Identity management was a complex issue to begin with and this complexity is only increasing with the advent of cloud computing. To deal with it, those responsible for managing identities and those creating technologies for identity management have had to continuously innovate.
The latest innovation we are seeing is in the area of intelligent workload management, specifically towards intelligently managing identity-aware workloads. Before I talk about that, I’d like you to consider how we got to where we are today.
Identity Management can be decomposed into four basic functions:
1. Authentication
In order for a user to access your systems, you need to authenticate that he is who he says he is. Authentication methods can be very basic, such as simply requiring that the user enter a password, or they can be stronger and involve fingerprint readers or other types of biometrics. Of course, the number of systems that an individual may have to access during the course of a workday has proliferated, and many of these systems have migrated off premise. In order to deal with multiple-password issues and the varying authentication requirements of different systems, some organizations have moved to single-sign-on methodologies. At the same time, we’ve become better at correlating different types of identity data to allow for the behavioral analysis of users. We can know, for example, when “Frank” swiped his ID badge in order to enter the campus, as well as when he tried, and perhaps failed, to enter his password correctly. When someone is trying to use Frank’s password while he’s not on premise, we know there’s a problem!
2. Authorization
Once we know who a user is, we need to be able to authorize his use of this or that application or system. The traditional authorization method is role-based. “Frank” may be a marketer who should be authorized to access marketing assets at various levels; he may also manage a P&L, so he needs authorization to access financial systems; and he may be a “super-user” for some infrastructural elements like a website. Role-based authorization is often supplemented with policy-driven authorization. For instance, Frank can only be a root user while he’s on campus, so the question becomes, “How do I delegate this privilege to him for the time he’s on campus and then rescind it once he’s left?”
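The two ideas above, correlating badge swipes with password attempts (the authentication section) and layering a "root only while on campus" policy on top of role-based authorization (this section), both hinge on the same piece of state: is Frank on premise right now? The following example, added here and not part of the original post or any product it describes, shows both on one constructed event log. The log format, the user "frank", the role and permission names, and the `ON_CAMPUS_ONLY` policy are all assumptions made for the illustration.

```python
"""Added example: badge/password correlation plus role-based authorization
with a campus-presence policy. All events, roles and names are constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set

# Constructed sample log lines: "<ISO timestamp> <source> <user> <detail>".
# Frank badges in, logs in, badges out at lunch, and then "Frank's" password
# is used again (one failure, one success) while the badge data says he is out.
SAMPLE_LOG = [
    "2010-03-15T08:02:00 badge frank enter",
    "2010-03-15T08:10:00 password frank success",
    "2010-03-15T12:30:00 badge frank exit",
    "2010-03-15T13:05:00 password frank failure",
    "2010-03-15T13:06:00 password frank success",
]

# Role model (constructed): Frank is a marketer, owns a P&L and is a
# super-user for the website, as in the post.
ROLES: Dict[str, Set[str]] = {"frank": {"marketer", "pl_owner", "web_superuser"}}
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "marketer": {"marketing_assets:read", "marketing_assets:write"},
    "pl_owner": {"finance:read"},
    "web_superuser": {"website:root"},
}
# Policy layer on top of the roles: these permissions are only valid while
# the user is physically on campus, and lapse as soon as the badge says "exit".
ON_CAMPUS_ONLY: Set[str] = {"website:root"}

# Two points in time used by the demo below (constructed).
T_MORNING = datetime(2010, 3, 15, 9, 0)
T_AFTERNOON = datetime(2010, 3, 15, 13, 0)


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # "badge" or "password"
    user: str
    detail: str   # "enter"/"exit" for badge, "success"/"failure" for password


def parse_log(lines: List[str]) -> List[Event]:
    """Parse the constructed log format; events come back sorted by time."""
    events = []
    for line in lines:
        ts, source, user, detail = line.split()
        events.append(Event(datetime.fromisoformat(ts), source, user, detail))
    return sorted(events, key=lambda e: e.ts)


def on_campus(events: List[Event], user: str, at: datetime) -> bool:
    """Replay badge events up to `at`; the most recent swipe decides presence.
    A user with no badge events at all is treated as off campus."""
    state = False
    for e in events:
        if e.ts > at:
            break
        if e.source == "badge" and e.user == user:
            state = e.detail == "enter"
    return state


def correlate_password_events(events: List[Event]) -> List[str]:
    """Flag every password attempt, successful or not, made while the badge
    data says the user is not on premise (the "we know there's a problem" case)."""
    alerts = []
    for e in events:
        if e.source != "password":
            continue
        if not on_campus(events, e.user, e.ts):
            alerts.append(f"{e.ts.isoformat()} {e.user}: password {e.detail} while off campus")
    return alerts


def authorize(events: List[Event], user: str, permission: str, at: datetime) -> bool:
    """Role-based check first, then the campus-presence policy on top.
    Because presence is recomputed at every call, the root privilege is
    effectively delegated on badge-in and rescinded on badge-out."""
    granted: Set[str] = set()
    for role in ROLES.get(user, set()):
        granted |= ROLE_PERMISSIONS.get(role, set())
    if permission not in granted:
        return False
    if permission in ON_CAMPUS_ONLY and not on_campus(events, user, at):
        return False
    return True


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in correlate_password_events(evs):
        print("ALERT", alert)
    print("website:root at 09:00:", authorize(evs, "frank", "website:root", T_MORNING))
    print("website:root at 13:00:", authorize(evs, "frank", "website:root", T_AFTERNOON))
    print("finance:read at 13:00:", authorize(evs, "frank", "finance:read", T_AFTERNOON))
```

Running it prints two alerts for the 13:05 and 13:06 password events, grants `website:root` in the morning but not in the afternoon, and still grants `finance:read` in the afternoon because that permission carries no presence policy. The design point is that the policy layer never edits the role assignments; it only gates them with live context, which is what makes the "delegate, then rescind" question answerable without a provisioning round-trip.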
3. Provisioning
With authentication done and authorizations in place, the system is then responsible for rolling out the appropriate accounts and attributes to each target system, based on the credentials and entitlements established for the user.
4. Auditing
Finally, the system needs to log activity, perform audits, generate reports and track events as they happen. These functions in themselves are by no means new: provisioning users is easily two decades old; authorization has been around as long as client-server or time-share systems have been around, etc. What is new is the way that these get connected and work together. People have gone from multiple tools addressing individual functions to bundles or platforms where you have authentication and authorization and auditing all sorted in a systemic way so that you can cut across and report across them. This bundling or platforming has become necessary as SLAs have become stricter and regulations gotten tighter.
With tighter regulations has come ever-increasing complexity. You not only need to have these tools in place, but you’ve also got to map the various technologies to specific controls – compliance controls, security controls, governance, and on and on. These controls have 6 to 7 different components, which in turn get mapped to the actual regulations, which could be PCI for financial records, Sarbanes-Oxley for the password retries, HIPAA for any health records, etc.
And now, to add to the complexity, you have to deal with the fact that some of these components are actually “out there” in the cloud. I believe that this new layer of complexity makes “intelligence” (as in “Intelligent Workload Management”) an absolute necessity.
I’ll address that idea in my next post, but would first like to ask: how are you dealing with the increasing complexity of identity management as a service?
Posted Mar 15 2010, 01:03 PM by DiptoChakravarty