steady and fulfilling expectations.

Virtual Desktop Cost-Benefit Analysis — Michael Jacobs, Catlin Group

The analysis contained in this presentation measures the cost of everything from the machines and licenses to the infrastructure for virtual vs. traditional desktop environments.

Honor your best senior team members - Apply for the CIO Ones to Watch Award

Get well-earned public recognition for your top up-and-coming team members, your IT organization and your enterprise. Award winners will be announced, publicized and feted in May 2010, great timing to help attract new IT recruits to your company.

More / Register »

Learn more about the CIO Executive Council »

RESOURCE CENTER

buy a link »

Tutorial

ID Management Definition and Solutions

ID Management topics covering definition, objectives, systems and solutions.

How do identity management systems work?

A typical ID management system today comprises four basic elements: a directory of the personal data the system uses to define individual users (think of it as an ID repository); a set of tools for adding, modifying and deleting that data (the access lifecycle management stuff); a system that regulates user access (enforcement of security policies and access privileges); and an auditing and reporting system (so you'll have a way to verify what's actually been happening on your system).

Regulating user access can involve a number of authentication methods for verifying the identity of a user, including passwords, digital certificates, tokens and smart cards. Hardware tokens and credit-card-sized smart cards have traditionally served as one component in the two-factor authentication scheme, which combines something you know (your password) with something you have (the token or the card) to verify a user's identity. A smart card carries an embedded integrated circuit chip that can be either a secure microcontroller or equivalent intelligence with internal memory or a memory chip alone. Software tokens, which can exist on any device with storage capability, from a USB drive to a cell phone, emerged in 2005.

What is Federated Identity Management?

Federation lets you share digital IDs with trusted partners. It's an authentication-sharing mechanism designed to allow users to employ the same user name, password or other ID to gain access to more than one network. It's what is known as a "single sign-on." A single sign-on standard lets people who verify their identity on one network or website carry over that authenticated status when moving to another. The model works only among cooperating organizations—known as trusted partners—that essentially vouch for each other's users.

MORE ABCs

Visit our ABCs section and learn the basics of:

change management

mobile security

and more

The federated model relies on the security assertion markup language specification, better known as SAML (pronounced "SAM-el"). This open specification defines an XML framework for exchanging security assertions among security authorities. SAML was developed by the Liberty Alliance, an organization formed to establish guidelines and best practices for federated ID management. The Sun Microsystems-backed group developed SAML to achieve interoperability across different vendor platforms that provide authentication and authorization services.

Microsoft and IBM have established a rival ID management federation standard: the WS-Federation specification. This spec is also designed to provide a standardized way for companies to share user and machine identities among disparate authentication and authorization systems and across corporate boundaries.

The federation model can simplify administration and enable companies to extend ID and access management to third-party users and third-party services.

What challenges or risks does implementing an identity management solution present?

ID management is inherently challenging. The applications in your system are likely to have their own ID data stores and authentication schemes. The ID data they contain isn't necessarily organized in a standard way. You might have had the foresight to opt for industry standards early on in your company's development, but your latest acquisition may not have been thinking ahead.

A successful implementation requires some forethought. Companies that establish a cohesive ID management strategy—clear objectives, stakeholder buy-in, defined business processes—before they begin the project are likely to be more successful.

One risk worth keeping in mind: Centralized operations present tempting targets to hackers and crackers. By putting a dashboard over all of a company's ID management activities, these systems reduce complexity for more than the administrators. Once compromised, they could allow an intruder to create IDs with extensive privileges and access to many resources.

What terminology should I know?

The buzzwords come and go, but a few key terms in the identity management space are worth knowing:

Access management
You almost never see "identity management" without this term right next to it. In fact, a number of vendors and analysts are combining the two into a single concept: IAM (identity and access management). It refers to the processes and technologies used to control and monitor network access. Access management features, such as authentication, authorization, trust and security auditing, are part and parcel of the top ID management systems.
Credential
An identifier employed by the user to gain access to a network. It's the user's password, public key infrastructure (PKI) certificate or biometric information (fingerprint, retinal scan).
De-provisioning
The process of removing an identity from an ID repository and terminating access privileges.
Digital identity
The ID itself, including the description of the user and his/her/its access privileges. ("Its" because an endpoint, such as a laptop or a cell phone, can have a digital identity.)
Entitlement
The set of attributes that specify the access rights and privileges of an authenticated security principal.
Identity lifecycle management
Another buzz phrase. Similar to access lifecycle management. It refers to the entire set of processes and technologies for maintaining and updating digital identities. Identity lifecycle management includes identity synchronization, provisioning, de-provisioning, and the ongoing management of user attributes, credentials and entitlements.
Identity synchronization
The process of ensuring that multiple identity stores—say, the result of an acquisition—contain consistent data for a given digital ID.
Password reset
In this context, it's a feature of an ID management system that allows users to re-establish their own passwords, relieving the administrators of the job and cutting support calls. The reset application is usually accessed by the user through a browser. The application asks for a secret word or a set of questions to verify the user's identity.
Provisioning
The process of creating identities, defining their access privileges and adding them to an ID repository.
Security principal
A digital identity with one or more credentials that can be authenticated and authorized to interact with the network.