Before we seek Identify Management solution for an organization, the organization must define its business strategy in context to IDM. There are organization which requires to have multiple credential to login to multiple system in the landscape. Most of the federal government organization believes that the system landscape is much more secure when each system in the landscape has its own authentication scheme. To amplify that point, each user of the system in the landscape will have 5-6 credentials. One login credential for desktop, one for email, one for using internet, one for using the systems, one for using HR systems and etc. The idea behind this is, if a system security is compromised then it will not impact other system. At the same time, each users are asked to remember 5-6 user name and password. Users tend to forget the user name/password and require more help desk personnel which increases over all support cost.
On the other hand, when organization require to provide ease of use for its systems in landscape, it moves towards single sign on (SSO) and security architecture principle is one user, one identification. The risk with this approach is, if a system is compromised, the entire systems in the landscape will be compromised.
For each scenario, there is entirely a different identity management solution. IDM includes
- User provisioning
- User management
- Role Management
- Audit Control
- Access Management
- Authentication
- Authorization
- Directory services
- Work flow
- Federation
- User de-provisioning
The components of IDM aligns to the process steps I laid out for IDM few months ago.
Identity Management solution can be simplified when the existing and must have directory service is extended to use for other areas. That is, when an organization uses active directory services as a authentication scheme for a desktop/laptop/pc and there is no plan to change it, the recommendation is to study how the active directory service can be made available for other areas like authentication of web application, email and etc.
Take aways:
- Must define the identify management direction based on business strategy (in the context of IDM)
- Leverage existing and must have directory service
- Select a product (for instance Sun Identity Management) which integrates with directory service, user management, and open standards for work flow , provisioning and de-provisioning
- Based on IDM direction, synchronize the credentials (like email, desktop login, unix server login, mainframe login, HR system login, benefits system login)
- Manage user entry and exit process in a cohesive manner and automate the creation and deletion of credentials in all areas.
Note: This page is used for google’s page rank emprical analysis. The links will be created based on the random graph created. This is node #5 which has the key word: xysivabodzinyx , xysivabodzinxy
Posted in Enterprise Architecture Tagged: Identity Management, Security, Security Architecture
